Palo Alto Networks Firewall nShield HSM Integration Guide

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction
Procedures

Introduction

This Integration Guide describes the deployment of a Palo Alto Networks Firewall with an nShield Connect hardware security module (HSM). The HSM securely generates and stores digital keys. It provides both logical and physical protection from non-authorized use and potential adversaries. The HSM-Firewall integration provides security by protecting the master keys. The HSM can also provide protection for the private keys used in SSL/TLS decryption, both in SSL forward proxy and SSL inbound inspection.

This guide assumes that there is no existing nShield Security World. For instructions to create a Security World, see the User Guide for your HSM. In situations in which a Security World already exists, parts of this Integration Guide can still be used for the generation and subsequent storage of keys.

The benefits of using an nShield HSM with the Palo Alto Networks Firewall include:

Secure encryption and storage of the firewall master key and private keys.
FIPS 140-2 Level 3 validated hardware.

Product configurations

We have successfully tested nShield HSM integration with the Palo Alto Networks Firewall in the following configurations:

PAN-OS v10.1 with Entrust Security World v12.40.2
Entrust nShield Connect Plus and XC
nShield Connect Image 12.60.10
nShield Connect Plus Firmware 12.50.8
nShield Connect XC Firmware 12.50.11

FIPS	Security World version	Compatibility Pack v1.10	Tested*	Verified
140-2 Level 2	v2	Yes	1,2,3	1,2,3
140-2 Level 3	v2	Yes	1,2,3	2,3
140-2 Level 2	v3	No	1,2,3	No compatibility
140-2 Level 3	v3	No	1,2,3	No compatibility

*Tested integration use cases:

Firewall Master Key Protection
SSL/TLS encrypt/decrypt (Inbound Inspection)
SSL/TLS Outbound encrypt/decrypt (Forward Proxy)

Requirements

Before starting the integration process

Familiarize yourself with:

Installation Guide and User Guide for your HSM.
nShield Remote Administration User Guide .
Security World v12.40 Compatibility Package v1.1.0 Release Notes
PAN-OS® 10.1 Administrator’s Guide

Before using Entrust hardware and software

The following preparations need to be made before starting to use Entrust products:

Each HSM uses a remote file system (RFS). You can configure the RFS on any computer running nShield Security World software.
The RFS computer can also be used as a client to the HSM, to allow presentation of smart cards using nShield Remote Administration, an optional product. For information, see the nShield Remote Administration User Guide .
A correct quorum for the Administrator Card Set (ACS).
- For creating the Security World, determine who within the organization will act as custodians of the ACS.
- Obtain enough blank smart cards to create the Administrator Card Set (ACS).
Operator Card Set (OCS), Softcard, or Module-Only protection.
- If OCS protection is to be used, a 1-of-N quorum must be used.
Firewall configuration with usable ports:
- 9004 for the HSM nfast server (hardserver).
- 8200 for the Firewall.

Furthermore, the Security World parameters have to be defined. For details of the security implications of the choices, see the nShield Security Manual :

Whether your Security World must comply with FIPS 140-2 Level 3 standards.
- If using FIPS Restricted mode, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Firewall master key. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.
Whether to instantiate the Security World as recoverable or not.

Before using the Palo Alto Networks Firewall

The following preparations need to be made before starting to use the Palo Alto Networks Firewall:

Obtain a Palo Alto Networks customer support account. This account is required to have access to the latest software releases.
Procure a Palo Alto Networks Firewall appliance, or set up the Firewall in a bare-metal computer. A virtual machine (VM) can also be used. This guide was tested using a VMWare ESXi virtual machine.
Upgrade the Firewall installation software with the latest package to be tested.
The nShield RFS version must be compatible with the Palo Alto Networks Firewall, see Product configurations .

Considerations for keys

1024-bit and 2048-bit RSA keys are supported but it is recommended to use 2048-bit keys. Security Worlds that meet FIPS 140-2 Level 3 standards require 2048-bit keys.

Procedures

The high-level procedure to install and configure a Palo Alto Network Firewall with an nShield HSM is as follows:

Set up the HSM and the Security World.
Configure the Firewall to authenticate with the HSM(s).
Encrypt the master key on a Firewall and store it in the HSM.
Store the keys used for SSL forward proxy or SSL inbound inspection decryption.
Perform attestation that:
- The master key is encrypted on the HSM.
- The certificate use in SSL/TLS forward proxy is successfully imported into the Firewall.

Prepare the RFS and the HSM(s)

Each nShield HSM must have a remote file system (RFS) configured. The RFS includes master copies of all the files that the HSM needs, see the User Guide for your HSM.

If more than one HSM is used, they have to be in the same, v2, Security World.

Upgrade the RFS software

Check the software version of the RFS by running the ncversions command.
If the software is older than v12.60.11 , upgrade it. For instructions, see the User Guide for your HSM.

