https://live.paloaltonetworks.com/t5/general-topics/disable-usb-port-on-firewall/m-p/559008#M113382 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/187777">@DennyChanditya</a> ,</P> <P>&nbsp;</P> <P>That is a great question!&nbsp; You probably want to disable it for compliance reasons in which case my thoughts are no help.</P> <P>&nbsp;</P> <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a> and <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>, Is it true that the USB port is used only for bootstrapping, and the NGFW only reads the USB "only when it is in factory default state or has all private data deleted"?</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/bootstrap-the-firewall/usb-flash-drive-support" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/bootstrap-the-firewall/usb-flash-drive-support</A></P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/bootstrap-the-firewall/prepare-a-usb-flash-drive-for-bootstrapping-a-firewall" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/bootstrap-the-firewall/prepare-a-usb-flash-drive-for-bootstrapping-a-firewall</A></P> <P>&nbsp;</P> <P>If so, then the USB port cannot be accessed after the NGFW has booted?&nbsp; I like that from a security perspective.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 21 Sep 2023 13:08:52 GMT TomYoung 2023-09-21T13:08:52Z https://live.paloaltonetworks.com/t5/general-topics/disable-usb-port-on-firewall/m-p/558924#M113366 <P>Hi,&nbsp;</P> <P>&nbsp;</P> <P>Can we disable physical USB port on the Firewall?</P> <P>I didn't find how to disable this usb interface on the firewall. or is there any documentation&nbsp; how to disable this?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Denny</P> Thu, 21 Sep 2023 06:19:56 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-usb-port-on-firewall/m-p/558924#M113366 DennyChanditya 2023-09-21T06:19:56Z https://live.paloaltonetworks.com/t5/general-topics/disable-usb-port-on-firewall/m-p/558996#M113376 <P>I'm not entirely sure, but enabling FIPS-CC mode would be your most likely candidate. it does disable the console port for anything but output&nbsp;</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certifications/enable-fips-and-common-criteria-support/change-the-operational-mode-to-fips-cc-mode" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certifications/enable-fips-and-common-criteria-support/change-the-operational-mode-to-fips-cc-mode</A></P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certifications/fips-cc-security-functions" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certifications/fips-cc-security-functions</A></P> Thu, 21 Sep 2023 11:49:12 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-usb-port-on-firewall/m-p/558996#M113376 reaper 2023-09-21T11:49:12Z https://live.paloaltonetworks.com/t5/general-topics/disable-usb-port-on-firewall/m-p/558998#M113378 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/187777">@DennyChanditya</a> ,</P> <P>&nbsp;</P> <P><SPAN>The option to disable USB is currently not available. There is an existing feature request with ID:11893. <BR />Please reach out to your local SE to add your vote to this FR.</SPAN></P> <P>&nbsp;</P> <P><SPAN><A href="https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/409590" target="_blank">https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/409590</A></SPAN></P> <P><SPAN><A href="https://live.paloaltonetworks.com/t5/blogs/how-to-add-a-new-feature/ba-p/272149" target="_blank">https://live.paloaltonetworks.com/t5/blogs/how-to-add-a-new-feature/ba-p/272149</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>Kind regards,</SPAN></P> <P><SPAN>-Kim.</SPAN></P> Thu, 21 Sep 2023 11:53:31 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-usb-port-on-firewall/m-p/558998#M113378 kiwi 2023-09-21T11:53:31Z https://live.paloaltonetworks.com/t5/general-topics/disable-usb-port-on-firewall/m-p/559008#M113382 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/187777">@DennyChanditya</a> ,</P> <P>&nbsp;</P> <P>That is a great question!&nbsp; You probably want to disable it for compliance reasons in which case my thoughts are no help.</P> <P>&nbsp;</P> <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a> and <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>, Is it true that the USB port is used only for bootstrapping, and the NGFW only reads the USB "only when it is in factory default state or has all private data deleted"?</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/bootstrap-the-firewall/usb-flash-drive-support" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/bootstrap-the-firewall/usb-flash-drive-support</A></P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/bootstrap-the-firewall/prepare-a-usb-flash-drive-for-bootstrapping-a-firewall" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/bootstrap-the-firewall/prepare-a-usb-flash-drive-for-bootstrapping-a-firewall</A></P> <P>&nbsp;</P> <P>If so, then the USB port cannot be accessed after the NGFW has booted?&nbsp; I like that from a security perspective.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 21 Sep 2023 13:08:52 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-usb-port-on-firewall/m-p/559008#M113382 TomYoung 2023-09-21T13:08:52Z https://live.paloaltonetworks.com/t5/general-topics/disable-usb-port-on-firewall/m-p/559057#M113390 <P>Hello,</P> <P>If this is for compliance, I would suggest using compensating physical controls, like locked cabinet doors, restricted access to room, etc. On a side note, its a great way to charge your phone if at the data center for a long time :).</P> <P>Regards,</P> Thu, 21 Sep 2023 20:01:57 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-usb-port-on-firewall/m-p/559057#M113390 OtakarKlier 2023-09-21T20:01:57Z