Introduction

This Integration Guide describes the deployment of a Palo Alto Networks Firewall with an nShield HSM. The HSM securely generates and stores digital keys. It provides both logical and physical protection from non-authorized use and potential adversaries. The HSM-Firewall integration provides security by protecting the master keys. The HSM can also provide protection for the private keys used in SSL/TLS decryption, both in SSL forward proxy and SSL inbound inspection.

This guide assumes that there is no existing nShield Security World. For instructions to create a Security World, see the User Guide for your HSM. In situations in which a Security World already exists, parts of this integration guide can still be used for the generation and subsequent storage of keys.

The benefits of using an nShield HSM with the Palo Alto Networks Firewall include:

  • Secure encryption and storage of the firewall master key and private keys.

  • FIPS 140 Level 3 validated hardware.

Product configurations

Entrust has successfully tested nShield HSM integration with the Palo Alto Networks Firewall in the following configurations:

  • PAN-OS v12.1.2 with Entrust Security World v13.6.3, the version integrated with PAN-OS.

The usage of a strict FIPS 140 Level 3 enabled Security World is supported with local cards only. RA cards are not supported in this version of PAN-OS. When using local cards with a strict FIPS 140 Level 3 world, the customer must create an OCS with no passphrase using a local card and present the local card in the front slot of the HSM. This OCS card will be used to provide FIPS authorization.

Non-FIPS world files are fully supported and do not require cards, as module protection is currently the only type of protection supported.

nShield Model | PAN-OS Security World Client | Connect Image | Firmware                                     | Security World Version | Non-Strict FIPS 140 Level 3 | Strict FIPS 140 Level 3
nShield 5c    | 13.6.3                       | 13.6.11       | 13.4.5 (FIPS 140-3 certified)                | v3                     | Supported                   | Supported
Connect XC    | 13.6.3                       | 13.6.11       | 12.72.1 and 12.72.3 (FIPS 140-2 certified)   | v3                     | Supported                   | Supported

  • Supported use cases (module protection only):

    1. Firewall Master Key Protection

    2. SSL/TLS encrypt/decrypt (Inbound Inspection)

    3. SSL/TLS Outbound encrypt/decrypt (Forward Proxy)

Requirements

Before starting the integration process

Familiarize yourself with:

Before using Entrust hardware and software

The following preparations must be made before starting to use Entrust products:

  • Each HSM uses a remote file system (RFS). You can configure the RFS on any computer running nShield Security World software. An HSM estate uses an RFS to store key objects and HSM configuration files for resilience; the RFS can be deployed on either a Windows or Linux host.

  • A correct quorum for the Administrator Card Set (ACS).

    • For creating the Security World, determine who within the organization will act as custodians of the ACS.

    • Obtain enough blank smart cards to create the Administrator Card Set (ACS).

  • Operator Card Set (OCS), Softcard, or Module-Only protection.

    • Module-Only protection is supported.

    • If OCS protection is utilized, it requires local cards with no passphrase and a 1-of-N quorum.

  • Firewall configuration with usable ports:

    • 9004 for the HSM nfast server (hardserver).

    • 8200 for the Firewall.

Furthermore, the Security World parameters must be defined. For details of the security implications of these choices, see the nShield Security Manual:

  • Whether your Security World must comply with FIPS 140 standards.

    • Currently FIPS 140-3 and 140-2 are supported with local cards, not remote cards.

    • If you are using FIPS 140-3 or 140-2, you must create a local OCS without a passphrase for FIPS authorization. This card must be presented in the front slot of the HSM. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

  • Whether to instantiate the Security World as recoverable or not.

Before using the Palo Alto Networks Firewall

The following preparations must be made before starting to use the Palo Alto Networks Firewall:

  • Obtain a Palo Alto Networks customer support account. This account requires access to the latest software releases.

  • Procure a Palo Alto Networks Firewall appliance, or set up the Firewall on a bare-metal computer. A virtual machine (VM) can also be used. This guide was tested using a VMware ESXi virtual machine.

  • Upgrade the Firewall installation software with the latest package to be tested.

  • The nShield RFS version must be compatible with the Palo Alto Networks Firewall; see Product configurations.

Considerations for keys

Security Worlds that meet FIPS 140-3 standards require 2048-bit RSA keys.
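The constraints collected in the Requirements and Product configurations sections (module-only protection, local no-passphrase OCS card for strict FIPS 140 Level 3, usable ports, RSA key size) expressed as a pre-flight check of a planned deployment. This is an added example, not Entrust or Palo Alto Networks code; the WorldPlan field names are assumptions, and "at least 2048 bits" is an interpretation of the key-size requirement.

```python
"""Pre-flight check of a planned nShield / PAN-OS deployment against the
constraints stated in this guide (added example; field names are assumed)."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WorldPlan:
    strict_fips_level3: bool          # strict FIPS 140 Level 3 Security World?
    fips_standard: Optional[str]      # "140-2", "140-3" or None for a non-FIPS world
    protection: str                   # "module", "ocs" or "softcard"
    fips_auth_card: Optional[str] = None   # "local" or "remote" card used for FIPS authorization
    ocs_passphrase: bool = False      # does the FIPS authorization OCS carry a passphrase?
    ocs_quorum_k: int = 1             # K of the K-of-N OCS quorum
    front_slot_card_present: bool = False  # is the OCS card in the HSM front slot?
    rsa_key_bits: int = 2048
    hardserver_port_open: bool = True  # TCP 9004 reachable from the firewall
    firewall_port_open: bool = True    # TCP 8200 usable on the firewall


def validate_plan(p: WorldPlan) -> List[str]:
    """Return the constraints from the guide that the plan violates (empty list = OK)."""
    problems: List[str] = []
    if p.protection != "module":
        # Module protection is currently the only protection type supported.
        problems.append("only module protection is supported for firewall keys")
    if p.strict_fips_level3:
        # A strict FIPS 140 Level 3 world needs a local OCS card for FIPS authorization.
        if p.fips_auth_card != "local":
            problems.append("strict FIPS 140 Level 3 requires local cards (remote cards unsupported)")
        if p.ocs_passphrase:
            problems.append("the FIPS authorization OCS must have no passphrase")
        if p.ocs_quorum_k != 1:
            problems.append("the FIPS authorization OCS must use a 1-of-N quorum")
        if not p.front_slot_card_present:
            problems.append("the FIPS authorization card must be in the HSM front slot")
    if p.fips_standard == "140-3" and p.rsa_key_bits < 2048:
        # Interpreting "require 2048-bit RSA keys" as a minimum (assumption).
        problems.append("FIPS 140-3 worlds require 2048-bit RSA keys")
    if not p.hardserver_port_open:
        problems.append("TCP 9004 (hardserver) must be reachable from the firewall")
    if not p.firewall_port_open:
        problems.append("TCP 8200 must be usable on the firewall")
    return problems
```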