Set Up Connectivity with a SafeNet Network HSM

To set up connectivity between the Palo Alto Networks firewall (HSM client) and a SafeNet Network HSM server, you must specify the IP address of the server, enter a password for authenticating the firewall to the server, and then register the firewall with the server. Before you begin configuring your HSM client, create a partition for the firewall on the HSM server and then confirm that the SafeNet Network client version on the firewall is compatible with your SafeNet Network HSM server (see Set Up Connectivity with an HSM).
Before the HSM and firewall connect, the HSM authenticates the firewall based on the firewall IP address. Therefore, you must configure the firewall to use a static IP address—not a dynamic address assigned through DHCP. Operations on the HSM stop working if the firewall IP address changes during runtime.
HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA configurations, you must manually perform one failover to individually configure and authenticate each HA peer to the HSM. After this initial manual failover, user interaction is not required for failover to function properly.
  1. Define connection settings for each SafeNet Network HSM.
    1. Log in to the firewall web interface and select Device > Setup > HSM.
    2. Edit the Hardware Security Module Provider settings and set the Provider Configured to SafeNet Network HSM.
    3. Add each HSM server as follows. A high availability (HA) HSM configuration requires at least two servers; you can have a cluster of up to 16 HSM servers. All HSM servers in the cluster must run the same SafeNet version and must authenticate separately. You should use a SafeNet cluster only when you want to replicate the keys across the cluster. Alternatively, you can add up to 16 SafeNet HSM servers to function independently.
      1. Enter a Module Name (an ASCII string of up to 31 characters) for the HSM server.
      2. Enter an IPv4 address for the HSM Server Address.
    4. (HA only) Select High Availability, specify the Auto Recovery Retry value (maximum number of times the HSM client tries to recover its connection to an HSM server before failing over to an HSM HA peer server; range is 0 to 500; default is 0), and enter a High Availability Group Name (an ASCII string up to 31 characters long).
      If you configure two or more HSM servers, the best practice is to enable High Availability. Otherwise the firewall does not use the additional HSM servers.
    5. Click OK and Commit your changes.
  2. (Optional) Configure a service route to connect to the HSM if you don’t want the firewall to connect through the Management interface (default).
    If you configure a service route for the HSM, running the clear session all CLI command clears all existing HSM sessions, which brings all HSM states down and then up again. During the several seconds required for the HSM to recover, all SSL/TLS operations fail.
    1. Select Device > Setup > Services and click Service Route Configuration.
    2. Customize a service route. The IPv4 tab is active by default.
    3. Click HSM in the Service column.
    4. Select a Source Interface for the HSM.
    5. Click OK and Commit your changes.
  3. Configure the firewall to authenticate to the HSM.
    1. Select Device > Setup > HSM and Setup Hardware Security Module.
    2. Select the HSM Server Name.
    3. Enter the Administrator Password to authenticate the firewall to the HSM.
    4. Click OK.
      The firewall tries to authenticate to the HSM and displays a status message.
    5. Click OK again.
  4. Register the firewall as an HSM client with the HSM server and assign the firewall to a partition on the HSM server.
    If the HSM already has a firewall registered with the same <cl-name>, you must first remove the duplicate registration by running the client delete -client <cl-name> command, where <cl-name> is the name of the registered client (firewall) you want to delete.
    1. Log in to the HSM from a remote system.
    2. Register the firewall using the client register -c <cl-name> -ip <fw-ip-addr> CLI command, where <cl-name> is a name that you assign to the firewall for use on the HSM and <fw-ip-addr> is the IP address of that firewall.
    3. Assign a partition to the firewall using the client assignpartition -c <cl-name> -p <partition-name> CLI command, where <cl-name> is the name you assigned to the firewall using the client register command and <partition-name> is the name of a previously configured partition that you want to assign to this firewall.
  5. Configure the firewall to connect to the HSM partition.
    1. Select Device > Setup > HSM and refresh the display.
    2. Select Setup HSM Partition (Hardware Security Operations settings).
    3. Enter the Partition Password to authenticate the firewall to the partition on the HSM.
    4. Click OK.
  6. (HA only) Repeat the previous authentication, registration, and partition connection steps to add another HSM to the existing HA group.
    If you remove an HSM from your configuration, repeat the previous partition connection step to remove the deleted HSM from the HA group.
  7. Verify firewall connectivity and authentication with the HSM.
    1. Select Device > Setup > HSM and check the authentication and connection Status:
      • Green—The firewall is successfully authenticated and connected to the HSM.
      • Red—The firewall failed to authenticate to the HSM or network connectivity to the HSM is down.
    2. View the following columns in Hardware Security Module Status to determine the authentication status:
      • Serial Number—The serial number of the HSM partition if the firewall successfully authenticated to the HSM.
      • Partition—The partition name on the HSM that is assigned to the firewall.
      • Module State—The current state of the HSM connection. This value is always Authenticated if the Hardware Security Module Status displays the HSM.
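As an added example (not Palo Alto Networks or SafeNet code), the following Python helper checks the step 1 settings against the limits stated in this procedure before you commit them, and emits the lunash commands from step 4 for a given firewall. All client names, addresses and partition names in it are constructed; the firewall address is assumed to be the static address the HSM authenticates.

```python
# Added example, not Palo Alto Networks or SafeNet code: checks the SafeNet
# Network HSM settings from step 1 against the limits the procedure states and
# emits the lunash commands from step 4. All names and addresses are constructed.
import ipaddress

MAX_SERVERS, MAX_NAME_LEN, MAX_RETRY = 16, 31, 500  # limits stated in the procedure

def _valid_name(name):
    # Module Name and High Availability Group Name: non-empty ASCII, up to 31 chars
    return 0 < len(name) <= MAX_NAME_LEN and name.isascii()

def _ipv4(text):
    try:
        return ipaddress.ip_address(text).version == 4
    except ValueError:
        return False

def validate(servers, ha=False, auto_recovery_retry=0, ha_group_name=""):
    """servers: list of (module_name, server_address). Returns a list of problems."""
    problems = []
    if not 1 <= len(servers) <= MAX_SERVERS:
        problems.append(f"need 1 to {MAX_SERVERS} HSM servers, got {len(servers)}")
    for name, addr in servers:
        if not _valid_name(name):
            problems.append(f"bad Module Name {name!r}")
        if not _ipv4(addr):
            problems.append(f"Server Address {addr!r} is not an IPv4 address")
    if ha:
        if len(servers) < 2:
            problems.append("High Availability requires at least two HSM servers")
        if not 0 <= auto_recovery_retry <= MAX_RETRY:
            problems.append(f"Auto Recovery Retry must be 0-{MAX_RETRY}")
        if not _valid_name(ha_group_name):
            problems.append("bad High Availability Group Name")
    elif len(servers) > 1:
        # best practice from step 1.4: without HA the extra servers are not used
        problems.append("more than one server without HA: the extra servers are unused")
    return problems

def registration_commands(client_name, fw_ip, partition_name):
    """lunash commands for step 4; fw_ip must be the firewall's static IP address."""
    if not _valid_name(client_name):
        raise ValueError("client name must be non-empty ASCII")
    ipaddress.ip_address(fw_ip)  # raises ValueError if not a valid IP address
    return [f"client register -c {client_name} -ip {fw_ip}",
            f"client assignpartition -c {client_name} -p {partition_name}"]

if __name__ == "__main__":
    print(validate([("hsm1", "10.0.0.5"), ("hsm2", "10.0.0.6")], ha=True,
                   auto_recovery_retry=3, ha_group_name="hsm-ha"))
    print("\n".join(registration_commands("fw01", "10.0.0.10", "fw01-part")))
```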
