Focus

Next-Generation Firewall

Secure Keys with a Hardware Security Module

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Unique Master Key Encryption with AES-256-GCM

Set Up Connectivity with an HSM (PAN-OS)

Secure Keys with a Hardware Security Module

You can use hardware security modules to store and generate digital keys and encrypt master keys.

Where Can I Use This?	What Do I Need?
NGFW (Managed by PAN-OS or Panorama)	No prerequisites needed

A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure storage and generation of digital keys. They provide both logical and physical protection of these materials from unauthorized use and potential adversaries. This protection is why HSMs are used by organizations that need to meet Payment Card Industry Data Security Standard (PCI DSS) requirements or other compliance requirements.

HSM clients integrated with Palo Alto Networks firewalls and Panorama provide enhanced security for the private keys used in SSL/TLS decryption (both SSL Forward Proxy and SSL Inbound Inspection). HSMs also support encrypting master keys stored on an HSM. This provides additional protection.Using an HSM to encrypt master keys ensures that all keys that depend on the master key are protected

The following HSM vendors integrate with Palo Alto Networks firewalls:

SafeNet Network
Thales CipherTrust Manager
Entrust nShield

To secure keys with an HSM, you need to set up connectivity between your NGFW and the HSM server, register the NGFW as an HSM client with the HSM server, then configure the HSM settings to encrypt master keys and store private keys, and any additional steps specific to the HSM product.

Set Up Connectivity on PAN-OS

Set Up Connectivity with an HSM (PAN-OS)

Learn how to set up a secure connection between your NGFW and a hardware security module supported by Palo Alto Networks.

HSM clients are integrated with PA-3200 Series, PA-3400 Series, PA-5200 Series, PA-5400 Series, PA-7000 Series, PA-7500 Series, and VM-Series firewalls and with the Panorama management server (both virtual and M-Series appliances) for use with the following HSM vendors:

nCipher nShield Connect—The supported client versions depend on the PAN-OS release
- PAN-OS 11.0 and 11.1 support client version 12.40.2 (backward compatible up to client version 11.50 for older appliances).
- PAN-OS 9.1, 9.0, and 8.1 support client version 12.30.
- PAN-OS 8.0 and earlier releases support client version 11.62.
SafeNet Network—The supported client versions depend on the PAN-OS release:
- PAN-OS 11.0 and 11.1 support client versions 5.4.2 and 7.2.
- PAN-OS 9.1 and 9.0 support client versions 5.4.2 and 6.3.
- PAN-OS 8.1 supports client versions 5.4.2 and 6.2.2.
- PAN-OS 8.0.2 and later PAN-OS 8.0 releases (also PAN-OS 7.1.10 and later PAN-OS 7.1 releases) support client versions 5.2.1, 5.4.2, and 6.2.2.
Thales CipherTrust Manager—The supported client versions depend on the PAN-OS release:
- PAN-OS 11.1 supports client version 8.14.1.

The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix.

Downgrading HSM servers might not be an option after you upgrade them.

(SafeNet Network prerequisite) On the firewall or Panorama, use the following procedure to select the SafeNet Network client version that is compatible with your SafeNet HSM server.

Install the SafeNet Client RPM Packet Manager.
1. Select DeviceSetupHSM and Select HSM Client Version (Hardware Security Operations settings).
2. Select Version 5.4.2 (default) or 7.2 as appropriate for your HSM server version.
3. Click OK.
4. (Required only if you change the HSM version on the firewall) If the version change succeeds, the firewall prompts you to reboot to change to the new HSM version. If prompted, click Yes.
5. If the master key isn’t on the firewall, the client version upgrade will fail. Close the message and make the master key local to the firewall:
  Edit the Hardware Security Module Provider and disable (clear) the Master Key Secured by HSM option.
  Click OK.
  Select DeviceMaster Key and Diagnostics to edit the Master Key.
  Enter the Current Master Key; you can then enter that same key to be the New Master Key and then Confirm New Master Key.
  Click OK.
  Repeat the first four steps to Select HSM Client Version and reboot again.

Unique Master Key Encryption with AES-256-GCM

Set Up Connectivity with an HSM (PAN-OS)

Next-Generation Firewall Docs

Secure Keys with a Hardware Security Module

Next-Generation Firewall Docs

Secure Keys with a Hardware Security Module

Set Up Connectivity with an HSM (PAN-OS)

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner