>
    Strata Copilot
    Set Up Connectivity with a SafeNet Network HSM
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Certificate Management
    4. Secure Keys with a Hardware Security Module
    5. Set Up Connectivity with an HSM (PAN-OS)
    6. Set Up Connectivity with a SafeNet Network HSM
    Download PDF
    Next-Generation Firewall

    Set Up Connectivity with a SafeNet Network HSM

    Table of Contents

    Set Up Connectivity with a SafeNet Network HSM

    Learn how to securely connect your NGFW (HSM client) and a SafeNet Network HSM server.
    To set up connectivity between the Palo Alto Networks firewall (HSM client) and a SafeNet Network HSM server, you must specify the IP address of the server, enter a password for authenticating the firewall to the server, and then register the firewall with the server. Before you begin configuring your HSM client, create a partition for the firewall on the HSM server and then confirm that the SafeNet Network client version on the firewall is compatible with your SafeNet Network HSM server (see Set Up Connectivity with an HSM (PAN-OS)).
    Before the hardware security module (HSM) and firewall connect, the HSM authenticates the firewall based on the firewall IP address. Therefore, you must configure the firewall to use a static IP address—not a dynamic address assigned through DHCP. Operations on the HSM stop working if the firewall IP address changes during runtime.
    HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA configurations, you must manually perform one failover to individually configure and authenticate each HA peer to the HSM. After this initial manual failover, user interaction is not required for a failover to function properly.
    1. Define connection settings for each SafeNet Network HSM.
      1. Log in to the firewall web interface and select DeviceSetupHSM.
      2. Edit the hardware security module provider settings and set the Provider Configured to SafeNet Network HSM.
      3. Add each HSM server as follows. A high availability (HA) HSM configuration requires at least two servers; you can have a cluster of up to 16 HSM servers. All HSM servers in the cluster must run the same SafeNet version and must authenticate separately. Use a SafeNet cluster only when you want to replicate the keys across the cluster. Alternatively, you can add up to 16 SafeNet HSM servers to function independently.
        1. Enter a Module Name (an ASCII string of up to 31 characters) for the HSM server.
        2. Enter an IPv4 address for the HSM Server Address.
      4. (HA only) Select High Availability, specify the Auto Recovery Retry value (maximum number of times the HSM client tries to recover its connection to an HSM server before failing over to an HSM HA peer server; range is 0 to 500; default is 0), and enter a High Availability Group Name (an ASCII string up to 31 characters long).
        If you configure two or more HSM servers, the best practice is to enable High Availability; otherwise, the firewall does not use the additional HSM servers.
      5. Click OK and Commit your changes.
    2. (Optional) Configure a service route to connect to the HSM if you don’t want the firewall to connect through the management interface (default).
      If you configure a service route for the HSM, running the clear session all CLI command clears all existing HSM sessions, which brings all HSM states down and then up again. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
      1. Select DeviceSetupServices and click Service Route Configuration.
      2. Customize a service route. The IPv4 tab is active by default.
      3. Click HSM in the Service column.
      4. Select a Source Interface for the HSM.
      5. Click OK and Commit your changes.
    3. Configure the firewall to authenticate to the HSM.
      1. Select DeviceSetup and Setup Hardware Security Module.
      2. Select the HSM Server Name.
      3. Select Automatic or Manual for your authentication and trust certificate.
      4. Enter the Administrator Password to authenticate the firewall to the HSM.
      5. Click OK.
        The firewall tries to authenticate to the HSM and displays a status message.
      6. Click OK again.
    4. Register the firewall as an HSM client with the HSM server and assign the firewall to a partition on the HSM server.
      If the HSM has a firewall with the same <cl-name> already registered, you must first remove the duplicate registration by running the client delete -client <cl-name> command, where <cl-name> is the name of the registered client (firewall) you want to delete.
      1. Log in to the HSM from a remote system.
      2. Register the firewall using the client register -c <cl-name> -ip <fw-ip-addr> CLI command, where <cl-name> is a name that you assign to the firewall for use on the HSM and <fw-ip-addr> is the IP address for that firewall.
      3. Assign a partition to the firewall using the client assignpartition -c <cl-name> -p <partition-name> CLI command, where <cl-name> is the name you assigned to the firewall using the client register command and <partition-name> is the name of a previously configured partition that you want to assign to this firewall.
    5. Configure the firewall to connect to the HSM partition.
      1. Select DeviceSetupHSM and refresh (
        ) the display.
      2. Setup HSM Partition (Hardware security operations settings).
      3. Enter the Partition Password to authenticate the firewall to the partition on the HSM.
      4. Click OK.
    6. (HA only) Repeat the previous authentication, registration, and partition connection steps to add another HSM to the existing HA group.
      If you remove an HSM from your configuration, repeat the previous partition connection step to remove the deleted HSM from the HA group.
    7. Verify firewall connectivity and authentication with the HSM.
      1. Select DeviceSetupHSM and check the authentication and connection Status:
        • Green—The firewall is successfully authenticated and connected to the HSM.
        • Red—The firewall failed to authenticate to the HSM or network connectivity to the HSM is down.
      2. View the following columns in Hardware Security Module Status to determine the authentication status:
        • Serial Number—The serial number of the HSM partition if the firewall successfully authenticated to the HSM.
        • Partition—The partition name on the HSM that is assigned to the firewall.
        • Module State—The current state of the HSM connection. This value is always Authenticated if the Hardware Security Module Status displays the HSM.

    © 2026 Palo Alto Networks, Inc. All rights reserved.