Unique Master Key for a Managed Firewall
Configure a unique master key for the Panorama™ management
server and for each managed firewall.
Strengthen your security posture by configuring a unique master key for your Panorama™ management server and for each managed firewall. By configuring unique master keys, you can ensure that a compromised master key does not compromise the configuration encryption for your entire deployment.
Unique master keys are supported only for Panorama and managed firewalls.
Log Collectors and WildFire appliances must share the same master
key as Panorama. For Panorama or managed firewalls in a high availability
(HA) configuration, you must deploy the same master key for both
HA peers as the master key is not synchronized across HA peers.
Panorama and managed firewalls support the deployment of unique
master keys by default on upgrade to PAN-OS 10.1.
Configuring a unique master key also eases the operational burden of updating your master keys. By configuring a unique master key for a managed firewall, you can update each master key individually without the need to coordinate changing the master key across a large number of managed firewalls.
(Optional) Select and edit the Master Key to Auto Renew With Same Master Key for your managed firewalls.
Configure this setting to automatically renew the master
key deployed on the managed firewalls associated with the selected
template. Otherwise, the master key expires per the configured master
key lifetime and you must deploy a new master key.
Configure a unique master key for a managed firewall.
Select and Deploy Master Key.
Select a managed firewall and Change the master key.
If you want to deploy a unique master key for a specific
set of managed firewalls, you can select those specific managed
firewalls as well.
Configure the master key.
Review the Last Master Key Push column to verify that the master key was deployed successfully to all selected managed firewalls.
A System log is generated when you deploy a new master key from Panorama.
Select and configure a unique master key for Panorama.
(Optional) Select and edit the Master Key setting to configure the Panorama master key to Auto Renew With Same Master Key.
Configure this setting to automatically renew the master
key deployed on Panorama. Otherwise, the master key expires per
the configured master key lifetime and you must deploy a new master
key.
Select Commit and Commit and Push.