Focus

Panorama Administrator's Guide

Install the Device Certificate for a Managed Firewall

Table of Contents

Install the Device Certificate for a Managed Firewall

Install the device certificate for selected managed firewalls from the Panorama™ management server.

Where Can I Use This?	What Do I Need?
NGFW (Panorama Managed)	Device management license Support license Outbound internet access Customer Support Portal (CSP) account with one of the following user roles: Super User, Standard User, Limited User, Threat Researcher, AutoFocus Trial Role, Group Super User, Group Standard User, Group Limited User, Group Threat Researcher, Authorized Support Center (ASC) User, and ASC Full Service User. Panorama superuser role

Where Can I Use This?

What Do I Need?

NGFW (Panorama Managed)

Device management license

Support license

Outbound internet access

Customer Support Portal (CSP) account with one of the following user roles:

Super User, Standard User, Limited User, Threat Researcher, AutoFocus Trial Role, Group Super User, Group Standard User, Group Limited User, Group Threat Researcher, Authorized Support Center (ASC) User, and ASC Full Service User.

Panorama superuser role

Select and install the device certificate for managed firewalls from the Panorama management server to use one or more cloud services. You only need to install a device certificate once. The device certificate has a 90-day lifetime. The firewall reinstalls the device certificate 15 days before the certificate expires. In the event the firewall is unable to reinstall the device certificate on its own, you may need to manually restore an expired device certificate.

To successfully install the device certificate on a firewall, the firewall must have outbound internet access and the following Fully Qualified Domain Names (FQDN) and ports must be allowed on your network in order to reach to the CSP. Additionally, the managed firewall must belong to the same CSP account as Panorama in order to generate the One Time Password (OTP) used to install the device certificate.

FQDN	Ports
http://ocsp.paloaltonetworks.com http://crl.paloaltonetworks.com http://ocsp.godaddy.com	TCP 80
https://api.paloaltonetworks.com http://apitrusted.paloaltonetworks.com https://certificatetrusted.paloaltonetworks.com https://certificate.paloaltonetworks.com	TCP 443
*.gpcloudservice.com	TCP 444 and TCP 443

The following Palo Alto Networks Next-Generation firewall models install the device certificate when they first connect to the Palo Alto Networks CSP during the initial registration process. You do not need to manually install the device certificate for these firewall models.

PA-400 Series firewalls

PA-1400 Series firewalls

PA-3400 Series firewalls

PA-5400 Series firewalls

PA-5450 firewall

A Panorama admin with Superuser access privileges is required to generate OTP Request Token and apply the OTP used to install the device certificate on a managed firewall.

(Best Practices) Configure the Network Time Protocol (NTP) server for Panorama.

An NTP server is required to validate the device certification expiration date, ensure the device certificate does not expire early or become invalid.

Select

Panorama

Setup

Services

Select

NTP

and enter the hostname or IP address of the

Primary NTP Server

(Optional) Enter a the hostname or IP address of the

Secondary NTP Server

(Optional) To authenticate time updates from the NTP server(s), for

Authentication Type

, select one of the following for each server.

None
(default)—Disables NTP authentication.

Symmetric Key
—Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.

Key ID
—Enter the Key ID (1-65534)

Algorithm
—Select the algorithm to use in NTP authentication (

MDS

SHA1

)

Click

to save your configuration changes.

Select

Commit

and

Commit to Panorama

Configure the Network Time Protocol (NTP) server for your firewalls.

An NTP server is required to validate the device certification expiration date, ensure the device certificate does not expire early or become invalid.

Select

Device

Setup

Services

and select the

Template

Select one of the following depending on your platform:

For multi-virtual system platforms, select

Global

and edit the Services section.

For single virtual system platforms, edit the Services section.

Select

NTP

and enter the hostname or IP address of the

Primary NTP Server

(Optional) Enter a the hostname or IP address of the

Secondary NTP Server

(Optional) To authenticate time updates from the NTP server(s), for

Authentication Type

, select one of the following for each server.

None
(default)—Disables NTP authentication.

Symmetric Key
—Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.

Key ID
—Enter the Key ID (1-65534)

Algorithm
—Select the algorithm to use in NTP authentication (

MDS

SHA1

)

Click

to save your configuration changes.

Select

Commit

and

Commit and Push

your configuration changes to your managed firewalls.

Generate the OTP Request Token on Panorama.

The OTP Request Token generated on Panorama is used to generate the OTP required to install the device certificate on a managed firewall.

Select

Panorama

Managed Devices

Summary

Select one or more managed firewalls that do not have a device certificate installed.

Select

Request OTP From CSP

Custom selected devices

Copy

the entire output in the OTP Request Token field.

Generate the One Time Password (OTP) for managed firewalls.

OTP lifetime is 60 minutes and expires if not used within the 60 minute lifetime.

Firewall may only attempt to retrieve the OTP from the CSP one time. If the firewall fails for any reason to fetch the OTP, the OTP expires and you must generate a new OTP.

Select

Products

Device Certificates

and

Generate OTP

For the

Device Type

, select

Generate OTP for Panorama managed firewalls

and click

Paste the OTP request you copied in the previous step and

Generate OTP

Click

Done

and wait a few minutes for the OTP to successfully generate.

View OTP History

In the

Current

One Time Password History, copy or download the OTP

Copy to Clipboard

Download

the OTP.

Install the device certificate on managed firewalls.

Managed firewalls must have an outbound internet connection to successfully install the device certificate. After you upload the OTP from Panorama, each managed firewall connects to the Palo Alto Networks CSP to install the device certificate.

Select

Panorama

Managed Devices

Summary

and

Upload OTP

Paste the OTP you generated and

Upload

You must still copy and paste the OTP generated from the Palo Alto Networks CSP even if you downloaded the OTP in the previous step. Uploading the file containing the OTP is not supported.

(WildFire and Advanced WildFire) Log in to the firewall CLI and refresh the firewall settings to establish a connection to the Advanced WildFire cloud with the updated device certificate.

Repeat this step for each managed firewall with an activate WildFire or Advanced WildFire subscription that is actively communicating with the Advanced WildFire cloud service.

admin>request wildfire registration channel public

Verify that the

Device Certificate

column displays as

Valid

and that the

Device Certificate Expiry Date

displays an expiration date.

Install the Device Certificate for Managed Firewalls

Install the Device Certificate for All Managed Firewalls Without a Device Certificate

Panorama Administrator's Guide

Install the Device Certificate for a Managed Firewall

Install the Device Certificate for a Managed Firewall

Recommended For You