Can Panorama manage the master key on the firewall?

Question

Panorama, firewalls, Log Collectors, and WF-500 appliances use a master key to encrypt sensitive elements in a configuration. As part of standard security practice, you must renew the key on each individual firewall, Log Collector, WildFire appliance, and Panorama when your master key expires.

Environment

Answer

Starting with PAN-OS 9.0, a new master key can be deployed to multiple firewalls centrally from Panorama. Before PAN-OS 9.0, the master key had to be updated individually on each device.

A new “Deploy Master Key” button has been added:

On the GUI, navigate to Panorama > Managed Devices > Summary

The Deploy Master Key dialog box displays a list of all connected devices.