Next-Generation Firewall
Set Up Connectivity with an HSM (SCM)
Learn how to set up a secure connection between your Strata Cloud Manager service and
a hardware security module supported by Palo Alto Networks.
HSM clients are integrated with Strata Cloud Manager (SCM) for use with the following
HSM vendors:
- nCipher nShield Connect—The supported client versions are TBD.
- SafeNet Network—The supported client versions are 6.2.1, 6.2.2, 6.3, 7.0, 7.1, and 7.2.
- Thales CipherTrust Manager—The supported client version is 12.40.2, which also has backward compatibility up to version 11.50.
The HSM server version must be compatible with these client versions. Refer to the
HSM vendor documentation for the client-server version compatibility matrix.
Downgrading HSM servers might not be an option after you upgrade them.
- Select Configuration > NGFW and Prisma Access > Device > Device Setup > Management.
- In the Hardware Security Module box, select Customize.
- Under Provider Configured, select one of the three HSM vendors.
- Enter the HSM server information.

SafeNet Network HSM
- Select + and enter the Module Name followed by an IPv4 address for the Server Address.
- (HA only) Select High Availability,
specify the Auto Recovery Retry value (maximum
number of times the HSM client tries to recover its connection to an HSM
server before failing over to an HSM HA peer server; range is 0 to 500;
default is 0), and enter a High Availability Group
Name. If you configure two or more HSM servers, the best practice is to enable High Availability; otherwise, SCM does not use the additional HSM servers.
- Once you have entered all the HSM servers, select Save.

nCipher nShield Connect
- Select + and enter the Module Name followed by an IPv4 address for the Server Address.
- Enter an IPv4 address for the Remote Filesystem Address.
- Once you have entered all the HSM servers, select Save.

Thales CipherTrust Manager HSM
- Enter the Module Name followed by an IPv4 address for the Server Address.
- Select Save.
Once the HSM settings are saved, the Hardware Security Module box displays the provider and server of your HSM.