Palo Alto Change Master Key with HA (Active/Passive)

March 28, 2026

When a Palo Alto Networks firewall is configured with a unique master key, you need to change the master key before it expires. If the master key expires, the firewall will reboot into maintenance mode, and you’ll need to factory reset it.

In this post, I will show you step by step how to change the Palo Alto Networks firewall master key before it expires.

Prerequisites

  • Palo Alto firewall configured with a unique master key.

If you haven’t configured a master key yet, my post, Palo Alto Configure Master Key with HA (Active/Passive), goes into detail on the process.

The Process

  • Back up your Palo Alto firewall config.

For more information on backing up your firewall config, my post, Palo Alto Config Backup, goes into detail.

  • Disable HA Config Sync via the GUI or CLI.
  • Change Master Key via the GUI or CLI.
  • Enable HA Config Sync via the GUI or CLI.

Disable HA Config Sync

We need to disable the HA configuration synchronization on both firewalls in the HA setup before changing the master key.

Disable HA Config Sync GUI

  • On the Primary firewall, click on the Device tab.
  • Click on High Availability.
  • Click on the General tab.
  • In the HA Pair Settings, click on the gear icon in the Setup box.
  • Uncheck Enable Config Sync and click OK.
  • Commit the change.
  • Repeat the process on the Secondary firewall.

Disable HA Config Sync CLI

  • SSH into the Primary firewall.
  • Enter configuration mode with the command: configure
  • Run the following command to check your current HA config sync settings:

        show deviceconfig high-availability group configuration-synchronization

If enabled is set to yes, we need to disable it.

  • Disable HA config sync with the following command:

        set deviceconfig high-availability group configuration-synchronization enabled no
  • Commit the change.
  • Repeat the process on the Secondary firewall.

Change Master Key

With HA config sync disabled, we can safely change the master key on both firewalls. The new master key must be exactly 16 characters.

Change Master Key GUI

  • On the Primary firewall, click on the Device tab.
  • Click on Master Key and Diagnostics.
  • In the Master Key box, click on the gear icon.
  • Check the box for Master Key.
  • Enter the current Master Key.
  • Enter the new Master Key you would like to use.
  • Enter how long you want the master key to last, and when you want the firewall to start reminding you to change it.

In this example, I will set the master key’s lifetime to 730 days and set the reminder to change the master key to 90 days.

As soon as you click OK, an automatic commit task should start.

  • Wait for the automatic commit task to complete.

If the automatic commit task didn’t start, manually commit the changes.

  • Repeat the process on the Secondary firewall.

Change the Master Key CLI

  • SSH into the Primary firewall.
  • Run the following command to check the master key expiry:

        show system masterkey-properties
  • When configuring the master key with CLI, the lifetime and reminder must be specified in hours.

In my example, I want to use 90 days for the reminder (2160 hours) and 730 days for the lifetime (17520 hours).

  • To change your master key, run the following command, replacing Old_Master_Key_Here, Reminder_Hours, Lifetime_Hours, and New_Master_Key_Here with your own values:

        request master-key current-master-key Old_Master_Key_Here reminder Reminder_Hours lifetime Lifetime_Hours new-master-key New_Master_Key_Here

In my example, my command will look like this:

        request master-key current-master-key paloalto12345678 reminder 2160 lifetime 17520 new-master-key 12345678paloalto

  • As soon as you enter the command, an auto-commit job will start.

If the auto-commit job didn’t start, manually commit the changes.

  • Repeat the process on the Secondary firewall.

Enable HA Config Sync

Once the same new master key is set on both firewalls, we can safely re-enable HA configuration synchronization.

Enable HA Config Sync GUI

  • On the Primary firewall, click on the Device tab.
  • Click on High Availability.
  • Click on the General tab.
  • In the HA Pair Settings, click on the gear icon in the Setup box.
  • Check Enable Config Sync and click OK.
  • Commit the change.
  • Repeat the process on the Secondary firewall.

Enable HA Config Sync CLI

  • SSH into the Primary firewall.
  • Enter configuration mode with the command: configure
  • Run the following command to check your current HA config sync settings:

        show deviceconfig high-availability group configuration-synchronization

If enabled is set to no, we need to enable it.

  • Enable HA config sync with the following command:

        set deviceconfig high-availability group configuration-synchronization enabled yes
  • Commit the changes.
  • Repeat the process on the Secondary firewall.
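
The whole CLI procedure above can be turned into an ordered run-sheet before the change window. The following is an added example, not part of the original post or of any Palo Alto Networks tooling: the function names are hypothetical, the "new key differs from old" and "reminder shorter than lifetime" checks are sanity checks added here, and the PAN-OS commands are the ones quoted in this post plus exit to leave configuration mode.

```python
# Added example: ordered CLI run-sheet for the HA master key change above.
# Helper names are hypothetical; the PAN-OS commands are those quoted in the post,
# plus "exit" to leave configuration mode.
SYNC = "set deviceconfig high-availability group configuration-synchronization enabled {}"
REKEY = ("request master-key current-master-key {old} reminder {rem} "
         "lifetime {life} new-master-key {new}")


def days_to_hours(days):
    """The CLI takes reminder and lifetime in hours; the GUI example uses days."""
    if days <= 0:
        raise ValueError("days must be positive")
    return days * 24


def validate(old, new, reminder_days, lifetime_days):
    if len(new) != 16:
        raise ValueError("new master key must be exactly 16 characters")
    if new == old:  # sanity check added here, not a rule stated in the post
        raise ValueError("new master key is identical to the current one")
    if reminder_days >= lifetime_days:  # sanity check added here
        raise ValueError("reminder must be shorter than the lifetime")


def build_plan(old, new, reminder_days, lifetime_days, peers=("Primary", "Secondary")):
    """Return (peer, command) steps: sync off on both, rekey both, sync on both."""
    validate(old, new, reminder_days, lifetime_days)
    rekey = REKEY.format(old=old, new=new, rem=days_to_hours(reminder_days),
                         life=days_to_hours(lifetime_days))
    phases = (["configure", SYNC.format("no"), "commit", "exit"],
              ["show system masterkey-properties", rekey],  # operational mode
              ["configure", SYNC.format("yes"), "commit", "exit"])
    return [(peer, cmd) for phase in phases for peer in peers for cmd in phase]


def redact(plan, secrets):
    """Mask key material so the run-sheet can be pasted into a change ticket."""
    masked = []
    for peer, cmd in plan:
        for secret in secrets:
            cmd = cmd.replace(secret, "<redacted>")
        masked.append((peer, cmd))
    return masked


if __name__ == "__main__":
    old, new = "paloalto12345678", "12345678paloalto"  # sample keys from the post
    for peer, cmd in redact(build_plan(old, new, 90, 730), [old, new]):
        print(f"[{peer}] {cmd}")
```

Only the redacted form should go into tickets or logs, since the unredacted plan contains both the current and the new master key.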

Closing

That’s all it takes to change the master key on a Palo Alto Networks firewall before the master key expires.

If you want to read more about changing the master key, here is the Palo Alto Networks documentation.


About Me

Daniel Keer

Project Lead, Senior Consultant at Digitally Accurate Inc.
