Device > Master Key and Diagnostics
Select Device > Master Key and Diagnostics or Panorama > Master Key and Diagnostics to configure the master key that encrypts all passwords and private keys on the firewall or Panorama (such as the RSA key for authenticating administrator access to the CLI).
As a best practice, configure a new master key instead of using the default, change the key periodically, and store the key in a safe location: encrypted secrets in a saved configuration can be decrypted only by a device that holds the same master key. You can also use a hardware security module to encrypt the master key (see Device > Setup > HSM). The only way to restore the default master key is to perform a factory reset.
If you deploy firewalls or Panorama in a high availability (HA) configuration, use the same master key on both HA peers. Otherwise, HA synchronization will not work properly.
If you use Panorama, configure the same master key on Panorama and on all managed firewalls. Otherwise, Panorama cannot push configurations to the firewalls.
To configure a master key, edit the Master Key settings using the following table to determine the appropriate values.
Master Key and Diagnostics Settings

Current Master Key: Specify the current master key if one exists.

New Master Key / Confirm Master Key: To change the master key, enter a 16-character string as the new key and enter it again to confirm it.

Life Time: Specify the number of Days and Hours after which the master key expires (range 1–730 days). You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode, and you must then perform a factory reset.

Time for Reminder: Enter the number of Days and Hours before the master key expires at which the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to display the alarm. When the Time for Reminder period starts, the firewall also generates a System log with critical severity every hour until you configure a new master key. To ensure the expiration alarm displays, select Device > Log Settings, edit the Alarm Settings, and Enable Alarms.

Stored on HSM: Select this option if the master key is encrypted on a Hardware Security Module (HSM). You cannot use an HSM on a dynamic interface such as a DHCP client or PPPoE interface. The HSM configuration is not synchronized between peer firewalls in an HA configuration, so each peer in an HA pair can connect to a different HSM source. If you use Panorama and want to keep the HSM configuration on both peers in sync, use Panorama templates to configure the HSM source on the managed firewalls. HSM is not supported on the PA-200, PA-500 and PA-2000 Series firewalls.

Common Criteria: In Common Criteria mode, additional options are available to run a cryptographic algorithm self-test and a software integrity self-test. A scheduler is also included to specify the times at which the two self-tests run.
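The length and timing rules in the table, and the requirement that Panorama and both HA peers share one key, are worth checking before a key change is committed, because an expired or mismatched key costs a factory reset or a broken push. The script below is an added example, not code from the PAN-OS documentation or from Palo Alto Networks. The 16-character length and the 1–730-day lifetime come from the table above; the printable-ASCII restriction, the minimum character variety, the ISO 8601 timestamp input, and the SHA-256 fingerprint comparison across a fleet are this example's own assumptions.

```python
"""Pre-commit checks for a PAN-OS master-key change.

Added example; not code from the PAN-OS documentation or from Palo Alto
Networks. The length and range rules come from the settings table
(16-character key, lifetime 1-730 days, reminder before expiry). The
fleet fingerprint check is this example's own workflow for the
"same key on Panorama and on every HA peer" requirement.
"""
import hashlib
from datetime import datetime, timedelta

KEY_LENGTH = 16            # documented: the master key is a 16-character string
MAX_LIFETIME_DAYS = 730    # documented: lifetime range is 1-730 days


def master_key_problems(key: str) -> list:
    """Return the reasons a candidate key is unusable; an empty list means acceptable."""
    problems = []
    if len(key) != KEY_LENGTH:
        problems.append(f"length is {len(key)}, must be exactly {KEY_LENGTH}")
    # Printable ASCII without spaces is this example's assumption, not a documented rule.
    if any(not (32 < ord(c) < 127) for c in key):
        problems.append("contains non-printable, non-ASCII or space characters")
    # Minimum variety is also an assumption; it catches keys like "aaaaaaaaaaaaaaaa".
    if len(set(key)) < 8:
        problems.append("too little character variety; use a randomly generated key")
    return problems


def plan_rotation(set_at_iso: str, lifetime_days: int, lifetime_hours: int,
                  reminder_days: int, reminder_hours: int) -> dict:
    """Compute expiry and reminder timestamps for a key set at `set_at_iso`.

    An expired key reboots the device into Maintenance mode and forces a
    factory reset, so the plan is rejected when the lifetime is out of range
    or the reminder window would not fall inside the lifetime.
    """
    lifetime = timedelta(days=lifetime_days, hours=lifetime_hours)
    reminder = timedelta(days=reminder_days, hours=reminder_hours)
    problems = []
    if not timedelta(days=1) <= lifetime <= timedelta(days=MAX_LIFETIME_DAYS):
        problems.append("lifetime must be between 1 and 730 days")
    if not timedelta(0) < reminder < lifetime:
        problems.append("reminder must be longer than 0 and shorter than the lifetime")
    if problems:
        return {"ok": False, "problems": problems}
    expires_at = datetime.fromisoformat(set_at_iso) + lifetime
    return {
        "ok": True,
        "problems": [],
        "expires_at": expires_at.isoformat(),
        # Hourly critical System logs begin here; schedule the rotation before this point.
        "reminder_starts_at": (expires_at - reminder).isoformat(),
    }


def key_fingerprint(key: str) -> str:
    """Short SHA-256 digest so keys can be compared across devices without exposing them."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def fleet_mismatches(fingerprints: dict, reference: str = "panorama") -> list:
    """Names of devices whose fingerprint differs from the reference device's.

    Panorama must share the key with every managed firewall, and each HA peer
    with its partner, so any name returned here will break pushes or HA sync.
    """
    expected = fingerprints[reference]
    return sorted(name for name, fp in fingerprints.items() if fp != expected)


if __name__ == "__main__":
    # Constructed sample data for the demonstration; not real device output.
    new_key = "Xq7!mZ2#pL9@vT4$"
    print("key problems:", master_key_problems(new_key))
    print(plan_rotation("2025-01-01T00:00:00+00:00", 365, 0, 30, 0))
    fleet = {
        "panorama": key_fingerprint(new_key),
        "fw-dc1-a": key_fingerprint(new_key),
        "fw-dc1-b": key_fingerprint(new_key),
        "fw-branch-7": key_fingerprint("OldKeyNeverRot8d"),  # still on the previous key
    }
    print("out of sync:", fleet_mismatches(fleet))
```

Run the planner with the same Days and Hours values you intend to enter under Life Time and Time for Reminder, and put the returned reminder_starts_at on the rotation calendar rather than expires_at; the fingerprint list is compared after the key has been applied on Panorama and each firewall, so a stale branch device shows up before the next push fails.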