Install WildFire Appliance Device Certificate With an Internet Connection
Focus
Focus
Advanced WildFire Powered by Precision AI™

Install WildFire Appliance Device Certificate With an Internet Connection

Table of Contents

Install WildFire Appliance Device Certificate With an Internet Connection

Where Can I Use This?What Do I Need?
  • WildFire Appliance
  • WildFire License
  • Customer Support Portal (CSP) account with one of the following user roles:
    Super User, Standard User, Limited User, Threat Researcher, AutoFocus Trial Role, Group Super User, Group Standard User, Group Limited User, Group Threat Researcher, Authorized Support Center (ASC) User, and ASC Full Service User.
  • Superuser access to the WildFire appliance
To fetch the device certificate on the WF-500 appliance when an Internet connection is available, you must log in to the Palo Alto Networks Support Portal to generate a one time password used to access the certificate. This OTP is then used to retrieve the device certificate on the specific appliance.
WF-500B appliances are equipped with a Trusted Platform Module (TPM) that is used to securely identify itself and automatically fetch the device certificate—no user intervention is necessary to manage WF-500B device certificates.
If you are operating a WildFire Private Cloud and do not connect to any of the WildFire services, you do not need to update the WildFire appliance device certificates. Instead, the WildFire appliance uses predefined certificates for mutual authentication to establish the SSL connections used for management access and inter-device communication; however, you can Set Up Authentication Using a Custom Certificate on a Standalone WildFire Appliance instead.
If your WF-500B appliance is not connected to the Internet, you might observe failed jobs due to repeated attempts by the appliance to retrieve device certificates.
To successfully install the device certificate on your firewall, the following FQDNs and ports must be allowed on your network.
FQDN
Ports
  • http://ocsp.paloaltonetworks.com
  • http://crl.paloaltonetworks.com
  • http://ocsp.godaddy.com
TCP 80
  • https://api.paloaltonetworks.com
  • http://apitrusted.paloaltonetworks.com
  • certificatetrusted.paloaltonetworks.com
  • certificate.paloaltonetworks.com
TCP 443
  • *.gpcloudservice.com
TCP 444 and TCP 443
  1. Verify that you are running one of the following PAN-OS releases on the WildFire appliance:
    • PAN-OS 11.0.1 and later
    • PAN-OS 10.2.4 and later
    • PAN-OS 10.1.10 and later (not supported on the WF-500B appliance)
    • PAN-OS 10.0.12 and later (not supported on the WF-500B appliance)
    • PAN-OS 9.1.17 and later (not supported on the WF-500B appliance)
  2. Generate the One Time Password (OTP).
    1. Log in to the Customer Support Portal with a user role that has permission to generate an OTP.
    2. Select ProductsDevice Certificates and Generate OTP.
    3. For the Device Type, select Generate OTP for WF-500.
    4. Select your WF-500 Device serial number.
    5. Generate OTP and copy the OTP.
  3. Access the WF-500 appliance CLI with superuser administrative privileges.
  4. Configure the WildFire appliance to synchronize with an NTP server:
    admin@WF-500> configure 
    admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <NTP primary server IP address> 
    admin@WF-500# set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address <NTP secondary server IP address> 
  5. Download and install the WF-500 appliance device certificate using the following CLI command (remember to use the correct One-time Password you generated in the Customer Support Portal):
    admin@WF-500> request certificate fetch otp <otp_value>						
  6. Your WF-500 appliance successfully retrieves and installs the device certificate.
  7. (Optional) Verify the successful download and installation of a device certificate using the following CLI command:
    admin@WF-500> show device-certificate status						
    A successful installation of the device certificate displays the following response:
    Device Certificate information: Current device certificate status: Valid Not valid before: 2022/11/30 15:17:47 PST Not valid after: 2023/02/28 15:17:47 PST Last fetched timestamp: 2022/11/30 15:29:42 PST Last fetched status: success Last fetched info: Successfully fetched Device Certificate
  8. Refresh the WildFire appliance settings to establish a connection to the Advanced WildFire cloud with the updated device certificate using the following CLI command:
    PAN-OS Version Running on WildFire ApplianceCLI Command
    • PAN-OS 11.0.1 and later
    • PAN-OS 10.2.5 and later
    • PAN-OS 10.1.10 and later
    admin@WF-500> test wildfire registration
    • PAN-OS 10.2.4
    • PAN-OS 10.0.12 and later
    • PAN-OS 9.1.17 and later
    admin@WF-500> request restart system
    This process can take up to 20 minutes to complete.
    Any version configured as a WildFire cluster node
    admin@WF-500(active-controller)> request
    cluster reboot-local-node
    You can view the status of the status of the reboot task on the WildFire controller node using the following CLI command:
    admin@WF-500(active-controller)> show
    cluster task pending
    When there are no pending tasks remaining, use the following CLI command to verify a successful reboot:
    admin@WF-500(active-controller)> show
    cluster task history
    Upon completion, you should see the status Finished: success at YYYY-MM-DD HH:MM:SS UTC, indicating when the reboot process has completed.