PA firewall with unknown master key and recovery procedure

L1 Bithead

PA firewall with unknown master key and recovery procedure

Hi Team

 

We have a firewall working in Active/Standby configuration. The firewalls has been configured with Master Key .We lost the master key secret ( in other context we not sure the current master key is default or custom configured but noticed its going to expire in 50 days) and would like to know how to restore the device before the master key expires or how we can recover the master key to reset new key for proper functioning.  As per the KB article, the device goes to maintenance mode after the key expire and the only way to restore the device using manual configuration of all rules and objects. Are there any other way we can restore/import the backup config to the newly factory reset firewall ?

L7 Applicator

Re: PA firewall with unknown master key and recovery procedure

@Unisys-SOC,

Do you have access to another firewall? If you do then you could create a user on both firewalls and verify the phash value in the running-config; if the value is the same then your master key is the same on both devices. 

Short of that you would need to just ensure that you have a backup of the running-config and I would schedule a maintenanance window where you can take your standby and rebuild the configuration with that running-config and prepare it to become the active firewall. The only gotcha at that point is that you'll have to manually set the passwords as the hashes would no longer match, but that shouldn't be really matter. 

L1 Bithead

Re: PA firewall with unknown master key and recovery procedure

Thanks for your response. I would like to clarify more queries on this topic.

Both the firewalls have the same master key and the configuration sync (a-p) and Policy install from Panorama is working fine.

Issue is master key is going to expire on both the unit at the same time and would like to restore the devices.

 

Q1.  Is it possible to sync the factory reset unit to existing active unit and synchronize all the config and promote the slave as active , but in this case will the master key get replicated with same lifetime and key ?

 

Q2. We have many VPN's terminated and its quite tedious process to reset all PSK  (as per your last update we to manually update passwords this also includes VPN keys correct ?)

 

Q3: Is there anyway we can retreive the master key from Panorama ?

 

Thanks for your assistance.

L7 Applicator

Re: PA firewall with unknown master key and recovery procedure

@Unisys-SOC,

My suggestion wasn't for the HA pair, it was for any other PA that you have access to. If the Master Key wasn't modified, or if you belive that it should be the same across most units you could follow my above suggestion on a completely seperate firewall and see if the phash value matches; if it does then you have the same Master Key across both units. This can't be done on an HA pair, you need a completely seperate firewall. 

 

Q1) Unless both units have the same Master Key the phash value that is passed wouldn't match, so this idea wouldn't work. 

 

Q2) PSKs should be documented in a password repository somewhere ideally, so you would simply need to reinput them when you reset the firewall. If this isn't the case you would have to actually configure both sides of the tunnel. 

 

Q3) The Master Key isn't recoverable, at all. If you don't have the Master Key and have no idea what it is there isn't a way for it to be recovered. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!