PAN documentation seems to be clear about it: the XML config stores "encrypted" passwords and private keys. See "Encrypting Private Keys and Passwords on the Firewall":
Device > Master Key and Diagnostics

Use the Master Key and Diagnostics page to specify a master key to encrypt private keys on the firewall. Private keys are stored in encrypted form by default even if a new master key is not specified.

Field / Description:

Master Key: Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall.

New Master Key / Confirm Master Key: To change the master key, enter and confirm a new key.

Life Time: Specify the number of days and hours after which the master key expires.

Time for Reminder: Specify the number of days and hours before expiration when the user is notified of the impending expiration.

Common Criteria: In Common Criteria mode, additional buttons are available to run a cryptographic algorithm self-test and a software integrity self-test. A scheduler is also included to specify the times at which the two self-tests will run.
My understanding: Palo Alto is using some kind of secret passphrase that is used to encrypt passwords and private keys. If they are using the right algorithms, it could be strong protection (AES-256 for example) as long as that passphrase doesn't get out of the PA office, or it is generated for each box out of the factory. If you want extra security, go to Device -> Master Key and Diagnostics and change the master key, but make sure you never lose that passphrase or you won't be able to restore from a cold backup.

When you create a case with PA support, you bring them your config XML or tech dump (which contains the config). But they never ask you for a password to run their tests, so there are 2 solutions: either they change the passwords in the XML before importing, or they have a default master key for all the devices they sell. I tend to believe the second solution.