This document describes how to set up a master key on the Palo Alto Networks firewall.
Found under Device > Master Key and Diagnostics, the master key is used to encrypt private keys such as the RSA key that is used to authenticate access to the CLI. The private key is used to authenticate access to the web interface of the firewall, as well as any other keys loaded on the firewall. Because the master key is used to encrypt all other keys, make sure to store the master key in a safe location. Even if a new master key is not specified, private keys are always stored in an encrypted form on the firewall, by default. This master key option offers an added layer of security.
The Palo Alto Networks firewall's master key should be a string of exactly 16 characters. The firewall will accept any combination of upper-case and lower-case alphanumerical and special characters except "$" and "&".
Note: If the master key is forgotten or lost, the only way to reset this key is to factory reset the Palo Alto Networks firewall. If a factory reset is necessary, refer to the following document: How to do a Factory Reset in PAN-OS 4.1 and 5.0
Note: If the Life Time expires without a new key having been set, the device will reboot into maintenance mode and will need to be factory reset