Block sessions if HSM not available—If you use a Hardware Security Module (HSM) to store your private keys, whether you enable this setting depends on your compliance rules about where the private key must reside and on how you want to handle encrypted traffic when the HSM is unavailable. For example, if your company mandates that private key signing be performed by an HSM, block sessions when the HSM is unavailable. If your company is less strict about this, you can consider not blocking sessions when the HSM is unavailable. (If the HSM is down, the firewall can still decrypt sessions for sites for which it has cached the HSM's response, but not for other sites.) The best practice in this case depends on your company's policies. If the HSM is critical to your business, run the HSM in a high-availability (HA) pair (PAN-OS 8.1 supports two members in an HSM HA pair).