End-of-Life (EoL)
Configure the Master Key
Every firewall and Panorama management server has a default master key that encrypts all the private keys and passwords in the configuration to secure them (such as the private key used for SSL Forward Proxy Decryption).
In a high availability (HA) configuration, you must use the same master key on both firewalls or Panorama in the pair. Otherwise, HA synchronization will not work properly.
Additionally, if you are using Panorama to manage your firewalls, you must use the same master key on Panorama and all managed firewalls so that Panorama can push configurations to the firewalls.
For added security, see Encrypt a Master Key Using an HSM.
Be sure to store the master key in a safe location. You cannot recover the master key, and the only way to restore the default master key is to Reset the Firewall to Factory Default Settings.
- (HA only) Disable HA. This step is required before you can deploy a new master key to a firewall HA pair. If you do not disable HA before deploying a new master key, Panorama will lose connectivity to the primary firewall.
  - Select Device > High Availability > General and edit the Setup section.
  - Disable (clear) the Enable HA setting and click OK.
  - Commit your configuration changes.
- Select Device > Master Key and Diagnostics and edit the Master Key section.
- Enter the Current Master Key if one exists.
- Define a new New Master Key and then Confirm New Master Key. The key must contain exactly 16 characters.
- To specify the master key Life Time, enter the number of Days and/or Hours after which the key will expire. You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings.
- Enter a Time for Reminder that specifies the number of Days and Hours before the master key expires when the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to display the alarm. To ensure the expiration alarm displays, select Device > Log Settings, edit the Alarm Settings, and Enable Alarms.
- (Optional) Select whether to use an HSM to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.
- Click OK and Commit.
- (HA only) Re-enable HA.
  - Select Device > High Availability > General and edit the Setup section.
  - Select Enable HA and click OK.
  - Commit your configuration changes.
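The values this procedure asks for (a key of exactly 16 characters, a Life Time, and a Time for Reminder) can be prepared and sanity-checked before you open the web interface. The Python helper below is an added example, not Palo Alto Networks code; its function names, the letters-and-digits alphabet, and the rule that the reminder must be shorter than the lifetime are assumptions made for illustration.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

KEY_LENGTH = 16  # the procedure requires exactly 16 characters
# Assumption: restrict to letters and digits; the page does not list allowed characters.
ALPHABET = string.ascii_letters + string.digits


def generate_master_key() -> str:
    """Draw a 16-character key from the OS CSPRNG (hypothetical helper)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))


def validate_master_key(key: str) -> None:
    """Raise ValueError unless the key is exactly 16 characters long."""
    if len(key) != KEY_LENGTH:
        raise ValueError(f"master key must be exactly {KEY_LENGTH} characters, got {len(key)}")


def plan_rotation(deployed_at: datetime, life_days: int, life_hours: int,
                  remind_days: int, remind_hours: int) -> dict:
    """Return when the key expires and when the expiration alarm is raised."""
    lifetime = timedelta(days=life_days, hours=life_hours)
    reminder = timedelta(days=remind_days, hours=remind_hours)
    if lifetime <= timedelta(0):
        raise ValueError("Life Time must be greater than zero")
    # Assumption: an alarm at or before deployment leaves no time to rotate.
    if not timedelta(0) < reminder < lifetime:
        raise ValueError("Time for Reminder must be positive and shorter than Life Time")
    expires_at = deployed_at + lifetime
    return {"expires_at": expires_at, "alarm_at": expires_at - reminder}


if __name__ == "__main__":
    # The key stays in memory here; hand it to your secrets vault at this point.
    key = generate_master_key()
    validate_master_key(key)
    # Constructed sample values: 365-day Life Time, 30-day Time for Reminder.
    plan = plan_rotation(datetime.now(timezone.utc), 365, 0, 30, 0)
    print("Store the new key in your secrets vault before committing it.")
    print("Alarm raised at :", plan["alarm_at"].isoformat())
    print("Rotate before   :", plan["expires_at"].isoformat())
```

Record the "rotate before" time in your change calendar for every device that shares the key, since an HA pair or Panorama and its managed firewalls all expire together.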