What Are The Impacts When Deploying The Master Key on Panorama And Manged Firewalls

9495

Created On 04/14/20 05:03 AM - Last Modified 09/30/21 20:49 PM

Master Key

Deployment

8.1

9.0

9.1

PAN-OS

Panorama

Question

What Are The Impacts When Deploying The Master Key on Panorama And Manged Firewalls

Changing of a Master Key is All or Nothing. If you change the Master Key on Panorama, ALL managed devices must also be updated as well. All devices must now be updated with this same Master Key. There is NO ROLLBACK option. Once the key is changed, there is no revert option. To revert back to default master key, a factory reset is required.

If a Master Key is lost or missing, Panorama and Firewalls must be reset to factory default to recover/reset to the default master key.
Master key is used to encrypt part of the configuration such as LDAP binding password; certificate forward untrust and trust private-key; user-id collector secret password, Radius secret key, When archiving the configuration, make sure to remember the Master Key, which is used to encrypt the configuration. Master key will be required to restore the configuration on the device. Without the correct Master Key, parts of the configuration described above will be removed. This may render the configuration syntactically incorrect and result in a commit failure.
Master key cannot be viewed or exported from the device. Master key need to kept safe and shared with key Network Administrators for redundancy.

When the master key expires, all internal SSH keys, keys for SSL certificates etc. are zeroized, causing administrator authentication into the device to fail and the device reboots into maintenance mode. This is by design.

Re-keying or Change to the Master Key will result in downtime affecting all Firewalls.