End-of-Life (EoL)
Configure the Master Key
Every firewall and Panorama management server
has a default master key that encrypts all the private keys and
passwords in the configuration to secure them (such as the private
key used for SSL Forward Proxy Decryption).
Change
the default master key as soon as possible to ensure that you use
a unique master key for encryption.
In a high availability
(HA) configuration, you must use the same master key on both firewalls
or Panorama in the pair. Otherwise, HA synchronization will not
work properly.
If you are using Panorama to manage your firewalls,
you must configure the same master key on Panorama and all managed
firewalls. For managed firewalls in an HA configuration, you must
configure the same master key for each HA peer. See Manage the Master Key from Panorama if
the firewall is managed by a Panorama™ management server.
Be
sure to store the master key in a safe location. You cannot recover
the master key and the only way to restore the default master key
is to Reset
the Firewall to Factory Default Settings.
- (HA only) Disable Config Sync (required before deploying a new master key to any firewall HA pair).Before you deploy a new master key to any firewall HA pair, you must disable Config Sync. For Panorama-managed firewalls, if you do not disable Config Sync before deploying a new master key, Panorama loses connectivity to the primary firewall.
- Selectand edit theDeviceHigh AvailabilityGeneralSetup.
- Disable (clear)Enable Config Syncand then clickOK.
- Commityour configuration changes.
- Selectand edit the Master Key section.DeviceMaster Key and Diagnostics
- Enter theCurrent Master Keyif one exists.
- Define a newNew Master Keyand thenConfirm New Master Key. The key must contain exactly 16 characters.
- To specify the master keyLifetime, enter the number ofDaysand/orHoursafter which the key will expire.You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings.Set theLifetimeto two years or less, depending on how many encryptions the device performs. The more encryptions a device performs, the shorter theLifetimeyou should set. The critical consideration is to not run out of unique encryptions before you change the master key. Each master key can provide up to 232unique encryptions based on the master key value and the Initialization Vector (IV) value. After 232unique encryptions, encryptions repeat (are no longer unique), which is a security risk.Set aTime for Remindervalue (see next step) for the master key and when the reminder notification occurs, change the master key.
- Enter aTime for Reminderthat specifies the number ofDaysandHoursbefore the master key expires when the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to display the alarm.Set the reminder so that it gives you plenty of time to configure a new master key before it expires in a scheduled maintenance window. When theTime for Reminderexpires and the firewall or Panorama sends a notification log, change the master key, don’t wait for theLifetimeto expire. For grouped devices, track every device (e.g., firewalls that Panorama manages and firewall HA pairs) and when the reminder value expires for the any device in the group, change the master key.To ensure the expiration alarm displays, select, edit the Alarm Settings, andDeviceLog SettingsEnable Alarms.
- EnableAuto Renew Master Keyto configure the firewall to automatically renew the master key. To configureAuto Renew With Same Master Key, specify the number ofDaysand/orHoursto renew the same master key. The key extension allows the firewall to remain operational and continue securing your network; it is not a replacement for configuring a new key if the existing master key lifetime expires soon.Automatically renewing the master key has benefits and risks. The benefit is that extending the master keyLifetimeprotects against failure to change the master key before its lifetime expires. The risk is that encryptions will repeat and cause a security risk if the number of encryptions the device performs with the master key exceeds the number of unique encryptions the master key can generate (232unique encryptions).If the Master Key expires (you do not automatically renew it and you do not replace it in a timely manner), the device goes into maintenance mode.If you enableAuto Renew Master Key, set it so that the total time (lifetime plus the auto renew time) does not cause the device to run out of unique encryptions. For example, if you believe the device will consume the master key’s number of unique encryptions in two and a half years, you could set theLifetimefor two years, set theTime for Reminderto 60 days, and set theAuto Renew Master Keyfor 60-90 days to provide the extra time to configure a new master key before theLifetimeexpires. However, the best practice is still to change the master key before the lifetime expires to ensure that no device repeats encryptions.Consider the number of days until your next available maintenance window when configuring the master key to automatically renew after the lifetime of the key expires.
- (Optional) For added security, select whether to use anHSMto encrypt the master key. For details, see Encrypt a Master Key Using an HSM.
- ClickOKandCommit.
- (HA only) Re-enable Config Sync.
- Selectand edit theDeviceHigh AvailabilityGeneralSetup.
- Enable (check)Enable Config Syncand then clickOK.
- Commityour configuration changes.
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.