To set up connectivity between the Palo Alto Networks firewall
(HSM client) and a SafeNet Network HSM server, you must specify
the IP address of the server, enter a password for authenticating
the firewall to the server, and then register the firewall with
the server. Before you begin configuring your HSM client, create
a partition for the firewall on the HSM server and then confirm
that the SafeNet Network client version on the firewall is
compatible with your SafeNet Network HSM server (see Set Up
Connectivity with an HSM).

Before the HSM and firewall connect, the HSM authenticates the
firewall based on the firewall IP address. Therefore, you must
configure the firewall to use a static IP address, not a dynamic
address assigned through DHCP. Operations on the HSM stop working
if the firewall IP address changes during runtime.

HSM configurations are not synchronized between high availability
(HA) firewall peers. Consequently, you must configure the HSM
separately on each peer. In active/passive HA configurations, you
must manually perform one failover to individually configure and
authenticate each HA peer to the HSM. After this initial manual
failover, user interaction is not required for failover to
function properly.