Set Up Connectivity with a SafeNet Network HSM

To set up connectivity between the Palo Alto Networks firewall (HSM client) and a SafeNet Network HSM server, you must specify the IP address of the server, enter a password for authenticating the firewall to the server, and register the firewall with the server. Before starting the configuration, make sure you created a partition for the firewall on the HSM server. To ensure the SafeNet Network client version on the firewall is compatible with your SafeNet Network server, see Set up Connectivity with an HSM.
Before the HSM and firewall connect, the HSM authenticates the firewall based on the firewall IP address. Therefore, you must configure the firewall to use a static IP address, not a dynamic address assigned through DHCP. Operations on the HSM would stop working if the firewall IP address changed during runtime.
HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA deployments, you must manually perform one failover to individually configure and authenticate each HA peer to the HSM. After this initial manual failover, user interaction is not required for the failover function.
  1. Define connection settings for each SafeNet Network HSM.
    1. Log in to the firewall web interface and select DeviceSetupHSM.
    2. Edit the Hardware Security Module Provider section and set the Provider Configured to SafeNet Network HSM.
    3. Add each HSM server as follows. A high availability (HA) HSM configuration requires two servers.
      1. Enter a Module Name for the HSM server. This can be any ASCII string of up to 31 characters.
      2. Enter an IPv4 address for the HSM Server Address.
    4. (HA only) Select High Availability, specify the Auto Recovery Retry value, and enter a High Availability Group Name.
      If two HSM servers are configured, the best practice is to enable High Availability. Otherwise the second HSM server is not used.
    5. Click OK and Commit.
  2. (Optional) Configure a service route to connect to the HSM if you don’t want the firewall to connect through the Management interface (default).
    If you configure a service route for the HSM, running the clear session all CLI command clears all existing HSM sessions, bringing all HSM states down and then up again. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
    1. Select DeviceSetupServices and click Service Route Configuration.
    2. Customize a service route. The IPv4 tab is active by default.
    3. Click HSM in the Service column.
    4. Select a Source Interface for the HSM.
    5. Click OK and Commit.
  3. Configure the firewall to authenticate to the HSM.
    1. Select DeviceSetupHSM and Setup Hardware Security Module.
    2. Select the HSM Server Name.
    3. Enter the Administrator Password to authenticate the firewall to the HSM.
    4. Click OK.
      The firewall tries to authenticate to the HSM and displays a status message.
    5. Click OK.
  4. Register the firewall as an HSM client with the HSM server and assign the firewall to a partition on the HSM server.
    If the HSM already has a firewall with the same <cl-name> registered, you must first remove the duplicate registration by running the client delete -client <cl-name> command, where <cl-name> is the name of the client (firewall) registration you want to delete.
    1. Log in to the HSM from a remote system.
    2. Register the firewall using the client register -c <cl-name> -ip <fw-ip-addr> command, where <cl-name> is a name that you assign to the firewall for use on the HSM and <fw-ip-addr> is the firewall IP address.
    3. Assign a partition to the firewall using the client assignpartition -c <cl-name> -p <partition-name> command, where <cl-name> is the name assigned to the firewall in the client register command and <partition-name> is the name of a previously configured partition that you want to assign to the firewall.
  5. Configure the firewall to connect to the HSM partition.
    1. Select DeviceSetupHSM and click the Refresh refresh_icon.png icon.
    2. Setup HSM Partition in the Hardware Security Operations section.
    3. Enter the Partition Password to authenticate the firewall to the partition on the HSM.
    4. Click OK.
  6. (HA only) Repeat the previous authentication, registration, and partition connection steps to add another HSM to the existing HA group.
    If you remove an HSM from your configuration, repeat the previous partition connection step to remove the deleted HSM from the HA group.
  7. Verify firewall connectivity and authentication with the HSM.
    1. Select DeviceSetupHSM and check the authentication and connection Status:
      • Green—The firewall is successfully authenticated and connected to the HSM.
      • Red—The firewall failed to authenticate to the HSM or network connectivity to the HSM is down.
    2. View the following columns in the Hardware Security Module Status section to determine the authentication status:
      • Serial Number—The serial number of the HSM partition if the firewall successfully authenticated to the HSM.
      • Partition—The partition name on the HSM that is assigned on the firewall.
      • Module State—The current state of the HSM connection. The value is always Authenticated if the Hardware Security Module Status section displays the HSM.

Related Documentation