How to install PA firewall device certificate for Panorama managed devices

Palo Alto device certificates are required for devices that need to communicate with Palo Alto cloud services. There are two ways to install them - one is directly from the firewall itself, while the other one is for Panorama managed devices.

The procedure is quite simple, but it does require a valid CSP (Customer Support Portal) account, as we will be entering the OTP request into a certificate request generator there.

The first step is to log into Panorama and navigate to Panorama -> Managed Devices -> Summary:

Step 1 - Select the device for which you want to generate the certificate

First, select the device that you want to generate the certificate for, then click Request OTP from CSP at the bottom of the screen. Notice that the DEVICE CERTIFICATE and DEVICE CERTIFICATE EXPIRY DATE columns say that there are no certificates installed and show N/A for expiry.

Step 2 - Click on Custom selected devices

We currently have only one firewall in this Panorama instance, so we will choose the Custom selected devices option, but if you manage multiple firewalls, you can choose the second option as well.

This will now generate an OTP request token that we will copy and paste into the CSP:

Step 3 - Copy OTP request token

Once it is copied, we can close this pop-up window. Next, log into your CSP account and, under Products -> Device Certificates, click the Generate OTP button:

Step 4 - Generate OTP

In the next step, select the option Generate OTP for Panorama managed devices and click Next:

Step 5 - Select Generate OTP for Panorama managed device

Paste the OTP request token copied from Panorama in the next step:

Step 6 - Paste the OTP from Panorama

Click on Generate OTP and you will be notified that it will take a few minutes to generate the OTP.

Once again, go back to Products -> Device Certificates, but this time select View OTP History:

Step 7 - View OTP History

In the next screen, you will be able to copy your newly generated OTP:

Step 8 - Copy the generated OTP

If you're being too hasty, the status will most likely show In progress, but come back after a few minutes and it should change to Completed. You can even download the OTP as a file, but since you will be pasting it into a window in Panorama, you can just click the copy button as indicated in the screenshot above.

Now go back to Panorama and click the Upload OTP button at the bottom right. Another window will pop up where you can paste the OTP obtained from the Customer Support Portal:

Step 9 - Paste the OTP

Click on Upload and that's it. This process is a little more involved than doing it directly on the firewall, but it's meant to be done on multiple firewalls at the same time, not on a single firewall like in this example. Panorama will inform you that the upload was successful and that the device certificate is being installed (no commit necessary), and that you should, once again, wait a few minutes before checking the result. For me it was almost instantaneous, but this is something that may very well be different for you.

The final result should look like this:

Step 10 - Confirm that the certificate has been successfully installed

And that's it - now the device should be able to successfully communicate with CSP and other PA cloud services.