Next-Generation Firewall
Configure a Master Key
Table of Contents
Configure a Master Key
Learn how to configure a unique master key to secure all private keys and passwords
in a particular configuration.
A master key encrypts all private keys and passwords in a configuration to
secure them (such as the private key used for SSL Forward Proxy decryption). Every
Next-Generation Firewall (NGFW), Panorama appliance, log collector, and WF-500
appliance has a default master key.
Change
the default master key as soon as possible to ensure that you use a unique
master key for encryption.
Master key requirements vary by deployment:
- In a high availability (HA) configuration, both NGFWs or Panorama appliances must use the same master key since keys are not synchronized across HA peers. Otherwise, HA synchronization will not work properly.
- If you're using Panorama to manage your NGFWs, you can either configure the same master key on Panorama and the managed NGFWs or configure a unique master key for each managed NGFW. The most secure option is to configure a unique master key for Panorama and each managed NGFW. This limits the security impact of a compromised master key. See Manage the Master Key from Panorama if your NGFWs are managed by a Panorama appliance.Unique master keys are supported only for Panorama and managed NGFWs. Log collectors and WF-500 appliances must share the same master key as Panorama.
Store master keys in a safe location such as a hardware security module (HSM). Lost master
keys cannot be recovered. The only way to restore the default master key is to reset the NGFW to
factory default settings.
- Backup the configuration.(HA only) Disable configuration synchronization.This step is required before deploying a new master key to any NGFW HA pair.Before deploying a new master key to any NGFW in an HA pair, disable Config Sync. For Panorama managed NGFWs, if you don’t disable Config Sync before deploying a new master key, Panorama loses connectivity to the primary NGFW.
- Select and edit the Setup.Disable (clear) Enable Config Sync and then click OK.Commit your configuration changes.Select and edit the Master Key section.Enter the Current Master Key if one exists.Define a new New Master Key, and then Confirm New Master Key. The key must contain exactly 16 characters.To specify the master key Lifetime, enter the number of Days or Hours after which the key expires.Configure a new master key before the current key expires. If the master key expires, the NGFW or Panorama automatically reboots in Maintenance mode. Then, you must reset the NGFW to factory default settings.Set the Lifetime to two years or less, depending on how many encryptions the device performs. The more encryptions a device performs, the shorter the Lifetime you should set. The critical consideration is to not run out of unique encryptions before you change the master key. Each master key can provide up to 232 unique encryptions based on the master key value and the Initialization Vector (IV) value. After 232 unique encryptions, encryptions repeat (are no longer unique), which is a security risk.Set a Time for Reminder value (see next step) for the master key and when the reminder notification occurs, change the master key.Enter a Time for Reminder that specifies the number of Days and Hours before the master key expires when the NGFW generates an expiration alarm. The NGFW automatically opens the System Alarms dialog to display the alarm.Set the reminder so that it gives you plenty of time to configure a new master key before it expires in a scheduled maintenance window. When the Time for Reminder expires and the NGFW or Panorama sends a notification log, change the master key, don’t wait for the Lifetime to expire. For grouped devices, track every device (for example, NGFWs that Panorama manages and NGFW HA pairs) and when the reminder value expires for any device in the group, change the master key.To ensure the expiration alarm displays, select , edit the Alarm Settings, and Enable Alarms.Enable Auto Renew Master Key to configure the NGFW to automatically renew the master key. To configure Auto Renew With Same Master Key, specify the number of Days or Hours to renew the same master key. The key extension enables the NGFW to remain operational and continue securing your network; it is not a replacement for configuring a new key if the existing master key lifetime expires soon.Automatically renewing the master key has benefits and risks. The benefit is that extending the master key Lifetime protects against failure to change the master key before its lifetime expires. The risk is that encryptions will repeat and cause a security risk if the number of encryptions the device performs with the master key exceeds the number of unique encryptions the master key can generate (232 unique encryptions).If the master key expires (you don’t automatically renew or replace it in a timely manner), the device goes into maintenance mode.If you enable Auto Renew Master Key, set it so that the total time (lifetime plus the auto renew time) does not cause the device to run out of unique encryptions. For example, if you believe the device will consume the master key’s number of unique encryptions in two and a half years, you could set the Lifetime for two years, set the Time for Reminder to 60 days, and set the Auto Renew Master Key for 60-90 days to provide the extra time to configure a new master key before the Lifetime expires. However, the best practice is still to change the master key before the lifetime expires to ensure that no device repeats encryptions.Consider the number of days until your next available maintenance window when configuring the master key to automatically renew after the lifetime of the key expires.(Optional) For added security, select whether to use an HSM to encrypt the master key. For details, see Encrypt and Refresh Master Keys Using an HSM.Click OK and Commit.(HA only) Re-enable configuration synchronization.
- Select and edit the Setup.Enable Config Sync, and then click OK.Commit your changes.
