The firewall local certificate state or crypto files are corrupted.
(needs reboot, backup first):
If the hardware was recently replaced via an RMA, the cloud database must be manually forced to update. Log into the . Navigate to Assets > Devices. Locate the serial number of the problematic firewall.
Many community members have reported that a simple commit force resolved the issue for them. After the commit, attempt to fetch the certificate again.
The firewall must be able to communicate with Palo Alto’s CSP servers (certificate.paloaltonetworks.com and api.paloaltonetworks.com) to retrieve the certificate. This requires reliable outbound internet access from the firewall's management plane, a process that is often hindered by network security policies. Common network-related issues include:
Old software versions struggle to communicate with updated cloud infrastructure APIs.
typically occurs when a Palo Alto Networks firewall cannot validate its hardware-bound Trusted Platform Module (TPM) against the certificate it is trying to retrieve from the Customer Support Portal (CSP).
Core Causes
TPM/CSP Mismatch
Generate a new telemetry or registration token to reset the cloud relationship.
An existing, broken, or expired device certificate gets stuck in the local cache, forcing a key mismatch during renewal.
Before altering firewall configurations, confirm that the hardware serial number matches your cloud account exactly. Log in to the . Navigate to Assets > Devices. Locate your firewall serial number.
Once the old certificate is cleared by support, you will need to generate a new One-Time Password (OTP) from the Palo Alto Customer Support Portal and re-run the request certificate fetch command.
Summary of CLI Commands
Fetch Certificate: request certificate fetch
Check Status: show device-certificate status
This re-enrolls the cert using the TPM key.