Can Panorama manage master-key on the firewall?
Created On 02/04/19 23:01 PM - Last Modified 03/22/19 20:29 PM
Question
Panorama, firewalls, Log Collectors, and WF-500 appliances use a master key to encrypt sensitive elements in a configuration. As a standard security practice, you must renew the key on each individual firewall, Log Collector, WildFire appliance, and Panorama when your master key expires.
Environment
- Panorama
- Firewall
- PAN-OS 9.0
- Master key
Answer
Starting with PAN-OS 9.0, a new master key can be deployed to multiple firewalls centrally through Panorama. Before PAN-OS 9.0, master keys had to be updated individually on each device.
A new “Deploy Master Key” button has been added in the following places:
- Managed Devices
- Managed Collectors
- Managed WildFire Appliances
The Deploy Master Key dialog box displays a list of all connected devices:
- No filter for connection state
- Devices must be connected in order to deploy Master Keys
- Select devices for deployment, then click “Change”
Additional Information
How to create a master key on the CLI
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsbCAC
Refer to the 9.0 PAN-OS® New Features Guide for more information
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features.html