What Are The Impacts When Deploying The Master Key on Panorama And Managed Firewalls
Created On 04/14/20 05:03 AM - Last Modified 09/30/21 20:49 PM
Question
What Are The Impacts When Deploying The Master Key on Panorama And Managed Firewalls
Environment
- PAN-OS
- Palo Alto Firewalls
- Panorama configured with Master Key
Answer
- Changing the Master Key is all or nothing. If you change the Master Key on Panorama, ALL managed devices must be updated with the same Master Key. There is NO ROLLBACK option: once the key is changed, it cannot be reverted. To return to the default master key, a factory reset is required.
- If a Master Key is lost or missing, Panorama and the firewalls must be reset to factory default to recover/reset to the default master key.
- The master key is used to encrypt parts of the configuration, such as the LDAP binding password; the private keys of the forward untrust and trust certificates; the User-ID collector secret password; and the RADIUS secret key. When archiving the configuration, make sure to remember the Master Key, which is used to encrypt the configuration. The master key will be required to restore the configuration on the device. Without the correct Master Key, the parts of the configuration described above will be removed. This may render the configuration syntactically incorrect and result in a commit failure.
- The master key cannot be viewed or exported from the device. It needs to be kept safe and shared with key Network Administrators for redundancy.
- When the master key expires, all internal SSH keys, keys for SSL certificates, etc. are zeroized, causing administrator authentication into the device to fail, and the device reboots into maintenance mode. This is by design.
- Re-keying or changing the Master Key will result in downtime affecting all firewalls.
Additional Information
Configure the Master Key
Why is Decryption Key Required when Loading an Imported Configuration File.
Master Key configuration for Panorama Managed Firewalls large deployments