Set Up Connectivity with an HSM
HSM clients are integrated with PA-3000 Series, PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM-Series firewalls and with the Panorama management server (both virtual and M-Series appliances) for use with the following HSM vendors:
- Thales nShield Connect—PAN-OS 9.0 and 8.1 support Thales nShield client version 12.30. PAN-OS 8.0 and earlier releases support client version 11.62, instead.
- SafeNet Network—The supported client versions depend on the PAN-OS release:
  - PAN-OS 9.0—SafeNet Network client versions 5.4.2 and 6.3.
  - PAN-OS 8.1—SafeNet Network client versions 5.4.2 and 6.2.2.
  - PAN-OS 8.0.2 and later PAN-OS 8.0 releases (also PAN-OS 7.1.10 and later PAN-OS 7.1 releases)—SafeNet Network client versions 5.2.1, 5.4.2, and 6.2.2.
The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix. On the firewall or Panorama, use the following procedure to select the SafeNet Network client version that is compatible with your SafeNet HSM server.
Downgrading HSM servers might not be an option after you upgrade them.
- Install the SafeNet Client RPM Package.
- Select Device > Setup > HSM and click Select HSM Client Version (in the Hardware Security Operations settings).
- Select Version 5.4.2 (default) or 6.2.2 as appropriate for your HSM server version.
- Click OK.
- (Required only if you change the HSM version on the firewall) If the version change succeeds, the firewall prompts you to reboot to change to the new HSM version. If prompted, click Yes.
- If the master key isn’t on the firewall, the client version upgrade will fail. Close the message and make the master key local to the firewall:
  - Edit the Hardware Security Module Provider and disable (clear) the Master Key Secured by HSM option.
  - Click OK.
  - Select Device > Master Key and Diagnostics to edit the Master Key.
  - Enter the Current Master Key; you can then enter that same key to be the New Master Key and then Confirm New Master Key.
  - Click OK.
- Repeat the first four steps to Select HSM Client Version and reboot again.