Authentication Key for Secure Onboarding

Onboard new firewalls, Log Collectors, and WildFire appliances to the Panorama™ management server using a secure device registration authentication key generated on Panorama.
To strengthen your security posture when onboarding new firewalls, Dedicated Log Collectors, and WildFire appliances to a Panorama™ management server, PAN-OS 10.1 introduces improved mutual authentication between a new device and Panorama on first connection. You can configure an authentication key to have a specific lifetime, specify a count that limits the number of times the authentication key can be used to onboard new devices, specify one or more serial numbers for which the authentication key is valid, and specify the device types for which the authentication key is valid. A device registration authentication key expires after 90 days. After 90 days, you are prompted to re-certify the authentication key to maintain its validity; otherwise the authentication key becomes invalid and is no longer usable.
To securely onboard a new firewall, you must generate a unique device registration authentication key on Panorama. You then import this authentication key to the device, which uses it to securely authenticate and connect to Panorama when the device is onboarded for the first time. A system log is generated each time a firewall uses the Panorama-generated authentication key. Additionally, the device uses the authentication key to authenticate Panorama when Panorama delivers the device certificate that is used for all subsequent communications.
  1. Create the device registration authentication key.
    1. Select Panorama > Device Registration Auth Key and Add a new authentication key.
    2. Configure the authentication key.
      • Name—Enter a descriptive name for the authentication key.
      • Lifetime—Enter the key lifetime to specify how long the authentication key may be used to onboard new firewalls or Log Collectors.
      • Count—Specify how many times the authentication key may be used to onboard new firewalls or Log Collectors.
      • Device Type—Specify whether the authentication key may be used for Firewalls, Log Collectors, or Any device.
      • (Optional) Devices—Enter one or more device serial numbers to specify for which firewalls or Log Collectors the authentication key is valid.
    3. Click OK.
    4. Copy Auth Key and Close.
  2. You must add the device registration authentication key when you configure the Panorama server IP address on the firewall.
  3. Add a Dedicated Log Collector to Panorama as a managed collector.
    1. Add the device registration authentication key.
      admin> request authkey set <auth key>
  4. Add a WildFire appliance to manage with Panorama.
    1. Log in to the WildFire CLI and add the device registration authentication key.
      admin> request authkey set <auth key>
  5. Verify that the managed firewall, Log Collector, and WildFire appliance are connected to Panorama.
    1. Select Panorama > Managed Devices > Summary and verify that the Device State for the new device shows as Connected.
    2. Select Panorama > Managed Collectors and verify that the Run Time Status for the Log Collector shows as Connected.
    3. Select Panorama > Managed WildFire Appliances and verify that the Connected status for the WildFire appliance shows as Connected.
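The constraints the procedure above attaches to a device registration authentication key (lifetime, usage count, device type, optional serial-number list, and the 90-day re-certification window) are modelled below as an added example; this is illustrative code, not PAN-OS or Panorama code, and the field names, the serial numbers, and the way re-certification is represented are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional

# Constructed model of the checks a device registration auth key implies.
# Not PAN-OS code: field names and the re-certification handling are assumed.
RECERTIFY_DAYS = 90  # the page states a key expires after 90 days unless re-certified


@dataclass
class AuthKey:
    name: str
    created: datetime
    lifetime: timedelta              # how long the key may onboard new devices
    count: int                       # remaining onboarding uses
    device_type: str                 # "Firewalls", "Log Collectors" or "Any"
    devices: FrozenSet[str] = field(default_factory=frozenset)  # optional serial list
    recertified: Optional[datetime] = None  # last re-certification, if any

    def expires_at(self) -> datetime:
        # The key is unusable once either the lifetime or the 90-day window passes.
        window_start = self.recertified or self.created
        return min(self.created + self.lifetime,
                   window_start + timedelta(days=RECERTIFY_DAYS))


def check_onboarding(key: AuthKey, device_type: str, serial: str, now: datetime) -> str:
    """Return "ok" and consume one use, or the reason the onboarding is refused."""
    if now >= key.expires_at():
        return "refused: key expired (lifetime or 90-day re-certification window)"
    if key.count <= 0:
        return "refused: usage count exhausted"
    if key.device_type != "Any" and key.device_type != device_type:
        return f"refused: key not valid for device type {device_type}"
    if key.devices and serial not in key.devices:
        return f"refused: serial {serial} not in the key's device list"
    key.count -= 1
    return "ok"


def demo() -> List[str]:
    # Constructed sample: a one-use, 7-day key pinned to a single (made-up) firewall serial.
    key = AuthKey("onboard-branch-fw", datetime(2024, 1, 1), timedelta(days=7), 1,
                  "Firewalls", frozenset({"001901000001"}))
    t = datetime(2024, 1, 2)
    return [
        check_onboarding(key, "Log Collectors", "001901000001", t),  # wrong device type
        check_onboarding(key, "Firewalls", "001901000099", t),       # serial not listed
        check_onboarding(key, "Firewalls", "001901000001", t),       # accepted, consumes the use
        check_onboarding(key, "Firewalls", "001901000001", t),       # count now exhausted
        check_onboarding(key, "Firewalls", "001901000001", datetime(2024, 1, 9)),  # past lifetime
    ]
```

Each refusal corresponds to a condition the Panorama administrator sets when creating the key, which is why a key scoped to one serial and one use gives an attacker who obtains it little to work with.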
