How to configure or change the Master Key on a High Availability (HA) pair of firewalls

How to configure or change the Master Key on a High Availability (HA) pair of firewalls

34378
Created On 05/09/19 01:54 AM - Last Modified 09/23/21 23:34 PM


Objective


  • Create a new Master Key on a High Availability (HA) pair of firewalls
  • Change/Modify the existing Master Key on a pair of firewalls in a HA group


Environment


  • PAN-OS 8.x, 9.x and 10.x
  • High Availability (HA)
  • Master Key 


Procedure


*One important caveat when working with a HA pair and the Master Key is to turn off Config Sync on both firewalls.

Note that a config mismatch between the two HA devices while their master key doesn't match.
HA state (active/passive/etc) will not be affected by master key mismatch, but it is checked and logged when mismatch occurs. Disabling HA config sync is vital before configuring/changing master key. This operation should be completed as quickly as possible on the two devices to get the syncing operations back online. User should always double check the config sync status (HA dashboard) after re-enabling config sync.

  1. On both the Active and Passive firewalls, clear the Enable Config Sync checkbox
GUI: Device > High Availability > General > Setup
User-added image
 
  1. Commit the configuration on both firewalls
  2. Configure the Master Key on the Active firewall
GUI: Device > Master Key and Diagnostics
User-added image
Note: If you are changing the Master Key then you will need the Current Master Key. If the Current Master Key is not known then a factory reset will need to be performed to restore the default Master Key. 
 
  1. Click "OK". This will apply the Master Key immediately after, encrypting parts of the the configuration file
User-added image
  1. Repeat steps 3 and 4 on the Passive firewall
  2. Re-enable Config Sync on both firewalls starting with the Active firewall

GUI: Device > High Availability > General > Setup
User-added image

Note: Commit the configuration after re-enabling Config Sync on both firewalls

 



Additional Information


Per PAN-OS Administrator's Guide:
The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics).

Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000PLw9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcSArticleDetail