Device > Master Key and Diagnostics
End-of-Life (EoL)
These settings are available at:
- Device > Master Key and Diagnostics
- Panorama > Master Key and Diagnostics
Edit the master key that encrypts all passwords and private keys
on the firewall or Panorama (such as the RSA key for authenticating administrators
who access the CLI). Encrypting passwords and keys improves security
by ensuring their plaintext values are not exposed anywhere on the
firewall or Panorama.
The only way to restore the default master key is to perform a factory reset.
Palo Alto Networks recommends you configure a new master key
instead of using the default key, store the key in a safe location,
and periodically change it. For extra privacy, you can use a hardware
security module to encrypt the master key (see Device > Setup > HSM).
Configuring a unique master key on each firewall
or Panorama management server ensures that an attacker who learns
the master key for one appliance cannot access the passwords and
private keys on any of your other appliances. However, you must
use the same master key across multiple appliances in the following
cases:
- High availability (HA) configurations—If you deploy firewalls or Panorama in an HA configuration, use the same master key on both firewalls or Panorama management servers in the pair. Otherwise, HA synchronization does not work.
- Panorama pushes configurations to firewalls—If you use Panorama to push configurations to managed firewalls, use the same master key on Panorama and the managed firewalls. Otherwise, push operations from Panorama will fail.
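The two sharing rules above can be applied to an inventory to see which appliances are forced onto one master key and, conversely, how far a single learned key would reach. The following Python is an added example, not Palo Alto Networks code; the inventory, the field names `ha_peer` and `managed_by`, and the function names are constructed for illustration.

```python
"""Master-key sharing domains for a fleet of firewalls and Panorama servers.

Added example, not Palo Alto Networks code. It applies the two rules from the
text: HA peers must share one master key, and Panorama must share its master key
with every firewall it pushes configuration to. Every other appliance should have
a unique key, so the result also shows how far a single leaked key would reach.
"""
from collections import defaultdict

# Constructed inventory for illustration. Field names are assumptions:
#   ha_peer    -> name of the HA peer, or None
#   managed_by -> name of the Panorama that pushes configuration, or None
INVENTORY = {
    "pano-1":    {"ha_peer": "pano-2",  "managed_by": None},
    "pano-2":    {"ha_peer": "pano-1",  "managed_by": None},
    "fw-dc-a":   {"ha_peer": "fw-dc-b", "managed_by": "pano-1"},
    "fw-dc-b":   {"ha_peer": "fw-dc-a", "managed_by": None},
    "fw-branch": {"ha_peer": None,      "managed_by": "pano-1"},
    "fw-lab":    {"ha_peer": None,      "managed_by": None},  # standalone appliance
}


def master_key_domains(inventory):
    """Return sorted groups of appliance names; each group must share one master key.

    Uses union-find: every HA relationship and every Panorama-to-managed-firewall
    relationship merges the two appliances into the same domain. A standalone
    appliance ends up alone in its group, which is the recommended state.
    """
    parent = {name: name for name in inventory}

    def find(name):
        while parent[name] != name:
            parent[name] = parent[parent[name]]  # path compression
            name = parent[name]
        return name

    def union(a, b):
        if b not in inventory:
            raise ValueError(f"{a} references unknown appliance {b}")
        parent[find(a)] = find(b)

    for name, attrs in inventory.items():
        if attrs.get("ha_peer"):
            union(name, attrs["ha_peer"])
        if attrs.get("managed_by"):
            union(name, attrs["managed_by"])

    groups = defaultdict(list)
    for name in inventory:
        groups[find(name)].append(name)
    return sorted(sorted(members) for members in groups.values())


def blast_radius(inventory, appliance):
    """Appliances whose passwords and private keys become readable if the
    master key of `appliance` is learned by an attacker."""
    for domain in master_key_domains(inventory):
        if appliance in domain:
            return domain
    raise KeyError(appliance)


if __name__ == "__main__":
    for domain in master_key_domains(INVENTORY):
        label = "shared master key" if len(domain) > 1 else "unique master key"
        print(f"{label}: {', '.join(domain)}")
```

Note that `fw-dc-b` is not managed by Panorama directly, yet it lands in the Panorama domain through its HA peer: the HA rule and the Panorama rule compose, so a Panorama-managed estate with HA pairs ends up as one large key domain, and only the standalone `fw-lab` keeps a key of its own.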
To configure a master key, edit the Master Key settings and use
the following table to determine the appropriate values:
Master Key and Diagnostics
Settings | Description |
---|---|
Master Key | Enable to configure a unique master key. Disable (clear) to use the default master key. |
Current Master Key | Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall. |
New Master Key / Confirm Master Key | To change the master key, enter a 16-character string and confirm the new key. |
Life Time | Specify the number of Days and Hours after which the master key expires. Range is 1 to 438,000 days (50 years). You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then perform a factory reset. |
Time for Reminder | Enter the number of Days and Hours before the master key expires when the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to display the alarm. To ensure the expiration alarm displays, select Device > Log Settings, edit the Alarm Settings, and Enable Alarms. |
Stored on HSM | Enable this option only if the master key is encrypted on a Hardware Security Module (HSM). You cannot use HSM on a dynamic interface such as a DHCP client or PPPoE. The HSM configuration is not synchronized between peer firewalls in HA mode. Therefore, each peer in an HA pair can connect to a different HSM source. If you are using Panorama and need to keep both peer configurations in sync, use Panorama templates to configure the HSM source on the managed firewalls. The PA-220 does not support HSM. |
Auto Renew Master Key | Enable to automatically renew the master key for a specified number of days and hours. Disable (clear) to allow the master key to expire after the configured key life time. To renew with the existing key, enable Auto Renew with Same Master Key and specify the number of Days and Hours by which to extend the master key encryption (range is 1 hour to 730 days). |
Common Criteria | In Common Criteria mode, additional options are available to run a cryptographic algorithm self-test and software integrity self-test. A scheduler is also included to specify the times at which the two self-tests will run. |
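Because an expired master key forces a reboot into Maintenance mode and a factory reset, the Life Time, Time for Reminder and Auto Renew values are worth checking before they are committed. The following Python is an added example, not Palo Alto Networks code: it validates each value against the ranges in the table and projects the expiry and alarm times for a key. The (Days, Hours) tuples, the ISO 8601 timestamps, and the assumption that each auto-renew extends the current expiry by the configured amount are mine, not from the page.

```python
"""Sanity-check master-key lifetime settings and project expiry and alarm times.

Added example, not Palo Alto Networks code. Ranges come from the settings
table: Life Time 1 to 438,000 days, auto-renew extension 1 hour to 730 days,
and a reminder alarm some Days and Hours before expiry. Once the key expires
the appliance reboots into Maintenance mode and needs a factory reset.
"""
from datetime import datetime, timedelta

LIFETIME_RANGE = (timedelta(days=1), timedelta(days=438_000))  # 1 day to 50 years
RENEW_RANGE = (timedelta(hours=1), timedelta(days=730))        # auto-renew extension


def to_delta(days_hours):
    """Convert a (Days, Hours) pair, as entered in the web interface, to a timedelta."""
    days, hours = days_hours
    return timedelta(days=days, hours=hours)


def settings_problems(lifetime, reminder, renew=None):
    """Return human-readable problems with the values; an empty list means they are usable."""
    problems = []
    life, remind = to_delta(lifetime), to_delta(reminder)
    if not LIFETIME_RANGE[0] <= life <= LIFETIME_RANGE[1]:
        problems.append("Life Time must be 1 to 438,000 days")
    # The reminder must fire before expiry, otherwise the alarm can never warn anyone.
    if not timedelta(0) < remind < life:
        problems.append("Time for Reminder must be positive and shorter than Life Time")
    if renew is not None and not RENEW_RANGE[0] <= to_delta(renew) <= RENEW_RANGE[1]:
        problems.append("Auto Renew extension must be 1 hour to 730 days")
    return problems


def key_schedule(configured_at, lifetime, reminder, renew=None):
    """Project expiry and alarm timestamps (ISO 8601) for a key set at configured_at."""
    problems = settings_problems(lifetime, reminder, renew)
    if problems:
        raise ValueError("; ".join(problems))
    expires = datetime.fromisoformat(configured_at) + to_delta(lifetime)
    return {
        "expires_at": expires.isoformat(),
        "alarm_at": (expires - to_delta(reminder)).isoformat(),
        "reminder": to_delta(reminder),
        "auto_renew": to_delta(renew) if renew is not None else None,
    }


def effective_expiry(schedule, now):
    """Expiry after any auto-renewals that would already have happened by `now`.

    Assumption (not stated on the page): each renewal extends the current
    expiry by the configured Days and Hours, and renewals repeat.
    """
    expires = datetime.fromisoformat(schedule["expires_at"])
    renew = schedule["auto_renew"]
    while renew is not None and expires <= now:
        expires += renew
    return expires


def key_status(schedule, now):
    """'ok', 'alarm' (inside the reminder window) or 'expired' (the appliance
    reboots into Maintenance mode and a factory reset is required)."""
    now_dt = datetime.fromisoformat(now)
    expires = effective_expiry(schedule, now_dt)
    if now_dt >= expires:
        return "expired"
    if now_dt >= expires - schedule["reminder"]:
        return "alarm"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: one-year key, 30-day reminder, no auto-renew.
    sched = key_schedule("2024-01-01T00:00:00", (365, 0), (30, 0))
    print("expires:", sched["expires_at"], "alarm:", sched["alarm_at"])
    for when in ("2024-06-01T00:00:00", "2024-12-15T00:00:00", "2025-01-05T00:00:00"):
        print(when, key_status(sched, when))
```

Run as a script it prints the projected expiry and alarm dates and the status at three sample times; `settings_problems` can be called on its own to vet proposed values, and a non-empty result from it means the web interface values should be corrected before committing.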