Set Up Connectivity with a SafeNet NetworkHSM
Updated on
Wed Jul 17 16:47:57 UTC 2024
To set up connectivity between the Palo Alto Networks firewall (HSM client) and a SafeNet Network HSM server, you must specify the IP address of the server, enter a password for authenticating the firewall to the server, and then register the firewall with the server. Before you begin configuring your HSM client, create a partition for the firewall on the HSM server and then confirm that the SafeNet Network client version on the firewall is compatible with your SafeNet Network HSM server (see Set Up Connectivity with an HSM).

Before the HSM and firewall connect, the HSM authenticates the firewall based on the firewall IP address. Therefore, you must configure the firewall to use a static IP address—not a dynamic address assigned through DHCP. Operations on the HSM stop working if the firewall IP address changes during runtime.

HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA configurations, you must manually perform one failover to individually configure and authenticate each HA peer to the HSM. After this initial manual failover, user interaction is not required for failover to function properly.
1. Define connection settings for each SafeNet Network HSM.

   a. Log in to the firewall web interface and select Device > Setup > HSM.

   b. Edit the Hardware Security Module Provider settings and set the Provider Configured to SafeNet Network HSM.

   c. Add each HSM server as follows. A high availability (HA) HSM configuration requires at least two servers; you can have a cluster of up to 16 HSM servers. All HSM servers in the cluster must run the same SafeNet version and must authenticate separately. You should use a SafeNet cluster only when you want to replicate the keys across the cluster. Alternatively, you can add up to 16 SafeNet HSM servers to function independently.

      - Enter a Module Name (an ASCII string of up to 31 characters) for the HSM server.
      - Enter an IPv4 address for the HSM Server Address.
      - (HA only) Select High Availability, specify the Auto Recovery Retry value (maximum number of times the HSM client tries to recover its connection to an HSM server before failing over to an HSM HA peer server; range is 0 to 500; default is 0), and enter a High Availability Group Name (an ASCII string up to 31 characters long).

      If you configure two or more HSM servers, the best practice is to enable High Availability. Otherwise the firewall does not use the additional HSM servers.

   d. Click OK and Commit your changes.
2. (Optional) Configure a service route to connect to the HSM if you don't want the firewall to connect through the Management interface (default).

   If you configure a service route for the HSM, running the clear session all CLI command clears all existing HSM sessions, which brings all HSM states down and then up again. During the several seconds required for the HSM to recover, all SSL/TLS operations will fail.

   a. Select Device > Setup > Services and click Service Route Configuration.

   b. Customize a service route. The IPv4 tab is active by default.

   c. Click HSM in the Service column.

   d. Select a Source Interface for the HSM.

   e. Click OK and Commit your changes.
3. Configure the firewall to authenticate to the HSM.

   a. Select Device > Setup > HSM and click Setup Hardware Security Module.

   b. Select the HSM Server Name.

   c. Select Automatic or Manual for your authentication and trust certificate.

   d. Enter the Administrator Password to authenticate the firewall to the HSM.

   e. Click OK. The firewall tries to authenticate to the HSM and displays a status message.

   f. Click OK again.
4. Register the firewall as an HSM client with the HSM server and assign the firewall to a partition on the HSM server.

   If the HSM has a firewall with the same <cl-name> already registered, you must first remove the duplicate registration by running the client delete -client <cl-name> command, where <cl-name> is the name of the registered client (firewall) you want to delete.

   a. Log in to the HSM from a remote system.

   b. Register the firewall using the client register -c <cl-name> -ip <fw-ip-addr> CLI command, where <cl-name> is a name that you assign to the firewall for use on the HSM and <fw-ip-addr> is the IP address for that firewall.

   c. Assign a partition to the firewall using the client assignpartition -c <cl-name> -p <partition-name> CLI command, where <cl-name> is the name you assigned to the firewall using the client register command and <partition-name> is the name of a previously configured partition that you want to assign to this firewall.
5. Configure the firewall to connect to the HSM partition.

   a. Select Device > Setup > HSM and refresh the display.

   b. Select Setup HSM Partition (Hardware Security Operations settings).

   c. Enter the Partition Password to authenticate the firewall to the partition on the HSM.

   d. Click OK.

   e. (HA only) Repeat the previous authentication, registration, and partition connection steps to add another HSM to the existing HA group.

   If you remove an HSM from your configuration, repeat the previous partition connection step to remove the deleted HSM from the HA group.
6. Verify firewall connectivity and authentication with the HSM.

   a. Select Device > Setup > HSM and check the authentication and connection Status:

      - Green—The firewall is successfully authenticated and connected to the HSM.
      - Red—The firewall failed to authenticate to the HSM or network connectivity to the HSM is down.

   b. View the following columns in Hardware Security Module Status to determine the authentication status:

      - Serial Number—The serial number of the HSM partition if the firewall successfully authenticated to the HSM.
      - Partition—The partition name on the HSM that is assigned to the firewall.
      - Module State—The current state of the HSM connection. This value is always Authenticated if the Hardware Security Module Status displays the HSM.