Set Up Connectivity with a SafeNet Network HSM
Table of Contents
Set Up Connectivity with a SafeNet Network HSM
To set up connectivity between the Palo Alto
Networks firewall (HSM client) and a SafeNet Network HSM server,
you must specify the IP address of the server, enter a password
for authenticating the firewall to the server, and then register
the firewall with the server. Before you being configuring your
HSM client, create a partition for the firewall on the HSM server and then
confirm that the SafeNet Network client version on the firewall
is compatible with your SafeNet Network HSM server (see Set
Up Connectivity with an HSM).
Before the HSM and firewall
connect, the HSM authenticates the firewall based on the firewall
IP address. Therefore, you must configure the firewall to use a static
IP address—not a dynamic address assigned through DHCP. Operations on
the HSM stop working if the firewall IP address changes during runtime.
HSM
configurations are not synchronized between high availability (HA)
firewall peers. Consequently, you must configure the HSM separately
on each peer. In active/passive HA configurations, you must manually perform one failover to individually
configure and authenticate each HA peer to the HSM. After this initial
manual failover, user interaction is not required for failover to function properly.
- Define connection settings for each SafeNet Network
HSM.
- Log in to the firewall web interface and select .
- Edit the Hardware Security Module Provider settings and set the Provider Configured to SafeNet Network HSM.
- Add each HSM server as follows.
A high availability (HA) HSM configuration requires at least two
servers; you can have a cluster of up to 16 HSM servers. All HSM
servers in the cluster must run the same SafeNet version and must
authenticate separately. You should use a SafeNet cluster only when
you want to replicate the keys across the cluster. Alternatively,
you can add up to 16 SafeNet HSM servers to function independently.
- Enter a Module Name (an ASCII string of up to 31 characters) for the HSM server.
- Enter an IPv4 address for the HSM Server Address.
- (HA only) Select High Availability,
specify the Auto Recovery Retry value (maximum
number of times the HSM client tries to recover its connection to
an HSM server before failing over to an HSM HA peer server; range
is 0 to 500; default is 0), and enter a High Availability
Group Name (an ASCII string up to 31 characters long).If you configure two or more HSM servers, the best practice is to enable High Availability. Otherwise the firewall does not use the additional HSM servers.
- Click OK and Commit your changes.
- (Optional) Configure a
service route to connect to the HSM if you don’t want the firewall
to connect through the Management interface (default).If you configure a service route for the HSM, running the clear session all CLI command clears all existing HSM sessions, which brings all HSM states down and then up again. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
- Select and click Service Route Configuration.
- Customize a service route. The IPv4 tab is active by default.
- Click HSM in the Service column.
- Select a Source Interface for the HSM.
- Click OK and Commit your changes.
- Configure the firewall to authenticate to the HSM.
- Select and Setup Hardware Security Module.
- Select the HSM Server Name.
- Enter the Administrator Password to authenticate the firewall to the HSM.
- Click OK.The firewall tries to authenticate to the HSM and displays a status message.
- Click OK again.
- Register the firewall as an HSM client with the HSM server
and assign the firewall to a partition on the HSM server.If the HSM has a firewall with the same <cl-name> already registered, you must first remove the duplicate registration by running the client delete -client <cl-name> command, where <cl-name> is the name of the registered client (firewall) you want to delete.
- Log in to the HSM from a remote system.
- Register the firewall using the client register -c <cl-name> -ip <fw-ip-addr> CLI command, where <cl-name> is a name that you assign to the firewall for use on the HSM and <fw-ip-addr> is the IP address for that firewall.
- Assign a partition to the firewall using the client assignpartition -c <cl-name> -p <partition-name> CLI command, where <cl-name> is the name you assigned to the firewall using the client register command and <partition-name> is the name of a previously configured partition that you want to assign to this firewall.
- Configure the firewall to connect to the HSM partition.
- Select and refresh
( ) the display.
![]()
- Setup HSM Partition (Hardware Security Operations settings).
- Enter the Partition Password to authenticate the firewall to the partition on the HSM.
- Click OK.
- Select and refresh
(
- (HA only) Repeat the previous authentication,
registration, and partition connection steps to add another HSM
to the existing HA group.If you remove an HSM from your configuration, repeat the previous partition connection step to remove the deleted HSM from the HA group.
- Verify firewall connectivity and authentication with
the HSM.
- Select and
check the authentication and connection Status:
- Green—The firewall is successfully authenticated and connected to the HSM.
- Red—The firewall failed to authenticate to the HSM or network connectivity to the HSM is down.
- View the following columns in Hardware Security Module
Status to determine the authentication status:
- Serial Number—The serial number of the HSM partition if the firewall successfully authenticated to the HSM.
- Partition—The partition name on the HSM that is assigned to the firewall.
- Module State—The current state of the HSM connection. This value is always Authenticated if the Hardware Security Module Status displays the HSM.
- Select and
check the authentication and connection Status:
