Palo Alto Networks Knowledgebase: How to Securely Erase a Hard Disk with Factory Reset—DoD and NNSA Compliant
Created On 02/08/19 00:02 AM - Last Updated 02/08/19 00:02 AM
Palo Alto Networks devices offer two variations of securely wiping the internal hard drive, both of which can be found within maintenance mode.
Let's cover the options that are available for us to use.
The dod scrub sequence is compliant with the DoD 5220.22-M procedure for sanitizing removable and non-removable rigid disks, which requires overwriting all addressable locations with a character, its complement, then a random character, and then verifying. Please refer to the DoD document for additional constraints.
The nnsa (default) scrub sequence is compliant with a Dec. 2005 draft of NNSA Policy Letter NAP-14.x for sanitizing removable and non-removable hard disks, which requires overwriting all locations with a pseudorandom pattern twice and then with a known pattern. Please refer to the NNSA document for additional constraints.
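The two pass sequences described above, sketched in Python against an in-memory stand-in for a disk. This is an added illustration, not Palo Alto Networks code: the function names, the 0x55 starting character, the 0x00 known pattern and the read-back check after the nnsa sequence are all assumptions.

```python
import io
import os

BLOCK = 4096  # bytes written per I/O call

def const(byte):
    """Return a block generator that repeats one byte value."""
    return lambda n: bytes([byte]) * n

def write_pass(dev, size, make_block):
    """Overwrite every addressable location of dev with make_block output."""
    dev.seek(0)
    for off in range(0, size, BLOCK):
        dev.write(make_block(min(BLOCK, size - off)))
    dev.flush()  # a real block device would also need os.fsync()

def verify_pass(dev, size, byte):
    """Read the whole device back and confirm it holds only `byte`."""
    dev.seek(0)
    for off in range(0, size, BLOCK):
        n = min(BLOCK, size - off)
        if dev.read(n) != bytes([byte]) * n:
            return False
    return True

def scrub(dev, size, sequence="nnsa", char=0x55, known=0x00):
    """Run one scrub sequence; True means the final pass read back intact."""
    if sequence == "dod":
        # character, its complement, then a random character, and verify
        final = os.urandom(1)[0]
        passes = [const(char), const(char ^ 0xFF), const(final)]
    elif sequence == "nnsa":
        # pseudorandom pattern twice, then a known pattern (assumed 0x00)
        final = known
        passes = [os.urandom, os.urandom, const(known)]
    else:
        raise ValueError("sequence must be 'dod' or 'nnsa'")
    for make_block in passes:
        write_pass(dev, size, make_block)
    return verify_pass(dev, size, final)

def sample_disk():
    """Constructed 10,000-byte 'disk' holding made-up sensitive data."""
    data = (b"admin-config: constructed-secret\n" * 400)[:10000]
    return io.BytesIO(data)

if __name__ == "__main__":
    for seq in ("dod", "nnsa"):
        disk = sample_disk()
        ok = scrub(disk, 10000, seq)
        print(seq, "verified:", ok, "residue:", b"secret" in disk.getvalue())
```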
Assuming you have successfully entered maintenance mode on your Palo Alto appliance, proceed by selecting 'Continue', then the 'Factory Reset' option from the main menu, and then choosing 'Advanced', as seen below.
At this point, you will be prompted for the 'Advanced' password, which is listed below:
FIPS Maintenance Mode password is:
After submitting the 'Advanced' password, you should see a 'Factory Reset' screen, but with more options than before, as seen below:
In the above example, I have selected to 'Factory Reset' the appliance with PAN-OS version 7.0.1 with the option to scrub with dod scrub type. Please select the options that apply to you.
As mentioned in the WARNING above, the scrub process can take up to forty-eight hours. Please take this into account when selecting these options.