Advanced WildFire Powered by Precision AI™
Install WildFire Appliance Device Certificate With an Internet Connection
To fetch the device certificate on the WF-500 appliance when an Internet connection is available, you must log in to the Palo Alto Networks Support Portal to generate a one-time password (OTP) that authorizes access to the certificate. This OTP is then used on the specific appliance to retrieve its device certificate.
WF-500B appliances are equipped with a Trusted Platform Module (TPM) that is used to securely identify the appliance and automatically fetch the device certificate; no user intervention is necessary to manage WF-500B device certificates.
If you are operating a WildFire Private Cloud and do not connect to any of the WildFire services, you do not need to update the WildFire appliance device certificates. Instead, the WildFire appliance uses predefined certificates for mutual authentication to establish the SSL connections used for management access and inter-device communication; however, you can Set Up Authentication Using a Custom Certificate on a Standalone WildFire Appliance instead.
If your WF-500B appliance is not connected to the Internet, you might observe failed jobs due to repeated attempts by the appliance to retrieve device certificates.
To successfully install the device certificate on your firewall, the following FQDNs and ports must be allowed on your network.

FQDN | Ports
---|---
 | TCP 80
 | TCP 443
 | TCP 444 and TCP 443
- Verify that you are running one of the following PAN-OS releases on the WildFire appliance:
  - PAN-OS 11.0.1 and later
  - PAN-OS 10.2.4 and later
  - PAN-OS 10.1.10 and later (not supported on the WF-500B appliance)
  - PAN-OS 10.0.12 and later (not supported on the WF-500B appliance)
  - PAN-OS 9.1.17 and later (not supported on the WF-500B appliance)
1. Generate the One-Time Password (OTP):
   - Log in to the Customer Support Portal with a user role that has permission to generate an OTP.
   - Select Products > Device Certificates and Generate OTP.
   - For the Device Type, select Generate OTP for WF-500.
   - Select your WF-500 Device serial number.
   - Generate OTP and copy the OTP.
2. Access the WF-500 appliance CLI with superuser administrative privileges.
3. Configure the WildFire appliance to synchronize with an NTP server:

   ```
   admin@WF-500> configure
   admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <NTP primary server IP address>
   admin@WF-500# set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address <NTP secondary server IP address>
   ```

4. Download and install the WF-500 appliance device certificate using the following CLI command (use the One-Time Password you generated in the Customer Support Portal):

   ```
   admin@WF-500> request certificate fetch otp <otp_value>
   ```

   Your WF-500 appliance retrieves and installs the device certificate.
5. (Optional) Verify the successful download and installation of the device certificate using the following CLI command:

   ```
   admin@WF-500> show device-certificate status
   ```

   A successful installation of the device certificate displays the following response:

   ```
   Device Certificate information:
   Current device certificate status: Valid
   Not valid before: 2022/11/30 15:17:47 PST
   Not valid after: 2023/02/28 15:17:47 PST
   Last fetched timestamp: 2022/11/30 15:29:42 PST
   Last fetched status: success
   Last fetched info: Successfully fetched Device Certificate
   ```

6. Refresh the WildFire appliance settings to establish a connection to the Advanced WildFire cloud with the updated device certificate, using the CLI command for the PAN-OS version running on the appliance:

   PAN-OS Version Running on WildFire Appliance | CLI Command
   ---|---
   PAN-OS 11.0.1 and later; PAN-OS 10.2.5 and later; PAN-OS 10.1.10 and later | `admin@WF-500> test wildfire registration`
   PAN-OS 10.2.4; PAN-OS 10.0.12 and later; PAN-OS 9.1.17 and later | `admin@WF-500> request restart system` (this process can take up to 20 minutes to complete)
   Any version configured as a WildFire cluster node | `admin@WF-500(active-controller)> request cluster reboot-local-node`

   You can view the status of the reboot task on the WildFire controller node using the following CLI command:

   ```
   admin@WF-500(active-controller)> show cluster task pending
   ```

   When there are no pending tasks remaining, use the following CLI command to verify a successful reboot:

   ```
   admin@WF-500(active-controller)> show cluster task history
   ```

   Upon completion, you should see the status `Finished: success at YYYY-MM-DD HH:MM:SS UTC`, indicating when the reboot process completed.
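As an added example (not Palo Alto Networks code), the following Python check parses the `show device-certificate status` output shown in the verification step and flags a certificate that is not Valid, whose last fetch failed, or that is expired or about to expire, so the check can run from a monitoring job before the certificate lapses. The sample output is constructed from the response above; the timezone abbreviation is assumed to be a trailing token that is stripped, and timestamps are compared as naive local time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the "show device-certificate status" response above.
SAMPLE_STATUS = """Device Certificate information:
  Current device certificate status: Valid
  Not valid before: 2022/11/30 15:17:47 PST
  Not valid after: 2023/02/28 15:17:47 PST
  Last fetched timestamp: 2022/11/30 15:29:42 PST
  Last fetched status: success
  Last fetched info: Successfully fetched Device Certificate
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
TS_FMT = "%Y/%m/%d %H:%M:%S"


def parse_status(text):
    """Return the 'key: value' lines of the CLI output as a dict (header line skipped)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("value"):
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def parse_ts(value):
    # Assumption: the last token is a timezone abbreviation (e.g. PST); drop it.
    return datetime.strptime(value.rsplit(" ", 1)[0], TS_FMT)


def evaluate(text, now, warn_days=14):
    """Return (ok, reasons): ok is True only when no problem was found."""
    f = parse_status(text)
    reasons = []
    if f.get("Current device certificate status") != "Valid":
        reasons.append("certificate status is not Valid")
    if f.get("Last fetched status") != "success":
        reasons.append("last fetch did not succeed")
    try:
        not_before, not_after = parse_ts(f["Not valid before"]), parse_ts(f["Not valid after"])
    except (KeyError, ValueError):
        return False, reasons + ["could not parse validity period"]
    if now < not_before:
        reasons.append("certificate not yet valid (check NTP)")  # clock skew symptom
    if now > not_after:
        reasons.append("certificate expired")
    elif now + timedelta(days=warn_days) > not_after:
        reasons.append("certificate expires within %d days" % warn_days)
    return not reasons, reasons
```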