
PA-5220 downgraded to 8.1.24 after factory reset the admin account does not log in on the console port


L1 Bithead

PA-5220 came with PANOS 9.1 but the customer runs 8.1 on older Panorama gear. After downgrading PANOS they were set up and ran successfully. The PA-5220 was reset to factory default for being deployed in a new location. After reboot, waited 24 hours and still cannot log in with the default admin account.

Booted into maintenance mode and found the image is still 8.1.24 but there is no valid configuration file found. Not sure if that is why the admin account does not work.

 

Have tried multiple resets on the PA-5220 but still the same results. This is repeatable as I found another PA-5220 with the same configuration that was reset and also the admin account does not work. Wondering if it is a bug as a result of the downgrade. I need a way to log into these boxes; any help would be greatly appreciated.

 

Thanks 


Accepted Solutions

So through digging and searching on the KB I found an article that supplied the advanced option password for maint mode. Once in there I was able to revert PANOS to 9.0.4, which is the version that came on the box. Once I rebooted into PANOS 9.0.4 the default username/password worked.

 

Thank you both for your suggestions and time with this issue.


10 REPLIES

L4 Transporter

Hello VerizonNSE,

 

There is a customer advisory about PA-5200 Series firewalls which could explain your issue.

 

Olivier

PCSNE - CISSP

Best Effort contributor


Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

Cyber Elite

Hi @VerizonNSE ,

 

What does the login prompt say?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

The prompt says PA-5220 Login:  

Type default admin / admin

Then says Login incorrect 

changes to login:

 

 

Cyber Elite

Thank you, sir.

 

Just verifying you were not at one of the earlier prompts.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloQCAS

 

You said that you waited 24 hours.  So, I should have known.

 

Hi @ozheng ,

 

Can you share the URL for the customer advisory?  What is the solution?  Open a support case?  Does he need to RMA the device?

 

Thanks,

 

Tom

 


Hello TomYoung,

 

https://live.paloaltonetworks.com/t5/customer-advisories/important-information-regarding-pa-5200-ser...

- Access restricted -

 

If it is due to the issue documented in the customer advisory, RMA will not help.

As per the customer advisory, open a case if you have any questions.

 

Olivier


Cyber Elite

Hi @ozheng ,

 

That is really good information!  Thank you!

 

I have seen some of your other posts on this community, and they are good.  Including the URL and adding more detail in your 1st post would have been very helpful.

 

@VerizonNSE - So, it looks like your options are to upgrade back to 9.1 (>= 9.1.15-h1) from Maintenance Mode or open a TAC case.  Now that I think of it, even this link says that the PA-5200 Series does not support PAN-OS 8.1 -> https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-netw....

 

Thanks,

 

Tom


I do not believe that is the issue here. These boxes were deployed before 10/2022 and the serial numbers of these boxes are not in the affected range.

The PA-5220 runs fine with PANOS 8.1 as these were deployed with that version and ran fine for a year or more.  I suspect the matrix shows it is not supported because it is dated July 2023 and 8.1 went EOL in May and with the advisory any new box should not run that version.

 

Thank you for your suggestions 

Cyber Elite

Hi @VerizonNSE ,

 

Good point!  So, it was fine with 8.1.

 

Well, you can't log in, and PAN-OS 8.1 is EoL now. TAC may not help. I would use maintenance mode to load the previous 9.1 PAN-OS version and see if you can log in then, unless you want to RMA the devices or something else.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm9zCAC

 

Thanks,

 

Tom


Yeah tried that already but the only image on the box is the 8.1 image.  Not sure what happened to these boxes but they are not in good shape right now.  

