PA-400 Series Firewall is not booting

• PA-400 Series firewalls
• Supported PAN-OS

1. The TPM chip has locked the system

• All the new New Generation Firewalls have a TPM chip in the hardware to securely encrypt the sensitive information.
• Every time the firewall is hard rebooted (power cycle) in less than 2 hours, the TPM chip increments a counter by 1.
• If the firewall is restarted 32 times with less than 2 hours of running time in between, the TPM chip will lock the entire firewall.
• This is an expected behavior. Refer TPM Lockout Official Live Community Page

2. The PAN-OS image is corrupted

• The PAN-OS image may be corrupted preventing the system to boot. 
• PAN-OS version prior to 10.1.10, 10.2.5, 11.0.2. Refer PAN-OS Image Corruption Official Live Community Page

Resolution when the TPM chip is locked:

1. The RMA is not required.
2. In this scenario, the firewall should display some output from the serial console.
3. The PAN-OS boot fails and shows a reboot to maintenance mode

4. To recover the device, leave it up and running for at least 2 hours, no matter what is the status on the serial console.
5. After 2 hours, enter in the Maintenance Mode and perform a normal reboot.

6. If this Maintenance mode menu is not available after 2 hours, please wait longer up to 6 hours, and do not perform any reboots.
7. Note: Avoid unnecessary Hard Reboots and avoid removing the Power Cord and always prefer a graceful restart/shutdown.

Resolution when the PAN-OS image is corrupted:

1. There is no console output and the PAN-OS version is below 10.1.10, 10.2.5, 11.0.2. 
2. Contact the Palo Alto Networks Support Team and proceed with the RMA.
3. Later, please ensure your device is running PAN-OS version 10.1.10, 10.2.5, 11.0.2 or later.