Palo Alto: Failed To Fetch Device Certificate, TPM Public Key Match Failed

Provide the Technical Assistance Center (TAC) engineer with your firewall's serial number and a complete system log export.

If the above steps fail, it often indicates a critical failure where the internal TPM-bound certificate must be manually cleared.

> show system info | match hostname
> show device-certificate status
> debug tpm show status
> debug tpm show public-key

After reboot:

If you continue to see "Failed to send request to CSP server" or OCSP errors, the problem is likely network connectivity. Ensure your firewall's management interface can reach Palo Alto's services. A key fix from the community is to change the service route for "Palo Alto Networks Services" from the dedicated MGMT interface to an outside dataplane interface (e.g., ethernet1/1) under Device > Setup > Services > Service Route Configuration.

When a device certificate expires or attempts a renewal, the firewall occasionally generates orphaned, local .pub_pem configuration fragments inside its secure directory structure. These stale fragments conflict with subsequent One-Time Password (OTP) installation attempts.

Ensure your management traffic allows the paloalto-shared-services application and has access to certificates.paloaltonetworks.com.

When to Contact TAC

If you see "failed to fetch device certificate TPM public key match failed" on your Palo Alto Networks Next-Generation Firewall (NGFW), your hardware Trusted Platform Module (TPM) chip public key does not match the cloud records in the Palo Alto Networks Customer Support Portal (CSP). This cryptographic mismatch completely blocks the firewall from downloading its unique operational identity certificate.

If the fetch times out, try lowering the Management Interface MTU (e.g., to 1374) in Device > Setup > Interfaces to ensure communication with the CSP isn't being fragmented and dropped.

+------------------------------------------------------------+
|               Palo Alto TAC Resolution Path                |
+------------------------------------------------------------+
| 1. Secure Challenge/Response -> 2. Root Access Elevation   |
|                                                            |
| 3. Wipe Invalid Local Certs -> 4. Update Portal Hash/Key   |
+------------------------------------------------------------+

The error message "failed to fetch device certificate TPM public key match failed"

A valid device certificate is critical for core functionalities, including device telemetry, Cloud Identity Engine (CIE) synchronization, and Cloud-Delivered Security Services (CDSS) like Advanced WildFire, DNS Security, and Advanced URL Filtering. When it fails, security updates and cloud sync actions stop completely.

Technical Causes of the TPM Key Mismatch