PAN-OS ® New Features Guide
    : Authentication Key for Secure Onboarding
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS ® New Features Guide
    4. Panorama Features
    5. Authentication Key for Secure Onboarding
    Download PDF

    PAN-OS ® New Features Guide

    Authentication Key for Secure Onboarding

    Table of Contents

    Authentication Key for Secure Onboarding

    Onboard new firewalls, Log Collectors, and WildFire appliances to the Panorama™ management server using a secure device registration authentication key generated on Panorama.
    To strengthen your security posture when onboarding new firewalls, Dedicated Log Collectors, and WildFire appliances to a Panorama™ management server, PAN-OS 10.1 introduces improved mutual authentication between a new device and Panorama on first connection. You can configure an authentication key to have a specific lifetime, specify the count to determine the number of times the authentication key can be used to onboard new devices, specify one or more serial numbers for which the authentication key is valid, and specify for which devices the authentication key is valid.
    To securely onboard a new firewall, you must generate a unique device registration authentication key on Panorama. You then import this authentication key to the device to securely authenticate and connect to Panorama when the device is onboarded for the first time. A system log is generated each time a firewall uses the Panorama-generated authentication key is used. Additionally, the device uses the authentication key to authenticate Panorama when it delivers the device certificate that is used for all subsequent communications.
    (PAN-OS 10.1 only) For devices running a PAN-OS 10.1 release, Panorama running PAN-OS 10.1.3 or later release supports onboarding devices running PAN-OS 10.1.3 or later release only. You cannot add a device running PAN-OS 10.1.2 or earlier PAN-OS 10.1 release to Panorama management if Panorama is running PAN-OS 10.1.3 or later release.
    Panorama supports onboarding devices running the following releases:
    • Panorama running PAN-OS 10.1.2 or earlier PAN-OS 10.1 release— Devices running PAN-OS 10.1.2 or earlier PAN-OS 10.1 release, and devices running PAN-OS 10.0 or earlier PAN-OS release.
    • Panorama running PAN-OS 10.1.3 or later release— Devices running PAN-OS 10.1.3 or later release, and devices running PAN-OS 10.0 or earlier PAN-OS release.
    There is no impact to devices already managed by Panorama on upgrade to PAN-OS 10.1.
    1. Log in to the Panorama web interface.
    2. Create the device registration authentication key.
      1. Select PanoramaDevice Registration Auth Key and Add a new authentication key.
      2. Configure the authentication key.
        • Name—Enter a descriptive name for the authentication key.
        • Lifetime—Enter the key lifetime to specify how long the authentication key may be used to onboard new firewalls or Log Collectors.
        • Count—Specify how many times the authentication key may be used to onboard new firewalls or Log Collectors.
        • Device Type—Specify whether the authentication key may be used for Firewalls, Log Collectors, or Any device.
        • (Optional) Devices—Enter one or more device serial numbers to specify for which firewalls or Log Collectors the authentication key is valid.
      3. Click OK.
      4. Copy Auth Key and Close.
    3. On Panorama, add a firewall as a managed device.
      You must add the device registration authentication key when you configure the Panorama server IP address on the firewall.
      The device registration authentication key is required only when manually onboarding a firewall to Panorama management. A device registration authentication key is not required when leveraging Zero Touch Provisioning (ZTP) to onboard a firewall to Panorama management because ZTP provides its own security when onboarding a firewall.
    4. Add a Dedicated Log Collector to Panorama as a managed collector.
      1. On Panorama, configure a managed collector.
      2. Log in to the Log Collector CLI.
      3. Add the device registration authentication key. 
        admin> request authkey set <auth key>
    5. Add a WildFire appliance to manage with Panorama.
      1. On Panorama, Add Standalone WildFire Appliances to Manage with Panorama.
      2. Log in to the WildFire CLI and add the device registration authentication key. 
        admin> request authkey set <auth key>
    6. Verify that the managed firewall, Log Collector, and WildFire appliance are connected to Panorama.
      1. Select PanoramaManaged DevicesSummary and verify that the Device State for the new device shows as Connected.
      2. Select PanoramaManaged Collectors and verify that the Run Time Status for the Log Collector shows as Connected.
      3. Select PanoramaManaged WildFire Appliances and verify that the Connected status for the WildFire appliance shows as Connected.

    © 2025 Palo Alto Networks, Inc. All rights reserved.