Access the Maintenance Recovery Tool (MRT)

• Access the MRT on hardware firewalls and appliances (such as PA-220 firewalls, PA-7000 Series firewalls, or M-Series appliances).
  1. Establish a serial console session to the firewall or appliance.
     1. Connect a serial cable from the serial port on your computer to the console port on the firewall or appliance.
        If your computer does not have a 9-pin serial port but does have a USB port, use a serial-to-USB converter to establish the connection. If the firewall has a micro USB console port, connect to the port using a standard Type-A USB to micro USB cable.
     2. Open terminal emulation software on your computer and set to 9600-8-N-1 and then connect to the appropriate COM port.
        On a Windows system, you can go to the Control Panel to view the COM port settings for Device and Printers to determine which COM port is assigned to the console.
     3. Log in using an administrator account. (The default username/password is admin/admin.)
  2. Enter the following CLI command and press y to confirm:

     debug system maintenance-mode

  3. After the firewall or appliance boots to the MRT welcome screen (in approximately 2 to 3 minutes), press Enter on Continue to access the MRT main menu.
     You can also access the MRT by rebooting the firewall or appliance and entering maint at the maintenance mode prompt. A direct serial console connection is required.

     After the firewall or appliance boots into the MRT, you can access the MRT remotely by establishing an SSH connection to the management (MGT) interface IP address. At the login prompt, enter maint as the username and the firewall or appliance serial number as the password.
• Access the MRT on VM-Series firewalls deployed in a private cloud (such as on a VMware ESXi or KVM hypervisor).
  1. Establish an SSH session to the management IP address of the firewall and log in using an administrator account.
  2. Enter the following CLI command and press y to confirm:

     debug system maintenance-mode

     It will take approximately 2 to 3 minutes for the firewall to boot to the MRT. During this time, your SSH session will disconnect.
  3. After the firewall boots to the MRT welcome screen, log in based on the operational mode:
     • Normal mode—Establish an SSH session to the management IP address of the firewall and log in using maint as the username and the firewall or appliance serial number as the password.
     • FIPS-CC mode—Access the virtual machine management utility (such as the vSphere client) and connect to the virtual machine console.
  4. From the MRT welcome screen, press Enter on Continue to access the MRT main menu.
• Access the MRT on VM-Series firewalls deployed in the public cloud (such as AWS or Azure).
  1. Establish an SSH session to the management IP address of the firewall and log in using an administrator account.
  2. Enter the following CLI command and press y to confirm:

     debug system maintenance-mode

     It will take approximately 2 to 3 minutes for the firewall to boot to the MRT. During this time, your SSH session will disconnect.
  3. After the firewall boots to the MRT welcome screen, log in based on the virtual machine type:
     • AWS—Log in as ec2-user and select the SSH public key associated with the virtual machine when you deployed it.
     • Azure—Enter the credentials you created when you deployed the VM-Series firewall.
     • GCP—Log in as gcp-user and select the SSH public key associated with the virtual machine when you deployed it.
  4. From the MRT welcome screen, press Enter on Continue to access the MRT main menu.