Set Up Connectivity with a Thales Luna HSM
Focus
Focus
Next-Generation Firewall

Set Up Connectivity with a Thales Luna HSM

Table of Contents

Set Up Connectivity with a Thales Luna HSM

Connect your NGFW to a Thales Luna Network HSM server to enable secure private key storage outside the firewall.
To establish connectivity between your Next-Generation Firewall (NGFW) and a Thales Luna (formerly SafeNet) Network HSM, you must configure HSM server details, setup authentication from the firewall to the server, register the firewall as an HSM client, creating a partition for the firewall on the HSM server and then confirm that the version of Luna HSM Client on the firewall is compatible with your Luna Network HSM server (see Set Up Connectivity with an HSM (PAN-OS)) before verifying connectivity.
Before the HSM and firewall connect, the HSM authenticates the firewall using the firewall IP address. Configure the firewall to use a static IP address—not a dynamic address assigned through DHCP. HSM operations stop working if the firewall IP address changes during runtime.
HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA configurations, you must manually perform one failover to configure and authenticate each HA peer to the HSM. After this initial manual failover, subsequent failovers do not require user interaction.
  1. Log in to the firewall web interface.
  2. Define connection settings for the Thales Luna Network HSM.
    1. Select DeviceSetupHSM.
    2. Edit the Hardware Security Module Details settings and set Provider Configured to SafeNet Network HSM.
    3. Add each HSM server.
      A high-availability HSM configuration requires at least two servers; you can cluster up to 16 HSM servers. All servers in the cluster must run the same Luna HSM version and authenticate separately. Use a Luna Network cluster only when you want to replicate the keys across the cluster.
      Alternatively, you can add up to 16 Luna Network HSM servers that function independently.
      1. Enter a Module Name (up to 31 ASCII characters) for the HSM server.
      2. Enter the IPv4 Server Address for the HSM.
      If you configure two or more HSM servers, the best practice is to enable High Availability; otherwise, the firewall does not use the additional HSM servers.
    4. (HA only) Enable High Availability and configure the following settings:
      • Auto Recovery Retry—Enter the maximum number of times the HSM client tries to recover its connection to an HSM server before failing over to a peer server (range is 0-500; default is 0)
      • High Availability Group Name—Enter a name for the HA group (up to 31 ASCII characters)
    5. Click OK and Commit your changes.
  3. (Optional) Configure a service route to connect to the HSM if you don’t want the firewall to connect through the management interface (default).
    If you configure a service route for the HSM, running the clear session all CLI command clears all existing HSM sessions, which brings all HSM states down and then up again. During the several seconds required for recovery, all SSL/TLS operations fail.
    1. Select DeviceSetupServices and click Service Route Configuration.
    2. Customize a service route. The IPv4 tab is active by default.
    3. Click HSM in the Service column.
    4. Select a Source Interface for the HSM.
    5. Click OK and Commit your changes.
  4. Configure the firewall to authenticate to the HSM.
    1. Select DeviceSetup and Setup Hardware Security Module.
    2. Select the HSM Server Name.
    3. Select Automatic or Manual for your authentication and trust certificate.
    4. Enter the Administrator Password to authenticate the firewall to the HSM.
    5. Click OK.
      The firewall tries to authenticate to the HSM and displays a status message.
    6. Click OK again.
  5. Register the firewall as an HSM client and assign it to a partition on the HSM server.
    If a client (firewall) with the same <cl-name> is already registered on the HSM, you must delete the duplicate registration before registering the new client. Run the client delete -client <cl-name> command, where <cl-name> is the name of the registered client you want to delete.
    1. Log in to the HSM from a remote system.
    2. Register the firewall using the client register -c <cl-name> -ip <fw-ip-addr> CLI command, where <cl-name> is the name you assign to the firewall for use on the HSM and <fw-ip-addr> is the IP address for that firewall.
    3. Assign a partition to the firewall using the client assignpartition -c <cl-name> -p <partition-name> CLI command, where <cl-name> is the name you assigned to the firewall using the client register command and <partition-name> is the name of a previously configured partition that you want to assign to this firewall.
  6. Configure the firewall to connect to the HSM partition.
    1. Select DeviceSetupHSM and refresh (
      ) the display.
    2. Setup HSM Partition (Hardware security operations settings).
    3. Enter the Partition Password to authenticate the firewall to the partition on the HSM.
    4. Click OK.
  7. (HA only) Repeat the previous authentication, registration, and partition connection steps to add another HSM to the existing HA group.
    If you remove an HSM from your configuration, repeat the previous partition connection step to remove the deleted HSM from the HA group.
  8. Verify firewall connectivity and authentication with the HSM.
    1. Select DeviceSetupHSM and check the authentication and connection Status:
      • Green—The firewall successfully authenticated and connected to the HSM.
      • Red—The firewall failed to authenticate or connect to the HSM.
    2. View the following columns in Hardware Security Module Status to determine the authentication status:
      • Serial Number—The serial number of the HSM partition if the firewall successfully authenticated to the HSM.
      • Partition—The partition name on the HSM assigned to the firewall.
      • Module State—The current state of the HSM connection. This value is always Authenticated if the Hardware Security Module Status displays the HSM.