Next-Generation Firewall
Configure the Master Key Strata Cloud Manager
1. Log in to Strata Cloud Manager.
2. Select System Settings > Device Management. The Device Management page displays the firewalls.
3. Select the required firewalls, click Deploy Master Key, and edit the Deploy Master Key section.
4. Enter the Current Master Key if one exists.
5. Define a New Master Key, and then Confirm New Master Key. The key must contain exactly 16 characters.
6. To specify the master key Lifetime, enter the number of Days or Hours after which the key expires.

   Configure a new master key before the current one expires. You can set the lifetime of the master key from 1 to 18,250 days. If the master key expires, the firewall automatically reboots in Maintenance mode. Then, you must reset the NGFW to factory default settings.

   Set the Lifetime to two years or less, depending on how many encryptions the device performs. The more encryptions a device performs, the shorter the Lifetime you should set. The critical consideration is to not run out of unique encryptions before you change the master key. Each master key can provide up to 2^32 unique encryptions based on the master key value and the Initialization Vector (IV) value. After 2^32 unique encryptions, encryptions repeat (are no longer unique), which is a security risk.

   Set a Time for Reminder value (see next step) for the master key, and when the reminder notification occurs, change the master key.
7. Enter a Time for Reminder that specifies the number of Days and Hours before the master key expires when the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to display the alarm.

   Set the reminder so that it leaves enough time to configure a new master key in a scheduled maintenance window before the current key expires. When the Time for Reminder expires and the firewall sends a notification log, change the master key; do not wait for the Lifetime to expire.
8. (Optional) For added security, select whether to use an HSM to encrypt the master key. For details, see Encrypt and Refresh Master Keys Using an HSM.
9. Click Deploy Master Key.
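
The limits in this procedure can be checked before a deployment with a short planning script. The following is an added example, not part of the original documentation or any Palo Alto Networks tool; the function name `check_plan` and the encryptions-per-day estimate are assumptions, and the sample inputs are constructed.

```python
import math
from datetime import datetime, timedelta

KEY_LENGTH = 16              # page: the key must contain exactly 16 characters
MAX_LIFETIME_DAYS = 18_250   # page: lifetime can be 1 to 18,250 days
RECOMMENDED_MAX_DAYS = 730   # page: "two years or less" (taken as 730 days)
ENCRYPTION_BUDGET = 2 ** 32  # page: unique encryptions available per master key


def check_plan(key_len, lifetime_days, reminder_days, enc_per_day, deployed):
    """Check a planned master key rotation against the limits on this page.

    enc_per_day is the operator's own estimate of encryptions per day
    (assumption: the page does not say how to measure it). Only the key
    length is passed in, so the key itself never reaches this script.
    """
    if enc_per_day <= 0:
        raise ValueError("enc_per_day must be positive")
    errors, warnings = [], []
    if key_len != KEY_LENGTH:
        errors.append(f"key is {key_len} characters, must be exactly {KEY_LENGTH}")
    if not 1 <= lifetime_days <= MAX_LIFETIME_DAYS:
        errors.append(f"lifetime must be 1 to {MAX_LIFETIME_DAYS} days")
    if not 0 < reminder_days < lifetime_days:
        errors.append("reminder must fall inside the key lifetime")
    if lifetime_days > RECOMMENDED_MAX_DAYS:
        warnings.append("lifetime is longer than the recommended two years")

    # Days until 2**32 unique encryptions are used up at the estimated rate.
    budget_days = math.floor(ENCRYPTION_BUDGET / enc_per_day)
    if budget_days < lifetime_days:
        warnings.append(f"encryption budget lasts about {budget_days} days; "
                        "shorten the lifetime to that or less")

    expires = deployed + timedelta(days=lifetime_days)
    reminder = expires - timedelta(days=reminder_days)
    exhausted = deployed + timedelta(days=min(budget_days, lifetime_days))
    return {"errors": errors, "warnings": warnings, "expires": expires,
            "reminder": reminder, "rotate_by": min(reminder, exhausted)}


if __name__ == "__main__":
    # Constructed inputs: 16-character key, 2-year lifetime, 30-day reminder,
    # an estimated 10 million encryptions per day, deployed 2025-01-01.
    plan = check_plan(16, 730, 30, 10_000_000, datetime(2025, 1, 1))
    for name, value in plan.items():
        print(f"{name}: {value}")
```

With the constructed inputs, the two-year lifetime passes the range checks, but the 2^32 budget is used up after about 429 days, so the key must be changed well before the reminder would fire.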