Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Guides

PAN-OS

search
printsuggest an edit

PAN-OS

This document serves as a comprehensive guide for administrators seeking to integrate PAN-OS with Thales Luna HSM. Thales Luna HSM plays a critical role in encrypting the master key and securely storing the private keys utilized by PAN-OS for SSL forward proxy and SSL inbound inspection purposes. PAN-OS stands as a security-centric operating system powering all Palo Alto Networks® next-generation firewalls. It empowers organizations to confidently enable applications through advanced features such as App-ID, User-ID, Content-ID, Global Protect, and Wildfire. PAN-OS offers robust protection against both known and unknown threats, leveraging Content-ID™ and Wildfire™.

The integration leverages Luna HSM's capabilities to encrypt the PAN-OS master key and safeguard the private keys essential for SSL forward proxy and SSL inbound inspection within PAN-OS. The key benefits of this integration are:

  • Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.

  • Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.

  • Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. It's important to note that Luna Cloud HSM service does not have access to this secure audit trail.

  • Significant performance enhancements by offloading cryptographic operations from application servers.

copy link to clipboardSupported Platforms

This integration has been tested and verified on the following platforms:

PAN-OS Platform Luna HSM Client Luna HSM Firmware
PAN-OS VM Series 11.1.x 7.2.0 7.7.1
PAN-OS VM Series 10.2.x 7.2.0 7.7.1
PAN-OS VM Series 10.0.x 7.2.0 7.3.0, 7.3.3
PAN-OS VM Series 9.0.x 6.3.0 6.27.0
note

Note

The compatibility of Luna HSM firmware versions with the Luna HSM Client depends on whether the Luna HSM Client supports a specific firmware version. To ensure proper functionality and compatibility, it is essential that the Luna HSM Client is designed to operate with the particular firmware version installed on your Luna HSM device. For details on supported firmware versions, please refer to the official Product Documentation provided by Luna HSM Client.

copy link to clipboardPrerequisites

Before proceeding with the integration, ensure the following tasks are completed:

1Set up PAN-OS Virtual Appliance

2Configure Luna HSM

copy link to clipboardSet up PAN-OS Virtual Appliance

note

Note

Utilize the appropriate virtual image file to deploy the virtual appliance on VMware. Refer to the Palo Alto Support Portal and Palo Alto Product Documentation for detailed instructions.

Once your virtual appliance is deployed on VMware, follow these steps:

1Access the PAN-OS Web console via the IP address configured during deployment. For example: https:/PAN-OS-Web_Interface_IP.

2Apply the PAN-OS license.

note

Note

The HSM feature requires a valid license. Refer to Palo Alto Product Documentation for further details on licenses and subscriptions.

3Configure PAN-OS to use a static IP address.

note

Note

Before connecting with Luna HSM, PAN-OS must be authenticated using its IP address. It's crucial to configure PAN-OS with a static IP address instead of relying on a dynamic IP address assigned via DHCP. Changes to the PAN-OS IP address during runtime may disrupt HSM operations.

copy link to clipboardConfigure Luna HSM

Before proceeding, ensure that the Luna HSM is properly set up, initialized, provisioned, and ready for deployment. Detailed steps for configuring the connectivity between the PAN-OS environment and the Luna HSM appliance are provided in the Integrate PAN-OS with Luna HSM section.

copy link to clipboardIntegrate PAN-OS with Luna HSM

To integrate PAN-OS with a Luna HSM, follow these steps:

1Establish connectivity with a Luna HSM

2Encrypt the master key

3Rotate the master key used for encryption

4Safely store private keys on the Luna HSM

copy link to clipboardEstablish connectivity with a Luna HSM

To establish connectivity between the Luna HSM and PAN-OS, follow these steps:

1Add Luna HSM server information to PAN-OS

2Configure PAN-OS for authentication with the HSM

3Register PAN-OS as an HSM client and allocate a partition

4Configure PAN-OS to link to the designated HSM partition

5Configure PAN-OS to connect to the HA slot

6Verify connectivity and authentication between PAN-OS and the HSM

copy link to clipboardAdd Luna HSM server information to PAN-OS

To add Luna HSM server information to PAN-OS, follow these steps:

1Access the PAN-OS web interface at https://PAN-OS-Web_Interface_IP. Log in and navigate to Device > Setup > HSM.

