: Device > Master Key and Diagnostics
Focus
Focus

Device > Master Key and Diagnostics

Table of Contents
End-of-Life (EoL)

Device > Master Key and Diagnostics

  • DeviceMaster Key and Diagnostics
  • PanoramaMaster Key and Diagnostics
Edit the master key that encrypts all passwords and private keys on the firewall or Panorama (such as the RSA key for authenticating administrators who access the CLI). Encrypting passwords and keys improves security by ensuring their plaintext values are not exposed anywhere on the firewall or Panorama.
The only way to restore the default master key is to perform a factory reset
.
Palo Alto Networks recommends you configure a new master key instead of using the default key, store the key in a safe location, and periodically change it. For extra privacy, you can use a hardware security module to encrypt the master key (see Device > Setup > HSM). Configuring a unique master key on each firewall or Panorama management server ensures that an attacker who learns the master key for one appliance cannot access the passwords and private keys on any of your other appliances. However, you must use the same master key across multiple appliances in the following cases:
  • High availability (HA) configurations—If you deploy firewalls or Panorama in an HA configuration, use the same master key on both firewalls or Panorama management servers in the pair. Otherwise, HA synchronization does not work.
  • Panorama managing WildFire appliances and Log Collectors—You must configure the same master key on Panorama, WildFire appliances, and managed collectors. Otherwise, push operations from Panorama will fail.
To configure a master key, edit the Master Key settings and use the following table to determine the appropriate values:
Master Key and Diagnostics Settings
Description
Master Key
Enable to configure a unique master key. Disable (clear) to use the default master key.
Current Master Key
Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall.
New Master Key
Confirm Master Key
To change the master key, enter a 16-character string and confirm the new key.
Life Time
Specify the number of Days and Hours after which the master key expires. Range is 1 to 438,000 days (50 years).
You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then perform a factory reset
.
Set the Lifetime to two years or less, depending on how many encryptions the device performs. The more encryptions a device performs, the short the Lifetime you should set. The critical consideration is to not run out of unique encryptions before you change the master key. Each master key can provide up to 2^^32 unique encryptions and then encryptions repeat, which is a security risk.
Set a Time for Reminder for the master key and when the reminder notification occurs, change the master key.
Time for Reminder
Enter the number of Days and Hours before the master key expires when the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to display the alarm.
Set the reminder so that it gives you plenty of time to configure a new master key before it expires in a scheduled maintenance window. When the Time for Reminder expires and the firewall or Panorama sends a notification log, change the master key, don’t wait for the Lifetime to expire. For grouped devices, track every device (e.g., firewalls that Panorama manages and firewall HA pairs) and when the reminder value expires for the any device in the group, change the master key.
To ensure the expiration alarm displays, select DeviceLog Settings, edit the Alarm Settings, and Enable Alarms.
Stored on HSM
Enable this option only if the master key is encrypted on a Hardware Security Module (HSM). You cannot use HSM on a dynamic interface such as a DHCP client or PPPoE.
The HSM configuration is not synchronized between peer firewalls in HA mode. Therefore, each peer in an HA pair can connect to a different HSM source. If you are using Panorama and need to keep both peer configurations in sync, use Panorama templates to configure the HSM source on the managed firewalls.
The PA-220 does not support HSM.
Auto Renew Master Key
Enable to automatically renew the master key for a specified number of days and hours. Disable (clear) to allow the master key to expire after the configured key life time.
Auto Renew with Same Master Key by specifying the number of Days and Hours by which to extend the master key encryption (range is 1 hour to 730 days).
If you enable Auto Renew Master Key, set it so that the total time (lifetime plus the auto renew time) does not cause the device to run out of unique encryptions. For example, if you believe the device will consume the master key’s number of unique encryptions in two and a half years, you could set the Lifetime for two years, set the Time for Reminder to 60 days, and set the Auto Renew Master Key for 60-90 days to provide the extra time to configure a new master key before the Lifetime expires. However, the best practice is still to change the master key before the lifetime expires to ensure that no device repeats encryptions.
Common Criteria
In Common Criteria mode, additional options are available to run a cryptographic algorithm self-test and software integrity self-test. A scheduler is also included to specify the times at which the two self-tests will run.