Install the Security World v12.40 Compatibility Package on the RFS

The v12.40 Compatibility Package must be installed on the RFS. For instructions, see the Security World v12.40 Compatibility Package v1.1.0 Release Notes .

Create a v2 Security World on the RFS

At the RFS command prompt, run new-world-1240 .

For information on the command, see the Security World v12.40 Compatibility Package v1.1.0 Release Notes .

Set up connectivity between the Firewall, the HSM, and the RFS

Define connection settings for each HSM

The HSM authenticates the Firewalls based on their IP addresses. Therefore, you must configure the Firewalls to use static IP addresses. Dynamic addresses, assigned through DHCP, cannot be used.

If you want to set up connectivity to more than one HSM for high-availability, do it at this point. If more than one HSM is being used, the HSMs must share the same v2 security world. For steps on loading an existing security world onto an HSM, see the nShield Connect User Guide . Adding more HSMs after the master key has been encrypted and stored in an HSM (see Encrypt the master key using the HSM ) is only possible by first removing the master key from the HSM. The master key is needed to perform the removal. Then encrypt and store the master key again in the HSM after adding new HSM to the list above.

Sign in to the Palo Alto Networks Firewall web interface, and select Device > Setup > HSM .
Edit the Hardware Security Module Provider settings and set the Provider Configured to nCipher nShield Connect .
Add each HSM as follows. A high-availability HSM configuration requires at least two HSMs.
1. Enter a Module Name for the HSM. This can be any ASCII string of up to 31 characters.
2. Enter an IPv4 address for the HSM.
3. Repeat steps a and b for all HSMs.
Enter an IPv4 address for the RFS.
Select OK .
Select the Commit icon, shown with a red arrow in the following picture.

Configure a service route to the HSM

Perform these optional steps if you do not want the Firewall to connect through the default management interface. If you are connecting through the default management interface, go to Register the Firewall as an HSM client .

Select Device > Setup > Services , then select Service Route Configuration .
Select Customize a service route .

The IPv4 tab is active by default.
For Service , select HSM .
Select a Source Interface for the HSM.
Select OK .
Select the Commit icon.

Register the Firewall as an HSM client

This can be done from the front panel of the HSM or from the RFS. These steps describe how to register the firewall as an HSM client from the RFS command line.

On the RFS, change to the HSM-specific directory to obtain the HSM configuration file and create a new configuration file:
```
cd /opt/nfast/kmdata/hsm-<HSM-ESN>/config/

touch config.new

cp config config.new
```
Edit config.new :
```
vi config.new
```

Add the following to the [hs_clients] section:

addr=<Firewall-IP>
clientperm=priv
keyhash=0000000000000000000000000000000000000000
esn=
timelimit=0
datalimit=0
-----

Push config.new to the HSM:

cfg-pushnethsm --address=<HSM-IP> config.new

Update the config file with the changes made:
```
> cp config.new config
```
Repeat these steps for each HSM in the high-availability configuration.

Configure the RFS to accept connections from the Firewall and the HSM

Log in to the RFS.
Assume root privileges by running the su command:
```
su
```
Configure or disable the RFS firewall:
```
service firewalld stop
```
Note
The RFS firewall is independent of the Palo Alto Networks Firewall.

Note
An RFS reboot re-enables the RFS firewall.
Verify that the RFS firewall stopped:
```
service firewalld status
```
Set up the RFS. This command must be run for each HSM being added to your high-availability configuration:
```
rfs-setup --force <HSM_IP_address> $(anonkneti <HSM_IP_address>)
```
Run the following command to permit HSM client submissions on the RFS:
```
rfs-setup --gang-client --write-noauth <Firewall-IP-address>
```

You can use the following commands to configure the RFS to accept connections from the client Firewall. rfs-setup is run on the RFS, and rfs-sync is run on the client:

RFS     rfs-setup --gang-client --write-noauth --force <client_IP_address>
Client  rfs-sync --setup --no-authenticate <RFS_IP_Address>
        rfs-sync --update
        rfs-sync --commit

For security reasons, the Firewall has a protected command-line interface that does not allow direct access to rfs-setup and rfs-sync in its built-in nfast server. Instead, equivalent commands are available in the protected Palo Alto Networks Firewall command-line interface, and can be useful for debugging.

nShield Command	Palo Alto Networks Command
`/opt/nfast/bin/rfs-sync --setup --no-authenticate <RFS_IP_Address>`	`request hsm rfs-setup`
`/opt/nfast/bin/rfs-sync --update` `/opt/nfast/bin/rfs-sync --commit`	`request hsm rfs-sync`
`/opt/nfast/bin/enquiry`	`show hsm info`

Authenticate the Firewall to the HSM

In the Palo Alto Networks Firewall web interface, select Device > Setup > HSM > Setup Hardware Security Module .
Select OK .

