topic Re: load config partial / bad encryption or wrong masterkey in Panorama Discussions

load config partial / bad encryption or wrong masterkey

mb_equate — Thu, 27 Apr 2023 06:06:39 GMT

We're replacing an HA pair for a customer with new hardware and building new templates as the current devices have local overrides for almost the entire device & network config (looks like the result of an improper transition to Panorama).

The idea is we export the current device config and merge it into the new template. Both Panorama and the current devices should be sharing the same (non-default) master key, so the encrypted stuff like bind passwords and SSL keys should load without an issue, right?

On merging the partial config in a Panorama lab, we get the following errors:

template -> X -> config -> shared -> server-profile -> ldap -> Y -> bind-password bad encryption or wrong masterkey. Discarding.

template -> X -> config -> shared -> response-page -> Y is invalid. Invalid base64 data
template -> X -> config -> shared -> response-page -> Y invalid. Discarding.

template -> X -> config -> shared -> certificate -> Y -> private-key bad encryption or wrong masterkey. Discarding.

This suggests that the MK used to decrypt those from the source config is incorrect, but when we specify the key in the load command we get the same results. This is all assuming the devices use the same MK as Panorama, which I just learned is no longer a requirement since PAN-OS 10.0.

In the rare case that the device MK was still default, we attempt to use the default MK to merge the device config (p1a2...) and PAN-OS has difficulty loading its own config (bad encryption or wrong masterkey on Panorama config nodes) so that doesn't work either.

Question time.

1. Is it possible that the original device MK is still default, in which case how do we merge the config into a Panorama template which is non-default? Have already tried reverting the Panorama MK to default and loading, still no dice.

2. If Panorama and a managed device can now use different master keys (actually recommended now), how are values in a template encrypted with the Panorama masterkey decrypted by the managed device on a template push?

3. Is dark matter real or an excuse for an objection to revise Newtonian physics?

Re: load config partial / bad encryption or wrong masterkey

mb_equate — Thu, 27 Apr 2023 07:59:00 GMT

We've had confirmation that the masterkeys are all the same, which agrees with the encrypted strings from the device export and Panorama matching (e.g. bind-passwords).

We can also load part of the running config with encrypted strings:

admin@panorama# load config partial mode merge from-xpath devices/entry/template/entry[@name='Z']/config/shared/server-profile" to-xpath /config/devices/entry/template/entry[@name='X']/config/shared/server-profile from running-config.xml

Config loaded from running-config.xml

[edit]

But not from the device export, with the same strings:

admin@panoramarama# load config partial mode merge from-xpath shared/server-profile to-xpath /config/devices/entry/template/entry[@name='X']/config/shared/server-profile from fw.xml

Config loaded from fw.xml
template -> X -> config -> shared -> server-profile -> ldap -> Y -> bind-password bad encryption or wrong masterkey. Discarding.

[edit]

🤔

Re: load config partial / bad encryption or wrong masterkey

TomYoung — Thu, 27 Apr 2023 11:59:07 GMT

Hi @mb_equate ,

I have run into this also. I have fixed it a couple of ways. The easiest by far is just to manually configure the LDAP password after the load config partial. Then the commit and push will work fine.

The harder way is to configure the MK on both devices. As you have noticed, sometimes that works and sometimes it doesn't.

Thanks,

Tom

Re: load config partial / bad encryption or wrong masterkey

mb_equate — Fri, 05 May 2023 01:01:28 GMT

Turns out a linter we had running in vscode garbled the strings, reimporting an unadulterated config from the device solved the problem.