Palo Alto Networks: How to use SCP / SFTP instead of TFTP for file transfer
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30
| Vendor | Palo Alto Networks |
|---|---|
| Operating system | PAN-OS |
| Category | Hardening & Safe Protocols |
| Skill level | Intermediate to advanced |
| DIY-able? | Yes with CLI access; some scenarios need Palo Alto TAC + RMA. |
What this guide covers
How to use SCP / SFTP instead of TFTP for file transfer on Palo Alto Networks devices (PAN-OS).
Recommendation
TFTP is unauthenticated + clear-text. Enable SCP / SFTP: both ride over SSH and authenticate.
CLI / commands
# Entered from: configure
set network interface ethernet ethernet1/1 layer3 ip 10.0.0.1/24
commit
# Save / commit
commit
Verify
- Test from a non-admin workstation.
- Confirm fallback works if AAA or external service is down.
- Document the change in your CMDB / change-control.
Frequently asked questions
Will this work on my specific PAN-OS version?
The procedure reflects current PAN-OS behaviour. Older releases may need minor syntax adjustments, use the CLI help (? or tab-completion) to verify.
Should I open a Palo Alto TAC case immediately?
Open one if you suspect hardware failure or the symptom persists after a maintenance-window reload. Make sure your support entitlement is active first.
Where can I find the Palo Alto Networks official documentation?
https://knowledgebase.paloaltonetworks.com. search the product family + feature name.
Is this procedure safe in production?
Test in a lab or maintenance window first. Capture pre-change state so you can roll back.
Related guides
- All Palo Alto Networks fix guides → /paloalto/
- All vendor guides → /vendors/
Related fixes
Related guides worth a look while you sort this one out:
- Palo Alto Networks: How to use modern password hashing (no clear-text)
- Palo Alto Networks: How to configure logging to a central SIEM
- Palo Alto Networks: How to disable unused services and protocols
- Palo Alto Networks: How to enable control-plane policing / rate-limiting
- Palo Alto Networks: How to enable HTTPS-only management
- Palo Alto Networks: How to enable management ACL to lock down access
References
- Palo Alto Networks support portal: https://support.paloaltonetworks.com
- Palo Alto Networks knowledge base: https://knowledgebase.paloaltonetworks.com
- Palo Alto Networks security advisories: https://security.paloaltonetworks.com
- Open a case: https://support.paloaltonetworks.com/Support/Index
Reference material, not professional advice. Validate against your specific PAN-OS version and test in a non-production environment before applying.
Common patterns we see
When this symptom shows up on a Palo device, three patterns repeat:
1. Recent firmware update changed behavior, the symptom started within a week of an OTA push. Rollback or wait for the hotfix. 2. Environmental trigger: temperature, humidity, line voltage, network changes. Look at what changed in the environment. 3. Cumulative wear, components like batteries, gaskets, fans degrade over time. Replace the consumable rather than chasing a software fix.
Knowing which pattern applies saves time on the wrong fix.
Safety + preconditions
Before any work on a Palo device:
- Unplug from mains for any internal-access procedure.
- Discharge stored energy (capacitors in PSUs, residual battery charge) per manufacturer guidance.
- Use ESD-safe handling for boards and modules. no carpet, no wool sleeves.
- Avoid moisture; never apply liquids near vents or connectors.
- If you smell smoke, see scorch marks, or feel uneven heat, stop and escalate.
Verification checklist
After applying the fix on your Palo device, confirm:
- The original symptom is no longer reproducible.
- Related features (status LEDs, app sync, paired accessories) still work.
- The device responds to a soft reboot without the fault returning.
- Any error codes that were on display have cleared.
- Documentation (your service log, the brand companion app) reflects the change.
When to call Palo support instead
Escalate if:
- The same symptom returns within 24 hours of a clean fix.
- You see physical damage (burn marks, swollen battery, cracked PCB).
- The device is in warranty and a hardware replacement is the cheaper outcome.
- Repair requires specialised tools you don't own (alignment jigs, calibration software).
- Following the official path keeps the warranty intact, which matters more than the time spent.
More frequently asked questions
How often should I run preventive checks?
Quarterly for most consumer devices; monthly for production / commercial devices. Set a calendar reminder so the device stays healthy between issues.
Are there safer alternatives for non-technical users?
Yes, the manufacturer's self-service troubleshooter (HP Smart, LG ThinQ, Samsung Members, similar) usually walks through the same steps in a guided UI. Use that first if you're not comfortable with menu paths.
Does this affect other devices on my network?
Generally no. The procedure is local to this device. Network-side changes (firmware updates that affect TLS, SMB, or routing) are flagged explicitly in the steps.
What if the fix returns after a reboot?
Persistent fault returns mean either: a hardware fault (escalate), a configuration that's being overwritten by a sync source (check cloud profiles), or a regression in a recent firmware update (rollback).
Can I roll this back if something breaks?
Yes for software-level changes (firmware rollback, config rollback). Hardware changes are usually one-way. Always back up settings before starting.