Configure API Key Lifetime
Protect API access with API key lifetime and the ability to revoke API keys, in case of a compromise.
The API keys on the firewall and Panorama enable you to authenticate API calls to the XML API and REST API. Because these keys grant access to the firewall and Panorama that are critical elements of your security posture, as a best practice, specify an API key lifetime to enforce regular key rotation. After you specify the key lifetime, when you regenerate an API key, each key is unique.
In addition to setting a key lifetime that prompts you to regenerate new keys periodically, you can also revoke all currently valid API keys in the event one or more keys are compromised. Revoking keys is a way to expire all currently valid keys.
- Select DeviceSetupManagement.
- Edit Authentication Settings to specify the API
Key Lifetime (min).Set the API key lifetime to protect against compromise and to reduce the effects of an accidental exposure. By default, the API key lifetime is set to 0, which means that the keys will never expire. To ensure that your keys are frequently rotated and each key is unique when regenerated, you must specify a validity period that ranges between 1—525600 minutes. Refer to the audit and compliance policies for your enterprise to determine how you should specify the lifetime for which your API keys are valid.
- Commit the changes.
- (To revoke all API keys) Select Expire
all API Keys to reset currently valid API keys.If you have just set a key lifetime and want to reset all API keys to adhere to the new term, you can expire all existing keys. On confirmation, the keys are revoked and you can view the timestamp for when the API Keys Last Expired.
API Key Lifetime
In PAN-OS 9.0 you can use an API key with a limited lifetime allowing you to enforce key rotation at a regular cadence to safeguardyour ...
API Authentication and Security
API Authentication and Security To use the API (XML or REST), you must enable API access for your administrators and get your API key . ...
Get Your API Key
Get Your API Key To use the API, you must generate the API key required for authenticating API calls. Then, when you use this API ...
Configure the Master Key
Configure the Master Key Every firewall and Panorama management server has a default master key that encrypts all the private keys and passwords in the ...
Manage the Licensing API Key
Manage the Licensing API Key To get the API key required to use the licensing API, your account must have super user privileges on the ...
Temporary Master Key Expiration Extension
Extend the life time of the Master Key after expiration. ...
Configure Administrative Accounts and Authentication
Configure Administrative Accounts and Authentication If you have already configured an authentication profile (see Configure an Authentication Profile and Sequence ) or you don’t require ...
Manage the Master Key with Panorama Interconnect
Deploy new, or renew expiring master keys, to firewalls, log collectors, and WF-500 appliances from the Panorama™ management server when using the Panorama Interconnect plugin. ...