>
    Strata Copilot
    Set Up Connectivity with a Thales CipherTrust Manager HSM
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Certificate Management
    4. Secure Keys with a Hardware Security Module
    5. Set Up Connectivity with an HSM (PAN-OS)
    6. Set Up Connectivity with a Thales CipherTrust Manager HSM
    Download PDF
    Next-Generation Firewall

    Set Up Connectivity with a Thales CipherTrust Manager HSM

    Table of Contents

    Set Up Connectivity with a Thales CipherTrust Manager HSM

    Set up HSM connectivity to use Thales CipherTrust Manager.
    To set up connectivity between the Palo Alto Networks firewall (HSM client) and a Thales CipherTrust Manager HSM server, you must specify the IP address of the server, enter a password for authenticating the firewall to the server, and then register the firewall with the server. Before you begin configuring your HSM client, create a partition for the firewall on the HSM server and then confirm that the Thales CipherTrust Manager client version on the firewall is compatible with your Thales CipherTrust Manager HSM server (see Set Up Connectivity with an HSM (PAN-OS)).
    Before the hardware security module (HSM) and firewall connect, the HSM authenticates the firewall based on the firewall IP address. Therefore, you must configure the firewall to use a static IP address—not a dynamic address assigned through DHCP. Operations on the HSM stop working if the firewall IP address changes during runtime.
    HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA configurations, you must manually perform one failover to individually configure and authenticate each HA peer to the HSM. After this initial manual failover, user interaction is not required for a failover to function properly.
    1. Define connection settings for each Thales CipherTrust Manager HSM.
      1. Log in to the firewall web interface and select DeviceSetupHSM.
      2. Edit the hardware security module provider settings and set the Provider Configured to Thales CipherTrust Manager.
      3. Add each HSM server as follows. An HA HSM configuration requires two servers.
        1. Enter a Module Name for the HSM server. This can be any ASCII string of up to 31 characters.
        2. Enter an IPv4 address for the HSM Server Address.
      4. Click OK and Commit your changes.
    2. Set Up HSM Connectivity Account.
      1. Enter the Server Name. This should match the Module Name from the connection setting.
      2. Import the certificates you generated in Thales CipherTrust Manager.
        • HSM Server CA Certificate—Import a Base64 encoded certificate (PEM).
        • HSM Client Certificate—Import a Base64 encoded certificate (PEM).
        • HSM Client Private Key—Import a Base64 encoded certificate (PEM) and enter a Passphrase fewer than 32 characters.
      3. Click OK.
    3. Restart HSM Connection to refresh the PAN-OS state. This removes the old certificates and adds the new certificates.
      1. Click OK.
      2. Wait for the module state to display as Reachable.
    4. Set Up HSM Crypto User Account to match the Thales CipherTrust Manager account you want to use.
      1. Enter a Username.
      2. Enter a Password.
      3. Click OK.
      The success dialog displays and the Status changes to green in the dashboard.
    5. Show Detailed Information to view the new fields.
    6. Confirm that your certificate is imported and valid.
      1. Select DeviceCertification ManagementCertificates, then Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later).
      2. Confirm that the Key displays a lock and the Status is valid.

    © 2026 Palo Alto Networks, Inc. All rights reserved.