Next-Generation Firewall
Secure Keys with a Hardware Security Module
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
-
-
-
-
-
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
-
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1
Secure Keys with a Hardware Security Module
You can use hardware security modules to store and generate digital keys and encrypt
master keys.
Where Can I Use This? | What Do I Need? |
---|---|
NGFW (Managed by PAN-OS or Panorama) |
|
A hardware security module (HSM) is a physical device that manages digital keys. An HSM
provides secure storage and generation of digital keys. They provide both logical and
physical protection of these materials from unauthorized use and potential adversaries.
This protection is why HSMs are used by organizations that need to meet Payment Card
Industry Data Security Standard (PCI DSS) requirements or other compliance
requirements.
HSM clients integrated with Palo Alto Networks firewalls and Panorama provide enhanced
security for the private keys used in SSL/TLS decryption (both SSL Forward Proxy and SSL
Inbound Inspection). HSMs also support encrypting master keys stored on an
HSM. This provides additional protection.Using an HSM to encrypt master keys ensures that all keys that
depend on the master key are protected
The following HSM vendors integrate with Palo Alto Networks firewalls:
- SafeNet Network
- Thales CipherTrust Manager
- Entrust nShield
To secure keys with an HSM, you need to set up connectivity between your NGFW and the HSM server,
register the NGFW as an HSM client with the
HSM server, then configure the HSM settings to encrypt master keys and store private
keys, and any additional steps specific to the HSM product.
Set Up Connectivity with an HSM (PAN-OS)
Learn how to set up a secure connection between your NGFW and a hardware security
module supported by Palo Alto Networks.
HSM clients are integrated with PA-3200 Series, PA-3400 Series, PA-5200 Series,
PA-5400 Series, PA-7000 Series, PA-7500 Series, and
VM-Series firewalls and with the Panorama management server (both virtual and
M-Series appliances) for use with the following HSM vendors:
- nCipher nShield Connect—The supported client versions depend on the PAN-OS release
- PAN-OS 11.0 and 11.1 support client version 12.40.2 (backward compatible up to client version 11.50 for older appliances).
- PAN-OS 9.1, 9.0, and 8.1 support client version 12.30.
- PAN-OS 8.0 and earlier releases support client version 11.62.
- SafeNet Network—The supported client versions depend on the PAN-OS release:
- PAN-OS 11.0 and 11.1 support client versions 5.4.2 and 7.2.
- PAN-OS 9.1 and 9.0 support client versions 5.4.2 and 6.3.
- PAN-OS 8.1 supports client versions 5.4.2 and 6.2.2.
- PAN-OS 8.0.2 and later PAN-OS 8.0 releases (also PAN-OS 7.1.10 and later PAN-OS 7.1 releases) support client versions 5.2.1, 5.4.2, and 6.2.2.
- Thales CipherTrust Manager—The supported client versions depend on the PAN-OS release:
- PAN-OS 11.1 supports client version 8.14.1.
The HSM server version must be compatible with these client versions. Refer to
the HSM vendor documentation for the client-server version compatibility
matrix.
Downgrading HSM servers might not be an option after you
upgrade them.
- Set Up Connectivity with a SafeNet Network HSM
- Set Up Connectivity with an nCipher nShield Connect HSM
- Set Up Connectivity with a Thales CipherTrust Manager HSM
(SafeNet Network prerequisite) On the firewall or Panorama, use the
following procedure to select the SafeNet Network client version that is compatible
with your SafeNet HSM server.
- Install the SafeNet Client RPM Packet Manager.
- Select DeviceSetupHSM and Select HSM Client Version (Hardware Security Operations settings).Select Version 5.4.2 (default) or 7.2 as appropriate for your HSM server version.Click OK.(Required only if you change the HSM version on the firewall) If the version change succeeds, the firewall prompts you to reboot to change to the new HSM version. If prompted, click Yes.If the master key isn’t on the firewall, the client version upgrade will fail. Close the message and make the master key local to the firewall:
- Edit the Hardware Security Module Provider and disable (clear) the Master Key Secured by HSM option.
- Click OK.
- Select DeviceMaster Key and Diagnostics to edit the Master Key.
- Enter the Current Master Key; you can then enter that same key to be the New Master Key and then Confirm New Master Key.
- Click OK.
- Repeat the first four steps to Select HSM Client Version and reboot again.