Just wondering if Palo Alto hashes passwords by default; it would be great if there was a document regarding this. This is to meet and justify the audit requirement that Palo Alto devices are built with a hashing method for account login.
Hi @AinulSafiah ,
The default master key works fine, but it is a best practice to change it.
Palo admin account passwords are hashed so they can't be reverted back to original passwords.
On the other hand, accounts where Palo needs to connect somewhere (IPSec tunnels, LDAP, etc.) are encrypted using the master key.
As the master key has leaked, it is possible for someone who is able to export your firewall config to decrypt credentials and gain access to PSKs or domain passwords.
Be careful to keep track of the changed master key's expiry date, because if it expires your environment will go down.
"You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings."
Hi @TomYoung , would you mind sharing the documentation that supports this statement? Or is this already included in this documentation: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/certificate-management/configure-the-maste...
Hi @AinulSafiah ,
Yes, the 1st paragraph of that document states "Every firewall and Panorama management server has a default master key that encrypts all the private keys and passwords in the configuration to secure them (such as the private key used for SSL Forward Proxy Decryption)."
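For audit evidence of the hashed-versus-encrypted distinction described in the replies above, the following added example (not part of the thread and not Palo Alto code) walks an exported configuration and reports which stored secrets are one-way crypt-style hashes and which are reversibly encrypted values. The sample XML is constructed, and the `phash` element name, the `bind-password` element, and the `-AQ==` ciphertext prefix are assumptions about the export format that should be checked against your own export.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, NOT a real export. Element names and the "-AQ==" prefix
# are assumptions about the exported XML layout; adjust to your own export.
SAMPLE_CONFIG = """<config>
  <mgt-config><users>
    <entry name="admin"><phash>$5$examplesalt$CONSTRUCTEDHASHVALUE</phash></entry>
    <entry name="legacy"><phash>$1$examplesalt$CONSTRUCTEDHASHVALUE</phash></entry>
  </users></mgt-config>
  <shared><server-profile><ldap><entry name="corp-ldap">
    <bind-password>-AQ==CONSTRUCTEDCIPHERTEXT</bind-password>
  </entry></ldap></server-profile></shared>
</config>"""

# crypt(3) scheme identifiers mapped to the algorithm they denote.
CRYPT_SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
CRYPT_RE = re.compile(r"^\$(\w+)\$[^$]+\$.+$")
ENC_PREFIX = "-AQ=="  # assumed marker for master-key encrypted values


def classify(value):
    """Return (kind, detail) for a stored secret, or None for ordinary text."""
    match = CRYPT_RE.match(value)
    if match:
        scheme = match.group(1)
        return ("hashed", CRYPT_SCHEMES.get(scheme, "unknown-scheme-" + scheme))
    if value.startswith(ENC_PREFIX):
        return ("encrypted", "master-key")
    return None


def audit(xml_text):
    """List (path, owning entry name, kind, detail) for every stored secret."""
    findings = []

    def walk(node, path, owner):
        owner = node.get("name", owner)  # nearest enclosing <entry name=...>
        here = path + "/" + node.tag
        text = (node.text or "").strip()
        kind = classify(text) if text else None
        if kind:
            findings.append((here, owner, kind[0], kind[1]))
        for child in node:
            walk(child, here, owner)

    walk(ET.fromstring(xml_text), "", None)
    return findings


if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print(row)
```

Entries reported as `encrypted` are the ones whose confidentiality depends on the master key, so they are the ones affected by leaving the default key in place.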