Install the Device Certificate for Multiple Managed Firewalls

Install the device certificate for multiple managed firewalls from the Panorama™ management server.
In PAN-OS 10.0 and later releases, you must install the device certificate for managed firewalls from the Panorama management server. The managed firewalls must have internet access to successfully install the device certificate.
  1. Register Panorama and managed firewalls with the Palo Alto Networks Customer Support Portal (CSP).
  2. Configure the Network Time Protocol (NTP) server.
    An NTP server is required to validate the device certificate expiration date and to ensure the device certificate does not expire early or become invalid.
    1. Select Device > Setup > Services and select the Template.
    2. Select one of the following depending on your platform:
      • For multi-virtual system platforms, select Global and edit the Services section.
      • For single virtual system platforms, edit the Services section.
    3. Select NTP and enter the hostname pool.ntp.org as the Primary NTP Server or enter the IP address of your primary NTP server.
    4. (Optional) Enter a Secondary NTP Server address.
    5. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server.
      • None (default)—Disables NTP authentication.
      • Symmetric Key—Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
        • Key ID—Enter the Key ID (1-65534)
        • Algorithm—Select the algorithm to use in NTP authentication (MD5 or SHA1)
    6. Click OK to save your configuration changes.
    7. Select Commit and Commit and Push your configuration changes to your managed firewalls.
  3. Select Panorama > Managed Devices > Summary.
  4. Select Request OTP From CSP > Select all devices without a certificate.
  5. Copy the entire OTP request token.
  6. Generate the One Time Password (OTP) for managed firewalls.
    1. Select Assets > Device Certificates and Generate OTP.
    2. For the Device Type, select Generate OTP for Panorama managed firewalls.
    3. Paste the OTP request you copied in the previous step and Generate OTP.
    4. Click Done and wait a few minutes for the OTP to successfully generate. You can refresh the page if the new OTP is not displayed.
    5. Copy to Clipboard or Download the OTP.
  7. Select Panorama > Managed Devices > Summary and Upload OTP.
  8. Paste the OTP you generated and click Upload.
  9. Verify that the Device Certificate column displays as Valid and that the Device Certificate Expiry Date displays an expiration date.
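
To show what the Symmetric Key option in the NTP step protects, the following added example (not part of the original page and not Palo Alto Networks code) computes and checks the NTP message authentication code, digest = H(shared secret || 48-byte header), for MD5 or SHA1. The secret, key table and sample packet are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

# NTP symmetric-key MAC layout: 48-byte header, 4-byte key ID, then the digest.
# digest = H(shared_secret || header); H is MD5 (16 bytes) or SHA1 (20 bytes).
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}
HEADER_LEN = 48

def sign(header: bytes, key_id: int, secret: bytes, algorithm: str) -> bytes:
    """Append key ID and digest to an NTP header, as an authenticating server does."""
    if not 1 <= key_id <= 65534:          # Key ID range given in the procedure
        raise ValueError("key ID must be 1-65534")
    if len(header) != HEADER_LEN:
        raise ValueError("NTP header must be 48 bytes")
    digest = DIGESTS[algorithm](secret + header).digest()
    return header + struct.pack("!I", key_id) + digest

def verify(packet: bytes, keys: dict) -> bool:
    """Client-side check; keys maps key_id -> (algorithm, secret)."""
    if len(packet) <= HEADER_LEN + 4:     # no MAC present: reject when auth is required
        return False
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    if key_id not in keys:                # key ID not provisioned on this client
        return False
    algorithm, secret = keys[key_id]
    expected = DIGESTS[algorithm](secret + header).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + 4:])

def sample_header(transmit_seconds: int) -> bytes:
    """Constructed server reply: LI=0, VN=4, mode=4, stratum 2; other fields zero."""
    first_word = struct.pack("!BBbb", (4 << 3) | 4, 2, 6, -20)
    return first_word + bytes(36) + struct.pack("!II", transmit_seconds, 0)

if __name__ == "__main__":
    keys = {10: ("SHA1", b"constructed-shared-secret")}   # constructed key table
    good = sign(sample_header(3_900_000_000), 10, keys[10][1], "SHA1")
    # Same MAC attached to a header whose transmit time was changed in transit.
    altered = sample_header(4_200_000_000) + good[HEADER_LEN:]
    print("authentic reply accepted:", verify(good, keys))
    print("altered reply accepted:", verify(altered, keys))
    print("unauthenticated reply accepted:", verify(sample_header(0), keys))
```

With authentication set to None, a client has no equivalent of `verify`, so a reply carrying a shifted time is indistinguishable from a genuine one when the certificate expiration date is evaluated.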