VM-Series Deployment Guide
    : Install a Device Certificate on the VM-Series Firewall
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. License the VM-Series Firewall
    5. VM-Series Models
    6. Install a Device Certificate on the VM-Series Firewall
    Download PDF

    VM-Series Deployment Guide

    Install a Device Certificate on the VM-Series Firewall

    Table of Contents

    Install a Device Certificate on the VM-Series Firewall

    Get the device certificate to activate the site licenses on the VM-Series firewalls.
    The firewall requires a device certificate to retrieve the site license entitlements and securely access cloud services such as WildFire, AutoFocus, and Cortex Data Lake. There are three methods for applying a site license to your VM-Series firewall—One-time password, autoregistration PIN, and through Panorama for managed firewalls. Each password or PIN is generated on the Customer Support Portal and unique to your Palo Alto Networks support account. The method you use depends on the license type used to deploy your firewall and if your firewalls are managed by Panorama. To successfully install the device certificate, the VM-Series firewall requires an outbound internet connection, and the following fully qualified domain names (FQDN) and ports must be allowed on your network.
    • One-time password (OTP)—For VM-Series firewalls previously registered with the Palo Alto Networks licensing server, you must generate a one-time password on the Customer Support Portal and apply it to your VM-Series firewall. Use this method for VM-Series firewalls with a BYOL or ELA license in small-scale, unmanaged deployments and manually deployed VM-Series firewalls managed by Panorama.
    • Registration PIN—This method allows you to apply a site license to your VM-Series firewall at initial startup. Use this method for VM-Series firewalls with usage-based licenses (PAYG), that you bootstrap at launch or with any type of automated deployment, regardless of license type. The autoregistration PIN enables you to automatically register your usage-based firewalls at launch with the Customer Support Portal and retrieve site licenses.
    • If you're using Panorama to manage the VM-Series firewall, see Install the device certificate on a managed firewall.
    For the VM-Series firewall on NSX-T, you can add the autoregistration PIN to your service definition configuration so the device certificate is fetched by the firewall upon initial boot up. See the service definition configuration for NSX-T (North-South) and NSX-T (East-West) for more information. If you upgrade previously-deployed firewalls to PAN-OS version that supports device certificates, you can apply a device certificate to those firewalls individually using a one-time password.
    Use one-time passwords and autoregistration PINs before they expire. If you don't, you must return to the Customer Support Portal to generate a new one.
    FQDN
    Ports
    • http://ocsp.paloaltonetworks.com
    • http://crl.paloaltonetworks.com
    • http://ocsp.godaddy.com
    TCP 80
    • https://api.paloaltonetworks.com
    • http://apitrusted.paloaltonetworks.com
    • https://certificatetrusted.paloaltonetworks.com
    • https://certificate.paloaltonetworks.com
    TCP 443
    • *.gpcloudservice.com
    TCP 444 and TCP 443

    Retrieve Licenses Automatically at Launch

    The firewall requires the device certificate to get the license entitlements and securely access the cloud services. To retrieve the site licenses when you launch the firewall, you must include the auto registration PIN ID and value in the bootstrap parameters. The auto registration PIN ID and value can be used with either the basic or complete bootstrap methods. See Choose a Bootstrap Method for more details about the bootstrap options and configuration.
    The auto registration PIN is valid only for the specified time period. For fully automated environments, such as auto scaling VM-Series deployments, the auto registration PIN should be regenerated before the expiration date and the new PIN ID and Value updated in the bootstrap parameters.
    1. Log in to the Palo Alto Networks Customer Support Portal with your account credentials.
    2. Generate the VM-Series registration PIN.
      1. Select
        Assets
        Device Certificates
         and
        Generate Registration PIN
        .
      2. Enter a
        Description
         and a
        PIN Expiration
         time period.
      3. Click
        Generate Registration PIN
        .
      4. Save the PIN ID and value.
      5. Make sure to launch the firewall before the PIN expires.
    3. Add the registration PIN ID and value in the init-cfg.txt file.
    4. In addition to the required parameters, you must include:
      vm-series-auto-registration-pin-id=
      vm-series-auto-registration-pin-value=
    5. Verify that the device certificate is fetched and that you can see the expected licenses on the firewall.

    Manually Retrieve a Device Certificate

    1. Log in to the Customer Support Portal as a superuser.
      Register your VM-Series firewall, if you have not already.
      Generating an OTP requires superuser privileges on the Customer Support Portal.
    2. Generate the one-time password (OTP).
      OTP lifetime is 60 minutes and expires if not used within the 60-minute lifetime.
      Firewall attempts to retrieve the OTP from the Customer Support Portal once. If the firewall fails for any reason to fetch the OTP, the OTP expires and you must generate a new OTP.
      1. Log in to the Customer Support Portal as a superuser.
        Generating an OTP requires superuser privileges.
      2. Select
        Assets
        Device Certificates
         and
        Generate OTP
        .
      3. For the
        Device Type
        , select
        Generate OTP for Next-Gen Firewall
         and click
        Next
        .
      4. Select your
        PAN OS Device
         serial number and
        Generate OTP
        .
      5. Download OTP
         or
        Copy to Clipboard
        .
    3. An admin with Superuser access privileges is required to apply the OTP used to install the device certificate.
    4. Configure the network time protocol (NTP) server for your firewalls.
      An NTP server is required to validate the device certification expiration date, ensure the device certificate does not expire early or become invalid.
      1. Select
        Device
        Setup
        Services
         and select the
        Template
        .
      2. Select one of the following depending on your platform:
        • For multi-virtual system platforms, select
          Global
           and edit the Services section.
        • For single virtual system platforms, edit the Services section.
      3. Select
        NTP
         and enter the hostname or IP address of the
        Primary NTP Server
        .
      4. (
        Optional
        ) Enter a hostname or IP address of the
        Secondary NTP Server
        .
      5. (
        Optional
        ) To authenticate time updates from the NTP server(s), for
        Authentication Type
        , select one of the following for each server.
        • None
           (default)—Disables NTP authentication.
        • Symmetric Key
          —Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
          • Key ID
            —Enter the Key ID (1-65534)
          • Algorithm
            —Select the algorithm to use in NTP authentication (
            MDS
             or
            SHA1
            )
      6. Click
        OK
         to save your configuration changes.
      7. Select
        Commit
         and
        Commit and Push
         your configuration changes to your managed firewalls.
    5. Select
      Setup
      Management
      Device Certificate
       and
      Get Certificate
      .
    6. Verify that the device certificate is fetched and that you can see the site license on the firewall.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.