Set Up Connectivity with a SafeNet Network
To set up connectivity between the Palo Alto Networks firewall (HSM client) and a SafeNet Network HSM server, you must specify the IP address of the server, enter a password for authenticating the firewall to the server, and register the firewall with the server. Before starting the configuration, make sure you created a partition for the firewall on the HSM server. To ensure the SafeNet Network client version on the firewall is compatible with your SafeNet Network server, see Set up Connectivity with an HSM.
Before the HSM and firewall connect, the HSM authenticates the firewall based on the firewall IP address. Therefore, you must configure the firewall to use a static IP address, not a dynamic address assigned through DHCP. Operations on the HSM would stop working if the firewall IP address changed during runtime.
HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA deployments, you must manually perform one failover to individually configure and authenticate each HA peer to the HSM. After this initial manual failover, user interaction is not required for the failover function.
- Define connection settings for each SafeNet Network HSM.
- Log in to the firewall web interface and select.DeviceSetupHSM
- Edit the Hardware Security Module Provider section and set theProvider ConfiguredtoSafeNet Network HSM.
- Addeach HSM server as follows. A high availability (HA) HSM configuration requires two servers.
- Enter aModule Namefor the HSM server. This can be any ASCII string of up to 31 characters.
- Enter an IPv4 address for the HSMServer Address.
- (HA only) SelectHigh Availability, specify theAuto Recovery Retryvalue, and enter aHigh Availability Group Name.If two HSM servers are configured, the best practice is to enableHigh Availability. Otherwise the second HSM server is not used.
- (Optional) Configure a service route to connect to the HSM if you don’t want the firewall to connect through the Management interface (default).If you configure a service route for the HSM, running theclear session allCLI command clears all existing HSM sessions, bringing all HSM states down and then up again. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
- Selectand clickDeviceSetupServicesService Route Configuration.
- Customizea service route. TheIPv4tab is active by default.
- ClickHSMin theServicecolumn.
- Select aSource Interfacefor the HSM.
- Configure the firewall to authenticate to the HSM.
- SelectandDeviceSetupHSMSetup Hardware Security Module.
- Select the HSMServer Name.
- Enter theAdministrator Passwordto authenticate the firewall to the HSM.
- ClickOK.The firewall tries to authenticate to the HSM and displays a status message.
- Register the firewall as an HSM client with the HSM server and assign the firewall to a partition on the HSM server.If the HSM already has a firewall with the same<cl-name>registered, you must first remove the duplicate registration by running theclient delete -clientcommand, where<cl-name><cl-name>is the name of the client (firewall) registration you want to delete.
- Log in to the HSM from a remote system.
- Register the firewall using theclient register -ccommand, where<cl-name>-ip<fw-ip-addr><cl-name>is a name that you assign to the firewall for use on the HSM and<fw-ip-addr>is the firewall IP address.
- Assign a partition to the firewall using theclient assignpartition -ccommand, where<cl-name>-p<partition-name><cl-name>is the name assigned to the firewall in theclient registercommand and<partition-name>is the name of a previously configured partition that you want to assign to the firewall.
- Configure the firewall to connect to the HSM partition.
- Selectand click the Refresh icon.DeviceSetupHSM
- Setup HSM Partitionin the Hardware Security Operations section.
- Enter thePartition Passwordto authenticate the firewall to the partition on the HSM.
- (HA only) Repeat the previous authentication, registration, and partition connection steps to add another HSM to the existing HA group.If you remove an HSM from your configuration, repeat the previous partition connection step to remove the deleted HSM from the HA group.
- Verify firewall connectivity and authentication with the HSM.
- Selectand check the authentication and connection Status:DeviceSetupHSM
- Green—The firewall is successfully authenticated and connected to the HSM.
- Red—The firewall failed to authenticate to the HSM or network connectivity to the HSM is down.
- View the following columns in the Hardware Security Module Status section to determine the authentication status:
- Serial Number—The serial number of the HSM partition if the firewall successfully authenticated to the HSM.
- Partition—The partition name on the HSM that is assigned on the firewall.
- Module State—The current state of the HSM connection. The value is alwaysAuthenticatedif the Hardware Security Module Status section displays the HSM.
Recommended For You
Recommended videos not found.