Your NGFW must be able to reach Palo Alto services (certificate.paloaltonetworks.com) from its management interface. A failure due to DNS resolution, incorrect static routes, or an upstream firewall blocking outbound HTTPS traffic (TCP 443) will prevent the certificate from being fetched at all.
The Trusted Platform Module (TPM) is a hardware-based security module that provides an additional layer of security to devices. In Palo Alto devices, the TPM is used to securely store and manage cryptographic keys, including the device certificate. The TPM public key is used to authenticate the device and ensure the integrity of the certificate.
Palo Alto Networks hardware platforms (such as the PA-400, PA-1400, PA-3400, and PA-5400 series) use an onboard TPM chip to securely bind a unique cryptographic identity to the physical hardware. The Device Certificate is vital for several enterprise-grade functions:
show system info (provides the exact serial number and software version)
debug device-certificate show
| Bug ID | PAN-OS Versions with Fix |
| :--- | :--- |
| | Fixed in later PAN-OS 10.1.x releases |
| PAN-238792 | Fixed in PAN-OS 10.2.x (10.2.1-h1, 10.2.2-h4, etc.), 11.0.x, and 11.1.x series |
| PAN-313623 | Fixed in PAN-OS 11.1.x (11.1.6-h29, 11.1.10-h21, etc.) and 11.2.x (11.2.7-h12, 11.2.10-h5, etc.). For PAN-OS 12.1.x, check the latest release notes |
For TPM-enabled devices, use the specific command request certificate fetch rather than the OTP-based command.
If the ping fails, investigate your DNS settings (> Setup > Services) or routing tables.
Method 4: Upgrade or Downgrade PAN-OS
"Failed to fetch device certificate. TPM public key match failed."
The serial number is registered to a different tenant or account in the portal.
Management traffic must be allowed to reach certificate.paloaltonetworks.com via the paloalto-shared-services application.
Troubleshooting and Resolution Steps
1. Basic Connectivity and MTU Checks