1. Home
    2. PAN-OS
    3. Version 8.0
    4. PAN-OS® Administrator’s Guide
    5. Certificate Management
    6. Configure the Master Key
    End-of-Life (EoL)

    Configure the Master Key

    Every firewall and Panorama management server has a default master key that encrypts all the private keys and passwords in the configuration to secure them (such as the private key used for SSL Forward Proxy Decryption).
    If a high availability (HA) configuration, you must use the same master key on both firewalls or Panorama in the pair. Otherwise, HA synchronization will not work properly.
    Additionally, if you are using Panorama to manage your firewalls, you must use the same master key on Panorama and all managed firewalls so that Panorama can push configurations to the firewalls.
    Be sure to store the master key in a safe location. You cannot recover the master key and the only way to restore the default master key is to Reset the Firewall to Factory Default Settings.
    1. (
      HA only
      ) Disable HA.
      This step is required before you can deploy a new master key to a firewall HA pair. If you do not disable HA before deploying a new master key, Panorama will lose connectivity to the primary firewall.
      1. Select
        Device
        High Availability
        General
         and edit the Setup.
      2. Disable (clear) the
        Enable HA
         setting and click
        OK
        .
      3. Commit
         your configuration changes.
    2. Select
      Device
      Master Key and Diagnostics
       and edit the Master Key section.
    3. Enter the
      Current Master Key
       if one exists.
    4. Define a new
      New Master Key
       and then
      Confirm New Master Key
      . The key must contain exactly 16 characters.
    5. To specify the master key
      Life Time
      , enter the number of
      Days
       and/or
      Hours
       after which the key will expire.
      You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings.
    6. Enter a
      Time for Reminder
       that specifies the number of
      Days
       and
      Hours
       before the master key expires when the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to display the alarm.
      To ensure the expiration alarm displays, select
      Device
      Log Settings
      , edit the Alarm Settings, and
      Enable Alarms
      .
    7. (
      Optional
      ) Select whether to use an
      HSM
       to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.
    8. Click
      OK
       and
      Commit
      .
    9. (
      HA only
      ) Re-enable HA.
      1. Select
        Device
        High Availability
        General
         and edit the Setup.
      2. Select
        Enable HA
         and click
        OK
        .
      3. Commit
         your configuration changes.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2020 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo