>
    Install WildFire Appliance Device Certificate With an Internet Connection
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced WildFire Powered by Precision AI™
    3. Set Up and Manage a WildFire Appliance
    4. Install WildFire Appliance Device Certificate With an Internet Connection
    Download PDF
    Advanced WildFire Powered by Precision AI™

    Install WildFire Appliance Device Certificate With an Internet Connection

    Table of Contents

    Install WildFire Appliance Device Certificate With an Internet Connection

    Where Can I Use This?What Do I Need?
    • WildFire Appliance
    • WildFire License
    • Customer Support Portal (CSP) account with one of the following user roles:
      Super User, Standard User, Limited User, Threat Researcher, AutoFocus Trial Role, Group Super User, Group Standard User, Group Limited User, Group Threat Researcher, Authorized Support Center (ASC) User, and ASC Full Service User.
    • Superuser access to the WildFire appliance
    To fetch the device certificate on the WF-500 appliance when an Internet connection is available, you must log in to the Palo Alto Networks Support Portal to generate a one time password used to access the certificate. This OTP is then used to retrieve the device certificate on the specific appliance.
    WF-500B appliances are equipped with a Trusted Platform Module (TPM) that is used to securely identify itself and automatically fetch the device certificate—no user intervention is necessary to manage WF-500B device certificates.
    If you are operating a WildFire Private Cloud and do not connect to any of the WildFire services, you do not need to update the WildFire appliance device certificates. Instead, the WildFire appliance uses predefined certificates for mutual authentication to establish the SSL connections used for management access and inter-device communication; however, you can Set Up Authentication Using a Custom Certificate on a Standalone WildFire Appliance instead.
    If your WF-500B appliance is not connected to the Internet, you might observe failed jobs due to repeated attempts by the appliance to retrieve device certificates.
    To successfully install the device certificate on your firewall, the following FQDNs and ports must be allowed on your network.
    FQDN
    Ports
    • http://ocsp.paloaltonetworks.com
    • http://crl.paloaltonetworks.com
    • http://ocsp.godaddy.com
    TCP 80
    • https://api.paloaltonetworks.com
    • http://apitrusted.paloaltonetworks.com
    • certificatetrusted.paloaltonetworks.com
    • certificate.paloaltonetworks.com
    TCP 443
    • *.gpcloudservice.com
    TCP 444 and TCP 443
    1. Verify that you are running one of the following PAN-OS releases on the WildFire appliance:
      • PAN-OS 11.0.1 and later
      • PAN-OS 10.2.4 and later
      • PAN-OS 10.1.10 and later (not supported on the WF-500B appliance)
      • PAN-OS 10.0.12 and later (not supported on the WF-500B appliance)
      • PAN-OS 9.1.17 and later (not supported on the WF-500B appliance)
    2. Generate the One Time Password (OTP).
      1. Log in to the Customer Support Portal with a user role that has permission to generate an OTP.
      2. Select ProductsDevice Certificates and Generate OTP.
      3. For the Device Type, select Generate OTP for WF-500.
      4. Select your WF-500 Device serial number.
      5. Generate OTP and copy the OTP.
    3. Access the WF-500 appliance CLI with superuser administrative privileges.
    4. Configure the WildFire appliance to synchronize with an NTP server:
      admin@WF-500> configure 
admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <NTP primary server IP address> 
admin@WF-500# set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address <NTP secondary server IP address>
    5. Download and install the WF-500 appliance device certificate using the following CLI command (remember to use the correct One-time Password you generated in the Customer Support Portal): 
      admin@WF-500> request certificate fetch otp <otp_value>
    6. Your WF-500 appliance successfully retrieves and installs the device certificate.
    7. (Optional) Verify the successful download and installation of a device certificate using the following CLI command:
      admin@WF-500> show device-certificate status
      A successful installation of the device certificate displays the following response:
      Device Certificate information:
Current device certificate status: Valid
Not valid before: 2022/11/30 15:17:47 PST
Not valid after: 2023/02/28 15:17:47 PST
Last fetched timestamp: 2022/11/30 15:29:42 PST
Last fetched status: success
Last fetched info: Successfully fetched Device Certificate
    8. Refresh the WildFire appliance settings to establish a connection to the Advanced WildFire cloud with the updated device certificate using the following CLI command:
      PAN-OS Version Running on WildFire ApplianceCLI Command
      • PAN-OS 11.0.1 and later
      • PAN-OS 10.2.5 and later
      • PAN-OS 10.1.10 and later
      		 
      admin@WF-500> test wildfire registration
      • PAN-OS 10.2.4
      • PAN-OS 10.0.12 and later
      • PAN-OS 9.1.17 and later
      		 
      admin@WF-500> request restart system
      This process can take up to 20 minutes to complete.
      Any version configured as a WildFire cluster node
      		 
      admin@WF-500(active-controller)> request
cluster reboot-local-node
      You can view the status of the status of the reboot task on the WildFire controller node using the following CLI command:
      admin@WF-500(active-controller)> show
cluster task pending
      When there are no pending tasks remaining, use the following CLI command to verify a successful reboot: 
      admin@WF-500(active-controller)> show
cluster task history
      Upon completion, you should see the status Finished: success at YYYY-MM-DD HH:MM:SS UTC, indicating when the reboot process has completed.

    © 2025 Palo Alto Networks, Inc. All rights reserved.