>
    Strata Copilot
    Strata Cloud Manager
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. NGFW Clustering
    4. Strata Cloud Manager
    Download PDF
    Next-Generation Firewall

    Strata Cloud Manager

    Table of Contents

    Strata Cloud Manager

    Configure an NGFW cluster of two PA-7500 Series firewalls using Strata Cloud Manager.
    Use this process to configure an NGFW Cluster of up to two PA-7500 Series firewalls using Strata Cloud Manager.
    1. Select ConfigurationNGFW and Prisma Access.
    2. For the Configuration Scope, select a folder.
    3. Create an NGFW cluster.
      1. Select Overview and in the Cluster Setup pane, select the gear icon or click on the number of clusters already configured.
      2. Select Clusters and Add Cluster.
      3. On the General tab, enter the Cluster Name containing zero or more alphanumeric characters, underscores (_), hyphens (-), dots (.), or spaces.
      4. (Optional) Enter the Group ID (in the range 1 to 63; the default is 1).
    4. Add devices to the cluster.
      1. On the Select Devices tab, select the Node 1 Device (a PA-7500 Series firewall to assign to the cluster).
      2. Select the Node 2 Device (the second PA-7500 Series firewall to assign to the cluster).
    5. Configure the HSCI-A and HSCI-B links.
      1. On the Communications tab, select the + and add an Inter Firewall Link by selecting hsci-a.
      2. Enter the Key Server Priority in the range 1 to 255.
      3. Select a MACsec Crypto Profile to apply to the link.
      4. Select a MACsec Pre Shared Key Profile to apply to the link.
      5. Repeat this step to configure the hsci-b link.
    6. Configure system monitoring for the NGFW cluster.
      1. On the System Monitoring tab, select the State Upon Capacity Loss: degraded or failed.
      2. Enter the Minimum Network Cards required; range is 1 to 7; default is 1.
      3. Enter the Minimum Data Processing Cards required; range is 1 to 7; default is 1.
      4. Save the configuration.
    7. Create a MACsec policy to apply to the HSCI ports.
      1. On the MACsec Profiles tab, Add MACsec Policy.
      2. Enter a Name for the profile, which contains zero or more alphanumeric characters, underscores (_), hyphens (-), or dots (.). The name is a maximum of 31 characters.
      3. Select the Encryption type: AES-128-GCM (default) or AES-256-GCM.
      4. Select the Confidentiality Offset to specify a number of bytes (starting from the frame header), after which MACsec encrypts the bytes in a frame. The value is 0 (default), 30, or 50.
      5. Enable SCI Include to include the Secure Channel Identifier (SCI) tag in the Security Tag field of the MACsec header. The default is disabled.
      6. Enable Anti Replay to enable replay protection. This allows a MACsec port to accept frames out of order if they are within the Anti Replay Window. The default is disabled.
      7. Enter the Anti Replay Window size in the range 0 to 65,535; the default is 16,384. This value determines the range of packet numbers that the port will accept, for packets that might be out of order. The port will accept packets with a packet number greater than or equal to the last packet number minus the window size. For example, after the port receives packet number 12, if the window is 5, the port will subsequently accept only packets numbered 7 or higher.
        Specify an Anti Replay window size based on the traffic rate because the HSCI ports will likely experience packets arriving out of order due to prioritization or load balancing in the network.
      8. Enter the SAK Rekey Interval (sec) in seconds; range is 60 to 86,400; default is 3,600. Connectivity Association participants negotiate a Secure Association agreement, which includes a cipher suite and keys. A Key Server generates a Secure Association Key (SAK) from the Connectivity Association Key (CAK); the SAK is refreshed at the SAK rekey interval. The end-to-end nodes use the SAK to encrypt traffic for a given session. To avoid the SAKs of all interfaces being refreshed at the same time, MACsec might spread the rekeying actions evenly by subtracting a small random number from the SAK rekey interval.
    8. Create a MACsec pre-shared key profile.
      1. On the MACsec Profiles tab, Add Pre Shared Key.
      2. Enter a Name for the pre shared key profile, which contains zero or more alphanumeric characters, underscores (_), hyphens (-), dots (.), or spaces. The name is a maximum of 31 characters.
      3. Enter the CKN (Connectivity Association Key Name) that identifies the Connectivity Association Key. The CKN is 1 byte to 32 bytes of hexadecimal string (2 to 64 hex digits) with an even number of digits; for example, 1234.
      4. Enter the CAK (Connectivity Association Key), which is a 16-byte hexadecimal string (32 hex digits) for AES-128-GCM, or a 32-byte hexadecimal string (64 hex digits) for AES-256-GCM. The CAK is used to generate all other keys used for MACsec. An example CAK for AES-128-GCM is 12345678912345678912345678912345. A CAK for AES-256-GCM is twice as long as a CAK for AES-128-GCM.
      5. Confirm CAK.
      6. Save the profiles.

    © 2025 Palo Alto Networks, Inc. All rights reserved.