KMS Support for VM-Series
Integrate cloud-native key managers to store certificates.
This release integrates cloud-native key managers, Azure Key Vault and AWS Secrets Manager, to
store certificates for VM-Series firewalls. Decryption policy rules are configured using
Panorama or the CLI.
For environments using auto scaling, VM-Series instances boot up in a state with the necessary
certificates retrieved and ready to decrypt traffic without additional manual
configuration.
Consider the following when integrating cloud-native key managers:
Use a certificate stored in a cloud-native key manager for outbound or inbound decryption.
Specify the key manager-stored certificate as part of the bootstrap.
Specify the key manager-stored certificate as part of the decryption policy on PAN-OS (directly on the VM-Series firewall or through Panorama).
Add new certificates, or edit an existing certificate of a decryption profile, at any time.
View and clear logs containing information about the certificates in decryption profiles.
You don't have to specify platform-specific information beyond certificate details. The VM-Series
instance uses the appropriate APIs to communicate with the platform’s native key
manager.
Azure Key Vault integration is only applicable to Azure rulestack policy management and isn't supported for Panorama-managed Cloud NGFW.