: KMS Support for VM-Series
Focus
Focus

KMS Support for VM-Series

Table of Contents

KMS Support for VM-Series

Integrate cloud-native key managers to store certificates.
This release integrates cloud-native key managers, Azure Key Vault and AWS Secrets Manager, to store certificates for VM-Series firewalls. Decryption policy rules are configured using Panorama or the CLI.
For environments using auto scaling, VM-Series instances boot up in a state with the necessary certificates retrieved and ready to decrypt traffic without additional manual configuration.
Consider the following when integrating cloud-native key managers:
  • Use a certificate in cloud-native key manager for outbound or inbound decryption.
  • Specify the key manager stored certificate as part of the bootstrap.
  • Specify the key manager-stored certificate as part of the decryption policy on PAN-OS (using VM-Series or through Panorama).
  • Add new certificates, or edit an existing certificate of a decryption profile at any time.
  • View and clear logs containing information about certificates in decryption profiles.
  • You don't have to specify platform-specific information beyond certificate details. The VM-Series instance uses the appropriate APIs to communicate with the platform’s native key manager.
    Azure Key Vault integration is only applicable to Azure rulestack policy management and isn't supported for Panorama managed Cloud NGFW.