Access the Maintenance Recovery Tool (MRT)
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Access the Maintenance Recovery Tool (MRT)
The Maintenance Recovery Tool (MRT) enables
you to perform several tasks on Palo Alto Networks firewalls and
appliances. For example, you can revert the firewall or appliance
to factory default settings, revert PAN-OS or a content update to
a previous version, run diagnostics on the file system, gather system
information, and extract logs. Additionally, you can use the MRT
to Change
the Operational Mode to FIPS-CC Mode or from FIPS-CC mode
to normal mode.
The following procedures describe how to access
the Maintenance Recovery Tool (MRT) on various Palo Alto Networks
products.
- Access the MRT on hardware firewalls and appliances (such as PA-220 firewalls, PA-7000 Series firewalls, or M-Series appliances).
- Establish a serial console session to the firewall or appliance.
- Connect a serial cable from the serial port on your computer to the console port on the firewall or appliance.If your computer does not have a 9-pin serial port but does have a USB port, use a serial-to-USB converter to establish the connection. If the firewall has a micro USB console port, connect to the port using a standard Type-A USB to micro USB cable.
- Open terminal emulation software on your computer and set to 9600-8-N-1 and then connect to the appropriate COM port.On a Windows system, you can go to the Control Panel to view the COM port settings for Device and Printers to determine which COM port is assigned to the console.
- Log in using an administrator account. (The default username/password is admin/admin.)
Enter the following CLI command and press y to confirm:debug system maintenance-mode
After the firewall or appliance boots to the MRT welcome screen (in approximately 2 to 3 minutes), press Enter on Continue to access the MRT main menu.You can also access the MRT by rebooting the firewall or appliance and entering maint at the maintenance mode prompt. A direct serial console connection is required.After the firewall or appliance boots into the MRT, you can access the MRT remotely by establishing an SSH connection to the management (MGT) interface IP address. At the login prompt, enter maint as the username and the firewall or appliance serial number as the password.Access the MRT on VM-Series firewalls deployed in a private cloud (such as on a VMware ESXi or KVM hypervisor).- Establish an SSH session to the management IP address of the firewall and log in using an administrator account.Enter the following CLI command and press y to confirm:
debug system maintenance-mode
It will take approximately 2 to 3 minutes for the firewall to boot to the MRT. During this time, your SSH session will disconnect.After the firewall boots to the MRT welcome screen, log in based on the operational mode:- Normal mode—Establish an SSH session to the management IP address of the firewall and log in using maint as the username and the firewall or appliance serial number as the password.
- FIPS-CC mode—Access the virtual machine management utility (such as the vSphere client) and connect to the virtual machine console.
From the MRT welcome screen, press Enter on Continue to access the MRT main menu.Access the MRT on VM-Series firewalls deployed in the public cloud (such as AWS or Azure).- Establish an SSH session to the management IP address of the firewall and log in using an administrator account.Enter the following CLI command and press y to confirm:
debug system maintenance-mode
It will take approximately 2 to 3 minutes for the firewall to boot to the MRT. During this time, your SSH session will disconnect.After the firewall boots to the MRT welcome screen, log in based on the virtual machine type:- AWS—Log in as ec2-user and select the SSH public key associated with the virtual machine when you deployed it.
- Azure—Enter the credentials you created when you deployed the VM-Series firewall.
- GCP—Log in as gcp-user and select the SSH public key associated with the virtual machine when you deployed it.
From the MRT welcome screen, press Enter on Continue to access the MRT main menu.