Deploying Palo Alto FIrewall in Azure – Maintenance Mode

I deployed a Palo Alto VM firewall into Azure recently. Every time I deployed it from the Azure template from the Marketplace or using bootstrap (which still uses the Azure template to get started) the firewall would take about 20-30 minutes and then wind up in maintenance mode without a usable IP address, and no management GUI.

Errors on the serial console were “Entry Reason: System Startup error.” and the Maintenance Entry Reason was “System start failed multiple times. Caused by service: mgmtsrvr”. I deployed the latest version of Palo Alto firewall (version 9.1.3 as of this writing).

Eventually I was able to solve the problem by trying a different password. Even though the template has the following requirements for passwords:

Our original auto generated password that broke the firewall was “wQCoPb7E7T9c5844FbbA@r5iVFQu8V2Sā€ (no quotes). I don’t know if the @ (asterisk) symbol broke the firewall or there was a length issue, but after we changed the password the firewall deployed quickly and easily into Azure. So if you are immediately kicked into maintenance mode with your Palo Alto firewall, try a different password.

One thought on “Deploying Palo Alto FIrewall in Azure – Maintenance Mode”

  1. Wow, you’re a lifesaver. No I absolutely did not spend the better part of the last two evenings on this…, on the weekend no less.

    I used the arm templates as I’m going to deploy HA, and immediately put all the interfaces in my preconfigured VNETs and subnets. So I started fiddling with that. I even tried the Marketplace image without modifications, but I used the same user AND password every time… (I have to migrate a PA-VM cluster from one subscription to another, which unfortunately isn’t just “move to new subscription šŸ™ “)

    Luckily I tried google with “palo alto azure marketplace maintenance mode” and this is the third result. I usually use Duckduckgo and there this page is not found at all.

    Anyway thank you very much. No I can setup this new firewall on Monday and still meet the deadline.

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.