auth-key vs vm-auth-key vs Device Registration Auth Key

auth-key vs vm-auth-key vs Device Registration Auth Key

413
Created On 02/02/26 20:11 PM - Last Modified 03/09/26 19:37 PM


Question


What’s the difference between “vm-auth-key” and “auth-key” in my user data / init-cfg.txt file, and where should one use the "Device Registration Auth Key"?

Environment


  • Bootstrapping a VM-Series Firewall while using basic configuration to bootstrap it (Palo Alto Networks, Inc., 2024).

  • (Optional) The Firewall is expected to: onboard a Panorama; and be licensed by the Panorama Software Firewall License Plugin (Palo Alto Networks, Inc., 2024).

Answer


  • "auth-key":

    • This is the Auth key generated by the Panorama Software Firewall License plugin when it is used to license the Firewall. 

    • Typical format: 

      • “_AQ__Oe9…”

      • Will always start with “_AQ

      • Your Panorama will conveniently display, and let you copy, this Auth key along with other relevant bootstrap parameters, directly via the GUI under Panorama > SW Firewall License > License Managers > Click on “Show Bootstrap Parameters " for your License Manager

    • Use this value if you’re using the Panorama Software Firewall License Plugin to bootstrap your Firewalls.

    • Reference: step 4 of the “Use Panorama-Based Software Firewall License Management” document (linked in the References in the “Additional Information” section).



  • "vm-auth-key":

    • This is the Auth key you generate by running “request bootstrap vm-auth-key generate lifetime <1-8760>” on your Panorama CLI.

    • Typical format: 

      • E.g. “755036225328715” 

      • Will be all numbers

    • Use this value if you wish to bootstrap your Firewalls and have them register themselves to your Panorama automatically, but you ARE NOT using the Panorama Software Firewall License Plugin to bootstrap your Firewalls.

    • This Auth key cannot be viewed on the Panorama GUI; it can be viewed only on the CLI by running “request bootstrap vm-auth-key show”.

    • This Auth key is different from the "Device Registration Auth Key"; if you use the "Device Registration Auth Key" to bootstrap your Firewall while actually intending to use this key, the Firewall will not onboard onto the Panorama and you will have to redeploy the Firewall.

    • Reference: The “Generate the VM Auth Key on Panorama” document (linked in the References in the “Additional Information” section).



  • "Device Registration Auth Key":

    • This is the Auth key you generate from the Panorama GUI > Panorama > Device Registration Auth Key:

 

 

 

  • Typical format: 

    • E.g. “2:xQ56BgvCR3q3VvxKWvEeTwpv26PdwUKFvdGK4No6HFJJX8OoW6gQhpBhRyH255XigES64pPdubZZwoZ-UclsUQ” 

    • Has a colon near the start of the string, most likely “2:

  • This auth key is used to onboard Log Collectors, WildFire appliances, and non-bootstrapped Firewalls to the Panorama, and therefore does not apply to bootstrapped Firewalls.

  • This key can therefore be used to onboard newly-deployed Firewalls only if they have not been bootstrapped.

  • This Auth key is different from the "vm-auth-key"; if you use the "Device Registration Auth Key" to bootstrap your Firewall while actually intending to use this key, the Firewall will not onboard onto the Panorama and you will have to redeploy the Firewall.

  • Reference: The “Panorama > Device Registration Auth Key” document (linked in the References in the “Additional Information” section).

 

In conclusion:

  • Out of the three, only the “vm-auth-key” and the “auth-key” are used for bootstrapping; "Device Registration Auth Key” is not.

  • Only one value between the “vm-auth-key” and the “auth-key” will be used during bootstrapping while specifying bootstrap parameters (e.g. in the init-cfg.txt file) and based on the use case; both values should not be used simultaneously.

  • This article supersedes the other article written to address this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OfHCAU

Additional Information


References

Palo Alto Networks, Inc. (2024, 03 14). Choose a Bootstrap Method. Palo Alto Networks TechDocs. https://docs.paloaltonetworks.com/vm-series/11-1/vm-series-deployment/bootstrap-the-vm-series-firewall/choose-a-bootstrap-method

Palo Alto Networks, Inc. (2024, 03 14). Use Panorama-Based Software Firewall License Management. Palo Alto Networks TechDocs. https://docs.paloaltonetworks.com/vm-series/11-1/vm-series-deployment/license-the-vm-series-firewall/use-panorama-based-software-firewall-license-management

Palo Alto Networks, Inc. (2024, 04 23). Panorama Software Firewall License Plugin. Palo Alto Networks TechDocs. https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/panorama-software-firewall-license-plugin

Palo Alto Networks, Inc. (2025, 12 15). Panorama > Device Registration Auth Key. Palo Alto Networks TechDocs. https://docs.paloaltonetworks.com/ngfw/help/11-1/panorama-web-interface/panorama-device-registration-auth-key
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000oMA9KAM&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail