HSM Client Upgrade and SafeNet HSM Cluster Support
PAN-OS® 8.1 supports Thales nShield client 12.30 and SafeNet client versions 5.4.2 and 6.2.2. SafeNet HSM servers support an HA cluster of up to 16 HSMs.
When you use your firewall as a hardware security module (HSM) client to manage your digital keys, that firewall HSM client can run SafeNet client versions 5.4.2 and 6.2.2 and Thales nShield client version 12.30. These newer HSM client versions provide necessary compatibility with newer HSM server versions. Refer to the HSM vendor documentation for the client-server compatibility matrix and for any upgrade/downgrade considerations.
It is possible that downgrading an HSM server won’t be an option after you upgrade it. See HSM Client Upgrade and SafeNet HSM Cluster Support in Upgrade/Downgrade Considerations.
Thales nShield client—Your firewall is automatically upgraded from client version 11.62 to 12.30 in PAN-OS® 8.1. The firewall HSM client can support up to two independent Thales HSM servers.
SafeNet HSM client—Use the following information and task to configure your firewall as needed.
View the current running HSM client version by selecting Device > Setup > HSM and then Select HSM Client Version (in the Hardware Security Operations window). When you upgrade from a PAN-OS 8.0 release to PAN-OS 8.1, the firewall will use a specific SafeNet client version as follows:
- If your PAN-OS 8.0 release uses SafeNet client version 5.2.1, upgrading to PAN-OS 8.1 results in the firewall using SafeNet client version 5.4.2.
- If your PAN-OS 8.0.2 or later PAN-OS 8.0 release uses SafeNet client version 5.4.2 or 6.2.2, upgrading to PAN-OS 8.1 results in the firewall using the same SafeNet client version it was using before the upgrade. If the firewall was using SafeNet client version 5.4.2 and you want to install SafeNet client version 6.2.2, you can perform the task below after you upgrade to PAN-OS 8.1.
Additionally, the number of SafeNet HSM servers supported in a high availability (HA) configuration increases from an HA pair of HSMs (two) to a cluster of up to 16 HSMs. However, the HSM servers in the cluster must all run the same SafeNet version and must authenticate separately. Use a SafeNet HSM cluster only when you need to replicate the keys across the cluster. Alternatively, you can add up to 16 SafeNet HSM servers that function independently.
HSM client integration is supported on Panorama and all firewall models except for PA-800 Series, PA-500, PA-220, PA-220-R, and PA-200 firewalls.