Set Up Connectivity with an HSM

HSM clients are integrated with PA-3200 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, and VM-Series firewalls and with the Panorama management server (both virtual and M-Series appliances) for use with the following HSM vendors:
  • nCipher nShield Connect: PAN-OS 8.1 supports nCipher nShield client version 12.30. PAN-OS 8.0 and earlier releases support client version 11.62 instead.
  • SafeNet Network: The supported client versions depend on the PAN-OS release:
    • PAN-OS 8.1: SafeNet Network client versions 5.4.2 and 6.2.2.
    • PAN-OS 8.0.2 and later PAN-OS 8.0 releases (also PAN-OS 7.1.10 and later PAN-OS 7.1 releases): SafeNet Network client versions 5.2.1, 5.4.2, and 6.2.2.
The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix. On the firewall or Panorama, use the following procedure to select the SafeNet Network client version that is compatible with your SafeNet HSM server.
Downgrading HSM servers might not be an option after you upgrade them.
  • Install the SafeNet Client RPM Packet Manager.
    1. Select
      Select HSM Client Version
      (Hardware Security Operations settings).
    2. Select
      Version 5.4.2
      (default) or
      as appropriate for your HSM server version.
    3. Click
    4. (Required only if you change the HSM version on the firewall)
      If the version change succeeds, the firewall prompts you to reboot to change to the new HSM version. If prompted, click
    5. If the master key isn’t on the firewall, the client version upgrade will fail.
      the message and make the master key local to the firewall:
      • Edit the Hardware Security Module Provider and disable (clear) the Master Key Secured by HSM.
      • Click
      • Select Master Key and Diagnostics to edit the Master Key.
      • Enter the Current Master Key; you can then enter that same key to be the New Master Key and then Confirm New Master Key.
      • Click
      • Repeat the first four steps to Select HSM Client Version and reboot again.
