Tips & Tricks: One Key To Rule Them All—How to Set a Master Key

Community Team Member
Did you know that you can add an additional layer of protection to your passwords and private keys on your Next-Generation Firewalls and Panorama?

 

To ensure your private data is safe, passwords and private keys contained on the firewall are encrypted in the configuration file. Should someone get their hands on your configuration file, they won't be able to simply read your information. See below:

 

<users>
  <entry name="kiwi-admin">
    <permissions>
      <role-based>
        <superuser>yes</superuser>
      </role-based>
    </permissions>
    <phash>$1$jepblocv$OHdXMHODrcBEBPMekB/qv1</phash>
  </entry>
</users>

 

In this example, you can see that user kiwi-admin's password is hashed.

 

If you import this configuration file onto another firewall, you will need to know the password behind the hash or you won't be able to log in with this account.
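As an added example (not part of the original post), here is a small audit script that reads an exported configuration fragment like the one above and reports, for every administrator under mgt-config/users, whether the credential is stored as a hash and whether the default superuser account is still present. The sample configuration is constructed for this example; only the kiwi-admin entry comes from the post, and the other hash values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an exported PAN-OS configuration (not a real device export).
# The kiwi-admin entry is the one shown in the post; the other phash values are placeholders.
SAMPLE_CONFIG = """<config>
  <mgt-config>
    <users>
      <entry name="kiwi-admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
        <phash>$1$jepblocv$OHdXMHODrcBEBPMekB/qv1</phash>
      </entry>
      <entry name="admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
        <phash>$1$PLACEHOL$PLACEHOLDERHASHVALUE000</phash>
      </entry>
      <entry name="auditor">
        <permissions><role-based><superreader>yes</superreader></role-based></permissions>
        <phash>$1$PLACEHOL$PLACEHOLDERHASHVALUE111</phash>
      </entry>
    </users>
  </mgt-config>
</config>"""


def audit_admins(xml_text: str) -> list:
    """Return one record per administrator found under /config/mgt-config/users."""
    root = ET.fromstring(xml_text)
    report = []
    for entry in root.iterfind("./mgt-config/users/entry"):
        name = entry.get("name", "")
        superuser = entry.findtext("./permissions/role-based/superuser") == "yes"
        phash = (entry.findtext("phash") or "").strip()
        # A protected credential in an export always appears as a crypt-style hash ("$1$...");
        # an empty or non-hash value means the secret is not protected in this file.
        hashed = phash.startswith("$")
        findings = []
        if not hashed:
            findings.append("credential is not stored as a hash")
        if name == "admin" and superuser:
            findings.append("default superuser account 'admin' present; confirm its password is not the default")
        report.append({"name": name, "superuser": superuser, "hashed": hashed, "findings": findings})
    return report


if __name__ == "__main__":
    for rec in audit_admins(SAMPLE_CONFIG):
        status = "OK" if not rec["findings"] else "; ".join(rec["findings"])
        print(f"{rec['name']:<12} superuser={rec['superuser']!s:<5} hashed={rec['hashed']!s:<5} {status}")
```

Point the script at a real export (the same XML you would load on another device) and review anything flagged before the file is copied around or stored in a repository.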

 

So, what happens if you don't change your password and keep the default admin user with the default password (admin/admin)? In that case, the master key will not change. The configuration file can be imported to other devices, and the admin account will be available for use with the default password. That's great for migrating or duplicating configuration, but it could pose a security risk if someone with bad intentions got hold of your config file.

 

As a best practice, Palo Alto Networks recommends that you: configure a new master key instead of using the default key; store it in a safe location; and periodically change it. Don't use the same master key on all of your devices. This ensures that an attacker who learns the master key for one appliance won't have access to all of your devices.

 

That being said, in some cases you must use the same master key across multiple devices:

  • In HA configurations: HA synchronization won't work if you use different master keys
  • Panorama managing WildFire appliances and Log Collectors: Push operations from Panorama will fail if you use different master keys on Panorama, WildFire appliances and managed collectors.

 

On the Device tab (1), you can access the 'Master Key and Diagnostics' options in the left side menu (2). From there, click the cogwheel (3) to enter the Master Key settings (4):

 
[Screenshot: Device > Master Key and Diagnostics > Master Key settings dialog]

 

Here you can change the Master Key. Note that the length of this key must be exactly 16 characters!

 

First time here? Don't worry about entering the "Current Master Key." You'll need it the next time you change the key, though!
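The two rules above (exactly 16 characters, and a different key per device except where HA or Panorama management requires a shared one) are easy to get wrong across a fleet. The following added example, written for this post and not Palo Alto Networks code, generates a compliant key and keeps a small inventory of HMAC-SHA256 fingerprints so you can verify that HA peers (and Panorama with its WildFire appliances and Log Collectors) share a key while no other devices do, without ever storing the keys themselves. The device names, the salt and the "required-match group" structure are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import string

MASTER_KEY_LENGTH = 16  # PAN-OS requires exactly 16 characters
ALPHABET = string.ascii_letters + string.digits


def generate_master_key() -> str:
    """Generate a random 16-character master key from letters and digits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(MASTER_KEY_LENGTH))


def validate_master_key(key: str) -> None:
    """Raise ValueError unless the key satisfies the 16-character rule."""
    if len(key) != MASTER_KEY_LENGTH:
        raise ValueError(f"master key must be exactly {MASTER_KEY_LENGTH} characters, got {len(key)}")


def fingerprint(key: str, salt: bytes) -> str:
    """Keyed hash of the master key; lets an inventory compare keys without storing them."""
    return hmac.new(salt, key.encode(), hashlib.sha256).hexdigest()


def check_inventory(inventory: dict, shared_groups: list) -> list:
    """inventory maps device name -> fingerprint; shared_groups lists sets of devices that
    must use the same key (an HA pair, or Panorama plus its WildFire appliances and Log
    Collectors). Returns human-readable policy violations."""
    problems = []
    # Members of a required-match group must agree, otherwise HA sync or Panorama pushes fail.
    for group in shared_groups:
        if len({inventory[d] for d in group}) != 1:
            problems.append("devices that must share a master key differ: " + ", ".join(sorted(group)))
    # Anywhere else, a shared fingerprint means one learned key opens several devices.
    group_of = {d: frozenset(g) for g in shared_groups for d in g}
    by_fp = {}
    for device, fp in inventory.items():
        by_fp.setdefault(fp, set()).add(device)
    for devices in by_fp.values():
        if len(devices) > 1 and group_of.get(min(devices)) != frozenset(devices):
            problems.append("master key reused outside a required-match group: " + ", ".join(sorted(devices)))
    return problems


def build_demo() -> list:
    """Constructed scenario: an HA pair, a Panorama with one collector, and one stray reuse."""
    salt = b"constructed-demo-salt-not-for-production"  # use a secret, per-inventory salt in practice
    ha_key, pano_key, single_key = (generate_master_key() for _ in range(3))
    for k in (ha_key, pano_key, single_key):
        validate_master_key(k)
    inventory = {
        "fw1": fingerprint(ha_key, salt),
        "fw2": fingerprint(ha_key, salt),        # HA peer of fw1: must match
        "fw3": fingerprint(single_key, salt),    # standalone: unique key
        "fw4": fingerprint(ha_key, salt),        # mistake: reused the HA pair's key
        "panorama": fingerprint(pano_key, salt),
        "collector1": fingerprint(pano_key, salt),  # managed collector: must match Panorama
    }
    shared_groups = [{"fw1", "fw2"}, {"panorama", "collector1"}]
    return check_inventory(inventory, shared_groups)


if __name__ == "__main__":
    for problem in build_demo():
        print(problem)
```

Keep the salt alongside the inventory (not with the keys) and recompute fingerprints whenever a key is rotated; the check then doubles as a reminder of which peers must be rotated together.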

 

Note: You must configure a new master key before the current key expires. If it expires, the firewall reboots into Maintenance mode, leaving you no option but to reset it to Factory Default Settings.

 

You can configure a reminder to alert you when the key is about to expire. The firewall automatically opens the System Alarms dialog to display the alarm. To ensure that the expiration alarm displays, make sure that you enable the alarms in Device > Log Settings > Alarm Settings > Enable Alarms:

 

[Screenshot: Don't forget to enable the alarms in the Alarm Settings]

 

Alternatively, you can also include this alarm in log forwarding profiles (and get a notification via email for example).

 

Just make sure that you set the reminder early enough to leave you time to configure a new master key before it expires.
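If you would rather track the deadline centrally than rely on each device's alarm, the added example below (written for this post, not vendor code) turns the remaining-lifetime figure reported by the device into a rotation date and a status. It assumes the lifetime is read from the `show system masterkey-properties` CLI output; the sample text is constructed, so compare the field name against your own device before using it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of `show system masterkey-properties` output.
# The exact field wording is an assumption for this example; verify it on your device.
SAMPLE_OUTPUT = """\
Master key remaining lifetime: 61 days 4 hours 12 minutes
"""


def parse_duration(text: str) -> timedelta:
    """Turn '61 days 4 hours 12 minutes' into a timedelta (missing units count as zero)."""
    parts = {unit: int(n) for n, unit in re.findall(r"(\d+)\s*(day|hour|minute)", text)}
    return timedelta(days=parts.get("day", 0), hours=parts.get("hour", 0), minutes=parts.get("minute", 0))


def parse_properties(output: str) -> dict:
    """Map each 'Label: value' line to a timedelta, keyed by the lower-cased label."""
    props = {}
    for line in output.splitlines():
        if ":" in line:
            label, value = line.split(":", 1)
            props[label.strip().lower()] = parse_duration(value)
    return props


def expiry_status(output: str, lead_time: timedelta, now: datetime) -> dict:
    """Classify the key as ok / rotate-now / expired and compute the latest safe rotation date.

    lead_time is how much notice you want (the same idea as the reminder in the GUI)."""
    remaining = parse_properties(output)["master key remaining lifetime"]
    expires_at = now + remaining
    if remaining <= timedelta(0):
        level = "expired"      # device will be in Maintenance mode; only a factory reset remains
    elif remaining <= lead_time:
        level = "rotate-now"   # inside the notice window: configure a new key immediately
    else:
        level = "ok"
    return {
        "level": level,
        "remaining_days": remaining.days,
        "expires_at": expires_at,
        "rotate_by": expires_at - lead_time,
    }


if __name__ == "__main__":
    status = expiry_status(SAMPLE_OUTPUT, lead_time=timedelta(days=30), now=datetime.now())
    print(f"{status['level']}: {status['remaining_days']} days left, "
          f"rotate by {status['rotate_by']:%Y-%m-%d}, expires {status['expires_at']:%Y-%m-%d}")
```

Run it on a schedule against every firewall and Panorama, and feed anything other than "ok" into the same notification path you use for the log-forwarded alarm.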

 

Additional information:

Query On Master Key 

Can We Get Master Key Expiration Via API 

Configure The Master Key 

 

Feel free to share your questions, comments and ideas in the section below.

 

Thank you for taking time to read this blog.

Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.

 

Kiwi out!
