HSM Client Upgrade and SafeNet HSM Cluster Support

PAN-OS® 8.1 supports Thales nShield client 12.30 and SafeNet client versions 5.4.2 and 6.2.2. SafeNet HSM servers support an HA cluster of up to 16 HSMs.
When you use your firewall as a hardware security module (HSM) client to manage your digital keys, that firewall HSM client can run SafeNet client versions 5.4.2 and 6.2.2 and Thales nShield client version 12.30. These newer HSM client versions provide necessary compatibility with newer HSM server versions. Refer to the HSM vendor documentation for the client-server compatibility matrix and for any upgrade/downgrade considerations.
It is possible that downgrading an HSM server won’t be an option after you upgrade it. See HSM Client Upgrade and SafeNet HSM Cluster Support in Upgrade/Downgrade Considerations.
Thales nShield client—Your firewall is automatically upgraded from client version 11.62 to 12.30 in PAN-OS® 8.1. The firewall HSM client can support up to two independent Thales HSM servers.
SafeNet HSM client—Use the following information and task to configure your firewall as needed.
View the current running HSM client version by selecting Device > Setup > HSM and then Select HSM Client Version (in the Hardware Security Operations window). When you upgrade from a PAN-OS 8.0 release to PAN-OS 8.1, the firewall will use a specific SafeNet client version as follows:
  • If your PAN-OS 8.0 release uses SafeNet client version 5.2.1, upgrading to PAN-OS 8.1 results in the firewall using SafeNet client version 5.4.2.
  • If your PAN-OS 8.0.2 or later PAN-OS 8.0 release uses SafeNet client version 5.4.2 or 6.2.2, upgrading to PAN-OS 8.1 results in the firewall using the same SafeNet client version it was using before the upgrade. If the firewall was using SafeNet client version 5.4.2 and you want to install SafeNet client version 6.2.2, you can perform the task below after you upgrade to PAN-OS 8.1.
Additionally, the number of SafeNet HSM servers supported in a high availability (HA) configuration is enhanced from an HA pair of HSMs (two) to a cluster of up to 16 HSMs. However, the HSM servers in the cluster must all run the same SafeNet version and must authenticate separately. Use a SafeNet HSM cluster only when you need to replicate the keys across the cluster. Alternatively, you can add up to 16 SafeNet HSM servers that function independently.
HSM client integration is supported on Panorama and all firewall models except for PA-800 Series, PA-500, PA-220, PA-220-R, and PA-200 firewalls.
  1. Install the SafeNet Client RPM Packet Manager as described when you Set Up Connectivity with an HSM.
  2. Set up connectivity with SafeNet HSM servers as described when you Set Up Connectivity with a SafeNet Network HSM. You can establish HA with a cluster of up to 16 HSM servers.
