HSM Client Upgrade and SafeNet HSM Cluster
PAN-OS® 8.1 supports nCipher nShield client 12.30 and
SafeNet client versions 5.4.2 and 6.2.2. SafeNet HSM servers support
an HA cluster of up to 16 HSMs.
When you use your firewall as a hardware security
module (HSM) client to manage your digital keys, that firewall HSM
client can run SafeNet client versions 5.4.2 and 6.2.2 and nCipher
nShield client version 12.30. These newer HSM client versions provide
necessary compatibility with newer HSM server versions. Refer to
the HSM vendor documentation for the client-server compatibility matrix
and for any upgrade/downgrade considerations.
is possible that downgrading an HSM server won’t be an option after
you upgrade it. See HSM Client Upgrade and SafeNet HSM Cluster Support
nCipher nShield client
firewall is automatically upgraded from client version 11.62 to
12.30 in PAN-OS® 8.1. The firewall HSM client can support up to
two independent nCipher HSM servers.
SafeNet HSM client
the following information and task to configure your firewall as
View the current running HSM client version by selecting
Select HSM Client Version
(in the Hardware
Security Operations window). When you upgrade from a PAN-OS 8.0
release to PAN-OS 8.1, the firewall will use a specific SafeNet
client version as follows:
If your PAN-OS 8.0 release
uses SafeNet client version 5.2.1, upgrading to PAN-OS 8.1 results
in the firewall using SafeNet client version 5.4.2.
If your PAN-OS 8.0.2 or later PAN-OS 8.0 release uses SafeNet
client version 5.4.2 or 6.2.2, upgrading to PAN-OS 8.1 results in
the firewall using the same SafeNet client version it was using
before the upgrade. If the firewall was using SafeNet client version
5.4.2 and you want to install SafeNet client version 6.2.2, you
can perform the task below after you upgrade to PAN-OS 8.1
the number of SafeNet HSM servers supported in a high availability
(HA) configuration is enhanced from an HA pair of HSMs (two) to
a cluster of up to 16 HSMs. However, the HSM servers in the cluster
must all run the same SafeNet version and must authenticate separately.
Use a SafeNet HSM cluster only when you need to replicate the keys
across the cluster. Alternatively, you can add up to 16 SafeNet
HSM servers that function independently.
HSM client integration
is supported on Panorama and all firewall models except for PA-800
Series, PA-500, PA-220, PA-220-R, and PA-200 firewalls.