topic Re: cfg export + master key hash in General Topics https://live.paloaltonetworks.com/t5/general-topics/cfg-export-master-key-hash/m-p/261560#M74156 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/14291">@Rboehme</a>,</P><P>That's not how it works. If you don't know what the previous master key was set to at the time of the crash, it doesn't matter that you have the hash values. The hash values are created with the device's master key, so a hash value without the same master key in use is absolutely pointless as the system is unable to read it. The master key between the devices either need to match, or you will need to regenerate all passwords and keys.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 17 May 2019 21:40:29 GMT BPry 2019-05-17T21:40:29Z cfg export + master key hash https://live.paloaltonetworks.com/t5/general-topics/cfg-export-master-key-hash/m-p/261544#M74150 <P>Dear Community,</P><P>&nbsp;</P><P>I have found this side note in an article regarding the master key on the firewall.</P><P>&nbsp;</P><P><EM>"Without the Master Key, when a configuration is exported from a firewall, the password is hashed and can be copied."</EM></P><P>&nbsp;</P><P>Basically its the exact answer of the question I originally had. I am facing a situation where a firewall crashed. I have received the new firewall and have the certificates and the running config saved locally.&nbsp;</P><P>&nbsp;</P><P>When trying to import the config the firewall skips basically every entries in regards to password or keys and shows this as error messages. I do understand the firewall is unable to decrypt those data without a matching master key.</P><P>&nbsp;</P><P>However from <STRONG>where&nbsp;</STRONG>do I retrive the master key hash and do I assume correclty to use the hash as the password for the imported config?</P><P>&nbsp;</P><P>Thanks.</P><P>&nbsp;</P><P>Kind regards,</P><P>&nbsp;</P><P>Rene</P> Fri, 17 May 2019 21:11:57 GMT https://live.paloaltonetworks.com/t5/general-topics/cfg-export-master-key-hash/m-p/261544#M74150 Rboehme 2019-05-17T21:11:57Z Re: cfg export + master key hash https://live.paloaltonetworks.com/t5/general-topics/cfg-export-master-key-hash/m-p/261560#M74156 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/14291">@Rboehme</a>,</P><P>That's not how it works. If you don't know what the previous master key was set to at the time of the crash, it doesn't matter that you have the hash values. The hash values are created with the device's master key, so a hash value without the same master key in use is absolutely pointless as the system is unable to read it. The master key between the devices either need to match, or you will need to regenerate all passwords and keys.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 17 May 2019 21:40:29 GMT https://live.paloaltonetworks.com/t5/general-topics/cfg-export-master-key-hash/m-p/261560#M74156 BPry 2019-05-17T21:40:29Z