Device > Master Key and Diagnostics
Table of Contents
Expand all | Collapse all
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption > Forwarding Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
End-of-Life (EoL)
Device > Master Key and Diagnostics
- DeviceMaster Key and Diagnostics
- PanoramaMaster Key and Diagnostics
Edit the master key that encrypts all passwords and private keys
on the firewall or Panorama (such as the RSA key for authenticating
administrators who access the CLI). Encrypting passwords and keys
improves security by ensuring their plaintext values are not exposed
anywhere on the firewall or Panorama.
The only way to restore the default master key is to perform
a factory reset
.
Palo Alto Networks recommends you configure a new master key
instead of using the default key, store the key in a safe location,
and periodically change it. For extra privacy, you can use a hardware
security module to encrypt the master key (see Device
> Setup > HSM). Configuring a unique master key on each firewall
or Panorama management server ensures that an attacker who learns
the master key for one appliance cannot access the passwords and
private keys on any of your other appliances. However, you must
use the same master key across multiple appliances in the following
cases:
- High availability (HA) configurations—If you deploy firewalls or Panorama in an HA configuration, use the same master key on both firewalls or Panorama management servers in the pair. Otherwise, HA synchronization does not work.
- Panorama pushes configurations to firewalls—If you use Panorama to push configurations to managed firewalls, use the same master key on Panorama and the managed firewalls. Otherwise, push operations from Panorama will fail.
To configure a master key, edit the Master Key settings and use
the following table to determine the appropriate values:
Master Key and Diagnostics Settings | Description |
---|---|
Master Key | Enable to configure a unique master key.
Disable (clear) to use the default master key. |
Current Master Key | Specify the key that is currently used to
encrypt all of the private keys and passwords on the firewall. |
New Master Key Confirm Master Key | To change the master key, enter a 16-character
string and confirm the new key. |
Life Time | Specify the number of Days and Hours after
which the master key expires. Range is 1 to 438,000 days (50 years). You
must configure a new master key before the current key expires.
If the master key expires, the firewall or Panorama automatically
reboots in Maintenance mode. You must then perform a factory reset Set the Lifetime to
two years or less, depending on how many encryptions the device
performs. The more encryptions a device performs, the short the Lifetime you
should set. The critical consideration is to not run out of unique
encryptions before you change the master key. Each master key can
provide up to 2^^32 unique encryptions and then encryptions repeat,
which is a security risk. Set a Time for Reminder for
the master key and when the reminder notification occurs, change
the master key. |
Time for Reminder | Enter the number of Days and Hours before
the master key expires when the firewall generates an expiration
alarm. The firewall automatically opens the System Alarms dialog
to display the alarm. Set the reminder
so that it gives you plenty of time to configure a new master key
before it expires in a scheduled maintenance window. When the Time
for Reminder expires and the firewall or Panorama sends
a notification log, change the master key, don’t wait for the Lifetime to
expire. For grouped devices, track every device (e.g., firewalls
that Panorama manages and firewall HA pairs) and when the reminder
value expires for the any device in the group, change the master
key. To ensure the expiration alarm displays, select DeviceLog Settings,
edit the Alarm Settings, and Enable Alarms. |
Stored on HSM | Enable this option only if the master key
is encrypted on a Hardware Security Module (HSM). You cannot use
HSM on a dynamic interface such as a DHCP client or PPPoE. The
HSM configuration is not synchronized between peer firewalls in
HA mode. Therefore, each peer in an HA pair can connect to a different
HSM source. If you are using Panorama and need to keep both peer
configurations in sync, use Panorama templates to configure the
HSM source on the managed firewalls. The PA-220 does not support
HSM. |
Auto Renew Master Key | Enable to automatically renew the master
key for a specified number of days and hours. Disable (clear) to
allow the master key to expire after the configured key life time. Auto
Renew with Same Master Key by specifying the number
of Days and Hours by
which to extend the master key encryption (range is 1 hour to 730
days). If you enable Auto
Renew Master Key, set it so that the total time (lifetime
plus the auto renew time) does not cause the device to run out of
unique encryptions. For example, if you believe the device will
consume the master key’s number of unique encryptions in two and
a half years, you could set the Lifetime for
two years, set the Time for Reminder to 60
days, and set the Auto Renew Master Key for
60-90 days to provide the extra time to configure a new master key
before the Lifetime expires. However, the
best practice is still to change the master key before the lifetime
expires to ensure that no device repeats encryptions. |
Common Criteria | In Common Criteria mode, additional options
are available to run a cryptographic algorithm self-test and software
integrity self-test. A scheduler is also included to specify the
times at which the two self-tests will run. |