HSM clients are integrated with PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls and with the Panorama management server (virtual appliance and M-Series appliances) for use with the following HSM vendors.
SafeNet Network—The supported client versions depend on the PAN-OS release:
  PAN-OS 7.1 releases and earlier releases (also PAN-OS 8.0 releases)—SafeNet Network client version 5.2.1.
  PAN-OS 7.1.10 and later PAN-OS 7.1 releases (also PAN-OS 8.0.2 and later PAN-OS 8.0 releases)—SafeNet Network client versions 5.2.1, 5.4.2, and 6.2.2.
  On the firewall or Panorama, use the request hsm client-version CLI command to select the version that is compatible with your SafeNet HSM server.
Thales nShield Connect—All PAN-OS releases support client version 11.62.
The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix.
Set Up Connectivity with a SafeNet Network HSM
To set up connectivity between the Palo Alto Networks firewall (HSM client) and a SafeNet Network HSM server, you must specify the IP address of the server, enter a password for authenticating the firewall to the server, and register the firewall with the server. Before starting the configuration, make sure you created a partition for the firewall on the HSM server. To ensure the SafeNet Network client version on the firewall is compatible with your SafeNet Network server, see Set up Connectivity with an HSM.
Before the HSM and firewall connect, the HSM authenticates the firewall based on the firewall IP address. Therefore, you must configure the firewall to use a static IP address, not a dynamic address assigned through DHCP. Operations on the HSM would stop working if the firewall IP address changed during runtime.
HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA deployments, you must manually perform one failover to individually configure and authenticate each HA peer to the HSM. After this initial manual failover, user interaction is not required for the failover function.
Set up Connectivity with a SafeNet Network HSM
Step 1. Define connection settings for each SafeNet Network HSM.
  Log in to the firewall web interface and select Device > Setup > HSM.
  Edit the Hardware Security Module Provider section and set the Provider Configured to SafeNet Network HSM.
  Add each HSM server as follows. A high availability (HA) HSM configuration requires two servers.
    Enter a Module Name for the HSM server. This can be any ASCII string of up to 31 characters.
    Enter an IPv4 address for the HSM Server Address.
    (HA only) Select High Availability, specify the Auto Recovery Retry value, and enter a High Availability Group Name. If two HSM servers are configured, the best practice is to enable High Availability; otherwise the second HSM server is not used.
  Click OK and Commit.
Step 2. (Optional) Configure a service route to connect to the HSM if you don't want the firewall to connect through the Management interface (default).
  If you configure a service route for the HSM, running the clear session all CLI command clears all existing HSM sessions, bringing all HSM states down and then up again. During the several seconds required for the HSM to recover, all SSL/TLS operations will fail.
  Select Device > Setup > Services and click Service Route Configuration.
  Customize a service route. The IPv4 tab is active by default.
  Click HSM in the Service column.
  Select a Source Interface for the HSM.
  Click OK and Commit.
Step 3. Configure the firewall to authenticate to the HSM.
  Select Device > Setup > HSM and Setup Hardware Security Module.
  Select the HSM Server Name.
  Enter the Administrator Password to authenticate the firewall to the HSM.
  Click OK. The firewall tries to authenticate to the HSM and displays a status message.
  Click OK.
Step 4. Register the firewall as an HSM client with the HSM server and assign the firewall to a partition on the HSM server.
  If the HSM already has a firewall with the same <cl-name> registered, you must first remove the duplicate registration by running the client delete -client <cl-name> command, where <cl-name> is the name of the client (firewall) registration you want to delete.
  Log in to the HSM from a remote system.
  Register the firewall using the client register -c <cl-name> -ip <fw-ip-addr> command, where <cl-name> is a name that you assign to the firewall for use on the HSM and <fw-ip-addr> is the firewall IP address. The IP address must be static, not assigned through DHCP.
  Assign a partition to the firewall using the client assignpartition -c <cl-name> -p <partition-name> command, where <cl-name> is the name assigned to the firewall in the client register command and <partition-name> is the name of a previously configured partition that you want to assign to the firewall.
Step 5. Configure the firewall to connect to the HSM partition.
  Select Device > Setup > HSM and click the Refresh icon.
  Click Setup HSM Partition in the Hardware Security Operations section.
  Enter the Partition Password to authenticate the firewall to the partition on the HSM.
  Click OK.
Step 6. (HA only) Configure an additional HSM for HA.
  Repeat the previous authentication, registration, and partition connection steps to add an additional HSM to the existing HA group.
  If you remove an HSM from your configuration, repeat the previous partition connection step to remove the deleted HSM from the HA group.
Step 7. Verify firewall connectivity and authentication with the HSM.
  Select Device > Setup > HSM and check the authentication and connection Status:
    Green—The firewall is successfully authenticated and connected to the HSM.
    Red—The firewall failed to authenticate to the HSM or network connectivity to the HSM is down.
  View the following columns in the Hardware Security Module Status section to determine the authentication status:
    Serial Number—The serial number of the HSM partition if the firewall successfully authenticated to the HSM.
    Partition—The partition name on the HSM that is assigned on the firewall.
    Module State—The current state of the HSM connection. The value is always Authenticated if the Hardware Security Module Status section displays the HSM.
Set Up Connectivity with a Thales nShield Connect HSM
You must set up a remote filesystem (RFS) as a hub to synchronize key data for all the firewalls (HSM clients) in your organization that use the Thales nShield Connect HSM. To ensure the Thales nShield Connect client version on your firewalls is compatible with your Thales nShield Connect server, see Set up Connectivity with an HSM.
Before the HSM and firewalls connect, the HSM authenticates the firewalls based on their IP addresses. Therefore, you must configure the firewalls to use static IP addresses, not dynamic addresses assigned through DHCP. Operations on the HSM would stop working if the firewall IP addresses changed during runtime.
HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA deployments, you must manually perform one failover to individually configure and authenticate each HA peer to the HSM. After this initial manual failover, user interaction is not required for the failover function.
Set up Connectivity with a Thales nShield Connect HSM
Step 1. Define connection settings for each Thales nShield Connect HSM.
  Log in to the firewall web interface and select Device > Setup > HSM.
  Edit the Hardware Security Module Provider section and set the Provider Configured to Thales nShield Connect.
  Add each HSM server as follows. A high availability (HA) HSM configuration requires two servers.
    Enter a Module Name for the server. This can be any ASCII string of up to 31 characters.
    Enter an IPv4 address for the HSM Server Address.
    Enter an IPv4 address for the Remote Filesystem Address.
  Click OK and Commit.
Step 2. (Optional) Configure a service route to connect to the HSM if you don't want the firewall to connect through the Management interface (default).
  If you configure a service route for the HSM, running the clear session all CLI command clears all existing HSM sessions, bringing all HSM states down and then up again. During the several seconds required for the HSM to recover, all SSL/TLS operations will fail.
  Select Device > Setup > Services and click Service Route Configuration.
  Customize the service route. The IPv4 tab is active by default.
  Click HSM in the Service column.
  Select a Source Interface for HSM.
  Click OK and Commit.
Step 3. Register the firewall as an HSM client with the HSM server.
  This step briefly describes the procedure for using the front panel interface of the Thales nShield Connect HSM. For more details, refer to the Thales documentation.
  Log in to the front panel display of the Thales nShield Connect HSM unit.
  Use the right-hand navigation button to select System > System configuration > Client config > New client.
  Enter the firewall IP address.
  Select System > System configuration > Client config > Remote file system and enter the IP address of the client computer where you set up the RFS.
Step 4. Configure the RFS to accept connections from the firewall.
  Log in to the RFS from a Linux client.
  Obtain the electronic serial number (ESN) and the hash of the KNETI key, which authenticates the HSM to clients, by running the anonkneti <ip-address> command, where <ip-address> is the IP address of the HSM. The following is an example:
    anonkneti 192.0.2.1
    B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
  In this example, B1E2-2D4C-E6A2 is the ESN and 5a2e5107e70d525615a903f6391ad72b1c03352c is the hash of the KNETI key.
  Use the following command from a superuser account to set up the RFS:
    rfs-setup --force <ip-address> <ESN> <hash-Kneti-key>
  The <ip-address> is the HSM IP address, <ESN> is the electronic serial number, and <hash-Kneti-key> is the hash of the KNETI key. The following example uses the values obtained in this procedure:
    rfs-setup --force 192.0.2.1 B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
  Use the following command to permit HSM client submissions on the RFS:
    rfs-setup --gang-client --write-noauth <FW-IPaddress>
  where <FW-IPaddress> is the firewall IP address.
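Because the KNETI hash returned by anonkneti is what the RFS will trust from that point on, it is worth checking the values before passing them to rfs-setup. The following is an added shell example (not Thales or Palo Alto Networks code) that parses an anonkneti output line in the form shown above, checks that the ESN and KNETI hash are well-formed and that the ESN matches the value you expect for that HSM, and then prints the two rfs-setup command lines as a dry run instead of executing them. The one-line "<ESN> <hash>" output format, the expected-ESN check, and the firewall address 192.0.2.10 are assumptions made for this example; the sample anonkneti output is constructed from the values on this page.

```shell
#!/bin/sh
# Added example, not vendor code: validate anonkneti output before using it
# with rfs-setup, and build (but do not run) the rfs-setup command lines.
# Assumption: anonkneti prints "<ESN> <KNETI-hash>" on a single line, as in
# the example on this page.

# Constructed sample of anonkneti output (values copied from the page's example).
SAMPLE_ANONKNETI_OUTPUT="B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c"

# validate_esn ESN: succeed only if ESN looks like XXXX-XXXX-XXXX (hex groups).
validate_esn() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}$'
}

# validate_kneti_hash HASH: succeed only if HASH is 40 hex characters
# (the length of the hash shown on the page).
validate_kneti_hash() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# parse_anonkneti OUTPUT EXPECTED_ESN
# Prints "ESN HASH" on success. Fails if the line is malformed or the ESN is
# not the one the HSM administrator expects, so that a KNETI hash from the
# wrong device is never written into the RFS configuration.
parse_anonkneti() {
    out=$1
    expected=$2
    esn=${out%% *}
    hash=${out#* }
    [ "$hash" != "$out" ] || return 1      # no separator: malformed line
    validate_esn "$esn" || return 1
    validate_kneti_hash "$hash" || return 1
    [ "$esn" = "$expected" ] || return 1   # assumed out-of-band ESN check
    printf '%s %s\n' "$esn" "$hash"
}

# build_rfs_setup_cmds HSM_IP FW_IP ANONKNETI_OUTPUT EXPECTED_ESN
# Prints the two rfs-setup command lines from the procedure, one per line,
# without executing them (dry run).
build_rfs_setup_cmds() {
    hsm_ip=$1
    fw_ip=$2
    parsed=$(parse_anonkneti "$3" "$4") || return 1
    esn=${parsed%% *}
    hash=${parsed#* }
    printf 'rfs-setup --force %s %s %s\n' "$hsm_ip" "$esn" "$hash"
    printf 'rfs-setup --gang-client --write-noauth %s\n' "$fw_ip"
}

# Stand-alone dry run with the page's HSM address and a constructed firewall
# address (192.0.2.10 is an assumption for this example).
build_rfs_setup_cmds 192.0.2.1 192.0.2.10 "$SAMPLE_ANONKNETI_OUTPUT" B1E2-2D4C-E6A2
```

Run it as a normal user on the RFS host to review the commands it prints; only the rfs-setup lines themselves need the superuser account mentioned in the step.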
Step 5. Authenticate the firewall to the HSM.
  In the firewall web interface, select Device > Setup > HSM and Setup Hardware Security Module.
  Click OK. The firewall tries to authenticate to the HSM and displays a status message.
  Click OK.
Step 6. Synchronize the firewall with the RFS.
  Select Device > Setup > HSM and Synchronize with Remote Filesystem.
Step 7. Verify firewall connectivity and authentication with the HSM.
  Select Device > Setup > HSM and check the authentication and connection Status:
    Green—The firewall is successfully authenticated and connected to the HSM.
    Red—The firewall failed to authenticate to the HSM or network connectivity to the HSM is down.
  Check the Hardware Security Module Status section to determine the authentication status:
    Name—The name of the HSM.
    IP address—The IP address of the HSM.
    Module State—The current state of the HSM connection: Authenticated or Not Authenticated.