Set Up Connectivity with an HSM
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Set Up Connectivity with an HSM
HSM clients are integrated with PA-3200 Series, PA-3400 Series, PA-5200 Series, PA-5400 Series,
PA-7000 Series, PA-7500 Series, and VM-Series firewalls
and with the Panorama management server (both virtual and M-Series appliances) for
use with the following HSM vendors:
- nCipher nShield Connect—The supported client versions depend on the PAN-OS release
- PAN-OS 11.0 and 11.1 support client version 12.40.2 (backward compatible up to client version 11.50 for older appliances).
- PAN-OS 9.1, 9.0, and 8.1 support client version 12.30.
- PAN-OS 8.0 and earlier releases support client version 11.62.
- SafeNet Network—The supported client versions depend on the PAN-OS release:
- PAN-OS 11.0 and 11.1 support client versions 5.4.2 and 7.2.
- PAN-OS 9.1 and 9.0 support client versions 5.4.2 and 6.3.
- PAN-OS 8.1 supports client versions 5.4.2 and 6.2.2.
- PAN-OS 8.0.2 and later PAN-OS 8.0 releases (also PAN-OS 7.1.10 and later PAN-OS 7.1 releases) support client versions 5.2.1, 5.4.2, and 6.2.2.
- Thales CipherTrust Manager—The supported client versions depend on the PAN-OS release:
- PAN-OS 11.1 supports client version 8.14.1.
The HSM server version must be compatible with these client versions. Refer to the HSM vendor
documentation for the client-server version compatibility matrix.
Downgrading
HSM servers might not be an option after you upgrade them.
- Set Up Connectivity with a SafeNet Network HSM
- Set Up Connectivity with an nCipher nShield Connect HSM
- Set Up Connectivity with a Thales CipherTrust Manager HSM
(SafeNet Network prerequisite) On the firewall or Panorama, use the
following procedure to select the SafeNet Network client version that is compatible
with your SafeNet HSM server.
- Install the SafeNet Client RPM Packet Manager.
- Select DeviceSetupHSM and Select HSM Client Version (Hardware Security Operations settings).Select Version 5.4.2 (default) or 7.2 as appropriate for your HSM server version.Click OK.(Required only if you change the HSM version on the firewall) If the version change succeeds, the firewall prompts you to reboot to change to the new HSM version. If prompted, click Yes.If the master key isn’t on the firewall, the client version upgrade will fail. Close the message and make the master key local to the firewall:
- Edit the Hardware Security Module Provider and disable (clear) the Master Key Secured by HSM option.
- Click OK.
- Select DeviceMaster Key and Diagnostics to edit the Master Key.
- Enter the Current Master Key; you can then enter that same key to be the New Master Key and then Confirm New Master Key.
- Click OK.
- Repeat the first four steps to Select HSM Client Version and reboot again.