Set Up Connectivity with an HSM
HSM clients are integrated with PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, and VM-Series firewalls and with the Panorama management server (both virtual and M-Series appliances) for use with the following HSM vendors:
- Thales nShield Connect—PAN-OS 8.1 supports Thales nShield client version 12.30. PAN-OS 8.0 and earlier releases support client version 11.62, instead.
- SafeNet Network—The supported client versions depend on the PAN-OS release:
- PAN-OS 8.1—SafeNet Network client versions 5.4.2 and 6.2.2.
- PAN-OS 8.0.2 and later PAN-OS 8.0 releases (also PAN-OS 7.1.10 and later PAN-OS 7.1 releases)—SafeNet Network client versions 5.2.1, 5.4.2, and 6.2.2.
The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix. On the firewall or Panorama, use the following procedure to select the SafeNet Network client version that is compatible with your SafeNet HSM server.
Downgrading HSM servers might not be an option after you upgrade them.
- Install the SafeNet Client RPM Packet
- Select DeviceSetupHSM and Select HSM Client Version (Hardware Security Operations settings).
- Select Version 5.4.2(default) or 6.2.2 as appropriate for your HSM server version.
- Click OK.
- (Required only if you change the HSM version on the firewall) If the version change succeeds, the firewall prompts you to reboot to change to the new HSM version. If prompted, click Yes.
- If the master key isn’t on the firewall, the client
version upgrade will fail. Close the message
and make the master key local to the firewall:
- Edit the Hardware Security Module Provider and disable (clear) the Master Key Secured by HSM option.
- Click OK.
- Select DeviceMaster Key and Diagnostics to edit the Master Key.
- Enter the Current Master Key; you can then enter that same key to be the New Master Key and then Confirm New Master Key.
- Click OK.
- Repeat the first four steps to Select HSM Client Version and reboot again.
HSM Client Upgrade and SafeNet HSM Cluster Support
PAN-OS® 8.1 supports Thales nShield client 12.30 and SafeNet client versions 5.4.2 and 6.2.2. SafeNet HSM servers support an HA cluster of up to 16 ...
Hardware Security Operations
Hardware Security Operations To perform an operation on the Hardware Security Module (HSM) or the firewall connected to the HSM, select Device Setup HSM and ...
Hardware Security Module Provider Configuration and Status
Hardware Security Module Provider Configuration and Status The Hardware Security Module Provider section shows the HSM configuration settings and the connectivity status of the HSM. ...
Hardware Security Module Provider Settings
Hardware Security Module Provider Settings To configure a Hardware Security Module (HSM) on the firewall, edit the Hardware Security Module Provider settings: Hardware Security Module ...
Set Up Connectivity with a Thales nShield Connect HSM
Set Up Connectivity with a Thales nShield Connect HSM You must set up a remote file system (RFS) as a hub to synchronize key data ...
Upgrade/Downgrade Considerations The following table lists the new features that have upgrade or downgrade impacts. Make sure you understand all potential changes before you upgrade ...
Refresh the Master Key Encryption
Refresh the Master Key Encryption As a best practice, periodically refresh the master key encryption by rotating the wrapping key that encrypts it. The frequency ...
Set Up Connectivity with a SafeNet Network HSM
Set Up Connectivity with a SafeNet Network HSM To set up connectivity between the Palo Alto Networks firewall (HSM client) and a SafeNet Network HSM ...