Changing the Master Key on a Palo Alto Firewall Active/Passive HA pair

Palo Alto firewalls use a Master Key to encrypt all the private keys and saved passwords in the configuration.

By default this key is set to p1a2l3o4a5l6t7o8

It is not a bad idea to change this…..

I was recently tasked with changing the Master Key at a client site that had a pair of Palo Alto firewalls arranged in an active/passive HA pair. Unfortunately the Palo Alto documentation I consulted neglected to mention a rather important step and I ended up snotting the passive firewall. I hadnt disabled Config Sync so when I changed the Master Key on the active firewall it proceeded to re-encrypt all of the saved passwords and keys in the configuration and then copied the configuration over to the passive firewall. Problem was that as the passive firewall didn’t have the new Master Key it couldn’t read any of the newly encrypted passwords and keys so wouldn’t let me enter the new Master Key or save or commit anything. Fortunately I was able to disable Config Sync, restore the backup of the passive firewall that I took before performing the operation, enter the new Master Key and then resync the configs. Phew!

This post details the correct procedure for changing the Master Key on an active/passive HA pair of Palo Alto firewalls.

The first step is to save and commit any pending changes and then take a backup of each firewall.

Go to Device – Setup – Operations and click on Export named configuration snapshot

Select running-config.xml and click OK to save to your preferred location.

Repeat this on both firewalls in the HA pair.

The next step is to Disable Configuration Sync (VERY IMPORTANT!)

On the active member on the HA pair:

Go to Device – High Availability – General – Setup

Remove the tick from “Enable Config Sync”

Save and Commit this change and then repeat on the passive firewall.

Now we are ready to change the Master Key.

The key must be exactly 16 characters in length and the same key is entered into each firewall in the HA pair.

On the active member on the HA pair:

Go to Device – Master Key and Diagnostics – Master Key

 

Enter the new Master Key in the New Master Key and Confirm New Master Key fields

Set the Lifetime and Reminder to appropriate values and click OK.

Save and Commit this change and then repeat on the passive firewall.

The last step is to reactivate Configuration Sync.

On the active member on the HA pair:

Go to Device – High Availability – General – Setup

Add the tick back into “Enable Config Sync”

Save and Commit this change and then repeat on the passive firewall.

Job done!

 

6 Comments on "Changing the Master Key on a Palo Alto Firewall Active/Passive HA pair"


  1. The last step should be to “Click the tick from “Enable Config Sync” not Remove the tick from “Enable Config Sync”.

    Reply

  2. This is great. I just got burned by this tonight. Luckily I had a backup … but I’m wiping the passive firewall tomorrow, loading the base config, then changing the password to match the primary master key. That should work when it syncs the certificates from the primary, yes?

    Reply

    1. Hey CP

      You should be OK with regards to the certificates, I don’t recall having any dramas with that when it happened to me!

      Regards

      Kirin

      Reply

  3. Thanks also for posting the default mk. Where is this documented? It’s always been a mystery to me. I learned today.

    Reply

    1. No worries, I found it here in a slide deck presented at the Hack In The Box Security Conference on Attacking Next-Generation Firewalls published by Felix Wilhelm

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *