Set Up Connectivity with a Thales CipherTrust Manager HSM
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Set Up Connectivity with a Thales CipherTrust Manager HSM
Set up HSM connectivity to use Thales CipherTrust Manager.
To set up connectivity between the Palo Alto Networks firewall (HSM client) and a
Thales CipherTrust Manager HSM server, you must specify the IP address of the
server, enter a password for authenticating the firewall to the server, and then
register the firewall with the server. Before you begin configuring your HSM client,
create a partition for the firewall on the HSM server and then confirm that the
Thales CipherTrust Manager client version on the firewall is compatible with your
Thales CipherTrust Manager HSM server (see Set Up Connectivity with an HSM).
Before the hardware security module (HSM) and firewall connect, the HSM authenticates
the firewall based on the firewall IP address. Therefore, you must configure the firewall to use a static IP address—not a
dynamic address assigned through DHCP. Operations on the HSM stop working if the
firewall IP address changes during runtime.
HSM configurations are not synchronized between high availability (HA) firewall
peers. Consequently, you must configure the HSM separately on each peer. In
active/passive HA configurations, you must manually perform one failover to individually
configure and authenticate each HA peer to the HSM. After this initial manual
failover, user interaction is not required for a failover to function
properly.
- Define connection settings for each Thales CipherTrust Manager HSM.
- Log in to the firewall web interface and select DeviceSetupHSM.Edit the hardware security module provider settings and set the Provider Configured to Thales CipherTrust Manager.Add each HSM server as follows. An HA HSM configuration requires two servers.
- Enter a Module Name for the HSM server. This can be any ASCII string of up to 31 characters.
- Enter an IPv4 address for the HSM Server Address.
Click OK and Commit your changes.Set Up HSM Connectivity Account.- Enter the Server Name. This should match the Module Name from the connection setting.Import the certificates you generated in Thales CipherTrust Manager.
- HSM Server CA Certificate—Import a Base64 encoded certificate (PEM).
- HSM Client Certificate—Import a Base64 encoded certificate (PEM).
- HSM Client Private Key—Import a Base64 encoded certificate (PEM) and enter a Passphrase fewer than 32 characters.
Click OK.Restart HSM Connection to refresh the PAN-OS state. This removes the old certificates and adds the new certificates.- Click OK.Wait for the module state to display as Reachable.Set Up HSM Crypto User Account to match the Thales CipherTrust Manager account you want to use.
- Enter a Username.Enter a Password.Click OK.The success dialog displays and the Status changes to green in the dashboard.Show Detailed Information to view the new fields.Confirm that your certificate is imported and valid.
- Select DeviceCertification ManagementCertificates, then Device Certificates.Confirm that the Key displays a lock and the Status is valid.