Introduction

This Integration Guide describes the deployment of a Palo Alto Networks Firewall with an nShield Connect hardware security module (HSM). The HSM securely generates and stores digital keys. It provides both logical and physical protection from unauthorized use and potential adversaries. The HSM-Firewall integration provides security by protecting the master keys. The HSM can also provide protection for the private keys used in SSL/TLS decryption, both in SSL forward proxy and SSL inbound inspection.

This guide assumes that there is no existing nShield Security World. For instructions to create a Security World, see the User Guide for your HSM. In situations in which a Security World already exists, parts of this integration guide can still be used for the generation and subsequent storage of keys.

The benefits of using an nShield HSM with the Palo Alto Networks Firewall include:

  • Secure encryption and storage of the firewall master key and private keys.

  • FIPS 140 Level 3 validated hardware.

Product configurations

Entrust has successfully tested nShield HSM integration with the Palo Alto Networks Firewall in the following configurations:

  • PAN-OS v10.1, v10.2, v11.0 with Entrust Security World v12.40.2

Palo Alto does not support firewall master key protection when using Entrust nShield HSM firmware 12.72.1 and 13.2.2. In addition, firewall master key protection is not supported with the use of a FIPS 140 Level 3 enabled Security World. FIPS 140 Level 2 is required for this feature.

nShield Model | Security World Client | Connect Image | Firmware                        | Security World Version | Tested / Validated*
nShield 5c    | 12.40.2               | 13.3.2        | 13.2.2                          | v3                     | Not Supported
Connect XC    | 12.40.2               | 12.80.4       | 12.72.1 (FIPS 140-2 certified)  | v2**                   | 1,2,3 / 2,3
Connect XC    | 12.40.2               | 12.60.10      | 12.50.11 (FIPS 140-2 certified) | v2**                   | 1,2,3 / 1,2,3

*Tested/Validated use cases:

  1. Firewall Master Key Protection

  2. SSL/TLS encrypt/decrypt (Inbound Inspection)

  3. SSL/TLS Outbound encrypt/decrypt (Forward Proxy)

**Compatibility Pack 1.1.0 required to build v2 world.

Requirements

Before starting the integration process

Familiarize yourself with:

Before using Entrust hardware and software

The following preparations must be made before starting to use Entrust products:

  • Each HSM uses a remote file system (RFS). You can configure the RFS on any computer running nShield Security World software.

  • The RFS computer can also be used as a client to the HSM, to allow presentation of smart cards using nShield Remote Administration, an optional product. For information, see the nShield Remote Administration User Guide.

  • A correct quorum for the Administrator Card Set (ACS).

    • For creating the Security World, determine who within the organization will act as custodians of the ACS.

    • Obtain enough blank smart cards to create the Administrator Card Set (ACS).

  • Operator Card Set (OCS), Softcard, or Module-Only protection.

    • If OCS protection is to be used, a 1-of-N quorum must be used.

  • Firewall configuration with usable ports:

    • 9004 for the HSM nfast server (hardserver).

    • 8200 for the Firewall.

Furthermore, the Security World parameters must be defined. For details of the security implications of the choices, see the nShield Security Manual:

  • Whether your Security World must comply with FIPS 140 Level 3 standards.

    • If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Firewall master key. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.

  • Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

  • Whether to instantiate the Security World as recoverable or not.

Before using the Palo Alto Networks Firewall

The following preparations must be made before starting to use the Palo Alto Networks Firewall:

  • Obtain a Palo Alto Networks customer support account. This account requires access to the latest software releases.

  • Procure a Palo Alto Networks Firewall appliance, or set up the Firewall on a bare-metal computer. A virtual machine (VM) can also be used. This guide was tested using a VMware ESXi virtual machine.

  • Upgrade the Firewall installation software with the latest package to be tested.

  • The nShield RFS version must be compatible with the Palo Alto Networks Firewall; see Product configurations.

Considerations for keys

1024-bit and 2048-bit RSA keys are supported, but it is recommended to use 2048-bit keys. Security Worlds that meet FIPS 140 Level 3 standards require 2048-bit keys.