Palo Alto Networks Knowledgebase: PAN-OS 8.1.1 Software Integrity Check – What Happens When a Device Fails this Check?
Created On 08/05/19 19:22 PM - Last Updated 08/05/19 19:48 PM
Starting with PAN-OS 8.1.1, hardware-based and VM-Series firewalls, WildFire appliances, PAN-DB private cloud, and Panorama appliances perform software integrity checks to detect tampering and software corruption. The software integrity check runs transparently in the background at startup and periodically while the device is running to validate that the operating system and data file structure are intact and as delivered by Palo Alto Networks.
Note 1: If you’re using Panorama with GlobalProtect Cloud Service or the Logging Service, you must install the Cloud Services plugin version 1.0.3 before upgrading Panorama to PAN-OS 8.1.1. Otherwise, your Panorama upgrade to 8.1.1 will fail.
If the check passes, the appliance generates a System log (Monitor > System Log) of informational severity and boots successfully. If the check detects software corruption or possible device tampering, then starting with 8.1.3 the appliance boots into maintenance mode and you must contact Palo Alto Networks Customer Support for assistance. We’ll help you to learn more about what caused the check to fail.
Note 2: If you simultaneously boot multiple instances of the VM-Series firewall on a single host, or the VM-Series firewall has CPU oversubscription, the firewall may boot into maintenance mode if a processing delay causes a response timeout during the integrity check. If your VM-Series firewall goes into maintenance mode, you can check the errors and warnings logged to fips.log.