2In the Hardware Security Module Details section, select SafeNet Network HSM from the Provider Configured drop-down menu.



3Click Add to enter Luna HSM server details:


  • Enter a Module Name (up to 31 ASCII characters) for the Luna HSM server.

  • Enter the Luna HSM IPv4 address in the Server Address.

4If configuring high availability (HA), repeat step 3 for each Luna HSM server, specifying:


  • High Availability

  • Auto Recovery Retry value (0 to 500; default is 0)

  • High Availability Group Name (up to 31 ASCII characters)

note

Note

For HA configurations, at least two Luna HSM servers are required. Up to 16 servers can be clustered, and all servers must run the same Luna HSM version. HA is recommended for key replication.

note

Note

Enabling HA is considered best practice when configuring multiple HSM servers. This ensures redundancy and enhances the reliability of the system in case of hardware or network failures.

5Click OK and then Commit to save the changes.

6Select the HSM Client Version:


  • Use HSM Client v7.2.0 for PAN-OS 10.x and later.

  • Use HSM Client v6.3.0 for PAN-OS 9.x.

7Click OK and then Commit to save the changes.

8Optionally, configure a service route to connect to the HSM if you don't want to use the management interface:


  • Navigate to Device > Setup > Services > Service Route Configuration.

  • Select Customize a service route, ensuring the IPv4 tab is active by default.

  • Select HSM in the Service column.

  • Choose a Source Interface for the HSM, specifying the network interface used for communication.

  • Confirm changes by clicking OK and committing them.

warning

Warning

When configuring a service route, keep in mind that PAN-OS will communicate with the HSM through the specified interface, bypassing the default management interface. Be cautious, as this setup may lead to a temporary disruption in SSL/TLS operations. Additionally, exercise care when executing the clear session all command, as it will reset all existing HSM sessions, temporarily bringing down HSM states until recovery. During this recovery period, all SSL/TLS operations will fail for several seconds.

copy link to clipboardConfigure PAN-OS for authentication with the HSM

To configure PAN-OS to authenticate to Luna HSM, follow these steps:

1Access the PAN-OS web interface and navigate to Device > Setup > HSM > Setup Hardware Security Module.

2Select the Server Name from the list of HSM modules you previously added.

3Choose the HSM Authentication method:


Automatic

This method allows PAN-OS to automatically authenticate with the Luna HSM using the HSM Administrator Password. To configure automatic authentication:

(a) Enter the HSM Administrator Password, which is the Luna HSM admin password.


(b) Click OK to proceed.



(c) PAN-OS will attempt to authenticate with the HSM and display a status message. Click OK to close the message window.


Manual

This method requires manual upload of the HSM server certificate to PAN-OS. To configure manual authentication:

(a) Copy the server.pem file from the Luna HSM using a remote file transfer protocol such as SCP from a Linux or Windows machine. For instance, you can execute the following command: scp admin@10.164.75.32:server.pem /home. Ensure to replace admin@10.164.75.32 with the appropriate username and IP address of your Luna HSM, and /home with the desired destination directory on your local machine. When prompted, enter the HSM Admin password to authenticate the file transfer.


(b) Select Import And Install HSM Server Certificate.



(c) Click Browse and select the server.pem file you copied in step a. Click OK to upload the certificate to PAN-OS.


(d) Click Close to complete the upload process.


(e) Click Export HSM Client Certificate to download the client certificate file.


(f) Copy the client certificate to a Linux or Windows machine for transfer to the HSM device. Use the command scp /home/10.164.76.45.pem admin@10.164.75.32: to transfer the file. Provide the HSM admin password when prompted.

copy link to clipboardRegister PAN-OS as an HSM client and allocate a partition

To register PAN-OS as a Luna HSM client and allocate a partition, follow these steps:

1Access the Luna HSM interface using admin credentials.

2Register PAN-OS as a client:

client register -c <PAN-OS_client_name> -ip <PAN-OS_IP>

3Assign a partition to PAN-OS:

client assignpartition -c <PAN-OS_client_name> -p <partition-name>
note

Note

If an existing PAN-OS client with the same name is already registered on the HSM, you must remove the duplicate registration before registering the new client. Use the command client delete -client <PAN-OS_client_name> to remove the duplicate registration.

To enhance the procedure for configuring PAN-OS to connect to a Luna HSM partition, consider the following refined steps:

1Navigate to Device > Setup > HSM and refresh the display.

2Access the Setup HSM Partition within the Hardware Security Operations settings.

3Authenticate PAN-OS to the Luna HSM partition by entering the partition password, which corresponds to the crypto officer password. Click OK to proceed.

4Upon successful authentication, a confirmation of the status will be displayed. Click OK to acknowledge the successful connection.

copy link to clipboardConfigure PAN-OS to connect to the HA slot

To configure PAN-OS to connect to the HA slot for an HA setup, follow these steps:

1Repeat the previous steps to authenticate, register, and configure the partition for an additional Luna HSM server to be added to the existing HA group.

2If you need to remove a Luna HSM server from the configuration, repeat the partition connection step to remove the deleted server from the HA group.

3For PAN-OS 9.x, perform these additional steps:


(a) Log in to the PAN-OS CLI.


(b) Create the HA group:

request hsm ha create-ha-group password

(c) Synchronize the members of the HA group:

request hsm ha synchronize password

(d) Replace the HSM servers in the HA group:

request hsm ha replace-server password

copy link to clipboardVerify connectivity and authentication between PAN-OS and the HSM

To confirm the connectivity and authentication status between PAN-OS and the Luna HSM partition, follow these steps using the PAN-OS web interface:

1Navigate to Device > Setup > HSM and review the authentication and connection status:


  • Green: Indicates successful authentication and connection to the HSM.

  • Red: Indicates authentication failure or lack of network connectivity to the HSM.

2Check the following columns in the Hardware Security Module Status section to assess the authentication status:


  • Serial Number: Displays the serial number of the HSM partition (available only if PAN-OS successfully authenticated).

  • Partition: Shows the name of the partition assigned to PAN-OS.

  • Module State: Indicates the current state of the HSM connection; always displays Authenticated if the Hardware Security Module Status shows the HSM.



copy link to clipboardEncrypt the master key

The Master Key plays a crucial role in encrypting all private keys and passwords on the PAN-OS, ensuring data security. Follow these detailed steps to encrypt the master key using an encryption key stored on the Luna HSM:

1Log in to the PAN-OS web interface and navigate to Device > Master Key and Diagnostics.

2Access the Master Key settings:


  • Specify the current key used for encrypting private keys and passwords on the PAN-OS in the Master Key field.

  • If changing the master key, enter the new master key and confirm.

3Enable the Stored on HSM option and provide the following values:


  • Life Time: Set the expiration period for the master key (1-730 days).

  • Time for Reminder: Define when users should be notified before the key expires (1-365 days).

4Click OK to save the settings.



note

Note

This procedure should be revisited whenever encrypting a key for the first time or defining a new master key for encryption.

note

Note

In cases where the master key is not synchronized across HA members, run request hsm ha synchronize password from the PAN-OS CLI to ensure consistency.


copy link to clipboardRotate the master key used for encryption

To maintain optimal security, it is recommended to periodically rotate the master key encryption by refreshing the wrapping key stored on the Luna HSM. Follow these steps to rotate the master key encryption:

1Log in to the PAN-OS CLI.

