Why You Should Change the Palo Alto Master Key
Palo Alto firewalls ship with a default master key that encrypts the private keys, passwords, and other secrets stored in the configuration. Because that default key is the same on every device, anyone who compromises the firewall or gains unauthorized access to it can easily decrypt those secrets, which is a significant security risk. In this blog post, let's explore why you should change the master key, what to consider before you do, and how to configure it. Let's get started.
Why Change the Master Key?
Palo Alto firewalls come with a default master key, and it is the same on every device. Anyone with unauthorized access to the firewall can therefore decrypt your secrets directly, or export the configuration, import it on another firewall that still uses the default key, and retrieve the secrets there. For this reason, Palo Alto strongly recommends changing the master key as soon as possible.
Master Key Considerations
Configuring the master key isn’t something you can just set and forget; it requires careful consideration. Here are some important points to keep in mind.
- The new master key must be exactly 16 characters long.
- If your firewalls are in an HA pair, disable 'Config Sync' before configuring the key, because the master key is not part of the synchronized configuration. Configure the exact same key on each firewall individually; the two peers must end up with an identical master key.
- If the master key expires, the firewall or Panorama automatically reboots into Maintenance mode, and the only way out is a reset to factory default settings. Renew before expiry, not after.
- If you use Panorama to manage your firewalls, you can either configure the same master key on Panorama and all managed firewalls, or configure a unique master key for each managed firewall.
Using one key everywhere is convenient, but it widens the blast radius: if one firewall or Panorama is compromised, every other device using that key is at risk too. A unique master key per firewall is the better practice, although even moving off the default key is a big improvement.
If you prefer not to worry about renewing the key frequently, you can set a very long lifetime, such as 20 years. This isn't ideal. A better approach is a shorter lifetime, such as one or two years, with a renewal before the key expires.
When configuring the master key, you can specify a reminder and auto-renew period.
- Reminder - This generates an alarm and system log before the expiry date. For example, if you set the key lifetime to one year and the reminder to 60 days, the firewall will log an alert 60 days before expiration.
- Auto-Renew - If enabled, the key's expiry is extended by the specified period once the original lifetime runs out. For example, if you set it to 30 days, the key remains valid for an additional 30 days. This is a grace period, not a permanent fix: you still need to renew the key manually before the 30-day extension runs out.
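To make the lifetime, reminder and auto-renew arithmetic concrete, here is an added Go example. It is not from the original post and not Palo Alto code; it simply models the lifecycle described above: the key must be exactly 16 characters, a reminder fires before expiry, auto-renew extends the expiry by a fixed period, and a fully expired key means maintenance mode. The type and function names, the printable-ASCII restriction, the random key generator and the sample dates are all my own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"math/big"
	"time"
)

// KeyStatus follows the lifecycle the post describes: reminder window, optional
// auto-renew extension, then a hard expiry that drops the device into maintenance mode.
type KeyStatus int

const (
	StatusOK          KeyStatus = iota
	StatusReminder              // inside the reminder window: alarm and system log
	StatusAutoRenewed           // original lifetime is over; running on the auto-renew extension
	StatusExpired               // expired: firewall or Panorama reboots into maintenance mode
)

func (s KeyStatus) String() string {
	return [...]string{"ok", "reminder", "auto-renewed (renew manually now)", "EXPIRED"}[s]
}

// MasterKeyPolicy holds the values entered under Master Key and Diagnostics (field names are my own).
type MasterKeyPolicy struct {
	Configured time.Time     // when the key was committed
	Lifetime   time.Duration // e.g. 365 days
	Reminder   time.Duration // e.g. 60 days before expiry
	AutoRenew  time.Duration // extension granted once the lifetime runs out; 0 = disabled
}

func (p MasterKeyPolicy) Expiry() time.Time      { return p.Configured.Add(p.Lifetime) }
func (p MasterKeyPolicy) ReminderAt() time.Time  { return p.Expiry().Add(-p.Reminder) }
func (p MasterKeyPolicy) FinalExpiry() time.Time { return p.Expiry().Add(p.AutoRenew) }

// StatusAt classifies a point in time against the policy.
func (p MasterKeyPolicy) StatusAt(now time.Time) KeyStatus {
	switch {
	case !now.Before(p.FinalExpiry()):
		return StatusExpired
	case !now.Before(p.Expiry()):
		return StatusAutoRenewed
	case !now.Before(p.ReminderAt()):
		return StatusReminder
	default:
		return StatusOK
	}
}

// ValidateMasterKey enforces the exactly-16-characters rule. Restricting to printable
// ASCII without spaces is my own choice so the key survives copy and paste into the CLI.
func ValidateMasterKey(key string) error {
	if n := len([]rune(key)); n != 16 {
		return fmt.Errorf("master key must be exactly 16 characters, got %d", n)
	}
	for _, r := range key {
		if r < '!' || r > '~' {
			return fmt.Errorf("master key contains a space or non-printable character %q", r)
		}
	}
	return nil
}

// NewMasterKey draws a random 16-character alphanumeric key without modulo bias,
// so that each firewall can get its own key.
func NewMasterKey() (string, error) {
	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
	out := make([]byte, 16)
	for i := range out {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// SameKey checks that two HA peers were given the identical key, in constant time.
func SameKey(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

func main() {
	configured := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed commit date
	p := MasterKeyPolicy{Configured: configured, Lifetime: 365 * 24 * time.Hour,
		Reminder: 60 * 24 * time.Hour, AutoRenew: 30 * 24 * time.Hour}
	for _, days := range []int{100, 320, 370, 400} {
		at := configured.AddDate(0, 0, days)
		fmt.Printf("day %3d (%s): %s\n", days, at.Format("2006-01-02"), p.StatusAt(at))
	}
	key, _ := NewMasterKey()
	fmt.Println("generated key valid:", ValidateMasterKey(key) == nil, "peers match:", SameKey(key, key))
}
```

With a one-year lifetime, a 60-day reminder and a 30-day auto-renew, the sample run reports ok on day 100, reminder on day 320, auto-renewed on day 370 and EXPIRED on day 400; with auto-renew disabled, day 365 is already expired, which is the case the factory-reset warning above is about.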
Palo Alto Master Key Configuration
Configuring the master key is straightforward. Navigate to Device (or the Panorama tab if using Panorama) > Master Key and Diagnostics, and check the 'Master Key' box.
If you are configuring the key for the first time, leave the current master key field blank; you don't need to enter the default key. If you are renewing the key, you must enter the current master key.
As mentioned earlier, if the firewall is part of an HA pair, you must disable Config Sync before changing the key. Once you’ve configured the key on both firewalls, you can re-enable Config Sync.
When you click OK, the firewall automatically commits the change. Keep a record of the key in a secure place, such as a password manager, since you will need it for every renewal. Also note that you cannot configure the auto-renew period in the same step. After the commit completes, return to the same tab and enable Auto Renew with Same Master Key, specifying a renewal period of typically 30 or 60 days. This period is a buffer that gives you time to renew the key manually before it expires.
Master Key Encryption
You can configure the master key to encrypt data such as keys and passwords with either AES-256-CBC or AES-256-GCM (introduced in PAN-OS 10.0). Both use the same 256-bit AES cipher, so the difference is not key strength: AES-256-GCM is an authenticated mode that attaches an integrity check (an authentication tag) to every encrypted value, so tampering with encrypted data is detected on decryption instead of silently producing corrupted output. That built-in integrity check is what improves your security posture over CBC.
The following operational CLI command changes the encryption level and automatically re-encrypts all currently encrypted data with the specified encryption level.
request encryption-level level <0|1|2>
- 0: Use the default algorithm (AES-256-CBC) to encrypt data.
- 1: Use the AES-256-CBC algorithm to encrypt data.
- 2: Use the AES-256-GCM algorithm to encrypt data.
The firewall re-encrypts all currently encrypted data and encrypts new sensitive data with the specified algorithm. If you don't want the firewall to re-encrypt existing data with the new algorithm, add the re-encrypt no option to the command. This leaves data that the firewall has already encrypted as it is.
request encryption-level re-encrypt <yes|no> level <0|1|2>
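The practical difference between the two encryption levels is easiest to see with a tamper test. The following is an added Go example, not code from this post and not PAN-OS code: it derives a 256-bit key from a 16-character master key with plain SHA-256 (an assumption made for the example only; the derivation PAN-OS actually uses is not described here), encrypts a constructed sample secret under AES-256-CBC and under AES-256-GCM, and lets the caller flip one byte of each ciphertext. CBC decrypts the modified ciphertext without complaint and hands back a silently altered secret; GCM refuses it because the authentication tag no longer verifies. Function names and the iv || ciphertext and nonce || ciphertext || tag layouts are my own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// KeyFromMasterKey: 16-character master key -> 256-bit AES key. SHA-256 is an assumption for this demo.
func KeyFromMasterKey(masterKey string) []byte {
	sum := sha256.Sum256([]byte(masterKey))
	return sum[:]
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if l := len(b); l > 0 && l%aes.BlockSize == 0 {
		n = int(b[l-1])
	}
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptCBC returns iv || ciphertext. Nothing in the output authenticates it.
func EncryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...), nil
}

// DecryptCBC checks only alignment and padding: a flipped byte comes back as a corrupted secret, not an error.
func DecryptCBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptGCM returns nonce || ciphertext || 16-byte authentication tag.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte(nil), nonce...), nonce, plaintext, nil), nil
}

// DecryptGCM verifies the tag before releasing any plaintext; any modified byte fails.
func DecryptGCM(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// Tamper returns a copy of data with byte i XORed by mask: an attacker's bit flip.
func Tamper(data []byte, i int, mask byte) []byte {
	out := append([]byte(nil), data...)
	out[i] ^= mask
	return out
}
```

Call these from a test or a small main of your own: encrypt a secret with both functions, flip byte 0 of the CBC output (the IV) and byte 12 of the GCM output (the first ciphertext byte), and decrypt again. CBC returns the secret with exactly one byte changed and err == nil, which is the failure mode level 1 leaves you exposed to; GCM returns "cipher: message authentication failed", which is the integrity check that level 2 buys you.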
You can run the following command to view information about the master key, including its expiry date and encryption level.
show system masterkey-properties
Closing Up
Whatever you do, remember that this is not a set-it-and-forget-it configuration. Store the master key securely, keep it identical across HA peers, and renew it before it expires. An expired key leaves you with a firewall in Maintenance mode and a factory reset ahead of you, so proceed with caution.