- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Did you know that you can add an additional layer of protection to your passwords and private keys on your Next-Generation Firewalls and Panorama?
To ensure your private data is safe, passwords and private keys contained on the firewall are encrypted in the configuration file. Should someone get their hands on your configuration file, they won't be able to simply read your information. See below:
<users>
<entry name="kiwi-admin">
<permissions>
<role-based>
<superuser>yes</superuser>
</role-based>
</permissions>
<phash>$1$jepblocv$OHdXMHODrcBEBPMekB/qv1</phash>
</entry>
</users>
In this example, you can see that user kiwi-admin's password is hashed.
If you import this configuration file onto another firewall then you will need to know the password behind the hash or you won't be able to login with this account.
So, what happens if you don't change your password and keep the default admin user with the default password (admin/admin)? In that case, the master key will not change. The configuration file can be imported to other devices and the admin account will be available for use with the default password. That's great for migrating or duplicating configuration, but could pose a security risk if someone having bad intentions were to get your config file.
As a best practice, Palo Alto Networks recommends that you: configure a new master key instead of using the default key; store it in a safe location; and periodically change it. Don't use the same master key on all of your devices. This ensures that an attacker won't have access to all of your devices in case he learns the master key for one appliance.
That being said, in some cases you must use the same master key across multiple devices:
On the device tab (1), you can access the 'Master Key and Diagnostics' options in the left side menu (2). From there, click the cogwheel (3) to enter the Master Key settings (4):
Here you can change the Master Key. Note that the length of this key must be exactly 16 characters!
First time here? Don't worry about entering the "Current Master Key." You'll need it when you will change the key the next time though!
Note: You must configure a new master key before the current key expires. If it expires, the firewall will reboot in Maintenance mode leaving you no other option but to reset the firewall to Factory Default Settings.
You can configure a reminder to alert you when the key is about to expire. The firewall automatically opens the System Alarms dialog to display the alarm. To ensure that the expiration alarm displays, make sure that you enable the alarms in Device > Log Settings > Alarm Settings > Enable Alarms:
Alternatively, you can also include this alarm in log forwarding profiles (and get a notification via email for example).
Just make sure that you set the reminder, leaving you with enough time to configure a new master key before it expires.
Can We Get Master Key Expiration Via API
Feel free to share your questions, comments and ideas in the section below.
Thank you for taking time to read this blog.
Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.
Kiwi out!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
3 Likes | |
3 Likes | |
2 Likes | |
2 Likes | |
2 Likes |
User | Likes Count |
---|---|
9 | |
4 | |
3 | |
2 | |
2 |