Install a Device Certificate on the CN-Series Firewall


Install a Device Certificate on the CN-Series Firewall

Table of Contents

Install a Device Certificate on the CN-Series Firewall

Learn how to install a device certificate to license the CN-Series firewall.
Where Can I Use This?
What Do I Need?
  • CN-Series Firewall
  • CN-Series 10.1.x or above Container Images
  • Panorama
    running PAN-OS 10.1.x or above version
  • Helm 3.6 or above version client
    for CN-Series deployment using helm
The firewall requires a device certificate that authorizes secure access to the Palo Alto cloud-delivered security services (CDSS) such as WildFire, AutoFocus, and Cortex Data Lake. You must apply an auto-registration PIN to apply a CDSS license to your CN-Series firewall deployment. Each PIN is generated on the Customer Support Portal (CSP) and unique to your Palo Alto Networks support account. To successfully install the device certificate, the CN-Series management plane pod (CN-MGMT) must have an outbound internet connection and the following Fully Qualified Domain Names (FQDN) and ports must be allowed on your network.
TCP 80
TCP 443
  • *
TCP 444 and TCP 443
To add a device certificate to an existing deployment without an existing device certificate, you must redeploy the CN-Series firewall after adding the valid PIN ID and value to
. For public cloud CN-Series deployment, you must delete the persistent volume claim before redeployment. For static/native Kubernetes deployments, you must delete the persistent volume claim and persistent volume before redeployment.
  1. Log in to the Palo Alto Networks Customer Support Portal with your account credentials.
  2. Select
    Device Certificates
    Generate Registration PIN
  3. Enter a
    and select a
    PIN Expiration
    from the drop-down.
  4. Save the PIN ID and value.
    Save the PIN ID and value. This PIN ID and value are inputs in the
    file used to deploy the cn-series firewall. Make sure to launch the firewall before the PIN expires.
    # Thermite Certificate retrieval CN-SERIES-AUTO-REGISTRATION-PIN-ID: "<your-pin-id>" CN-SERIES-AUTO-REGISTRATION-PIN-VALUE: "<your-pin-value>"

Recommended For You