Install the Panorama Device Certificate

Install the Panorama device certificate to leverage Palo Alto Networks cloud services.
Where Can I Use This?
What Do I Need?
  • Panorama
  • CSP
  • Device management license
  • Support license
  • Outbound internet access
  • Customer Support Portal (CSP) account with one of the following user roles:
    • Super User
    • Standard User
    • Limited User
    • Threat Researcher
    • AutoFocus Trial Role
    • Group Super User
    • Group Standard User
    • Group Limited User
    • Group Threat Researcher
    • Authorized Support Center (ASC) User
    • ASC Full Service User
  • Panorama Superuser Role
You must install the device certificate on the Panorama™ management server to use one or more cloud services. You only need to install a device certificate once. The device certificate has a 90-day lifetime. The firewall reinstalls the device certificate 15 days before the certificate expires. In the event Panorama is unable to reinstall the device certificate on its own, you may need to manually restore an expired device certificate.
To successfully install the device certificate, Panorama must have an outbound internet connection and the following Fully Qualified Domain Names (FQDN) and ports must be allowed on your network.

FQDN                                               Ports
http://ocsp.paloaltonetworks.com                   TCP 80
http://crl.paloaltonetworks.com                    TCP 80
http://ocsp.godaddy.com                            TCP 80
https://api.paloaltonetworks.com                   TCP 443
http://apitrusted.paloaltonetworks.com             TCP 443
https://certificatetrusted.paloaltonetworks.com    TCP 443
https://certificate.paloaltonetworks.com           TCP 443
*.gpcloudservice.com                               TCP 444 and TCP 443
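
An added example, not taken from the Palo Alto Networks documentation: a Python preflight check that tests outbound TCP reachability for each FQDN and port listed above before you spend a one-time password on an install attempt. It assumes it runs from a host whose egress path matches that of the Panorama management interface, and the function names are hypothetical. A completed TCP handshake shows only that the port is open, not that a proxy or TLS inspection policy will pass the traffic.

```python
import socket
from urllib.parse import urlsplit

# Endpoint/port rows copied from the list above: (FQDN or URL, allowed TCP ports).
REQUIRED = [
    ("http://ocsp.paloaltonetworks.com", (80,)),
    ("http://crl.paloaltonetworks.com", (80,)),
    ("http://ocsp.godaddy.com", (80,)),
    ("https://api.paloaltonetworks.com", (443,)),
    ("http://apitrusted.paloaltonetworks.com", (443,)),
    ("https://certificatetrusted.paloaltonetworks.com", (443,)),
    ("https://certificate.paloaltonetworks.com", (443,)),
    ("*.gpcloudservice.com", (444, 443)),
]

def targets(rows=REQUIRED):
    """Expand rows into (host, port) pairs; wildcard names are returned separately."""
    concrete, wildcard = [], []
    for entry, ports in rows:
        host = urlsplit(entry).hostname if "://" in entry else entry
        bucket = wildcard if host.startswith("*.") else concrete
        bucket.extend((host, port) for port in ports)
    return concrete, wildcard

def tcp_connect(host, port, timeout=5.0):
    """Return None on a completed TCP handshake, else a short failure reason."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except socket.gaierror:
        return "DNS resolution failed"
    except socket.timeout:
        return "timed out (silently dropped?)"
    except OSError as exc:
        return exc.strerror or str(exc)

def preflight(connect=tcp_connect):
    """Check every concrete target; return {(host, port): reason} for failures."""
    concrete, _ = targets()
    results = ((pair, connect(*pair)) for pair in concrete)
    return {pair: reason for pair, reason in results if reason is not None}

if __name__ == "__main__":
    failures = preflight()
    for (host, port), reason in sorted(failures.items()):
        print(f"BLOCKED {host}:{port} - {reason}")
    for host, port in targets()[1]:
        print(f"MANUAL  {host}:{port} - wildcard, verify the firewall rule itself")
    raise SystemExit(1 if failures else 0)
```

The wildcard entry cannot be probed by name, so the script reports it for manual review of the egress rule.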
  1. Generate the One Time Password (OTP).
    The OTP has a 60-minute lifetime and expires if it is not used within that time.
    Panorama may only attempt to retrieve the OTP from the CSP one time. If Panorama fails for any reason to fetch the OTP, the OTP expires and you must generate a new OTP.
    1. Log in to the Customer Support Portal with a user role that has permission to generate an OTP.
    2. Select Products > Device Certificates and Generate OTP.
    3. For the Device Type, select Generate OTP for Panorama and click Next.
    4. Select the Panorama Device serial number and Generate OTP.
    5. Generate OTP and copy the OTP.
  2. A Panorama admin with Superuser access privileges is required to apply the OTP used to install the device certificate on Panorama.
  3. Configure the Network Time Protocol (NTP) server.
    An NTP server is required to validate the device certificate expiration date and to ensure the device certificate does not expire early or become invalid.
    1. Select Panorama > Setup > Services.
    2. Select NTP and enter the hostname or IP address of the Primary NTP Server.
    3. (Optional) Enter the hostname or IP address of the Secondary NTP Server.
    4. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server.
      • None (default)—Disables NTP authentication.
      • Symmetric Key—Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
        • Key ID—Enter the Key ID (1-65534)
        • Algorithm—Select the algorithm to use in NTP authentication (MD5 or SHA1)
    5. Click OK to save your configuration changes.
    6. Select Commit and Commit to Panorama.
  4. Select Panorama > Setup > Management > Device Certificate Settings and Get certificate.
  5. Enter the One-time Password you generated and click OK.
  6. Panorama successfully retrieves and installs the certificate.
