Whether you are preparing a Palo Alto Networks firewall for resale, recovering from a lost admin password, or clearing a corrupted configuration in a lab environment, performing a factory reset is a critical task. A factory reset wipes the device clean, returning it to its out-of-the-box state. In this guide, we cover the main methods to reset your PA series firewall, including the Web GUI method, CLI method, and Maintenance Mode for emergencies.
Table of Contents
- Part 1: Critical Warnings Before You Start
- Part 2: Web GUI Reset for Palo Alto Factory Default
- Part 3: CLI Reset for PA Series Factory Default
- Part 4: Maintenance Mode Factory Reset / Console Recovery
- Part 5: Alternative Method – Private Data Reset
- Part 6: FAQ – Reset Palo Alto Firewalls and Default Login

Part 1: Critical Warnings Before You Start
Stop and Read:
Performing a factory reset is irreversible.
- Data Loss: All Security Policies, NAT rules, VPN configurations, Certificates, and Logs will be deleted.
- HA Clusters: If your firewall is part of a High Availability (HA) pair, suspend the device and remove it from the cluster configuration to prevent synchronization errors.
- Licenses: Local license keys will be wiped. Ensure you have access to the Palo Alto support portal to retrieve them later.
- Recommendation: Always perform a Snapshot and export the named-configuration via the Device tab before proceeding, in case you need to rollback.
Part 2: Web GUI Reset for Palo Alto Factory Default
Use this method if you have admin access to the web interface and want to safely repurpose the device.
- Log in to the Palo Alto Web Interface.
- Navigate to Device > Setup > Operations.
- Locate Configuration Management.
- Click Load Configuration Version, select factory-default.xml, and click OK.
- Click Commit at the top right to apply the changes.
- (Optional) Use the Reset to Factory Default option under Operations to scrub logs and sensitive data.
The device will reload with the default IP 192.168.1.1 on the MGT interface. For PA-440, the default login after factory reset is admin/admin.

Part 3: CLI Reset for PA Series Factory Default
For network engineers who prefer SSH or Console access:
- SSH into the firewall or connect via Console cable.
- Enter Configure mode:
admin@PA-220> configure - Remove device configuration:
admin@PA-220# delete deviceconfig system(Alternatively, you can load config from factory-default.xml)
- Commit changes:
admin@PA-220# commit - Restart system (also restarts management plane):
admin@PA-220# request restart system
Part 4: Maintenance Mode Factory Reset / Console Recovery
Use this if the admin password is lost, the firewall is in a boot loop, or PAN-OS is corrupted. Requires a serial console cable.
- Connect console cable and open terminal (PuTTY/TeraTerm) at 9600, 8, N, 1.
- Reboot the firewall. During boot, when prompted:
Type maint and press Enter.Autoboot in 2 seconds... Type 'maint' for maintenance mode. - In the Maintenance Recovery Tool, select Factory Reset.
- Confirm by selecting Factory Reset again. On some older models, choose Advanced -> Disk Image.
- Reboot. Credentials reset to admin/admin.
Part 5: Alternative Method – Private Data Reset
If you only need to clear logs and configuration without fully zeroing out disks:
request system private-data-reset
This restores default configuration and clears logs, followed by a system restart. System disks remain intact.
Part 6: FAQ – Reset Palo Alto Firewalls and Default Login
Q1: Will a factory reset remove my PAN-OS updates?
If using Maintenance Mode, it typically reverts to the version the device shipped with or the base image stored on the recovery partition. You may need to upgrade PAN-OS again after the reset.
Q2: How do I access the device after the reset?
Connect your laptop to the MGT port, set IP to 192.168.1.2, and browse to https://192.168.1.1. Default login: admin/admin. For PA-440, credentials are the same.
Q3: Does resetting affect HA clusters?
Yes. After a reset, reconfigure HA settings (Group ID, Peer IP, Priority) before rejoining the cluster.
Q4: Will the reset delete licenses?
Local license keys are deleted. Restore via Device > Licenses > Retrieve license keys from license server.
Q5: What is the difference between CLI, Web GUI, and Maintenance Mode resets?
Web GUI: Safest for standard admin access and repurposing.
CLI: Quick for engineers with SSH/Console access.
Maintenance Mode: Hard reset for lost passwords or boot loop recovery.
Mastering the factory reset process ensures your Palo Alto firewall is restored to a secure, clean state, whether for redeployment, resale, or emergency recovery.

Expertise Builds Trust
20+ Years • 200+ Countries • 21500+ Customers/Projects
CCIE · JNCIE · NSE7 · ACDX · HPE Master ASE · Dell Server/AI Expert



































































































































