To set up connectivity between the Palo Alto
Networks firewall (HSM client) and a SafeNet Network HSM server,
you must specify the IP address of the server, enter a password
for authenticating the firewall to the server, and then register
the firewall with the server. Before you begin configuring your
HSM client, create a partition for the firewall on the HSM server and then
confirm that the SafeNet Network client version on the firewall
is compatible with your SafeNet Network HSM server (see Set Up
Connectivity with an HSM).

Before the HSM and firewall
connect, the HSM authenticates the firewall based on the firewall
IP address. Therefore, you must configure the firewall to use a static
IP address—not a dynamic address assigned through DHCP. Operations on
the HSM stop working if the firewall IP address changes during runtime.

HSM configurations are not synchronized between high availability (HA)
firewall peers. Consequently, you must configure the HSM separately
on each peer. In active/passive HA configurations, you must
manually perform one failover to individually
configure and authenticate each HA peer to the HSM. After this initial
manual failover, user interaction is not required for failover to function properly.