Learn how to install a device certificate to license the CN-Series
firewall.
Where Can I Use This? | What Do I Need?

- CN-Series 10.1.x or above Container Images
- Panorama running PAN-OS 10.1.x or above version
- Helm 3.6 or above version client for CN-Series deployment using helm

The firewall requires a device certificate that authorizes secure access to the Palo
Alto cloud-delivered security services (CDSS) such as WildFire, AutoFocus, and
Strata Logging Service. You must use an auto-registration PIN to apply a CDSS
license to your CN-Series firewall deployment. Each PIN is generated on the
Customer Support Portal (CSP) and is unique to your Palo Alto Networks
support account. To successfully install the device certificate, the CN-Series
management plane pod (CN-MGMT) must have an outbound internet connection, and the
following fully qualified domain names (FQDNs) and ports must be allowed on your
network.

| FQDN | Ports |
|------|-------|
|  | TCP 80 |
| https://api.paloaltonetworks.com, http://apitrusted.paloaltonetworks.com, https://certificatetrusted.paloaltonetworks.com, https://certificate.paloaltonetworks.com | TCP 443 |
|  | TCP 444 and TCP 443 |

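A preflight check for the egress requirement above, as an added example that is not Palo Alto Networks code: it prints the host and port allow-list taken from the table and, with `--probe`, tests each TCP connection. It covers only the FQDNs present on this page, and assumes it runs from a host or debug pod that shares the CN-MGMT pod's egress path, with `nc` or `bash` available.

```shell
#!/bin/sh
# Added example: preflight for the device-certificate egress requirements.
# Endpoint list copied from the page's table; all four are listed under TCP 443.
# Assumption: this runs somewhere that shares the CN-MGMT pod's egress path.
ENDPOINTS='https://api.paloaltonetworks.com 443
http://apitrusted.paloaltonetworks.com 443
https://certificatetrusted.paloaltonetworks.com 443
https://certificate.paloaltonetworks.com 443'

# Strip scheme, path and any explicit port from a URL, leaving the bare FQDN.
url_host() {
    h=${1#*://}
    h=${h%%/*}
    printf '%s\n' "${h%%:*}"
}

# Emit one "host port" line per endpoint: what the egress policy must allow.
plan() {
    printf '%s\n' "$ENDPOINTS" | while read -r url port; do
        printf '%s %s\n' "$(url_host "$url")" "$port"
    done
}

# Return 0 if a TCP connection to host ($1) port ($2) opens within 5 seconds.
probe() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$1" "$2" >/dev/null 2>&1
    else
        timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" >/dev/null 2>&1
    fi
}

# Probe every planned endpoint; the return status is the number unreachable.
check_all() {
    failed=0
    for pair in $(plan | tr ' ' ':'); do
        if probe "${pair%:*}" "${pair#*:}"; then
            echo "OK    $pair"
        else
            echo "FAIL  $pair"; failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Default: print the allow-list only. Pass --probe to open real connections.
if [ "${1:-}" = "--probe" ]; then check_all; else plan; fi
```

A `FAIL` line means the TCP handshake did not complete from that vantage point; a successful probe does not validate TLS or any proxy inspection in the path.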
To add a device certificate to an existing deployment
that does not already have one, you must redeploy the CN-Series firewall
after adding the valid PIN ID and value to
pan-cn-mgmt-secret.yaml. For public cloud CN-Series
deployments, you must delete the persistent volume claim before redeployment. For
static/native Kubernetes deployments, you must delete the persistent volume claim
and persistent volume before redeployment.