
Recover a Palo Alto Firewall Config with the MRT

Written by Pablo Mirsoian | Dec 3

I’ve always been fascinated by the quiet resilience of infrastructure — the invisible backbone that keeps businesses humming. But nothing highlights that resilience quite like an unexpected outage in the field.

The Situation: When a Firewall Stops Handing Out IPs 

It began with reports from a customer: users couldn’t get on the internet, and new devices weren’t receiving IP addresses. The firewall — which also served as the DHCP server — had gone silent. Connectivity dropped across multiple segments, and all signs pointed to a configuration failure or corruption within the device itself. 

From a network operations standpoint, this was more than a connectivity issue — it was a system paralysis. The Palo Alto firewall wasn’t just blocking traffic; it had seemingly lost access to its own running configuration, the file that defines how it routes, secures, and manages the network. 

With critical services offline and DHCP leases timing out, I turned to one of Palo Alto Networks’ lesser-known lifelines: the Maintenance Recovery Tool (MRT). 

Enter the Maintenance Recovery Tool 

Palo Alto firewalls ship with a Maintenance Recovery Tool, accessible from the boot menu. It’s a lightweight recovery environment that allows administrators to repair or extract data from a malfunctioning device. 

Accessing it required a console connection. Once connected, I rebooted the firewall and interrupted the startup sequence to select Maintenance Mode. After authenticating, the tool presented a menu of recovery options — including the one I needed most: export configuration files. 

The Recovery Process: Extracting the Running Configuration 

  1. Console Access: I connected via the serial console cable and entered maintenance mode. 
  2. Log Files Menu: From the menu, I selected “Log Files” → “Copy logs to an external location.” 
  3. Export Setup: I entered the SCP server details — server IP, destination path, username, and password. (TFTP is also supported, but SCP is preferred for security.) 
  4. Transfer Initiation: After confirming, the firewall created and transferred a Tech Support File named maint_logs.tar.gz to the external server. 
  5. Extract the Config: Inside that archive was the live configuration file located at mgmt/saved-configs/running-config.xml. This XML contained the firewall’s entire operational setup — policies, objects, and network parameters. 
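Step 5 can be done without unpacking the whole Tech Support File. The following Python is an added example, not code from the original post or from Palo Alto Networks: it reads only the configuration member out of maint_logs.tar.gz, checks that it is well-formed XML, and writes it owner-only. The function name `extract_running_config` is hypothetical, and tolerating a leading directory prefix on the member path is an assumption.

```python
import hashlib
import os
import tarfile
import xml.etree.ElementTree as ET

# Member path as given in the post; a leading directory prefix is tolerated (assumption).
CONFIG_MEMBER = "mgmt/saved-configs/running-config.xml"


def extract_running_config(archive_path, out_path):
    """Pull only running-config.xml out of the MRT archive.

    Returns (sha256_hex, root_tag). Raises ValueError if the member is
    missing, is not a regular file, or is not well-formed XML.
    """
    with tarfile.open(archive_path, "r:gz") as tar:
        matches = [m for m in tar.getmembers()
                   if m.name == CONFIG_MEMBER or m.name.endswith("/" + CONFIG_MEMBER)]
        if not matches:
            raise ValueError(f"{CONFIG_MEMBER} not found in {archive_path}")
        member = matches[0]
        # Refuse symlinks, hardlinks and devices: read file content only.
        if not member.isfile():
            raise ValueError(f"{member.name} is not a regular file")
        data = tar.extractfile(member).read()

    # A truncated transfer or a corrupted config fails here, before anyone
    # tries to load it back onto a firewall.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"config is not well-formed XML: {exc}") from exc

    # The config holds sensitive system data: create it owner-only (0600),
    # and refuse to overwrite an earlier recovered copy (O_EXCL).
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return hashlib.sha256(data).hexdigest(), root.tag


if __name__ == "__main__":
    import sys
    digest, tag = extract_running_config(sys.argv[1], sys.argv[2])
    print(f"root element <{tag}>, sha256 {digest}")
```

Recording the SHA-256 alongside the recovered file lets you confirm later that the copy you restore from is the one that came off the firewall.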

 

Figure 1 — Maintenance Recovery Tool main menu  

 

Figure 2 — Selecting the option to copy logs to an external location 

 

Figure 3 — SCP export process underway in maintenance mode 

Lessons from the Recovery 

What impressed me most was how thoughtfully Palo Alto Networks built its recovery environment. Even when the web interface and CLI were inaccessible, the firewall still offered a secure, structured way to recover its configuration — proof of design resilience in action. 

Key takeaways: 

  • Always back up your configurations regularly, even if you rely on Panorama or automation. 
  • Test your recovery process before you need it — the maintenance tool interface can be intimidating if you’ve never seen it. 
  • Secure your SCP server; the Tech Support File contains sensitive system data. 

 

As always, if you have any questions on getting Palo Alto Networks Recovery set up for you and your business and would like to schedule a free consultation with us, please reach out to us at sales@lookingpoint.com and we’ll be happy to help!