Palo Alto Networks Knowledgebase: Why is a Decryption Key Required When Loading an Imported Configuration File?


Created On 02/07/19 23:55 PM - Last Updated 02/07/19 23:56 PM
Resolution

Details

The decryption key is required when the source Palo Alto Networks firewall (the one from which the configuration file was exported) has a Master Key configured. The same key that was used on the source firewall must be used on the destination firewall when importing the configuration.


The Master Key is used to encrypt private keys on the firewall, including the RSA key used to authenticate the server when logging in to the CLI and the private key used by the web server when logging in to the web interface. Without the Master Key, when a configuration is exported from a firewall, the password is hashed and can be copied. The Master Key provides more security for those passwords.

The Master Key is configured at Device > Master Key and Diagnostics.

owner: sodhegba


