Unique Master Key for a Managed Firewall

Configure a unique master key for the Panorama™ management server and for each managed firewall.
Strengthen your security posture by configuring a unique master key for your Panorama™ management server and for each managed firewall. By configuring unique master keys, you can ensure that a compromised master key does not compromise the configuration encryption for your entire deployment. Unique master keys are supported only for Panorama and managed firewalls. Log Collectors and WildFire appliances must share the same master key as Panorama. For Panorama or managed firewalls in a high availability (HA) configuration, you must deploy the same master key to both HA peers because the master key is not synchronized across HA peers. Panorama and managed firewalls support the deployment of unique master keys by default on upgrade to PAN-OS 10.1.
Configuring a unique master key also eases the operational burden of updating your master keys. By configuring a unique master key for a managed firewall, you can update each master key individually without the need to coordinate changing the master key across a large number of managed firewalls.
  1. Log in to the Panorama web interface.
  2. (Optional) Select Device > Master Key and Diagnostics and edit the Master Key setting to Auto Renew With Same Master Key for your managed firewalls.
    Configure this setting to automatically renew the master key deployed on the managed firewalls associated with the selected template. Otherwise, the master key expires per the configured master key lifetime and you must deploy a new master key.
  3. Configure a unique master key for a managed firewall.
    1. Select Panorama > Managed Devices > Summary and Deploy Master Key.
    2. Select a managed firewall and Change the master key.
      If you want to deploy a unique master key for a specific set of managed firewalls, you can select those specific managed firewalls as well.
    3. Configure the master key.
    4. Review the Last Master Key Push column to verify that the master key was deployed successfully to all selected managed firewalls.
      A System log is generated when you deploy a new master key from Panorama.
  4. Select Panorama > Master Key and Diagnostics and configure a unique master key for Panorama.
  5. (Optional) Select Panorama > Master Key and Diagnostics and edit the Master Key setting to configure the Panorama master key to Auto Renew With Same Master Key.
    Configure this setting to automatically renew the master key deployed on Panorama. Otherwise, the master key expires per the configured master key lifetime and you must deploy a new master key.
  6. Select Commit and then Commit and Push.
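
Before deploying keys, a key assignment plan can be checked against the constraints stated above (HA peers share a key, Log Collectors and WildFire appliances use the Panorama key, independent devices do not reuse a key). The following is an added example, not Palo Alto Networks code; the inventory format, field names, and device names are assumptions, and `key_id` is a label for a key held in a vault, never the key itself.

```python
"""Pre-deployment check of a master key assignment plan (constructed example)."""
from collections import defaultdict

# Constructed inventory; all names and key labels are hypothetical.
PLAN = [
    {"name": "panorama-a", "role": "panorama", "ha_group": "pano-ha", "key_id": "mk-pano"},
    {"name": "panorama-b", "role": "panorama", "ha_group": "pano-ha", "key_id": "mk-pano"},
    {"name": "lc-01", "role": "log-collector", "ha_group": None, "key_id": "mk-pano"},
    {"name": "wf-01", "role": "wildfire", "ha_group": None, "key_id": "mk-fw-edge"},
    {"name": "fw-edge-a", "role": "firewall", "ha_group": "edge-ha", "key_id": "mk-fw-edge"},
    {"name": "fw-edge-b", "role": "firewall", "ha_group": "edge-ha", "key_id": "mk-fw-edge-b"},
    {"name": "fw-branch-1", "role": "firewall", "ha_group": None, "key_id": "mk-fw-branch"},
    {"name": "fw-branch-2", "role": "firewall", "ha_group": None, "key_id": "mk-fw-branch"},
]

def check_plan(plan):
    """Return sorted (finding, subject) tuples for a key assignment plan."""
    findings = []
    # An HA pair is one unit; a standalone device is its own unit.
    units = defaultdict(list)
    for dev in plan:
        units[dev["ha_group"] or dev["name"]].append(dev)

    # HA peers must carry the same key: it is not synchronized between peers.
    for unit, members in units.items():
        if len({m["key_id"] for m in members}) > 1:
            findings.append(("ha-mismatch", unit))

    # Log Collectors and WildFire appliances must share Panorama's key.
    pano_keys = {d["key_id"] for d in plan if d["role"] == "panorama"}
    for dev in plan:
        if dev["role"] in ("log-collector", "wildfire") and dev["key_id"] not in pano_keys:
            findings.append(("must-match-panorama", dev["name"]))

    # Advisory: a key reused by independent units widens the impact of one
    # compromised key, which is what unique master keys are meant to prevent.
    key_users = defaultdict(set)
    for unit, members in units.items():
        for m in members:
            if m["role"] in ("panorama", "firewall"):
                key_users[m["key_id"]].add(unit)
    findings += [("shared-key", k) for k, u in key_users.items() if len(u) > 1]
    return sorted(findings)

if __name__ == "__main__":
    for finding, subject in check_plan(PLAN):
        print(f"{finding}: {subject}")
```
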