Connect your NGFW to a Thales Luna Network HSM server to enable secure private key
storage outside the firewall.
To establish connectivity between your Next-Generation Firewall (NGFW) and a Thales Luna
(formerly SafeNet) Network HSM, you must configure HSM server details, setup
authentication from the firewall to the server, register the firewall as an HSM
client, creating a partition for the firewall on the HSM server and then confirm
that the version of Luna HSM Client on the firewall is compatible with your Luna
Network HSM server (see
Set Up Connectivity with an HSM (PAN-OS)) before verifying connectivity.
Before the HSM and firewall connect, the HSM authenticates the firewall using the firewall IP
address.
Configure the firewall to use a static IP address—not a
dynamic address assigned through DHCP. HSM operations stop working if the firewall
IP address changes during runtime.
HSM configurations are not synchronized between high availability (HA) firewall peers.
Consequently, you must configure the HSM separately on each peer. In
active/passive HA configurations, you must
manually perform one failover to configure and
authenticate each HA peer to the HSM. After this initial manual failover,
subsequent failovers do not require user interaction.