Palo Alto Change Master Key with HA (Active/Passive)

March 28, 2026bytheDXT

When a Palo Alto Networks firewall is configured with a unique master key, you need to change the master key before it expires, as when the master key expires, the firewall will reboot into maintenance mode, and you’ll need to factory reset it.

In this post, I will show you step by step how to change the Palo Alto Networks firewall master key before it expires.

Prerequisites

Palo Alto firewall configured with a unique master key.

If you haven’t configured a master key yet, my post, Palo Alto Configure Master Key with HA (Active/Passive), goes into detail on the process.

The Process

Backup your Palo Alto firewall config.

For more information on backing up your firewall config, my post, Palo Alto Config Backup, goes into detail.

Disable HA Config Sync via the GUI or CLI.
Change Master Key via the GUI or CLI.
Enable HA Config Sync via the GUI or CLI.

Disable HA Config Sync

We need to disable the HA configuration synchronization on both firewalls in the HA setup before changing the master key.

Disable HA Config Sync GUI

On the Primary firewall, click on the Device tab.

Click on High Availability.

Click on the General tab.

In the HA Pair Settings, click on the gear icon in the Setup box.

Uncheck Enable Config Sync and click OK.

Commit the change.
Repeat the process on the Secondary firewall.

Disable HA Config Sync CLI

SSH into the Primary firewall.
Enter configuration mode with the command configure

Run the following command to check your current HA config sync settings show deviceconfig high-availability group configuration-synchronization

If enabled is set to yes, we need to disable it.

Disable HA config sync with the following command set deviceconfig high-availability group configuration-synchronization enabled no

Commit the change.

Repeat the process on the Secondary firewall.

Change Master Key

With HA config sync disabled, we can safely change the master key on both firewalls. The new master key must be exactly 16 characters.

Change Master Key GUI

On the Primary firewall, click on the Device tab.

Click on Master Key and Diagnostics.

In the Master Key box, click on the gear icon.

Check the box for Master Key.
Enter the current Master Key.
Enter the new Master Key you would like to use.
Enter how long you want the master key to last, and when you want the firewall to start reminding you to change it.

In this example, I will set the master key’s lifetime to 730 days and set the reminder to change the master key to 90 days.

As soon as you click OK, an automatic commit task should start.

Wait for the automatic commit task to complete.

If the automatic commit task didn’t start, manually commit the changes.

Repeat the process on the Secondary firewall.

Change the Master Key CLI

SSH into the Primary firewall.
Run the following command to check the master key expiry show system masterkey-properties

When configuring the master key with CLI, the lifetime and reminder must be specified in hours.

In my example, I want to use 90 days for the reminder (2160 hours) and 730 days for the lifetime (17520 hours).

To change your master key, run the following command and change Old_Master_Key_Here, Reminder_Hours, Lifetime_Hours, and New_Master_Key_Here to your desired settings request master-key current-master-key Old_Master_Key_Here reminder Reminder_Hours lifetime Lifetime_Hours new-master-key New_Master_Key_Here

In my example, my command will look like this request master-key current-master-key paloalto12345678 reminder 2160 lifetime 17520 new-master-key 12345678paloalto