Character Limitation for Setting Up Master Key on Palo Alto Networks Firewall


Overview

This document describes how to set up a master key on the Palo Alto Networks firewall.

 

Details

Found under Device > Master Key and Diagnostics, the master key is used to encrypt private keys, such as the RSA key used to authenticate access to the CLI and to the web interface of the firewall, as well as any other keys loaded on the firewall. Because the master key encrypts all other keys, store it in a safe location. Even when no new master key is specified, private keys are always stored on the firewall in encrypted form by default; configuring a custom master key adds a further layer of security.

 

[Screenshot: master key.png]

[Screenshot: master key config.png]

 

The Palo Alto Networks firewall's master key must be a string of exactly 16 characters. The firewall accepts any combination of upper-case and lower-case alphanumeric and special characters except "$" and "&".

 

Note:  If the master key is forgotten or lost, the only way to reset this key is to factory reset the Palo Alto Networks firewall. If a factory reset is necessary, refer to the following document: How to do a Factory Reset in PAN-OS 4.1 and 5.0

 

Note: If the Life Time expires without a new key having been set, the device will reboot into maintenance mode and will need to be factory reset.

 

owner: sgantait

Comments

'Note:  If the master key is forgotten or lost, the only way to reset this key is to factory reset the Palo Alto Networks firewall. If a factory reset is necessary, refer to the following document: How to do a Factory Reset in PAN-OS 4.1 and 5.0'

 

This should be better highlighted in the documentation. Whilst it is perfectly understandable why this process would need to be done in case the key is lost or forgotten, we've had a couple of frustrated customers who didn't know about this behaviour...

In 8.0 (I don't know if this is a change from any prior version), the master key must be exactly 16 characters.

 

If either of the characters "$" or "&" is used, the key will be rejected with a user message after you click OK. The message will not indicate the precise issue.

 

Upper-case, lower-case, numbers, and other common 'special characters' ARE accepted (though I have not methodically tested them all).

 

If you are setting the custom master key for the first time, simply leave the "Current master key" field blank. You will also have to enter new values for the lifetime and reminder parameters, because the initial default values will be invalid for the custom-key setting.