Master key operations on Panorama HA


Hi,

 

I have a question regarding changing the master key for firewalls from Panorama and its consequences. My situation is the following:

- Two Panorama servers in HA

- Two PAN firewalls in HA (let's call it HA cluster 1), already managed by Panorama

 

It seems that I changed the default master key for the firewalls, but I don't remember what the current master key is.

 

The problem is that I now have to deploy two new firewalls in HA (let's call it HA cluster 2) to be managed by Panorama. I know that Panorama and all managed devices should have the same master key, so I want to change the default master key of HA cluster 2 to a new one, but as I don't know the current master key for HA cluster 1, how should I proceed?

 

More questions I have:

- How does having two different master keys for HA managed devices affect Panorama?

- Are there any precautions I should take prior to changing the master key for the second firewall cluster (HA cluster 2)?

 

I'm not sure if I should factory default the already deployed cluster (HA cluster 1) to reset the master key, and then deploy the same master key to both HA clusters managed by Panorama.

 

Thanks in advance!

Alberto


Re: Master key operations on Panorama HA

If both HA clusters are planned to be managed by the Panorama, there can only be a single master key (that I am aware of).

 

Create a new master key on Panorama and then push the changes (via template) to update the new master key on both clusters.

Re: Master key operations on Panorama HA

Hi @SteveCantwell ,

 

You're right, all managed devices must have the same master key. To do that, we will have to factory reset our two Panoramas in HA and our already managed HA firewall cluster to reset the master key, and then we will be able to set a new master key and deploy it to all devices from Panorama following this link.

https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-firewalls/manage-the-master-key...

 

 
