Changing the Master Key on a Palo Alto Firewall Active/Passive HA pair

Palo Alto firewalls use a Master Key to encrypt all the private keys and saved passwords in the configuration.

By default this key is set to p1a2l3o4a5l6t7o8

It is not a bad idea to change this.

I was recently tasked with changing the Master Key at a client site that had a pair of Palo Alto firewalls arranged in an active/passive HA pair. Unfortunately the Palo Alto documentation I consulted neglected to mention a rather important step and I ended up snotting the passive firewall. I hadn't disabled Config Sync, so when I changed the Master Key on the active firewall it proceeded to re-encrypt all of the saved passwords and keys in the configuration and then copied the configuration over to the passive firewall. The problem was that, as the passive firewall didn't have the new Master Key, it couldn't read any of the newly encrypted passwords and keys, so it wouldn't let me enter the new Master Key or save or commit anything. Fortunately I was able to disable Config Sync, restore the backup of the passive firewall that I took before performing the operation, enter the new Master Key and then resync the configs. Phew!

This post details the correct procedure for changing the Master Key on an active/passive HA pair of Palo Alto firewalls.

The first step is to save and commit any pending changes and then take a backup of each firewall.

Go to Device – Setup – Operations and click on Export named configuration snapshot

Select running-config.xml and click OK to save to your preferred location.

Repeat this on both firewalls in the HA pair.

The next step is to Disable Configuration Sync (VERY IMPORTANT!)

On the active member on the HA pair:

Go to Device – High Availability – General – Setup

Remove the tick from “Enable Config Sync”

Save and Commit this change and then repeat on the passive firewall.

Now we are ready to change the Master Key.

The key must be exactly 16 characters in length and the same key is entered into each firewall in the HA pair.

On the active member on the HA pair:

Go to Device – Master Key and Diagnostics – Master Key


Enter the new Master Key in the New Master Key and Confirm New Master Key fields

Set the Lifetime and Reminder to appropriate values and click OK.

Save and Commit this change and then repeat on the passive firewall.

The last step is to reactivate Configuration Sync.

On the active member on the HA pair:

Go to Device – High Availability – General – Setup

Tick “Enable Config Sync”

Save and Commit this change and then repeat on the passive firewall.

Job done!
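The whole procedure hinges on one pre-condition: Config Sync must be off on both members before the new key is entered, and the key must be exactly 16 characters. The following is an added example (not part of the original post or any Palo Alto tooling) of a pre-flight script that reads the running-config.xml exports taken in step one and refuses to give the go-ahead until both conditions hold. The XPath to the config-sync flag and the sample XML documents are assumptions constructed for the example; confirm the element path against your own export before relying on it.

```python
import xml.etree.ElementTree as ET

# Assumed location of the "Enable Config Sync" flag, relative to the <config>
# root of an exported running-config.xml. Verify against a real export.
CONFIG_SYNC_PATH = (
    "devices/entry/deviceconfig/high-availability/group/"
    "configuration-synchronization/enabled"
)

MASTER_KEY_LENGTH = 16          # length required by the post
FACTORY_DEFAULT_KEY = "p1a2l3o4a5l6t7o8"


def config_sync_enabled(running_config_xml: str) -> bool:
    """Return True if Config Sync is still on in an exported running-config.

    A missing or empty element is treated as enabled: the unsafe state is the
    one we must never mistake for safe, so we fail closed.
    """
    root = ET.fromstring(running_config_xml)
    node = root.find(CONFIG_SYNC_PATH)
    if node is None or node.text is None:
        return True
    return node.text.strip().lower() != "no"


def validate_master_key(key: str) -> list[str]:
    """Return every problem with a candidate Master Key (empty list == ok)."""
    problems = []
    if len(key) != MASTER_KEY_LENGTH:
        problems.append(
            f"master key must be exactly {MASTER_KEY_LENGTH} characters, got {len(key)}"
        )
    if key == FACTORY_DEFAULT_KEY:
        problems.append("master key is the factory default")
    if any(c.isspace() for c in key):
        problems.append("master key contains whitespace")
    return problems


def preflight(active_xml: str, passive_xml: str, new_key: str) -> list[str]:
    """Collect every reason the Master Key change must NOT proceed yet."""
    blockers = []
    for member, xml_text in (("active", active_xml), ("passive", passive_xml)):
        if config_sync_enabled(xml_text):
            blockers.append(
                f"{member}: Enable Config Sync is still on; untick it, save and commit first"
            )
    blockers.extend(validate_master_key(new_key))
    return blockers


def sample_config(sync_value: str) -> str:
    """Constructed stand-in for an exported running-config.xml (not a real export)."""
    return f"""<config version="example">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <high-availability>
          <enabled>yes</enabled>
          <group>
            <configuration-synchronization>
              <enabled>{sync_value}</enabled>
            </configuration-synchronization>
          </group>
        </high-availability>
      </deviceconfig>
    </entry>
  </devices>
</config>"""


if __name__ == "__main__":
    # In practice read the two files exported in step one:
    #   active_xml = open("fw-active-running-config.xml").read()
    # Here the constructed samples stand in: active still syncing, passive not.
    problems = preflight(sample_config("yes"), sample_config("no"), "Xy7!kQ2#mN9$pL4w")
    if problems:
        print("DO NOT change the Master Key yet:")
        for p in problems:
            print(" -", p)
    else:
        print("Pre-flight passed: safe to enter the new Master Key on both members.")
```

Run it against the two exports before opening Device – Master Key and Diagnostics; an empty blocker list is the only green light. The factory-default check is there because the post's whole point is to move off that value.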
