PAN-OS
This document is a guide for administrators integrating PAN-OS with Thales Luna HSM. Luna HSM encrypts the PAN-OS master key and securely stores the private keys that PAN-OS uses for SSL forward proxy and SSL inbound inspection. PAN-OS is the security-centric operating system powering all Palo Alto Networks® next-generation firewalls. It enables organizations to safely enable applications through features such as App-ID, User-ID, Content-ID, GlobalProtect, and WildFire, and protects against both known and unknown threats using Content-ID™ and WildFire™.
The integration leverages Luna HSM's capabilities to encrypt the PAN-OS master key and safeguard the private keys essential for SSL forward proxy and SSL inbound inspection within PAN-OS. The key benefits of this integration are:
- Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. It's important to note that Luna Cloud HSM service does not have access to this secure audit trail.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
PAN-OS Platform | Luna HSM Client | Luna HSM Firmware |
---|---|---|
PAN-OS VM Series 11.1.x | 7.2.0 | 7.7.1 |
PAN-OS VM Series 10.2.x | 7.2.0 | 7.7.1 |
PAN-OS VM Series 10.0.x | 7.2.0 | 7.3.0, 7.3.3 |
PAN-OS VM Series 9.0.x | 6.3.0 | 6.27.0 |
Compatibility between a Luna HSM firmware version and the Luna HSM Client depends on whether that client release supports the firmware version installed on your Luna HSM. For the list of supported firmware versions, refer to the Luna HSM Client product documentation.
Prerequisites
Before proceeding with the integration, ensure the following tasks are completed:
Set up PAN-OS Virtual Appliance
Utilize the appropriate virtual image file to deploy the virtual appliance on VMware. Refer to the Palo Alto Support Portal and Palo Alto Product Documentation for detailed instructions.
Once your virtual appliance is deployed on VMware, follow these steps:
Access the PAN-OS Web console via the IP address configured during deployment, for example https://PAN-OS-Web_Interface_IP.
Apply the PAN-OS license.
The HSM feature requires a valid license. Refer to Palo Alto Product Documentation for further details on licenses and subscriptions.
Configure PAN-OS to use a static IP address.
Before connecting with Luna HSM, PAN-OS must be authenticated using its IP address. It's crucial to configure PAN-OS with a static IP address instead of relying on a dynamic IP address assigned via DHCP. Changes to the PAN-OS IP address during runtime may disrupt HSM operations.
Configure Luna HSM
Before proceeding, ensure that the Luna HSM is properly set up, initialized, provisioned, and ready for deployment. Detailed steps for configuring the connectivity between the PAN-OS environment and the Luna HSM appliance are provided in the Integrate PAN-OS with Luna HSM section.
Integrate PAN-OS with Luna HSM
To integrate PAN-OS with a Luna HSM, follow these steps:
Establish connectivity with a Luna HSM
To establish connectivity between the Luna HSM and PAN-OS, follow these steps:
Add Luna HSM server information to PAN-OS
Configure PAN-OS for authentication with the HSM
Register PAN-OS as an HSM client and allocate a partition
Configure PAN-OS to link to the designated HSM partition
Configure PAN-OS to connect to the HA slot
Verify connectivity and authentication between PAN-OS and the HSM
Add Luna HSM server information to PAN-OS
To add Luna HSM server information to PAN-OS, follow these steps:
1. Access the PAN-OS web interface at https://PAN-OS-Web_Interface_IP. Log in and navigate to Device > Setup > HSM.
2. In the Hardware Security Module Details section, select SafeNet Network HSM from the Provider Configured drop-down menu.
3. Click Add to enter Luna HSM server details:
   - Enter a Module Name (up to 31 ASCII characters) for the Luna HSM server.
   - Enter the Luna HSM IPv4 address in the Server Address field.
4. If configuring high availability (HA), repeat step 3 for each Luna HSM server, specifying:
   - High Availability
   - Auto Recovery Retry value (0 to 500; default is 0)
   - High Availability Group Name (up to 31 ASCII characters)
   For HA configurations, at least two Luna HSM servers are required. Up to 16 servers can be clustered, and all servers must run the same Luna HSM version. HA is recommended for key replication.
   Enabling HA is considered best practice when configuring multiple HSM servers. This ensures redundancy and enhances the reliability of the system in case of hardware or network failures.
5. Click OK and then Commit to save the changes.
6. Select the HSM Client Version:
   - Use HSM Client v7.2.0 for PAN-OS 10.x and later.
   - Use HSM Client v6.3.0 for PAN-OS 9.x.
7. Click OK and then Commit to save the changes.
8. Optionally, configure a service route to connect to the HSM if you don't want to use the management interface:
   - Navigate to Device > Setup > Services > Service Route Configuration.
   - Select Customize a service route, ensuring the IPv4 tab is active by default.
   - Select HSM in the Service column.
   - Choose a Source Interface for the HSM, specifying the network interface used for communication.
   - Confirm changes by clicking OK and committing them.
When configuring a service route, keep in mind that PAN-OS will communicate with the HSM through the specified interface, bypassing the default management interface. Be cautious, as this setup may lead to a temporary disruption in SSL/TLS operations. Additionally, exercise care when executing the clear session all command, as it will reset all existing HSM sessions, temporarily bringing down HSM states until recovery. During this recovery period, all SSL/TLS operations will fail for several seconds.
Configure PAN-OS for authentication with the HSM
To configure PAN-OS to authenticate to Luna HSM, follow these steps:
Access the PAN-OS web interface and navigate to Device > Setup > HSM > Setup Hardware Security Module.
Select the Server Name from the list of HSM modules you previously added.
Choose the HSM Authentication method:
Automatic
This method allows PAN-OS to automatically authenticate with the Luna HSM using the HSM Administrator Password. To configure automatic authentication:
(a) Enter the HSM Administrator Password, which is the Luna HSM admin password.
(b) Click OK to proceed.
(c) PAN-OS will attempt to authenticate with the HSM and display a status message. Click OK to close the message window.
Manual
This method requires manual upload of the HSM server certificate to PAN-OS. To configure manual authentication:
(a) Copy the server.pem file from the Luna HSM using a remote file transfer protocol such as SCP from a Linux or Windows machine. For instance, you can execute the following command: scp admin@10.164.75.32:server.pem /home. Replace admin@10.164.75.32 with the appropriate username and IP address of your Luna HSM, and /home with the desired destination directory on your local machine. When prompted, enter the HSM Admin password to authenticate the file transfer.
(b) Select Import And Install HSM Server Certificate.
(c) Click Browse and select the server.pem file you copied in step a. Click OK to upload the certificate to PAN-OS.
(d) Click Close to complete the upload process.
(e) Click Export HSM Client Certificate to download the client certificate file.
(f) Copy the client certificate to a Linux or Windows machine for transfer to the HSM device. Use the command scp /home/10.164.76.45.pem admin@10.164.75.32: to transfer the file. Provide the HSM admin password when prompted.
Register PAN-OS as an HSM client and allocate a partition
To register PAN-OS as a Luna HSM client and allocate a partition, follow these steps:
Access the Luna HSM interface using admin credentials.
Register PAN-OS as a client:
client register -c <PAN-OS_client_name> -ip <PAN-OS_IP>
Assign a partition to PAN-OS:
client assignpartition -c <PAN-OS_client_name> -p <partition-name>
If an existing PAN-OS client with the same name is already registered on the HSM, you must remove the duplicate registration before registering the new client. Use the command client delete -client <PAN-OS_client_name> to remove the duplicate registration.
Configure PAN-OS to link to the designated HSM partition
To configure PAN-OS to connect to a Luna HSM partition, follow these steps:
Navigate to Device > Setup > HSM and refresh the display.
Access the Setup HSM Partition within the Hardware Security Operations settings.
Authenticate PAN-OS to the Luna HSM partition by entering the partition password, which corresponds to the crypto officer password. Click OK to proceed.
Upon successful authentication, a confirmation of the status will be displayed. Click OK to acknowledge the successful connection.
Configure PAN-OS to connect to the HA slot
To configure PAN-OS to connect to the HA slot for an HA setup, follow these steps:
Repeat the previous steps to authenticate, register, and configure the partition for an additional Luna HSM server to be added to the existing HA group.
If you need to remove a Luna HSM server from the configuration, repeat the partition connection step to remove the deleted server from the HA group.
For PAN-OS 9.x, perform these additional steps:
(a) Log in to the PAN-OS CLI.
(b) Create the HA group:
request hsm ha create-ha-group password
(c) Synchronize the members of the HA group:
request hsm ha synchronize password
(d) Replace the HSM servers in the HA group:
request hsm ha replace-server password
Verify connectivity and authentication between PAN-OS and the HSM
To confirm the connectivity and authentication status between PAN-OS and the Luna HSM partition, follow these steps using the PAN-OS web interface:
Navigate to Device > Setup > HSM and review the authentication and connection status:
- Green: Indicates successful authentication and connection to the HSM.
- Red: Indicates authentication failure or lack of network connectivity to the HSM.
Check the following columns in the Hardware Security Module Status section to assess the authentication status:
- Serial Number: Displays the serial number of the HSM partition (available only if PAN-OS successfully authenticated).
- Partition: Shows the name of the partition assigned to PAN-OS.
- Module State: Indicates the current state of the HSM connection; always displays Authenticated if the Hardware Security Module Status shows the HSM.
Encrypt the master key
The Master Key plays a crucial role in encrypting all private keys and passwords on the PAN-OS, ensuring data security. Follow these detailed steps to encrypt the master key using an encryption key stored on the Luna HSM:
Log in to the PAN-OS web interface and navigate to Device > Master Key and Diagnostics.
Access the Master Key settings:
- Specify the current key used for encrypting private keys and passwords on the PAN-OS in the Master Key field.
- If changing the master key, enter the new master key and confirm.
Enable the Stored on HSM option and provide the following values:
- Life Time: Set the expiration period for the master key (1-730 days).
- Time for Reminder: Define when users should be notified before the key expires (1-365 days).
Click OK to save the settings.
This procedure should be revisited whenever encrypting a key for the first time or defining a new master key for encryption.
In cases where the master key is not synchronized across HA members, run request hsm ha synchronize password from the PAN-OS CLI to ensure consistency.
Rotate the master key used for encryption
To maintain optimal security, it is recommended to periodically rotate the master key encryption by refreshing the wrapping key stored on the Luna HSM. Follow these steps to rotate the master key encryption:
Log in to the PAN-OS CLI.
Execute the following CLI command to rotate the wrapping key for the master key on the HSM:
request hsm mkey-wrapping-key-rotation
If the master key is already encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM and re-encrypt the master key with the new wrapping key.
If the master key is not currently encrypted on the HSM, the CLI command will create a new wrapping key on the HSM for future encryption. The old wrapping key will be retained and not deleted by this command.
Safely store private keys on the Luna HSM
To bolster security measures, Luna HSM can be configured to safeguard the private keys used in SSL/TLS decryption for PAN-OS certificates. PAN-OS leverages Luna HSM for SSL/TLS decryption in the following scenarios:
- SSL Forward Proxy: Luna HSM can securely store the private key of the Forward Trust certificate, which is utilized to sign certificates in SSL/TLS forward proxy operations. PAN-OS generates certificates during these operations, sends them to Luna HSM for signing, and then forwards them to the client.
- SSL Inbound Inspection: Luna HSM can house the private keys for internal servers undergoing SSL/TLS inbound inspection.
If you employ DHE or ECDHE key exchange algorithms to enable perfect forward secrecy (PFS) support for SSL decryption, Luna HSM can store the private keys for SSL Inbound Inspection. Additionally, Luna HSM can store ECDSA keys used in SSL Forward Proxy or SSL Inbound Inspection.
This section covers the following key topics:
Generate private key and certificate for decryption
For this demonstration, the Luna HSM client is installed on a separate operating system (Linux or Windows) with an NTLS connection to the Luna HSM partition used by PAN-OS. Follow these steps to generate a key pair and self-signed certificate using the cmu utility within the Luna HSM partition:
Create a key pair using the cmu utility:
./cmu gen -modulusBits=2048 -publicExp=65537 -sign=T -verify=T
Provide the partition password when prompted.
List the generated key using the cmu utility:
./cmu list
Provide the partition password when prompted.
Create a self-signed certificate:
./cmu selfSign -C=CA -O=thales -startDate=20190101 -endDate=20250101 -CN="test.thales.com"
Verify that the certificate was generated successfully:
./cmu list
Provide the partition password when prompted.
Export the generated certificate:
./cmu export
Provide the partition password and a filename when prompted.
Copy the exported certificate file to your workstation from where you are accessing the PAN-OS web console.
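Before importing the exported file into PAN-OS, it is worth confirming that it really is what cmu gen and cmu selfSign were asked to produce. The following POSIX shell check is an added example and not part of the Thales guide; it assumes openssl is installed on the workstation and that the certificate file was written by cmu export. It verifies a 2048-bit RSA key with public exponent 65537, a self-signed (issuer equals subject) certificate that has not expired, and optionally the expected CN.

```shell
#!/bin/sh
# Pre-import check for a certificate exported from the Luna HSM partition.
# Added example; assumes openssl on PATH. Expected values match the
# "cmu gen -modulusBits=2048 -publicExp=65537" call used in this guide.
EXPECTED_BITS=2048
EXPECTED_EXP=65537

# check_exported_cert <cert.pem> [expected_cn]
# Returns 0 when every check passes, 1 (with a reason) on the first failure.
check_exported_cert() {
    cert="$1"; want_cn="${2:-}"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) \
        || { echo "not a parseable X.509 certificate: $cert"; return 1; }
    # Key parameters as printed by "openssl x509 -text"
    echo "$text" | grep -q "Public-Key: ($EXPECTED_BITS bit)" \
        || { echo "modulus is not $EXPECTED_BITS bits"; return 1; }
    echo "$text" | grep -q "Exponent: $EXPECTED_EXP " \
        || { echo "public exponent is not $EXPECTED_EXP"; return 1; }
    # cmu selfSign produces a self-signed certificate: issuer must equal subject
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$subj" = "$iss" ] || { echo "issuer differs from subject (not self-signed)"; return 1; }
    # Validity window must include now, otherwise PAN-OS cannot use it for decryption
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired"; return 1; }
    if [ -n "$want_cn" ]; then
        case "$subj" in
            *"CN=$want_cn"*) ;;
            *) echo "CN is not $want_cn"; return 1 ;;
        esac
    fi
    echo "OK: $subj"
    return 0
}

# Usage: ./check_cert.sh <exported.pem> [expected_cn]
if [ $# -gt 0 ]; then check_exported_cert "$@"; fi
```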
Import the certificate corresponding to the HSM-stored key
To import the certificate that corresponds to the key stored on the Luna HSM, follow these steps using the PAN-OS web interface:
Navigate to Device > Certificate Management > Certificates > Device Certificates.
Click the Import button.
In the Certificate Type field, select Local.
Enter a descriptive name for the certificate in the Certificate Name field.
Browse to locate the certificate file that was exported from the Luna HSM partition.
Select the appropriate file format for the certificate.
Check the Private Key resides on Hardware Security Module option.
Click OK to confirm the import, and then click Commit to save the changes.
The imported certificate details will now be listed under Device Certificates.
Enable the certificate for SSL/TLS Forward Proxy (applicable to forward trust certificates only)
To enable the certificate for SSL/TLS Forward Proxy usage (forward trust certificates only), follow these steps:
Open the imported certificate for editing within the PAN-OS web interface.
Choose the option for Forward Trust Certificate.
Click OK to confirm the selection, and then click Commit to save the changes.
Verify the certificate import process
To confirm that the certificate has been successfully imported onto PAN-OS, follow these steps:
Locate the certificate you imported within the PAN-OS web interface.
Examine the icon displayed in the Key column:
- Lock icon: Indicates that the private key for the certificate is securely stored on the Luna HSM.
- Error icon: Signifies that the private key is not stored on the HSM, or the HSM is not properly authenticated or connected to PAN-OS.