Deploy new, or renew expiring master keys, to firewalls,
log collectors, and WF-500 appliances from the Panorama™ management
server.
| Where Can I Use This? | What Do I Need? |
- NGFW (Managed by Panorama)
|
- Device management license
|
Panorama, firewalls, Log Collectors, and WF-500 appliances use a master key
to encrypt sensitive elements in the configuration and they have a default master
key they use to encrypt passwords and configuration elements. As part of a standard
security practice, you should replace the default master key and change the key on
each individual firewall, Log Collector, WildFire appliance, and Panorama before it
expires.
To strengthen your security
posture, configuring a unique master key for Panorama and for each
managed firewall. By configuring unique master keys, you can ensure that
a compromised master key does not compromise the configuration encryption of
your entire deployment. Unique master keys are supported only for
Panorama and managed firewalls. Log Collectors and WildFire appliances
must share the same master key as Panorama. For Panorama or managed
firewalls in a high availability (HA) configuration, you must deploy
the same master key for both HA peers as the master key is not synchronized
across HA peers.
The default encryption algorithm that the master key uses to encrypt data is
AES-256-CBC—the same algorithm that the master key used prior to PAN-OS 10.0.
AES-256-CBC is the default encryption level because when you manage firewalls with
Panorama, the managed firewalls may be on different PAN-OS releases, and firewalls
on PAN-OS releases earlier than PAN-OS 10.0 do not support AES-256-GCM. This is why
Panorama must use the lowest level of encryption that its managed devices can use.
For example, if some managed devices run PAN-OS 10.0 and some run earlier versions,
Panorama must use AES-256-CBC. However, if all managed devices run PAN-OS 10.0 or
later, then Panorama and all of its managed devices can use AES-256-GCM.
Palo Alto Networks recommends using AES 256-GCM level 2 for master key
encryption.
Configuring a unique master key also eases
the operational burden of updating your master keys. By configuring
a unique master key for a managed firewall, you can update each
master key individually without the need to coordinate changing
the master key across a large number of managed firewalls.
When a master key expires, you must enter
the current master key in order to configure a new master key.
Be
sure to keep track of the master key you deploy to your managed
firewalls, Log Collectors, and WildFire appliances because master
keys cannot be recovered. you must reset to factory default if you
cannot provide the current master key when it expires.