The Firewall authenticates to the HSM and displays a completion message:
Select OK .

Synchronize the Firewall with the RFS

In the Palo Alto Networks Firewall web interface, select Device > Setup >HSM > Synchronize with Remote Filesystem .

The Firewall synchronizes with the RFS and displays a completion message:
Select OK .

Verify Firewall connectivity and authentication with the HSM

In the Palo Alto Networks Firewall web interface, select Device > Setup > HSM .
Check the Hardware Security Module Status . It should be Authenticated .
- Name - The name of the HSM.
- IP address - The IP address of the HSM.
- Module State - The current state of the HSM connection: Authenticated or NotAuthenticated .

Check the connection status:

Green - The Firewall is successfully authenticated and connected to the HSM.

Red - The Firewall failed to authenticate to the HSM, or network connectivity to the HSM is down.

Note	A left-over `rfs-sync` lock from a failed attempt could cause red status. Launch a command-line interface on the RFS, remove the `/opt/nfast/kmdata/local/.nft-lock` file, then re-run the instructions in Synchronize the Firewall with the RFS .

Encrypt the master key using the HSM

A master key encrypts all private keys and passwords on the Palo Alto Networks Firewall. Every time the Firewall is required to decrypt a password or private key, it requests the HSM to decrypt the master key.

The HSM encrypts the master key using a wrapping key. To maintain security, you must occasionally change (refresh) this wrapping key.

Encrypt the master key

Use this procedure for first time encryption of a key, or if you define a new master key and you want to encrypt it.

In the Palo Alto Networks Firewall web interface, select Device > Master Key and Diagnostics .
Select the gear icon next to Master Key .
Select the Master Key check box.
In the Current Master Key field, enter the key that is currently used to encrypt all of the private keys and passwords on the Firewall (if applicable).
Select the Stored on HSM check box.
Enter the new master key and confirm.
Enter the following information:
- Life Time - The number of days and hours after which the master key expires (1-18250 days).
- Time for Reminder - The number of days and hours before expiration when the user is notified of the impending expiration (1–365 days).
Select OK , then select Commit .

The Master Key information is updated.

The new key is also visible in Device > Setup > HSM > Hardware Security Module Details .

Refresh the master key encryption

Refresh the master key encryption by rotating the wrapping key that encrypts it. The wrapping key resides on the HSM.

Use the following command to rotate the wrapping key for the master key on an HSM:

request hsm mkey-wrapping-key-rotation

For example:

admin@PA-VM> request hsm mkey-wrapping-key-rotation
Mkey wrapping key rotation succeeded.
New key handle 1119.
admin@PA-VM>

The mkey-wrapping-key-rotation command does not delete the old wrapping key.

If the master key is encrypted on the HSM, the command generates a new wrapping key on the HSM and encrypts the master key with the new wrapping key.
If the master key is not encrypted on the HSM, the command generates a new wrapping key on the HSM for future use.

Store the key used in SSL/TLS decryption

The HSM can be used to securely store the private keys used in SSL/TLS decryption for:

SSL forward proxy - Store the private key of the Forward Trust certificate that signs certificates in SSL/TLS forward proxy operations. The Firewall will then send the certificates that it generates during such operations to the HSM for signing before forwarding these to the clients.
SSL inbound inspection - Store the private keys for the internal servers for which it is performing SSL/TLS inbound inspection.

Generate a self-signed certificate and key

This section describes a method to generate a self-signed certificate and key for purposes of this guide using the HSM. This is the preferred method to generate such key and certificate. For information about importing existing keys and certificates, see the User Guide for your HSM.

The HSM generatekey command generates a key file with the same syntax as an RSA private key file, but contains the key identifier rather than the key itself, which remains protected in the HSM.

Log in to the RFS.
Assume root privileges by running the su command:
```
su
```

Run the generatekey command:

cd /opt/nfast/kmdata/local
generatekey pkcs11 selfcert=yes

For example, with softcard protection:

