How to update the Master Key on Panorama and synchronize with firewalls
Created On 04/14/20 05:49 AM - Last Modified 01/09/25 02:07 AM
Objective
How to update the Master Key on Panorama and synchronize with firewalls?
Environment
- PAN-OS 8.1, 9.0 and 9.1
- Palo Alto Firewalls.
Procedure
Steps to re-key the Master Key:
1. Make sure there are no pending changes on the firewall and Panorama. Everything for the Device Group and Template should be synchronized.
2. Change the Master Key on Panorama either from the CLI or the GUI.
Configuration using CLI:
> request master-key new-master-key <new_key_value> lifetime <lifetime_value>
The new master key should be a 64-bit encoded public key.
The lifetime value is in hours (1-18250).
For example:
> request master-key new-master-key Paloalto12345678 lifetime 1
> show system master key-properties
Master key expires at: 2015/01/22 16:44:43
Reminders will begin at: 2015/01/15 16:44:43
Master key on hsm: no
Configuration via GUI:
Device > Master Key and Diagnostics
NOTES:
- Once the master key is created, the Palo Alto Networks firewall will auto-commit. The master key has to be 16 characters long.
- If successful, the message "Master key changed successfully. All key material has been re-encrypted with new master key and committed" is seen.
- If there are any uncommitted changes prior to changing the Master Key, the message "Server Error: There are uncommitted changes. Please commit all pending changes and try again" is seen.
- At this point, the firewall can communicate with Panorama. To re-synchronize the Master Key on the firewall with Panorama, disable the Panorama configs on the firewall (Disable Device and Network Template, and Disable Policy and Objects). This wipes out all Panorama configs from the firewall.
- Commit the change to the firewall. The firewall experiences downtime from this point.
- Change the Master Key on the firewall to match Panorama. See step 2 above.
- Re-enable the Panorama configs on the firewall and commit (Enable Device and Network Template, and Enable Policy and Objects).
- Push configurations from Panorama to the firewall for both the Template and the Device Group. Once the firewall receives the configuration from Panorama, network services and ping are restored.
Additional Information
Caveats to remember about updating the Master Key:
- Changing the Master Key will result in downtime.
- If the master key is extended (not changed) then there is no downtime.
- With 8.1, Master Key expiration went from 2 years to 50 years.
- When the Master Key expires, all internal SSH keys, keys for SSL certificates, etc. are zeroized, causing administrator authentication into the device to fail. By design, the device reboots into maintenance mode.
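As an added example (not part of this article or of PAN-OS), the helper below checks a proposed key and lifetime against the limits given above before building the re-key command from step 2, and parses the "show system master key-properties" output from the CLI section to report how long remains before the expiry that zeroizes the keys and forces a maintenance-mode reboot. The function and variable names are the example's own; the sample output is copied from the article.

```python
import re
from datetime import datetime

# Constraints stated in the article: a 16-character key and a lifetime of 1-18250 hours.
KEY_LENGTH = 16
LIFETIME_RANGE = (1, 18250)
TIMESTAMP_FMT = "%Y/%m/%d %H:%M:%S"
# Constructed sample, copied from the article's "show system master key-properties" output.
SAMPLE_OUTPUT = """Master key expires at: 2015/01/22 16:44:43
Reminders will begin at: 2015/01/15 16:44:43
Master key on hsm: no
"""

def validate_rekey_args(new_key, lifetime_hours):
    """Return the problems with a proposed key/lifetime; an empty list means both are acceptable."""
    problems = []
    if len(new_key) != KEY_LENGTH:
        problems.append(f"master key must be exactly {KEY_LENGTH} characters, got {len(new_key)}")
    if not LIFETIME_RANGE[0] <= lifetime_hours <= LIFETIME_RANGE[1]:
        problems.append(f"lifetime must be {LIFETIME_RANGE[0]}-{LIFETIME_RANGE[1]} hours, got {lifetime_hours}")
    return problems

def build_rekey_command(new_key, lifetime_hours):
    """Assemble the re-key CLI line from the article, refusing arguments the firewall would reject."""
    problems = validate_rekey_args(new_key, lifetime_hours)
    if problems:
        raise ValueError("; ".join(problems))
    return f"request master-key new-master-key {new_key} lifetime {lifetime_hours}"

def parse_key_properties(output):
    """Parse the key-properties output into datetimes plus the HSM flag."""
    props = {}
    for name, label in (("expires_at", "Master key expires at"), ("reminders_at", "Reminders will begin at")):
        match = re.search(label + r":\s*(\S+ \S+)", output)
        if not match:
            raise ValueError(f"missing field in output: {label}")
        props[name] = datetime.strptime(match.group(1), TIMESTAMP_FMT)
    hsm = re.search(r"Master key on hsm:\s*(\w+)", output)
    props["on_hsm"] = bool(hsm and hsm.group(1).lower() == "yes")
    return props

def expiry_status(output, now_text):
    """Hours left before expiry (when keys are zeroized and the device reboots) and whether reminders have started."""
    props = parse_key_properties(output)
    now = datetime.strptime(now_text, TIMESTAMP_FMT)
    return {
        "hours_remaining": int((props["expires_at"] - now).total_seconds() // 3600),
        "expired": now >= props["expires_at"],
        "in_reminder_window": props["reminders_at"] <= now < props["expires_at"],
    }
```

Run expiry_status against the live output on a schedule and alert while in_reminder_window is true, so the key is extended or changed before the expiry caveat above takes effect.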