The firewall's hardware TPM generates a public key that must match the record in the Support Portal. If the device was previously registered or had a certificate that wasn't cleared properly, the portal may reject new fetch requests.
You must open a support case with Palo Alto Networks . A support engineer must gain root access (via a challenge/response process) to erase the invalid certificate and hash keys before a new one can be fetched. Known Bug Reference The firewall's hardware TPM generates a public key
If the fetch command simply times out without a clear "match failed" error, MTU is a likely culprit. set deviceconfig system mtu 1374 Follow this with a commit and retry the fetch. 4. Clear Existing Certificate State (Requires TAC) A support engineer must gain root access (via
Immediately attempt to fetch the certificate via the CLI to avoid expiration: request certificate fetch otp 2. Perform a "Commit Force" ensure you are using a valid
Before attempting advanced fixes, ensure you are using a valid, unexpired OTP.
