Device > Master Key and Diagnostics
Select Device > Master Key and Diagnostics or Panorama > Master Key and Diagnostics to configure the master key that encrypts all passwords and private keys on the firewall or Panorama (such as the RSA key for authenticating administrators who access the CLI). Encrypting passwords and keys improves security by ensuring their plaintext values are not exposed anywhere on the firewall or Panorama.
Palo Alto Networks recommends you configure a new master key instead of using the default key, store the key in a safe location, and periodically change it. For extra privacy, you can use a hardware security module to encrypt the master key (see Device > Setup > HSM). Configuring a unique master key on each firewall or Panorama management server ensures that an attacker who learns the master key for one appliance cannot access the passwords and private keys on any of your other appliances. However, you must use the same master key across multiple appliances in the following cases:
- High availability (HA) configurations—If you deploy firewalls or Panorama in an HA configuration, use the same master key on both firewalls or Panorama management servers in the pair. Otherwise, HA synchronization does not work.
- Panorama pushes configurations to firewalls—If you use Panorama to push configurations to managed firewalls, use the same master key on Panorama and the managed firewalls. Otherwise, push operations from Panorama will fail.
To configure a master key, edit the Master Key settings and use the following table to determine the appropriate values:
Master Key and Diagnostics Settings
Current Master Key
Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall.
New Master Key
Confirm Master Key
To change the master key, enter a 16-character string and confirm the new key.
Specify the number of Days and Hours after which the master key expires (range is 1 to 730 days).
You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then perform a factory reset.
Time for Reminder
Enter the number of Days and Hours before the master key expires when the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to display the alarm.
To ensure the expiration alarm displays, select Device > Log Settings, edit the Alarm Settings, and Enable Alarms.
Stored on HSM
Enable this option only if the master key is encrypted on a Hardware Security Module (HSM). You cannot use HSM on a dynamic interface such as a DHCP client or PPPoE.
The HSM configuration is not synchronized between peer firewalls in HA mode. Therefore, each peer in an HA pair can connect to a different HSM source. If you are using Panorama and need to keep both peer configurations in sync, use Panorama templates to configure the HSM source on the managed firewalls.
The PA-200, PA-220, and PA-500 firewalls do not support HSM.
In Common Criteria mode, additional options are available to run a cryptographic algorithm self-test and software integrity self-test. A scheduler is also included to specify the times at which the two self-tests will run.
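The following added example (not Palo Alto Networks code) audits an appliance inventory against the rules on this page: the 1 to 730 day lifetime range, the reminder window before expiry, the same key across HA peers and Panorama-managed firewalls, and a unique key everywhere else. The inventory, the `key_id` custody label, and the whole-day granularity are assumptions made for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# key_id is a hypothetical label from your own key-custody records that says
# which master key an appliance holds; the key itself never appears here.
Dev = namedtuple("Dev", "name key_id ha_peer panorama set_on lifetime_days reminder_days")

# Constructed inventory for illustration.
INVENTORY = [
    Dev("pano-1", "mk-A", None, None, datetime(2024, 1, 10), 365, 30),
    Dev("fw-a1", "mk-A", "fw-a2", "pano-1", datetime(2024, 1, 10), 365, 30),
    Dev("fw-a2", "mk-B", "fw-a1", "pano-1", datetime(2024, 6, 1), 365, 30),
    Dev("fw-lab", "mk-A", None, None, datetime(2024, 6, 1), 900, 30),
]

def link_groups(inventory):
    """Map each appliance to the group that must share one key (HA pair, Panorama push)."""
    parent = {d.name: d.name for d in inventory}
    def root(n):
        while parent[n] != n:
            n = parent[n]
        return n
    for d in inventory:
        for other in (d.ha_peer, d.panorama):
            if other in parent:
                parent[root(d.name)] = root(other)
    return {n: root(n) for n in parent}

def audit(inventory, now):
    groups, findings = link_groups(inventory), set()
    for d in inventory:
        if not 1 <= d.lifetime_days <= 730:  # range stated in the settings table
            findings.add((d.name, "lifetime outside 1-730 days"))
        expires = d.set_on + timedelta(days=d.lifetime_days)
        if now >= expires:  # appliance reboots into Maintenance mode at expiry
            findings.add((d.name, "master key expired"))
        elif now >= expires - timedelta(days=d.reminder_days):
            findings.add((d.name, "inside reminder window"))
        for o in inventory:
            if o.name == d.name:
                continue
            same_key, same_group = o.key_id == d.key_id, groups[o.name] == groups[d.name]
            if same_group and not same_key:
                findings.add((d.name, "key differs from linked " + o.name))
            if same_key and not same_group:
                findings.add((d.name, "key shared with unrelated " + o.name))
    return sorted(findings)

if __name__ == "__main__":
    for name, issue in audit(INVENTORY, datetime(2024, 12, 20)):
        print(f"{name}: {issue}")
```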