Why is a Decryption Key Required When Loading an Imported Configuration File?

Created On 09/25/18 17:50 PM - Last Modified 01/01/25 06:29 AM


Symptom


A decryption key is requested when importing a backup configuration file back to the firewall.



Environment


Any PA Firewall



Cause


The Master Key is used to encrypt private keys on the firewall, including the RSA key used to authenticate the server when logging in to the CLI and the private key used by the web server when logging in to the web interface. Without the Master Key, when a configuration is exported from a firewall, the password is hashed and can be copied. The Master Key provides more security for those passwords.



Resolution


The decryption key is required when the source Palo Alto Networks firewall (from which the configuration file was exported) has a Master Key configured. The same key that was used on the source firewall must be used on the destination firewall when importing the configuration.

The Master Key is configured at Device > Master Key and Diagnostics.


