Hardening & Safe Protocols

Palo Alto Networks: How to use SCP / SFTP instead of TFTP for file transfer

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30

⚡ At a glance
VendorPalo Alto Networks
Operating systemPAN-OS
CategoryHardening & Safe Protocols
Skill levelIntermediate to advanced
DIY-able?Yes with CLI access; some scenarios need Palo Alto TAC + RMA.

What this guide covers

How to use SCP / SFTP instead of TFTP for file transfer on Palo Alto Networks devices (PAN-OS).

Recommendation

TFTP is unauthenticated + clear-text. Enable SCP / SFTP: both ride over SSH and authenticate.

CLI / commands

# Entered from: configure
set network interface ethernet ethernet1/1 layer3 ip 10.0.0.1/24
commit

# Save / commit
commit

Verify

Frequently asked questions

Will this work on my specific PAN-OS version?

The procedure reflects current PAN-OS behaviour. Older releases may need minor syntax adjustments, use the CLI help (? or tab-completion) to verify.

Should I open a Palo Alto TAC case immediately?

Open one if you suspect hardware failure or the symptom persists after a maintenance-window reload. Make sure your support entitlement is active first.

Where can I find the Palo Alto Networks official documentation?

https://knowledgebase.paloaltonetworks.com. search the product family + feature name.

Is this procedure safe in production?

Test in a lab or maintenance window first. Capture pre-change state so you can roll back.

Related guides worth a look while you sort this one out:

References


Reference material, not professional advice. Validate against your specific PAN-OS version and test in a non-production environment before applying.

Common patterns we see

When this symptom shows up on a Palo device, three patterns repeat:

1. Recent firmware update changed behavior, the symptom started within a week of an OTA push. Rollback or wait for the hotfix. 2. Environmental trigger: temperature, humidity, line voltage, network changes. Look at what changed in the environment. 3. Cumulative wear, components like batteries, gaskets, fans degrade over time. Replace the consumable rather than chasing a software fix.

Knowing which pattern applies saves time on the wrong fix.

Safety + preconditions

Before any work on a Palo device:

Verification checklist

After applying the fix on your Palo device, confirm:

When to call Palo support instead

Escalate if:

More frequently asked questions

How often should I run preventive checks?

Quarterly for most consumer devices; monthly for production / commercial devices. Set a calendar reminder so the device stays healthy between issues.

Are there safer alternatives for non-technical users?

Yes, the manufacturer's self-service troubleshooter (HP Smart, LG ThinQ, Samsung Members, similar) usually walks through the same steps in a guided UI. Use that first if you're not comfortable with menu paths.

Does this affect other devices on my network?

Generally no. The procedure is local to this device. Network-side changes (firmware updates that affect TLS, SMB, or routing) are flagged explicitly in the steps.

What if the fix returns after a reboot?

Persistent fault returns mean either: a hardware fault (escalate), a configuration that's being overwritten by a sync source (check cloud profiles), or a regression in a recent firmware update (rollback).

Can I roll this back if something breaks?

Yes for software-level changes (firmware rollback, config rollback). Hardware changes are usually one-way. Always back up settings before starting.