Configure the Master Key
Focus
Focus

Configure the Master Key

Table of Contents
End-of-Life (EoL)

Configure the Master Key

Every firewall and Panorama management server has a default master key that encrypts all the private keys and passwords in the configuration to secure them (such as the private key used for SSL Forward Proxy Decryption).
In a high availability (HA) configuration, you must use the same master key on both firewalls or Panorama in the pair. Otherwise, HA synchronization will not work properly.
If you are using Panorama to manage your firewalls, you must configure the same master key on Panorama and all managed firewalls. For managed firewalls in an HA configuration, you must configure the same master key for each HA peer. See Manage the Master Key from Panorama if the firewall is managed by a Panorama™ management server.
Be sure to store the master key in a safe location. You cannot recover the master key and the only way to restore the default master key is to Reset the Firewall to Factory Default Settings.
  1. Backup the configuration.
  2. (HA only) Disable Config Sync (required before deploying a new master key to any firewall HA pair).
    Before you deploy a new master key to any firewall HA pair, you must disable Config Sync. For Panorama-managed firewalls, if you do not disable Config Sync before deploying a new master key, Panorama loses connectivity to the primary firewall.
    1. Select DeviceHigh AvailabilityGeneral and edit the Setup.
    2. Disable (clear) Enable Config Sync and then click OK.
    3. Commit your configuration changes.
  3. Select DeviceMaster Key and Diagnostics and edit the Master Key section.
  4. Enter the Current Master Key if one exists.
  5. Define a new New Master Key and then Confirm New Master Key. The key must contain exactly 16 characters.
  6. To specify the master key Lifetime, enter the number of Days and/or Hours after which the key will expire.
    You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings.
  7. Enter a Time for Reminder that specifies the number of Days and Hours before the master key expires when the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to display the alarm.
    To ensure the expiration alarm displays, select DeviceLog Settings, edit the Alarm Settings, and Enable Alarms.
  8. Enable Auto Renew Master Key to configure the firewall to automatically renew the master key. To configure Auto Renew With Same Master Key, specify the number of Days and/or Hours to renew the same master key. The key extension allows the firewall to remain operational and continue securing your network; it is not a replacement for configuring a new key if the existing master key lifetime expires soon.
    Consider the number of days until your next available maintenance window when configuring the master key to automatically renew after the lifetime of the key expires.
  9. (Optional) For added security, select whether to use an HSM to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.
  10. Click OK and Commit.
  11. (HA only) Re-enable Config Sync.
    1. Select DeviceHigh AvailabilityGeneral and edit the Setup.
    2. Enable (check) Enable Config Sync and then click OK.
    3. Commit your configuration changes.