Access the Maintenance Recovery Tool (MRT)

The Maintenance Recovery Tool (MRT) enables you to perform several tasks on Palo Alto Networks firewalls and appliances. For example, you can revert the firewall or appliance to factory default settings, revert PAN-OS or a content update to a previous version, run diagnostics on the file system, gather system information, and extract logs. Additionally, you can use the MRT to change the operational mode to FIPS-CC mode or from FIPS-CC mode to normal mode.
The following procedures describe how to access the Maintenance Recovery Tool (MRT) on various Palo Alto Networks products.
  • Access the MRT on hardware firewalls and appliances (such as PA-220 firewalls, PA-7000 Series firewalls, or M-Series appliances).
    1. Establish a serial console session to the firewall or appliance.
      1. Connect a serial cable from the serial port on your computer to the console port on the firewall or appliance.
        If your computer does not have a 9-pin serial port but does have a USB port, use a serial-to-USB converter to establish the connection. If the firewall has a micro USB console port, connect to the port using a standard Type-A USB to micro USB cable.
      2. Open terminal emulation software on your computer, set it to 9600-8-N-1, and then connect to the appropriate COM port.
        On a Windows system, you can go to the Control Panel to view the COM port settings for Devices and Printers to determine which COM port is assigned to the console.
      3. Log in using an administrator account. (The default username/password is admin/admin.)
    2. Enter the following CLI command and press y to confirm:
      debug system maintenance-mode
    3. After the firewall or appliance boots to the MRT welcome screen (in approximately 2 to 3 minutes), press Enter on Continue to access the MRT main menu.
      You can also access the MRT by rebooting the firewall or appliance and entering maint at the maintenance mode prompt. A direct serial console connection is required.
      After the firewall or appliance boots into the MRT, you can access the MRT remotely by establishing an SSH connection to the management (MGT) interface IP address. At the login prompt, enter maint as the username and the firewall or appliance serial number as the password.
  • Access the MRT on VM-Series firewalls deployed in a private cloud (such as on a VMware ESXi or KVM hypervisor).
    1. Establish an SSH session to the management IP address of the firewall and log in using an administrator account.
    2. Enter the following CLI command and press y to confirm:
      debug system maintenance-mode
      It will take approximately 2 to 3 minutes for the firewall to boot to the MRT. During this time, your SSH session will disconnect.
    3. After the firewall boots to the MRT welcome screen, log in based on the operational mode:
      • Normal mode: Establish an SSH session to the management IP address of the firewall and log in using maint as the username and the firewall or appliance serial number as the password.
      • FIPS-CC mode: Access the virtual machine management utility (such as the vSphere client) and connect to the virtual machine console.
    4. From the MRT welcome screen, press Enter on Continue to access the MRT main menu.
  • Access the MRT on VM-Series firewalls deployed in the public cloud (such as AWS or Azure).
    1. Establish an SSH session to the management IP address of the firewall and log in using an administrator account.
    2. Enter the following CLI command and press y to confirm:
      debug system maintenance-mode
      It will take approximately 2 to 3 minutes for the firewall to boot to the MRT. During this time, your SSH session will disconnect.
    3. After the firewall boots to the MRT welcome screen, log in based on the virtual machine type:
      • AWS: Log in as ec2-user and select the SSH public key associated with the virtual machine when you deployed it.
      • Azure: Enter the credentials you created when you deployed the VM-Series firewall.
      • GCP: Log in as gcp-user and select the SSH public key associated with the virtual machine when you deployed it.
    4. From the MRT welcome screen, press Enter on Continue to access the MRT main menu.
