>
    Install WildFire Appliance Device Certificate With an Internet Connection
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced WildFire
    3. Set Up and Manage a WildFire Appliance
    4. Install WildFire Appliance Device Certificate With an Internet Connection
    Download PDF

    Advanced WildFire

    Install WildFire Appliance Device Certificate With an Internet Connection

    Table of Contents

    Install WildFire Appliance Device Certificate With an Internet Connection

    Where Can I Use This?
    What Do I Need?
    • WildFire Appliance
    • WildFire License
    To fetch the device certificate on the WF-500 appliance when an Internet connection is available, you must log in to the Palo Alto Networks Support Portal to generate a one time password used to access the certificate. This OTP is then used to retrieve the device certificate on the specific appliance.
    WF-500B appliances are equipped with a Trusted Platform Module (TPM) that is used to securely identify itself and automatically fetch the device certificate—no user intervention is necessary to manage WF-500B device certificates.
    If you are operating a WildFire Private Cloud and do not connect to any of the WildFire services, you do not need to update the WildFire appliance device certificates. Instead, the WildFire appliance uses predefined certificates for mutual authentication to establish the SSL connections used for management access and inter-device communication; however, you can Set Up Authentication Using a Custom Certificate on a Standalone WildFire Appliance instead.
    If your WF-500B appliance is not connected to the Internet, you might observe failed jobs due to repeated attempts by the appliance to retrieve device certificates.
    To successfully install the device certificate on your firewall, the following FQDNs and ports must be allowed on your network.
    FQDN
    Ports
    • http://ocsp.paloaltonetworks.com
    • http://crl.paloaltonetworks.com
    • http://ocsp.godaddy.com
    TCP 80
    • https://api.paloaltonetworks.com
    • http://apitrusted.paloaltonetworks.com
    • certificatetrusted.paloaltonetworks.com
    • certificate.paloaltonetworks.com
    TCP 443
    • *.gpcloudservice.com
    TCP 444 and TCP 443
    1. Verify that you are running one of the following PAN-OS releases on the WildFire appliance:
      • PAN-OS 11.0.1 and later
      • PAN-OS 10.2.4 and later
      • PAN-OS 10.1.10 and later (not supported on the WF-500B appliance)
      • PAN-OS 10.0.12 and later (not supported on the WF-500B appliance)
      • PAN-OS 9.1.17 and later (not supported on the WF-500B appliance)
    2. Generate the One Time Password (OTP).
      1. Log in to the Customer Support Portal with an account with super user permissions.
      2. Select
        Products
        Device Certificates
         and
        Generate OTP
        .
      3. For the
        Device Type
        , select
        Generate OTP for WF-500
        .
      4. Select your
        WF-500 Device
         serial number.
      5. Generate OTP
         and copy the OTP.
    3. Access the WF-500 appliance CLI with superuser administrative privileges.
    4. Configure the WildFire appliance to synchronize with an NTP server:
      admin@WF-500> 
      configure
       
admin@WF-500# 
      set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 
      <NTP primary server IP address>
       
admin@WF-500# 
      set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address 
      <NTP secondary server IP address>
    5. Download and install the WF-500 appliance device certificate using the following CLI command (remember to use the correct
      One-time Password
       you generated in the Customer Support Portal): 
      admin@WF-500> 
      request certificate fetch otp <otp_value>
    6. Your WF-500 appliance successfully retrieves and installs the device certificate.
    7. (Optional) Verify the successful download and installation of a device certificate using the following CLI command:
      admin@WF-500> 
      show device-certificate status
      A successful installation of the device certificate displays the following response:
      Device Certificate information:
Current device certificate status: Valid
Not valid before: 2022/11/30 15:17:47 PST
Not valid after: 2023/02/28 15:17:47 PST
Last fetched timestamp: 2022/11/30 15:29:42 PST
Last fetched status: success
Last fetched info: Successfully fetched Device Certificate
    8. Refresh the WildFire appliance settings to establish a connection to the Advanced WildFire cloud with the updated device certificate using the following CLI command:
      PAN-OS Version Running on WildFire Appliance
      CLI Command
      • PAN-OS 11.0.1 and later
      • PAN-OS 10.2.5 and later
      • PAN-OS 10.1.10 and later
      admin@WF-500> 
      test wildfire registration
      • PAN-OS 10.2.4
      • PAN-OS 10.0.12 and later
      • PAN-OS 9.1.17 and later
      admin@WF-500> 
      request restart system
      This process can take up to 20 minutes to complete.
      Any version configured as a WildFire cluster node
      admin@WF-500(active-controller)> 
      request
cluster reboot-local-node
      You can view the status of the status of the reboot task on the WildFire controller node using the following CLI command:
      admin@WF-500(active-controller)> 
      show
cluster task pending
      When there are no pending tasks remaining, use the following CLI command to verify a successful reboot: 
      admin@WF-500(active-controller)> 
      show
cluster task history
      Upon completion, you should see the status
      Finished: success at YYYY-MM-DD HH:MM:SS UTC
      , indicating when the reboot process has completed.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.