Tips & Tricks: One Key To Rule Them All—How to Set a Master Key

kiwi · ‎12-16-2021

Did you know that you can add an additional layer of protection to your passwords and private keys on your Next-Generation Firewalls and Panorama?

To ensure your private data is safe, passwords and private keys contained on the firewall are encrypted in the configuration file. Should someone get their hands on your configuration file, they won't be able to simply read your information. See below:

<users>
        <entry name="kiwi-admin">
          <permissions>
            <role-based>
              <superuser>yes</superuser>
            </role-based>
          </permissions>
          <phash>$1$jepblocv$OHdXMHODrcBEBPMekB/qv1</phash>
        </entry>
      </users>

In this example, you can see that user kiwi-admin's password is hashed.

If you import this configuration file onto another firewall then you will need to know the password behind the hash or you won't be able to login with this account.

So, what happens if you don't change your password and keep the default admin user with the default password (admin/admin)? In that case, the master key will not change. The configuration file can be imported to other devices and the admin account will be available for use with the default password. That's great for migrating or duplicating configuration, but could pose a security risk if someone having bad intentions were to get your config file.

As a best practice, Palo Alto Networks recommends that you: configure a new master key instead of using the default key; store it in a safe location; and periodically change it. Don't use the same master key on all of your devices. This ensures that an attacker won't have access to all of your devices in case he learns the master key for one appliance.

That being said, in some cases you must use the same master key across multiple devices:

In HA configurations: HA synchronization won't work if you use different master keys
Panorama managing WildFire appliances and Log Collectors: Push operations from Panorama will fail if you use different master keys on Panorama, WildFire appliances and managed collectors.

On the device tab (1), you can access the 'Master Key and Diagnostics' options in the left side menu (2). From there, click the cogwheel (3) to enter the Master Key settings (4):

Here you can change the Master Key. Note that the length of this key must be exactly 16 characters!

First time here? Don't worry about entering the "Current Master Key." You'll need it when you will change the key the next time though!

Note: You must configure a new master key before the current key expires. If it expires, the firewall will reboot in Maintenance mode leaving you no other option but to reset the firewall to Factory Default Settings.

You can configure a reminder to alert you when the key is about to expire. The firewall automatically opens the System Alarms dialog to display the alarm. To ensure that the expiration alarm displays, make sure that you enable the alarms in Device > Log Settings > Alarm Settings > Enable Alarms:

Dont' forget to enable the alarms in the Alarm Settings

Alternatively, you can also include this alarm in log forwarding profiles (and get a notification via email for example).

Just make sure that you set the reminder, leaving you with enough time to configure a new master key before it expires.

Additional information:

Query On Master Key

Can We Get Master Key Expiration Via API

Configure The Master Key

Feel free to share your questions, comments and ideas in the section below.

Thank you for taking time to read this blog.

Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.

Kiwi out!

ChrisRice · ‎08-04-2022

I'm very surprised that this process is not in any of your playbooks listed in the professional services library. I would suggest adding that to the playbooks if its a best practice.

ksalustro · ‎04-19-2023

What is the best practice for expiration time?

Mamoudou · ‎07-13-2023

Hello,

Anyone knows where find the current master key in the firewall ?

I want to change my master key because it will expire in some days but I don't know my actual master key.

Thank in advance for your help.

Regards

jjosephs · ‎07-13-2023

@mamodeo

If you do not know the current master key, then the only recourse is to factory reset the device and then set the master key for the first time. The master key has the same role as your password used to login to any account. The only way to reset a lost master key is through a factory reset.

Mamoudou · ‎07-17-2023

Thank you for your response.

Our master key will expire in 30 days for firewall and panorama. So there is no any way to find the current master key ?

And I don't remember that during a factory reset we have to set a master key.

Thanks

jjosephs · ‎07-17-2023

@Mamoudou, you are correct that one does not have to set the masterkey after a factory reset.

The platform is using the default key, which is exactly why it should be changed.

All devices will be using the same master key.

You must safely archive your master keys in some manner so that they can be used again, when necessary

Mamoudou · ‎07-18-2023

@jjosephs Thanks for your response again. So in my case there is no way to find the current master key ? I have to reset factory all of my devices (because the master key will expire in 30 days)?

If I decide to do the reset where can I find the default master key ?

Thank you in advance.

gkrutsinger · ‎08-09-2023

Hello @Mamoudou ,

You do not need to know the default key to set it. When setting the first key, the Current Key will be left blank because it is the default key. Any changes after that will require both the current and the new key. Please be sure to review the links provided in the original post, there are several important notes regarding HA and pending commits when deploying the master keys.

Willem_Goethals · ‎11-23-2023

I have a further question concerning this: what is actually encrypted using this Master Key? I have set a master key on my test environments, but I notice that my phash of my local administrators does not change between Masterkey versions.

Also when I export the configuration and import it on another box with a default masterkey this works without ever having to enter the original masterkey.

Is it only disk encryption or file encryption that is separate from the encryption used for the password hash?

ksalustro · ‎12-08-2023

"The Master Key is used to encrypt private keys on the firewall, which includes the RSA key used to authenticate the server when logging into CLI and the private key used by the web server when logging into the web interface. Without the Master Key, when a configuration is exported from a firewall, the password is hashed and can be copied. The Master Key provides more security to those passwords."

Why is a Decryption Key Required When Loading an Imported Confi... - Knowledge Base - Palo Alto Netw...

The disk encryption will be different, and password hashes will be different when exporting the config, so that if you import it on another fw and don't have the source fw's master key for the destination fw, then it can't read any passwords.

If you're able to read one fw's passwords on another fw, maybe you missed a step?

Tips & Tricks: One Key To Rule Them All—How to Set a Master Key