Unique Master Key for a Managed Firewall

Configure a unique master key for the Panorama™ management server and for each managed firewall.
Strengthen your security posture by configuring a unique master key for your Panorama™ management server and for each managed firewall. By configuring unique master keys, you can ensure that a compromised master key does not compromise the configuration encryption for your entire deployment. Unique master keys are supported only for Panorama and managed firewalls. Log Collectors and WildFire appliances must share the same master key as Panorama. For Panorama or managed firewalls in a high availability (HA) configuration, you must deploy the same master key for both HA peers because the master key is not synchronized across HA peers. Panorama and managed firewalls support the deployment of unique master keys by default on upgrade to PAN-OS 10.1.
Configuring a unique master key also eases the operational burden of updating your master keys. By configuring a unique master key for a managed firewall, you can update each master key individually without the need to coordinate changing the master key across a large number of managed firewalls.
  1. (Optional) Select Device > Master Key and Diagnostics and edit the Master Key to Auto Renew With Same Master Key for your managed firewalls.
    Configure this setting to automatically renew the master key deployed on the managed firewalls associated with the selected template. Otherwise, the master key expires per the configured master key lifetime and you must deploy a new master key.
  2. Configure a unique master key for a managed firewall.
    1. Select Panorama > Managed Devices > Summary and Deploy Master Key.
    2. Select a managed firewall and Change the master key.
      If you want to deploy a unique master key for a specific set of managed firewalls, you can select those specific managed firewalls as well.
    3. Configure the master key.
    4. Review the Last Master Key Push column to verify that the master key was deployed successfully to all selected managed firewalls.
      A System log is generated when you deploy a new master key from Panorama.
  3. Select Panorama > Master Key and Diagnostics and configure a unique master key for Panorama.
  4. (Optional) Select Panorama > Master Key and Diagnostics and edit the Master Key setting to configure the Panorama master key to Auto Renew With Same Master Key.
    Configure this setting to automatically renew the master key deployed on Panorama. Otherwise, the master key expires per the configured master key lifetime and you must deploy a new master key.
  5. Select Commit and Commit and Push.