2Execute the following CLI command to rotate the wrapping key for the master key on the HSM:

request hsm mkey-wrapping-key-rotation
note

Note

If the master key is already encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM and re-encrypt the master key with the new wrapping key.

note

Note

If the master key is not currently encrypted on the HSM, the CLI command will create a new wrapping key on the HSM for future encryption. The old wrapping key will be retained and not deleted by this command.

copy link to clipboardSafely store private keys on the Luna HSM

To bolster security measures, Luna HSM can be configured to safeguard the private keys used in SSL/TLS decryption for PAN-OS certificates. PAN-OS leverages Luna HSM for SSL/TLS decryption in the following scenarios:

  • SSL Forward Proxy: Luna HSM can securely store the private key of the Forward Trust certificate, which is utilized to sign certificates in SSL/TLS forward proxy operations. PAN-OS generates certificates during these operations, sends them to Luna HSM for signing, and then forwards them to the client.

  • SSL Inbound Inspection: Luna HSM can house the private keys for internal servers undergoing SSL/TLS inbound inspection.

If you employ DHE or ECDHE key exchange algorithms to enable perfect forward secrecy (PFS) support for SSL decryption, Luna HSM can store the private keys for SSL Inbound Inspection. Additionally, Luna HSM can store ECDSA keys used in SSL Forward Proxy or SSL Inbound Inspection.

This section covers the following key topics:


copy link to clipboardGenerate private key and certificate for decryption

For this demonstration, the Luna HSM client is installed on a separate operating system (Linux or Windows) with an NTLS connection to the Luna HSM partition used by PAN-OS. Follow these steps to generate a key pair and self-signed certificate using the cmu utility within the Luna HSM partition:

1Create a key pair using the cmu utility:

./cmu gen -modulusBits=2048 -publicExp=65537 -sign=T -verify=T
note

Note

Provide the partition password when prompted.

2List the generated key using the cmu utility:

./cmu list
note

Note

Provide the partition password when prompted.

3Create a self-signed certificate:

./cmu selfSign -C=CA -O=thales -startDate=20190101 -endDate=20250101 -CN="test.thales.com"

4Verify that the certificate was generated successfully:

./cmu list
note

Note

Provide the partition password when prompted.

5Export the generated certificate:

./cmu export
note

Note

Provide the partition password and a filename when prompted.

6Copy the exported certificate file to your workstation from where you are accessing the PAN-OS web console.

copy link to clipboardImport the certificate corresponding to the HSM-stored key

To import the certificate that corresponds to the key stored on the Luna HSM, follow these steps using the PAN-OS web interface:

1Navigate to Device > Certificate Management > Certificates > Device Certificates.

2Click the Import button.

3In the Certificate Type field, select Local.

4Enter a descriptive name for the certificate in the Certificate Name field.

5Browse to locate the certificate file that was exported from the Luna HSM partition.

6Select the appropriate file format for the certificate.

7Check the Private Key resides on Hardware Security Module option.

8Click OK to confirm the import, and then click Commit to save the changes.



9The imported certificate details will now be listed under Device Certificates.

copy link to clipboardEnable the certificate for SSL/TLS Forward Proxy (applicable to forward trust certificates only)

To empower the certificate for SSL/TLS Forward Proxy usage, specifically for forward trust certificates, follow these refined steps:

1Open the imported certificate for editing within the PAN-OS web interface.

2Choose the option for Forward Trust Certificate.

3Click OK to confirm the selection, and then proceed to click Commit to save the changes effectively.

copy link to clipboardVerify the certificate import process

To confirm that the certificate has been successfully imported onto PAN-OS, follow these steps:

1Locate the certificate you imported within the PAN-OS web interface.

2Examine the icon displayed in the Key column:


  • Lock icon: Indicates that the private key for the certificate is securely stored on the Luna HSM.

  • Error icon: Signifies that the private key is not stored on the HSM, or the HSM is not properly authenticated or connected to PAN-OS.


On this page