[root@red_hat_8_rfs local]# generatekey pkcs11 selfcert=yes
module: Module to use? (1, 2) [1] >
protect: Protected by? (token, softcard, module) [token] > softcard
recovery: Key recovery? (yes/no) [yes] >
type: Key type? (DES3, DH, DHEx, DSA, HMACSHA1, HMACSHA256, HMACSHA384,
HMACSHA512, RSA, DES2, AES, Rijndael, Ed25519, X25519) [RSA]
>
size: Key size? (bits, minimum 1024) [2048] >
OPTIONAL: pubexp: Public exponent for RSA key (hex)? []
>
plainname: Key name? [] > paloaltossl
x509country: Country code? [] > US
x509province: State or province? [] > FL
x509locality: City or locality? [] > Sunrise
x509org: Organization? [] > SWTesting
x509orgunit: Organization unit? [] > InterOp
x509dnscommon: Domain name? [] > paloaltofirewall
x509email: Email address? [] > [email protected]
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] > no
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
[default sha256] >
key generation parameters:
operation      Operation to perform            generate
application    Application                     pkcs11
module         Module to use                   1
protect        Protected by                    softcard
softcard       Soft card to protect key        <softcard-name>
recovery       Key recovery                    yes
verify         Verify security of key          yes
type           Key type                        RSA
size           Key size                        2048
pubexp         Public exponent for RSA key (hex)
plainname      Key name                        HSMKey
x509country    Country code                    US
x509province   State or province               FL
x509locality   City or locality                Sunrise
x509org        Organization                    SWTesting
x509orgunit    Organization unit               InterOp
x509dnscommon  Domain name                     paloaltofirewall
x509email      Email address                   [email protected]
nvram          Blob in NVRAM (needs ACS)       no
digest         Digest to sign cert req with    sha256
Please enter the pass phrase for softcard '<softcard-name>':

Please wait........
Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua5efdb72cb623c41d6ec9baeacc1eac95be8ada2b
Path to self-cert: /opt/nfast/kmdata/local/pkcs11_ua5efdb72cb623c41d6ec9baeacc1eac95be8ada2b_selfcert
[root@red_hat_8_rfs local]#

If you selected token for OCS protection, you must provide the OCS 1/N quorum for fips-auth . If you provide the ACS quorum, the generatekey command will fail.
If you selected module for module protection, you need to provide either the ACS or OCS 1/N quorum to provide fips-auth for this HSM operation.

Two files are created. The key file has the same syntax as an RSA private key file, but actually contains the key identifier rather than the key itself, which remains protected. The file type and naming are:

File Type Naming

Key file (key identifier rather than the key itself)

key_pkcs11_…

Self-signed certificate

pkcs11_…_selfcert

File Type	Naming
Key file (key identifier rather than the key itself)	`key_pkcs11_…`
Self-signed certificate	`pkcs11_…_selfcert`

You can view the content of the certificate created above by viewing the self-signed certificate ( .crt ):

openssl x509 -text -noout
-in /opt/nfast/kmdata/local/pkcs11_ua5efdb72cb623c41d6ec9baeacc1eac95be8ada2b_selfcert

Synchronize the key data from the RFS to the Firewall

In the Palo Alto Networks Firewall web interface, and select Device > Setup > HSM .
In the Hardware Security Operations settings, select Synchronize with Remote Filesystem .

The Firewall confirms when the synchronization is complete.

Import into the Firewall the certificate that corresponds to the HSM-stored key

Sign in to the Palo Alto Networks Firewall web interface from the RFS.
Launch the browser from the RFS to be able to upload files from the RFS files system to the Palo Alto Networks Firewall.
Select Device > Certificate Management > Certificates > Device Certificates
Select Import .
For Certificate Type , select the Local option.
Enter the Certificate Name .
Browse to the Certificate File on the RFS. This is the file ending in _selfcert from the certificate generated in the previous step.
```
/opt/nfast/kmdata/local/pkcs11_ua5efdb72cb623c41d6ec9baeacc1eac95be8ada2b_selfcert
```
From the File Format list, select Base64 Encoded Certificate (PEM) .
Select the Private key resides on Hardware Security Module check box.
Select OK .
Select the Commit icon and close the dialog box.

A new certificate has been imported:

Enable the certificate for use in SSL/TLS forward proxy

In the Firewall web interface, open the certificate that you have imported: select Device > Certificate Management > Certificates > Device Certificates .
Select the certificate to open it.
Select the Forward Trust Certificate check box.
Select OK .
Commit your changes.

The USAGE column now shows Forward Trust Certificate .

Verify the certificate import into the Firewall

Locate the certificate that you have just imported.
Check the icon in the KEY column:
- Lock icon — The private key for the certificate is on the HSM.
- Error icon — The private key is not on the HSM or the HSM is not properly authenticated or connected.
Check the USAGE column. It should be Forward Trust Certificate .

Adding more HSMs

Adding more HSMs after the master key has been encrypted and stored in an HSM (see Encrypt the master key using the HSM ) is only possible by first removing the master key from the HSM. The master key is needed to perform the removal. Then encrypt and store the master key again in the HSM after adding a new HSM. Any new HSMs that are added must share the same v2 security world being used.

Two HSMs are shown in the Hardware Security Module Status pane:

Table of Contents
Introduction
Procedures

RESOURCES

Integration Guide
Palo Alto Networks Firewall nShield HSM Integration Guide
Web Page
nShield® Integration with Palo Alto Next Generation Firewall

Table of Contents