VM-Series Deployment Guide
    : Install a Device Certificate on the VM-Series Firewall
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. License the VM-Series Firewall
    5. VM-Series Models
    6. Install a Device Certificate on the VM-Series Firewall
    Download PDF

    VM-Series Deployment Guide

    Install a Device Certificate on the VM-Series Firewall

    Table of Contents

    Install a Device Certificate on the VM-Series Firewall

    Get the device certificate to activate the site licenses on the VM-Series firewalls.
    The firewall requires a device certificate to retrieve the site license entitlements and securely access cloud services such as WildFire, AutoFocus, and Cortex Data Lake. There are two methods for applying a site license to your VM-Series firewall—One-time password and auto-registration PIN. Each password or PIN is generated on the Customer Support Portal (CSP) and unique to your Palo Alto Networks support account. The method you use depends on the license type used to deploy your firewall and if your firewalls are managed by Panorama. To successfully install the device certificate, the VM-Series firewall must have an outbound internet connection and the following Fully Qualified Domain Names (FQDN) and ports must be allowed on your network.
    There are three methods for applying a site license to your VM-Series firewall—One-time password, auto-registration PIN, and through Panorama for managed firewalls. Each password or PIN is generated on the Customer Support Portal (CSP) and unique to your Palo Alto Networks support account. The method you use depends on the license type used to deploy your firewall and if your firewalls are managed by Panorama.
    • One Time Password (OTP)—For VM-Series firewalls that have already been registered with Palo Alto Networks licensing server, you must generate a One-Time Password on the Customer Support Portal and apply it to your VM-Series firewall. Use this method for VM-Series firewalls with a BYOL or ELA license in small-scale, unmanaged deployments and manually-deployed VM-Series firewalls managed by Panorama.
    • Registration PIN—This method allows you to apply a site license to your VM-Series firewall at initial startup. Use this method for VM-Series firewalls with usage-based licenses (PAYG), that you bootstrap at launch or with any type of automated deployment, regardless of license type. The auto-registration PIN enables you to automatically register your usage-based firewalls at launch with the CSP and retrieve site licenses.
    • If you are using Panorama to manage the VM-Series firewall, see Install the device certificate on a managed firewall.
    For the VM-Series firewall on NSX-T, you can add the auto-registration PIN to your service definition configuration so the device certificate is fetched by the firewall upon initial boot up. See the service definition configuration for NSX-T (North-South) and NSX-T (East-West) for more information. If you upgrade previously-deployed firewalls to PAN-OS version that supports device certificates, you can apply a device certificate to the those firewalls individually using a one time password.
    One-time passwords and auto-registration PINs must be used before they expire. If you do not, you must return to the CSP to generate a new one.
    FQDN
    Ports
    • http://ocsp.paloaltonetworks.com
    • http://crl.paloaltonetworks.com
    • http://ocsp.godaddy.com
    TCP 80
    • https://api.paloaltonetworks.com
    • http://apitrusted.paloaltonetworks.com
    • https://certificatetrusted.paloaltonetworks.com
    • https://certificate.paloaltonetworks.com
    TCP 443
    • *.gpcloudservice.com
    TCP 444 and TCP 443

    Retrieve Licenses Automatically at Launch

    The firewall requires the device certificate to get the site license entitlements and securely access the cloud services. To retrieve the site licenses when you launch the firewall, in the bootstrap package you must include the authcode in the /license folder, and add the auto registration PIN ID and value in the init-cfg.txt file and place it in the /config folder. Adding the auto registration PIN ID and value also enable auto-registration of the PAYG or usage-based instances on the VM-Series firewall.
    1. Log in to the Customer Support Portal (CSP) as a Superuser.
    2. Generate the VM-Series registration PIN.
      1. Select
        Assets
        Device Certificates
        .
      2. Enter a
        Description
         and a
        PIN Expiration
         time period.
      3. Click
        Generate Registration PIN
        .
      4. Save the PIN ID and value.
      5. Make sure to launch the firewall before the PIN expires.
    3. Add the registration PIN ID and value in the init-cfg.txt file.
    4. In addition to the required parameters, you must include:
      vm-series-auto-registration-pin-id=
      vm-series-auto-registration-pin-value=
    5. Verify that the device certificate is fetched and that you can see the site license on the firewall.

    Manually Retrieve a Device Certificate

    1. Log in to the Customer Support Portal (CSP) as a Superuser.
      Register your VM-Series firewall, if you have not already.
      Superuser privileges are required to generate the OTP.
    2. Generate the One Time Password (OTP).
      OTP lifetime is 60 minutes and expires if not used within the 60 minute lifetime.
      Firewall may only attempt to retrieve the OTP from the CSP one time. If the firewall fails for any reason to fetch the OTP, the OTP expires and you must generate a new OTP.
      1. Log in to the Customer Support Portal as a Superuser.
        Superuser privileges are required to generate the OTP.
      2. Select
        Assets
        Device Certificates
         and
        Generate OTP
        .
      3. For the
        Device Type
        , select
        Generate OTP for Next-Gen Firewall
         and click
        Next
        .
      4. Select your
        PAN OS Device
         serial number and
        Generate OTP
        .
      5. Download OTP
         or
        Copy to Clipboard
        .
    3. An admin with Superuser access privileges is required to apply the OTP used to install the device certificate.
    4. Configure the Network Time Protocol (NTP) server for your firewalls.
      An NTP server is required to validate the device certification expiration date, ensure the device certificate does not expire early or become invalid.
      1. Select
        Device
        Setup
        Services
         and select the
        Template
        .
      2. Select one of the following depending on your platform:
        • For multi-virtual system platforms, select
          Global
           and edit the Services section.
        • For single virtual system platforms, edit the Services section.
      3. Select
        NTP
         and enter the hostname or IP address of the
        Primary NTP Server
        .
      4. (
        Optional
        ) Enter a the hostname or IP address of the
        Secondary NTP Server
        .
      5. (
        Optional
        ) To authenticate time updates from the NTP server(s), for
        Authentication Type
        , select one of the following for each server.
        • None
           (default)—Disables NTP authentication.
        • Symmetric Key
          —Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
          • Key ID
            —Enter the Key ID (1-65534)
          • Algorithm
            —Select the algorithm to use in NTP authentication (
            MDS
             or
            SHA1
            )
      6. Click
        OK
         to save your configuration changes.
      7. Select
        Commit
         and
        Commit and Push
         your configuration changes to your managed firewalls.
    5. Select
      Setup
      Management
      Device Certificate
       and
      Get Certificate
      .
    6. Verify that the device certificate is fetched and that you can see the site license on the firewall.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.