Changing the Master Key on a Palo Alto Firewall Active/Passive HA pair

Palo Alto firewalls use a Master Key to encrypt all the private keys and saved passwords in the configuration.

By default this key is set to p1a2l3o4a5l6t7o8.

That default is public knowledge (see the comments below for where it is documented), so the "encrypted" passwords and private keys in an exported configuration from a firewall still using it can be recovered by anyone who has the file. Changing it is strongly recommended.

I was recently tasked with changing the Master Key at a client site that had a pair of Palo Alto firewalls arranged in an active/passive HA pair. Unfortunately the Palo Alto documentation I consulted neglected to mention a rather important step and I ended up snotting the passive firewall. I hadn't disabled Config Sync, so when I changed the Master Key on the active firewall it proceeded to re-encrypt all of the saved passwords and keys in the configuration and then copied the configuration over to the passive firewall. The problem was that, as the passive firewall didn't have the new Master Key, it couldn't read any of the newly encrypted passwords and keys, so it wouldn't let me enter the new Master Key or save or commit anything. Fortunately I was able to disable Config Sync, restore the backup of the passive firewall that I took before performing the operation, enter the new Master Key and then resync the configs. Phew!

This post details the correct procedure for changing the Master Key on an active/passive HA pair of Palo Alto firewalls.

The first step is to save and commit any pending changes and then take a backup of each firewall.

Go to Device – Setup – Operations and click on Export named configuration snapshot

Select running-config.xml and click OK to save to your preferred location.

Repeat this on both firewalls in the HA pair.

The next step is to Disable Configuration Sync (VERY IMPORTANT!)

On the active member of the HA pair:

Go to Device – High Availability – General – Setup

Remove the tick from “Enable Config Sync”

Save and Commit this change and then repeat on the passive firewall.

Now we are ready to change the Master Key.

The key must be exactly 16 characters in length, and the same key must be entered on each firewall in the HA pair (a member with a different key cannot read the secrets in a config synced from its peer).

On the active member of the HA pair:

Go to Device – Master Key and Diagnostics – Master Key


Enter the new Master Key in the New Master Key and Confirm New Master Key fields

Set the Lifetime and Reminder to appropriate values and click OK.

Save and Commit this change and then repeat on the passive firewall.

The last step is to reactivate Configuration Sync.

On the active member of the HA pair:

Go to Device – High Availability – General – Setup

Add the tick back into “Enable Config Sync”

Save and Commit this change and then repeat on the passive firewall.

Job done!
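The procedure above as a script, added here as an example and not taken from the post or from Palo Alto Networks. It runs the same four stages over the PAN-OS XML API: export the running config from each member, disable config sync and commit on both, set the identical Master Key and commit on both, then re-enable sync and commit on both, and it refuses to start if the key is not exactly 16 characters. The firewall addresses, credentials, lifetime/reminder values (assumed to be in hours), the xpath of the HA config-sync setting and the shape of the `request master-key` op command are assumptions; check them against your PAN-OS version before running with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the post): rotate the Master Key on a PAN-OS
# active/passive HA pair over the XML API, in the order the post describes.
# Assumptions: the addresses and credentials below, the xpath of the HA
# config-sync setting, and the shape of the <request><master-key> op command.
# DRY_RUN=1 (default) prints each request instead of sending it, so the
# sequence can be reviewed offline; DRY_RUN=0 talks to the firewalls.
set -eu

ACTIVE_FW="${ACTIVE_FW:-192.0.2.1}"     # assumed address of the active member
PASSIVE_FW="${PASSIVE_FW:-192.0.2.2}"   # assumed address of the passive member
API_USER="${API_USER:-admin}"
API_PASS="${API_PASS:-changeme}"
DRY_RUN="${DRY_RUN:-1}"
BACKUP_DIR="${BACKUP_DIR:-./pan-backups}"
LIFETIME_HOURS="${LIFETIME_HOURS:-8760}"  # assumed unit: hours (1 year)
REMINDER_HOURS="${REMINDER_HOURS:-8000}"
# Assumed xpath; the CLI equivalent is
#   set deviceconfig high-availability group configuration-synchronization enabled no
HA_SYNC_XPATH="/config/devices/entry[@name='localhost.localdomain']/deviceconfig/high-availability/group/configuration-synchronization"

# PAN-OS accepts only a 16-character master key; reject anything else before
# either member is touched.
validate_master_key() { [ "${#1}" -eq 16 ]; }

# Obtain an API key for a host (type=keygen). -k skips TLS verification;
# prefer --cacert with the firewall's certificate where you can.
api_key() {
  curl -sk -G "https://$1/api/" --data-urlencode type=keygen \
    --data-urlencode "user=$API_USER" --data-urlencode "password=$API_PASS" |
    sed -n 's:.*<key>\(.*\)</key>.*:\1:p'
}

# Send one XML API request: pan_api HOST name=value [name=value ...]
# In DRY_RUN the request is printed on one line instead of being sent.
pan_api() {
  host="$1"; shift
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN %s:' "$host"; printf ' %s' "$@"; printf '\n'; return 0
  fi
  n=$#; i=0
  while [ "$i" -lt "$n" ]; do           # rebuild args as --data-urlencode pairs
    p="$1"; shift; set -- "$@" --data-urlencode "$p"; i=$((i + 1))
  done
  curl -sk -G "https://$host/api/" --data-urlencode "key=$(api_key "$host")" "$@"
}

# Like pan_api, but fail unless the firewall reports status="success".
pan_call() {
  resp=$(pan_api "$@") || return 1
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$resp"; return 0; fi
  case "$resp" in *'status="success"'*) return 0 ;; esac
  printf 'API error from %s: %s\n' "$1" "$resp" >&2; return 1
}

# Export the running config of a member to a timestamped file and sanity-check it.
backup_config() {
  file="$BACKUP_DIR/$1-running-config-$(date +%Y%m%d%H%M%S).xml"
  if [ "$DRY_RUN" = "1" ]; then pan_api "$1" type=export category=configuration; return 0; fi
  mkdir -p "$BACKUP_DIR"
  pan_api "$1" type=export category=configuration > "$file"
  grep -q '<config' "$file" || { printf 'backup of %s failed, aborting\n' "$1" >&2; return 1; }
  printf 'backup of %s saved to %s\n' "$1" "$file"
}

set_config_sync() {   # set_config_sync HOST yes|no
  pan_call "$1" type=config action=set "xpath=$HA_SYNC_XPATH" "element=<enabled>$2</enabled>"
}

commit_config() { pan_call "$1" type=commit "cmd=<commit></commit>"; }

set_master_key() {    # set_master_key HOST KEY  (assumed op-command shape)
  pan_call "$1" type=op "cmd=<request><master-key><new-master-key>$2</new-master-key><lifetime>$LIFETIME_HOURS</lifetime><reminder>$REMINDER_HOURS</reminder></master-key></request>"
}

# The whole procedure, in the order that keeps the passive member readable:
# back up both, disable sync on both, set the same key on both, re-enable sync.
rotate_master_key() {
  key="$1"
  validate_master_key "$key" || { echo "master key must be exactly 16 characters" >&2; return 1; }
  for fw in "$ACTIVE_FW" "$PASSIVE_FW"; do backup_config "$fw"; done
  for fw in "$ACTIVE_FW" "$PASSIVE_FW"; do set_config_sync "$fw" no; commit_config "$fw"; done
  for fw in "$ACTIVE_FW" "$PASSIVE_FW"; do set_master_key "$fw" "$key"; commit_config "$fw"; done
  for fw in "$ACTIVE_FW" "$PASSIVE_FW"; do set_config_sync "$fw" yes; commit_config "$fw"; done
}

# Usage: NEW_MASTER_KEY=0123456789abcdef DRY_RUN=0 ./rotate-master-key.sh
[ -z "${NEW_MASTER_KEY:-}" ] || rotate_master_key "$NEW_MASTER_KEY"
```

With `DRY_RUN=1` the script only prints the requests in the order they would be sent, which is a cheap way to review the sequence before touching a live pair. The keygen step sends the admin password, so run it from a host you trust, and keep the backup files somewhere safe: they contain the secrets encrypted under the old key.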


8 Comments on "Changing the Master Key on a Palo Alto Firewall Active/Passive HA pair"


  1. The last step should be to “Click the tick from “Enable Config Sync” not Remove the tick from “Enable Config Sync”.

    Reply

  2. This is great. I just got burned by this tonight. Luckily I had a backup … but I’m wiping the passive firewall tomorrow, loading the base config, then changing the password to match the primary master key. That should work when it syncs the certificates from the primary, yes?

    Reply

    1. Hey CP

      You should be OK with regards to the certificates, I don’t recall having any dramas with that when it happened to me!

      Regards

      Kirin

      Reply

  3. Thanks also for posting the default mk. Where is this documented? It’s always been a mystery to me. I learned today.

    Reply

    1. No worries, I found it here in a slide deck presented at the Hack In The Box Security Conference on Attacking Next-Generation Firewalls, published by Felix Wilhelm.

      Reply

  4. Thanks for the information on this. Definitely helped me get through an issue I was having (set it up on one server, but the other wouldn’t take the new key).

    For anyone reading this, this information is applicable to _setting up_ a master key on an HA cluster as well.

    I also didn’t have an option to commit after putting in the master key.

    Reply
