Protect API access with API key lifetime and the ability
to revoke API keys, in case of a compromise.
The API keys on the firewall and Panorama
enable you to authenticate API calls to the XML API and REST API.
Because these keys grant access to the firewall and Panorama that
are critical elements of your security posture, as a best practice,
specify an API key lifetime to enforce regular key rotation. After
you specify the key lifetime, when you regenerate an API key, each
key is unique.
In addition to setting a key lifetime that
prompts you to regenerate new keys periodically, you can also revoke
all currently valid API keys in the event one or more keys are compromised.
Revoking keys is a way to expire all currently valid keys.
Select DeviceSetupManagement.
Edit Authentication Settings to specify the API
Key Lifetime (min).
Set
the API key lifetime to protect against compromise and to reduce
the effects of an accidental exposure. By default, the API key lifetime
is set to 0, which means that the keys will never expire. To ensure
that your keys are frequently rotated and each key is unique when
regenerated, you must specify a validity period that ranges between
1—525600 minutes. Refer to the audit and compliance policies for
your enterprise to determine how you should specify the lifetime
for which your API keys are valid.
Commit the changes.
(To revoke all API keys) Select Expire
all API Keys to reset currently valid API keys.
If you have just set a key lifetime and want to reset all
API keys to adhere to the new term, you can expire all existing
keys.
On confirmation,
the keys are revoked and you can view the timestamp for when the API
Keys Last Expired.
