Configure the Master Key

Every firewall and Panorama management server has a default master key that encrypts all the private keys and passwords in the configuration to secure them (such as the private key used for SSL Forward Proxy Decryption).
In a high availability (HA) configuration, you must use the same master key on both firewalls or Panorama in the pair. Otherwise, HA synchronization will not work properly.
Additionally, if you are using Panorama to manage your firewalls, you must use the same master key on Panorama and all managed firewalls so that Panorama can push configurations to the firewalls.
Be sure to store the master key in a safe location. You cannot recover the master key and the only way to restore the default master key is to Reset the Firewall to Factory Default Settings.
  1. (
    HA only
    ) Disable HA.
    This step is required before you can deploy a new master key to a firewall HA pair. If you do not disable HA before deploying a new master key, Panorama will lose connectivity to the primary firewall.
    1. Select
      Device
      High Availability
      General
      and edit the Setup.
    2. Disable (clear) the
      Enable HA
      setting and click
      OK
      .
    3. Commit
      your configuration changes.
  2. Select
    Device
    Master Key and Diagnostics
    and edit the Master Key section.
  3. Enter the
    Current Master Key
    if one exists.
  4. Define a new
    New Master Key
    and then
    Confirm New Master Key
    . The key must contain exactly 16 characters.
  5. To specify the master key
    Lifetime
    , enter the number of
    Days
    and/or
    Hours
    after which the key will expire.
    You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings.
  6. Enter a
    Time for Reminder
    that specifies the number of
    Days
    and
    Hours
    before the master key expires when the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to display the alarm.
    To ensure the expiration alarm displays, select
    Device
    Log Settings
    , edit the Alarm Settings, and
    Enable Alarms
    .
  7. Enable
    Auto Renew Master Key
    to configure the firewall to automatically renew the master key. To configure
    Auto Renew With Same Master Key
    , specify the number of
    Days
    and/or
    Hours
    to renew the same master key. The key extension allows the firewall to remain operational and continue securing your network; it is not a replacement for configuring a new key if the existing master key lifetime expires soon.
    Consider the number of days until your next available maintenance window when configuring the master key to automatically renew after the lifetime of the key expires.
  8. (
    Optional
    ) For added security, select whether to use an
    HSM
    to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.
  9. Click
    OK
    and
    Commit
    .
  10. (
    HA only
    ) Re-enable HA.
    1. Select
      Device
      High Availability
      General
      and edit the Setup.
    2. Select
      Enable HA
      and click
      OK
      .
    3. Commit
      your configuration changes.

Recommended For You