Device > Master Key and Diagnostics
Select or to
configure the master key that encrypts all passwords and private keys
on the firewall or Panorama (such as the RSA key for authenticating administrators
who access the CLI). Encrypting passwords and keys improves security
by ensuring their plaintext values are not exposed anywhere on the
firewall or Panorama.
The only way to restore the default master key is to perform
a factory reset
.
.Palo Alto Networks recommends you configure a new master key
instead of using the default key, store the key in a safe location,
and periodically change it. For extra privacy, you can use a hardware
security module to encrypt the master key (see Device
> Setup > HSM). Configuring a unique master key on each firewall
or Panorama management server ensures that an attacker who learns
the master key for one appliance cannot access the passwords and
private keys on any of your other appliances. However, you must
use the same master key across multiple appliances in the following
cases:
- High availability (HA) configurations—If you deploy firewalls or Panorama in an HA configuration, use the same master key on both firewalls or Panorama management servers in the pair. Otherwise, HA synchronization does not work.
- Panorama pushes configurations to firewalls—If you use Panorama to push configurations to managed firewalls, use the same master key on Panorama and the managed firewalls. Otherwise, push operations from Panorama will fail.
To configure a master key, edit the Master Key settings and use
the following table to determine the appropriate values:
Master Key and Diagnostics
Settings | Description |
|---|---|
Current Master Key | Specify the key that is currently used to
encrypt all of the private keys and passwords on the firewall. |
New Master Key Confirm Master Key | To change the master key, enter a 16-character
string and confirm the new key. |
Life Time | Specify the number of Days and Hours after
which the master key expires (range is 1 to 730 days). You must configure a new master key before
the current key expires. If the master key expires, the firewall
or Panorama automatically reboots in Maintenance mode. You must
then perform a factory reset
. |
Time for Reminder | Enter the number of Days and Hours before
the master key expires when the firewall generates an expiration
alarm. The firewall automatically opens the System Alarms dialog
to display the alarm. To ensure the
expiration alarm displays, select , edit the Alarm
Settings, and Enable Alarms. |
Stored on HSM | Enable this option only if the master key
is encrypted on a Hardware Security Module (HSM). You cannot use
HSM on a dynamic interface such as a DHCP client or PPPoE. The
HSM configuration is not synchronized between peer firewalls in
HA mode. Therefore, each peer in an HA pair can connect to a different
HSM source. If you are using Panorama and need to keep both peer
configurations in sync, use Panorama templates to configure the
HSM source on the managed firewalls. The PA-200, PA-220, and PA-500 firewalls
do not support HSM. |
Common Criteria | In Common Criteria mode, additional options
are available to run a cryptographic algorithm self-test and software
integrity self-test. A scheduler is also included to specify the
times at which the two self-tests will run. |