How to Perform Remediation of Compromised NGFW and Panorama Devices

202438
Created On 04/23/24 21:42 PM - Last Modified 08/11/25 19:11 PM


Objective


This article details how to initiate an enhanced factory reset (EFR) on hardware PAN-OS devices (NGFW and Panorama M-Series appliances) with help from Palo Alto Networks Customer Support. This procedure is required to remediate a compromised or potentially compromised PAN-OS device, because it initiates a complete clean-up of the device, and it is recommended for customers who are concerned about potential persistent compromise.

For VM-Series firewalls and the Panorama Virtual Appliance, skip to the Virtual Appliances steps provided below.



Environment


  • Palo Alto Networks Next Gen Firewall
  • Panorama


Procedure


Hardware Device (e.g., PA-Series, M-Series)

To remediate this compromise, you must work with our customer support team to perform an Enhanced Factory Reset (EFR).

  1. Save Your Configuration: Before beginning, it is critical to export the current configuration. This is required to restore your policies after the EFR is complete.

  2. Contact Customer Support: Please engage with our support team via the Customer Support Portal (CSP) to initiate the EFR process.

  3. Follow Support Guidance: The Customer Support team will provide specific instructions and guide you through the EFR and restoration process. Please note that EFR may not be available for all hardware models, and our team will provide alternative guidance if necessary.

Virtual Appliances

To remediate a VM-Series instance or Panorama Virtual Appliance, you must deploy a new replacement instance. VMs do not require direct help from customer support.

  1. Save Your Configuration: Before shutting down, export the current configuration. This is essential for restoring policies on the new instance.

  2. Isolate and Preserve the VM: Shut down the compromised VM instance immediately. This halts malicious activity and preserves the virtual disk for forensic analysis by your Incident Response (IR) team. 

  3. Deploy a New VM Instance: Deploy a new, replacement instance. You can transfer the VM-Series license to the new instance by following the steps outlined in this KnowledgeBase article.

  4. Restore and Validate: Import the saved configuration onto the new firewall and validate its operational status.

  5. Decommission Old VM: Once the new firewall is confirmed to be fully operational and your IR team has completed its analysis, permanently terminate the compromised VM instance.


Additional Steps for Restoration

After completing the above steps, follow the steps below to restore normal operational use.

    1. Review the backed-up configuration for any unauthorized changes before restoring it, or restore the configuration from a version control repository.

    2. Change the master key and configure AES-256-GCM to encrypt system secrets.

    3. Reset all passwords, pre-shared keys, private keys, secrets. (See the list of passwords and keys)

    4. Revoke and reissue all certificates that have private keys on PAN-OS; these certificates are listed in the web interface under Device > Certificates (revoke each certificate and generate a replacement certificate).
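Step 1 above asks you to review the backed-up configuration for unauthorized changes before restoring it. The script below is an added example, not Palo Alto Networks tooling: it compares a backed-up PAN-OS XML export against a known-good copy from version control and reports administrators, security rules and shared certificates that were added or removed. The XML paths are assumed from the standard PAN-OS configuration layout, and the two sample configurations are constructed for the demonstration.

```python
# Added example (not Palo Alto Networks' own tooling): compare a backed-up
# PAN-OS XML configuration against a known-good copy from version control and
# report entries that were added or removed, so unauthorized changes stand out
# before the backup is restored. The sample XML below is constructed.
import xml.etree.ElementTree as ET

# Sections of a PAN-OS configuration export worth reviewing after a compromise.
# Paths are assumed from the standard PAN-OS XML layout; adjust for your vsys names.
WATCHED_PATHS = {
    "administrators": "./mgt-config/users/entry",
    "security_rules": "./devices/entry/vsys/entry/rulebase/security/rules/entry",
    "shared_certificates": "./shared/certificate/entry",
}


def entry_names(config_xml, path):
    """Return the set of entry @name values found at `path` in a PAN-OS config."""
    root = ET.fromstring(config_xml)
    return {e.get("name") for e in root.findall(path) if e.get("name")}


def diff_config(known_good_xml, backup_xml):
    """Return {section: {"added": set, "removed": set}} for every watched path."""
    report = {}
    for section, path in WATCHED_PATHS.items():
        good = entry_names(known_good_xml, path)
        backup = entry_names(backup_xml, path)
        report[section] = {"added": backup - good, "removed": good - backup}
    return report


# Constructed sample: the known-good config and a backup taken after the incident.
KNOWN_GOOD = """<config version="11.0.0">
  <mgt-config><users><entry name="admin"/></users></mgt-config>
  <shared><certificate><entry name="gp-portal-cert"/></certificate></shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules><entry name="allow-web-out"/></rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

BACKUP = KNOWN_GOOD.replace(
    '<entry name="admin"/>', '<entry name="admin"/><entry name="svc_backup"/>'
).replace(
    '<entry name="allow-web-out"/>',
    '<entry name="allow-web-out"/><entry name="mgmt-any-in"/>',
)

if __name__ == "__main__":
    for section, delta in diff_config(KNOWN_GOOD, BACKUP).items():
        if delta["added"] or delta["removed"]:
            print(f"{section}: added={sorted(delta['added'])} removed={sorted(delta['removed'])}")
```

Any entry reported as added should be verified against your change records before the configuration is imported onto the clean device.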



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrO6CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
