https://live.paloaltonetworks.com/t5/general-articles/tpm-lockout/ta-p/562294 <DIV class="lia-message-template-content-zone"> <DIV>New Generation Firewalls are equipped with TPM chips to help secure the devices</DIV> <P>These systems are designed to "Lockout" after 32 abrupt power down events(Power Failure, Pulling power cord to turn the device down).<BR />For every ungraceful shutdown(Power Failure, Pulling power cord to turn the device down).the TPM counter is incremented by 1 , after 32 such events the device goes into Lockout mode.<BR />Once the system is in lockout mode , the system will not boot properly. For systems with encrypted drives, the system will stay at BIOS level. For systems with non-encrypted drives, it will boot into maintenance mode<BR />For the system to recover, keep the system powered on for at least two hours. For systems with encrypted drives, the system will auto-reboot and should come back up properly. For systems with non-encrypted drives, perform a reboot from the maintenance mode<BR />For every two hours the device is powered on, the TPM lockout counter will be decremented by one</P> <DIV>To make sure that the device does not go into lockout mode make sure that the device has proper power and when ever we need to turn the device off make sure we are doing so gracefully by navigating to the option and turning the device off using the power down option<BR /><BR />Follow the steps outlined in this&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaZCAS" target="_self">Document</A>&nbsp;to perform a graceful shutdown from the operational cli/GUI when ever you want to power the device down&nbsp;<BR /><BR /></DIV> </DIV> Tue, 31 Oct 2023 18:01:04 GMT agawade 2023-10-31T18:01:04Z https://live.paloaltonetworks.com/t5/general-articles/tpm-lockout/ta-p/562294 <DIV class="lia-message-template-content-zone"> <DIV>New Generation Firewalls are equipped with TPM chips to help secure the devices</DIV> <P>These systems are designed to "Lockout" after 32 abrupt power down events(Power Failure, Pulling power cord to turn the device down).<BR />For every ungraceful shutdown(Power Failure, Pulling power cord to turn the device down).the TPM counter is incremented by 1 , after 32 such events the device goes into Lockout mode.<BR />Once the system is in lockout mode , the system will not boot properly. For systems with encrypted drives, the system will stay at BIOS level. For systems with non-encrypted drives, it will boot into maintenance mode<BR />For the system to recover, keep the system powered on for at least two hours. For systems with encrypted drives, the system will auto-reboot and should come back up properly. For systems with non-encrypted drives, perform a reboot from the maintenance mode<BR />For every two hours the device is powered on, the TPM lockout counter will be decremented by one</P> <DIV>To make sure that the device does not go into lockout mode make sure that the device has proper power and when ever we need to turn the device off make sure we are doing so gracefully by navigating to the option and turning the device off using the power down option<BR /><BR />Follow the steps outlined in this&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaZCAS" target="_self">Document</A>&nbsp;to perform a graceful shutdown from the operational cli/GUI when ever you want to power the device down&nbsp;<BR /><BR /></DIV> </DIV> Tue, 31 Oct 2023 18:01:04 GMT https://live.paloaltonetworks.com/t5/general-articles/tpm-lockout/ta-p/562294 agawade 2023-10-31T18:01:04Z https://live.paloaltonetworks.com/t5/general-articles/tpm-lockout/tac-p/1225834#M783 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/23302">@agawade</a></P><P>Thanks a lot for your data.</P><P>Is there a command via CLI&nbsp; to check the TPM_PT value to avoid hitting 32?</P><P>Regards</P> Mon, 07 Apr 2025 10:41:55 GMT https://live.paloaltonetworks.com/t5/general-articles/tpm-lockout/tac-p/1225834#M783 Alpalo 2025-04-07T10:41:55Z https://live.paloaltonetworks.com/t5/general-articles/tpm-lockout/tac-p/1235143#M822 <P>Note: Starting with PAN-OS 11.1.0, the following command has been added so that the TPM_PT_LOCKOUT_COUNTER can be viewed without performing a system reboot to check the boot sequence output.</P><PRE>admin@PA-440&gt; debug system tpm tpm-lockout-counter-value<BR />TPM_PT_LOCKOUT_COUNTER: 0x00000001</PRE> Thu, 31 Jul 2025 17:16:02 GMT https://live.paloaltonetworks.com/t5/general-articles/tpm-lockout/tac-p/1235143#M822 Suscripciones 2025-07-31T17:16:02Z