How to install PA firewall device certificate for Panorama managed devices
Palo Alto device certificates are required for devices that need to communicate with Palo Alto cloud services. There are two ways to install them - one is directly from the firewall itself, while the other one is for Panorama managed devices.
The procedure is quite simple, but it does require a valid CSP (Customer Support Portal) account, as we will be entering the OTP request into a certificate request generator there.
The first step is to log into Panorama and then navigate to Panorama -> Managed Devices -> Summary:
We first need to select the device that we want to generate the certificate for and then, at the bottom of the screen, click on Request OTP from CSP. Notice that the columns DEVICE CERTIFICATE and DEVICE CERTIFICATE EXPIRY DATE say that there are no certificates installed and N/A for expiry.
We currently have only one firewall in this Panorama instance, so we will choose the option Custom selected devices, but if you manage multiple firewalls, you can choose the second option as well.
This will now generate an OTP request token, which we will copy and paste into the CSP:
Once copied, we can close this pop-up window. Next, log into your CSP account and under Products -> Device Certificates click on the Generate OTP button:
In the next step, select the option Generate OTP for Panorama managed devices and click Next:
Paste the OTP from Panorama in the next step:
Click on Generate OTP and you will be notified that it will take a few minutes to generate the OTP.
Once again, go back to Products -> Device Certificates, but this time select View OTP History:
In the next screen, you will be able to copy your newly generated OTP:
If you're being too hasty, the status will most likely show In progress, but come back after a few minutes and it should change to Completed. You can even download the OTP as a file, but since you will be pasting it into a window in Panorama, you can just click on the copy button as indicated in the screenshot above.
Now go back to Panorama and click on the Upload OTP button at the bottom right. Another window will pop up where you can paste the OTP obtained from the Customer Support Portal:
Click on Upload and that's it. This process is a bit more involved than doing it directly on the firewall, but it is meant to be done on multiple firewalls at the same time, not on a single firewall as in this example. Panorama will inform you that the request was successful and that the device certificate is being installed (no commit necessary), and that you should, once again, wait a few minutes before checking. For me it was almost instantaneous, but this may very well be different for you.
The final result should look like this:
And that's it - now the device should be able to communicate successfully with the CSP and other PA cloud services.
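Because an expired or missing device certificate silently breaks the cloud services the post mentions, it is worth checking the DEVICE CERTIFICATE and DEVICE CERTIFICATE EXPIRY DATE columns on a schedule rather than only once. The script below is an added example, not part of the original post or of Panorama itself; it assumes you have exported the Managed Devices > Summary table to a CSV with those column headers (the export format, the "N/A" value and the ISO date format are assumptions) and flags devices with no certificate or one expiring within a warning window.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export. Serial numbers are placeholders and the column
# headers mirror the Panorama Managed Devices > Summary table; the exact
# export layout and date format are assumptions, adjust them to your export.
SAMPLE_EXPORT = """\
Device Name,Serial Number,Device Certificate,Device Certificate Expiry Date
fw-branch-01,SERIAL-PLACEHOLDER-1,N/A,N/A
fw-dc-01,SERIAL-PLACEHOLDER-2,Installed,2025-02-10
fw-dc-02,SERIAL-PLACEHOLDER-3,Installed,2025-01-05
fw-lab-01,SERIAL-PLACEHOLDER-4,Installed,2024-12-01
"""


def check_device_certs(csv_text, today, warn_days=30):
    """Return (device name, problem) pairs for devices that need attention.

    A device is flagged when no certificate is installed, when the expiry
    date cannot be parsed, when the certificate has already expired, or when
    it expires within warn_days of `today`.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Device Name"].strip()
        cert = row["Device Certificate"].strip()
        expiry_raw = row["Device Certificate Expiry Date"].strip()
        if cert.upper() == "N/A" or expiry_raw.upper() == "N/A":
            findings.append((name, "no device certificate installed"))
            continue
        try:
            expiry = datetime.strptime(expiry_raw, "%Y-%m-%d").date()
        except ValueError:
            findings.append((name, f"unparseable expiry date {expiry_raw!r}"))
            continue
        days_left = (expiry - today).days
        if days_left < 0:
            findings.append((name, f"certificate expired {-days_left} days ago"))
        elif days_left <= warn_days:
            findings.append((name, f"certificate expires in {days_left} days"))
    return findings


if __name__ == "__main__":
    for device, problem in check_device_certs(SAMPLE_EXPORT, date.today()):
        print(f"{device}: {problem}")
```

Run it from a scheduled job against a fresh export and treat any output as a prompt to repeat the OTP procedure above for the listed devices.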