Configure API Key Lifetime

Protect API access by setting an API key lifetime and by revoking API keys in case of a compromise.
The API keys on the firewall and Panorama enable you to authenticate API calls to the XML API and REST API. Because these keys grant access to the firewall and Panorama, which are critical elements of your security posture, as a best practice, specify an API key lifetime to enforce regular key rotation. After you specify the key lifetime, each key is unique when you regenerate it.
In addition to setting a key lifetime that prompts you to regenerate new keys periodically, you can also revoke all currently valid API keys in the event one or more keys are compromised. Revoking keys is a way to expire all currently valid keys.
  1. Select Device > Setup > Management.
  2. Edit Authentication Settings to specify the API Key Lifetime (min).
    Set the API key lifetime to protect against compromise and to reduce the effects of an accidental exposure. By default, the API key lifetime is set to 0, which means that the keys never expire. To ensure that your keys are frequently rotated and that each key is unique when regenerated, you must specify a validity period between 1 and 525600 minutes. Refer to the audit and compliance policies for your enterprise to determine the lifetime for which your API keys should be valid.
  3. Commit the changes.
  4. (To revoke all API keys) Select Expire all API Keys to reset currently valid API keys.
    If you have just set a key lifetime and want to reset all API keys to adhere to the new term, you can expire all existing keys.
    On confirmation, the keys are revoked and you can view the timestamp for when the API Keys Last Expired.
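
To check the setting across many devices, the rules above (0 means keys never expire, valid lifetimes are 1 to 525600 minutes, and the enterprise policy sets the practical limit) can be applied to exported configurations. The following is an added example, not part of the product documentation. The element path, the 90-day policy limit, the device names and the sample configurations are assumptions constructed for illustration; confirm the path against your own export.

```python
import xml.etree.ElementTree as ET

# Assumed location of the setting in an exported configuration (verify locally).
LIFETIME_PATH = ".//deviceconfig/setting/management/api/key/lifetime"
MAX_LIFETIME_MIN = 525600        # upper bound stated in the documentation
POLICY_MAX_MIN = 90 * 24 * 60    # hypothetical enterprise policy: 90 days

def audit_api_key_lifetime(config_xml, policy_max=POLICY_MAX_MIN):
    """Return (status, minutes) for one exported configuration."""
    node = ET.fromstring(config_xml).find(LIFETIME_PATH)
    text = (node.text or "").strip() if node is not None else ""
    if not text:
        return ("never-expires", 0)      # absent element treated as the default of 0
    try:
        minutes = int(text)
    except ValueError:
        return ("invalid", None)
    if minutes == 0:
        return ("never-expires", 0)      # keys stay valid until revoked
    if not 1 <= minutes <= MAX_LIFETIME_MIN:
        return ("invalid", minutes)
    if minutes > policy_max:
        return ("exceeds-policy", minutes)
    return ("ok", minutes)

def sample_config(lifetime):
    """Build a constructed, minimal configuration for the demonstration."""
    api = "" if lifetime is None else (
        f"<api><key><lifetime>{lifetime}</lifetime></key></api>")
    return ("<config><devices><entry name='localhost.localdomain'>"
            f"<deviceconfig><setting><management>{api}</management></setting>"
            "</deviceconfig></entry></devices></config>")

# Constructed sample data: hypothetical device names mapped to configurations.
SAMPLES = {
    "fw-a": sample_config(None),      # lifetime never configured
    "fw-b": sample_config(0),         # explicitly set to never expire
    "fw-c": sample_config(43200),     # 30 days
    "fw-d": sample_config(525600),    # maximum allowed, above the policy limit
    "fw-e": sample_config("abc"),     # corrupted value
}

def audit_all(samples=SAMPLES):
    return {name: audit_api_key_lifetime(xml) for name, xml in samples.items()}

if __name__ == "__main__":
    for name, (status, minutes) in audit_all().items():
        print(f"{name}: {status} ({minutes} min)")
```

Devices reported as never-expires or exceeds-policy are the ones to reconfigure, followed by Expire all API Keys so that existing keys adhere to the new term.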
