How to perform an Enhanced Factory Reset (EFR) on NGFW and Panorama
Created On 04/23/24 21:42 PM - Last Modified 06/27/25 01:12 AM
Objective
This article details how to initiate an Enhanced Factory Reset (EFR) on hardware PAN-OS devices (NGFW and Panorama) with assistance from Palo Alto Networks Support. This procedure does not rely on the integrity of a potentially compromised device to initiate a reset, and is recommended for customers who are concerned about potential persistent compromise due to unauthorized root access to a device.
Customers using a virtual machine (VM) for VM-Series NGFW and VM Panorama should follow these remediation steps. An EFR for VMs is not available.
Environment
- Palo Alto Networks Next Gen Firewall
- Panorama
Procedure
- An enhanced factory reset (“EFR”) procedure can be scheduled by opening a case through Customer Support (TAC).
- After an EFR is performed, the following restoration steps are strongly recommended:
  - Change the master key and configure AES-256-GCM to encrypt system secrets.
  - Reset passwords, pre-shared keys, private keys, and secrets. (See the list of passwords and keys.)
  - Revoke and reissue all certificates with private keys on PAN-OS; these certificates and keys are listed under Device > Certificates (Revoke a certificate and generate a certificate).