PAN-OS
This document is a guide for administrators integrating PAN-OS with Thales Luna HSM. In this integration the Luna HSM encrypts the PAN-OS master key and stores the private keys that PAN-OS uses for SSL forward proxy and SSL inbound inspection. PAN-OS is the security-focused operating system that powers all Palo Alto Networks® next-generation firewalls. It lets organizations safely enable applications through features such as App-ID, User-ID, Content-ID, GlobalProtect, and WildFire, and it protects against both known and unknown threats using Content-ID™ and WildFire™.
The integration leverages Luna HSM's capabilities to encrypt the PAN-OS master key and safeguard the private keys essential for SSL forward proxy and SSL inbound inspection within PAN-OS. The key benefits of this integration are:
- Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. Note that the Luna Cloud HSM service does not have access to this secure audit trail.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
PAN-OS Platform | Luna HSM Client | Luna HSM Firmware |
---|---|---|
PAN-OS VM Series 11.1.x | 7.2.0 | 7.7.1 |
PAN-OS VM Series 10.2.x | 7.2.0 | 7.7.1 |
PAN-OS VM Series 10.0.x | 7.2.0 | 7.3.0, 7.3.3 |
PAN-OS VM Series 9.0.x | 6.3.0 | 6.27.0 |
Whether a given Luna HSM firmware version works with a given Luna HSM Client depends on that client release supporting the firmware. Make sure the Luna HSM Client you install supports the firmware running on your Luna HSM; the firmware versions supported by each client release are listed in the Luna HSM Client product documentation.
Prerequisites
Before proceeding with the integration, ensure the following tasks are completed:
Set up PAN-OS Virtual Appliance
Utilize the appropriate virtual image file to deploy the virtual appliance on VMware. Refer to the Palo Alto Support Portal and Palo Alto Product Documentation for detailed instructions.
Once your virtual appliance is deployed on VMware, follow these steps:
1. Access the PAN-OS web console at the IP address configured during deployment, for example https://PAN-OS-Web_Interface_IP.
2. Apply the PAN-OS license. The HSM feature requires a valid license; refer to Palo Alto Product Documentation for details on licenses and subscriptions.
3. Configure PAN-OS to use a static IP address. Luna HSM authenticates the PAN-OS client by its IP address, so PAN-OS must be configured with a static IP address rather than a DHCP-assigned one; a change of the PAN-OS IP address at runtime can disrupt HSM operations.
Configure Luna HSM
Before proceeding, ensure that the Luna HSM is properly set up, initialized, provisioned, and ready for deployment. Detailed steps for configuring the connectivity between the PAN-OS environment and the Luna HSM appliance are provided in the Integrate PAN-OS with Luna HSM section.
Integrate PAN-OS with Luna HSM
To integrate PAN-OS with a Luna HSM, follow these steps:
Establish connectivity with a Luna HSM
To establish connectivity between the Luna HSM and PAN-OS, follow these steps:
Add Luna HSM server information to PAN-OS
To add Luna HSM server information to PAN-OS, follow these steps:
1. Access the PAN-OS web interface at https://PAN-OS-Web_Interface_IP, log in, and navigate to Device > Setup > HSM.
2. In the Hardware Security Module Details section, select SafeNet Network HSM from the Provider Configured drop-down menu.
3. Click Add and enter the Luna HSM server details:
   - Module Name: a name for the Luna HSM server (up to 31 ASCII characters).
   - Server Address: the IPv4 address of the Luna HSM.
4. If configuring high availability (HA), repeat step 3 for each Luna HSM server and specify:
   - High Availability
   - Auto Recovery Retry value (0 to 500; default is 0)
   - High Availability Group Name (up to 31 ASCII characters)

   An HA configuration requires at least two Luna HSM servers; up to 16 servers can be clustered, and all of them must run the same Luna HSM version. HA is recommended for key replication, and enabling it is best practice whenever you configure multiple HSM servers: it provides redundancy and keeps the system available through hardware or network failures.
5. Click OK and then Commit to save the changes.
6. Select the HSM Client Version:
   - HSM Client v7.2.0 for PAN-OS 10.x and later.
   - HSM Client v6.3.0 for PAN-OS 9.x.

   Click OK and then Commit to save the changes.
7. Optionally, configure a service route for HSM traffic if you do not want to use the management interface:
   - Navigate to Device > Setup > Services > Service Route Configuration.
   - Select Customize a service route; the IPv4 tab is active by default.
   - Select HSM in the Service column.
   - Choose the Source Interface that PAN-OS will use to reach the HSM.
   - Click OK and Commit the changes.

With a service route configured, PAN-OS reaches the HSM through the chosen interface instead of the management interface, and switching can briefly interrupt SSL/TLS operations. Also take care with the `clear session all` command: it resets all existing HSM sessions and takes the HSM state down until it recovers, and during that recovery period, which lasts several seconds, all SSL/TLS operations fail.
Configure PAN-OS for authentication with the HSM
To configure PAN-OS to authenticate to Luna HSM, follow these steps:
Navigate to Device > Setup > HSM and click Setup Hardware Security Module.
Select the Server Name from the list of HSM modules you previously added.
Choose the HSM Authentication method:
Automatic
This method allows PAN-OS to automatically authenticate with the Luna HSM using the HSM Administrator Password. To configure automatic authentication:
(a) Enter the HSM Administrator Password, which is the Luna HSM admin password.
(b) Click OK to proceed.
(c) PAN-OS will attempt to authenticate with the HSM and display a status message. Click OK to close the message window.
Manual
This method requires manual upload of the HSM server certificate to PAN-OS. To configure manual authentication:
(a) Copy the `server.pem` file from the Luna HSM with a remote file transfer tool such as SCP from a Linux or Windows machine, for example: `scp admin@10.164.75.32:server.pem /home`. Replace `admin@10.164.75.32` with the admin user name and IP address of your Luna HSM, and `/home` with the destination directory on your local machine. When prompted, enter the HSM admin password to authenticate the transfer.
(b) Select Import And Install HSM Server Certificate.
(c) Click Browse, select the `server.pem` file you copied in step (a), and click OK to upload the certificate to PAN-OS.
(d) Click Close to complete the upload.
(e) Click Export HSM Client Certificate to download the client certificate file.
(f) Copy the client certificate to a Linux or Windows machine and transfer it to the HSM, for example: `scp /home/10.164.76.45.pem admin@10.164.75.32:`. Provide the HSM admin password when prompted.
Register PAN-OS as an HSM client and allocate a partition
To register PAN-OS as a Luna HSM client and allocate a partition, follow these steps:
1. Log in to the Luna HSM appliance using admin credentials.
2. Register PAN-OS as a client: `client register -c <PAN-OS_client_name> -ip <PAN-OS_IP>`
3. Assign a partition to PAN-OS: `client assignpartition -c <PAN-OS_client_name> -p <partition-name>`

If a client with the same name is already registered on the HSM, remove the duplicate registration before registering the new client: `client delete -client <PAN-OS_client_name>`.
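The following shell script is an added example; it is not part of the Thales guide and not Thales or Palo Alto Networks tooling. It automates the HSM-side half of the manual authentication method above (fetching `server.pem`, pushing the exported PAN-OS client certificate) together with the client registration and partition assignment, for one or more Luna HSM appliances such as the members of an HA group. It assumes ssh and scp access to each appliance as the admin user, that LunaSH accepts a single command passed on the ssh command line, that openssl is installed on the workstation, and that the PAN-OS client certificate has already been exported from Device > Setup > HSM and saved as `<PAN-OS_IP>.pem` in the current directory. It also assumes, as the static-IP requirement above implies, that Luna matches the client certificate's CN against the registered IP address, so the script refuses a host name, a non-IPv4 address, or a certificate whose CN differs from the address given. The `-client`, `-ip` and `-partition` options are the long forms of the `-c`, `-ip` and `-p` options used above; `-force` on `client delete` skips the confirmation prompt. All addresses and names are placeholders.

```shell
#!/bin/sh
# Added example: HSM-side automation of the manual-authentication certificate
# exchange and the client registration / partition assignment described above.
# Not part of the Thales guide or of any Thales or Palo Alto Networks tooling.
#
# Assumptions (not from the guide): ssh/scp access to each Luna appliance as
# "admin"; LunaSH accepts a single command on the ssh command line; openssl is
# installed locally; the PAN-OS client certificate has already been exported
# from Device > Setup > HSM and saved as <PAN-OS_IP>.pem in the current directory.
set -eu

# Luna ties the client registration and the client certificate CN to the
# firewall's IP address, so a DHCP-assigned address that later changes breaks
# NTLS. Accept only a dotted-quad IPv4 literal (no host names).
valid_ipv4() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# LunaSH command lines. -client/-ip/-partition are the long forms of the -c/-ip/-p
# abbreviations used in the guide; -force skips the interactive confirmation.
register_cmd() { printf 'client register -client %s -ip %s\n' "$1" "$2"; }
assign_cmd()   { printf 'client assignpartition -client %s -partition %s\n' "$1" "$2"; }
delete_cmd()   { printf 'client delete -client %s -force\n' "$1"; }

# SHA-256 fingerprint of a PEM certificate, for out-of-band comparison with the
# value the HSM shows on its own console before the file is trusted.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Subject CN of a PEM certificate; for a PAN-OS client cert this is its IP.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# usage: panos_luna_register.sh <panos_ip> <client_name> <partition> <hsm_ip>...
main() {
    panos_ip=$1; client=$2; partition=$3; shift 3
    valid_ipv4 "$panos_ip" || { echo "PAN-OS address must be a static IPv4 literal: $panos_ip" >&2; exit 1; }
    client_pem="$panos_ip.pem"
    [ -r "$client_pem" ] || { echo "missing exported client certificate $client_pem" >&2; exit 1; }
    cn=$(cert_cn "$client_pem")
    [ "$cn" = "$panos_ip" ] || { echo "client certificate CN '$cn' does not match $panos_ip" >&2; exit 1; }

    for hsm in "$@"; do
        # Manual method, step (a): fetch server.pem and show its fingerprint.
        scp "admin@$hsm:server.pem" "server-$hsm.pem"
        echo "$hsm: $(cert_fingerprint "server-$hsm.pem")"
        echo "    verify against the HSM console, then import server-$hsm.pem in PAN-OS"
        # Manual method, step (f): push the PAN-OS client certificate to the HSM.
        scp "$client_pem" "admin@$hsm:"
        # Drop a stale registration with the same name, then register and assign.
        # (Deleting a client also removes its partition assignments.)
        ssh "admin@$hsm" "$(delete_cmd "$client")" >/dev/null 2>&1 || true
        ssh "admin@$hsm" "$(register_cmd "$client" "$panos_ip")"
        ssh "admin@$hsm" "$(assign_cmd "$client" "$partition")"
    done
}

# Only run the procedure when invoked with arguments; the functions stay sourceable.
if [ $# -ge 4 ]; then main "$@"; fi
```

Run it as `./panos_luna_register.sh 10.164.76.45 panos-fw1 par1 10.164.75.32 10.164.75.33`. Compare each printed `server.pem` fingerprint with the value displayed on the corresponding appliance's own console before importing that file into PAN-OS; SCP with a password proves nothing about which appliance you reached, and the server certificate is what PAN-OS will trust for every NTLS session afterwards.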
Configure PAN-OS to link to the designated HSM partition
To configure PAN-OS to connect to the Luna HSM partition, follow these steps:
Navigate to Device > Setup > HSM and refresh the display.
In the Hardware Security Operations section, click Setup HSM Partition.
Authenticate PAN-OS to the Luna HSM partition by entering the partition password, which corresponds to the crypto officer password. Click OK to proceed.
Upon successful authentication, a confirmation of the status will be displayed. Click OK to acknowledge the successful connection.
Configure PAN-OS to connect to the HA slot
To configure PAN-OS to connect to the HA slot for an HA setup, follow these steps:
(a) Log in to the PAN-OS CLI.
(b) Create the HA group: `request hsm ha create-ha-group password`
(c) Synchronize the members of the HA group: `request hsm ha synchronize password`
(d) Replace the HSM servers in the HA group: `request hsm ha replace-server password`