PAM physical appliances have two SSDs, a primary on which PAM runs and a Secondary containing a backup image. The backup image is written any time a patch requiring a reboot is installed. You may also request PAM to write a backup at any time. This is done by selecting Perform Full Appliance Backup on the Config --> Upgrade --> Backup & Recovery page. Bear in mind that PAM can only go back to whatever is on that backup disk, so be careful about doing that. You don't want to inadvertently overwrite a recovery image you wish to maintain.
When you are ready to Recover you may just click on Recover Appliance From Latest Backup. In some circumstances, where PAM is not booting, you may wish to do a recovery without being able to use the PAM GUI. This is done by interacting with grub. In order to do so you must connect the console cable, provided when the X304L was delivered, between a PC and PAM's console port. You may then connect to the console port with putty, or a similar terminal emulator, using the settings described in our documentation wiki. Here is a link to the appropriate page for 3.1.1: Configure Network Connections for the Appliance - CA Privileged Access Manager - 3.1.1 - CA Technologies Documentation. The settings should be the same for all PAM versions.
Once a connection is made to the console port you will start seeing console messages. Users are not able to interact with the console when PAM is running. You can interact with the system as it is booting. For the purpose of Recovery, you will need to hit the esc grub menu. Doing so will give you a list of items from which to select, including one titled with the date and time of the full backup. In this case it looked like this: "CA PAM 3.0.2.46 Backup as of Mon May 7 14:40:14 UTC 2018".
If successful, the contents of the primary SSD will be replaced with what was on the Backup SSD, and the system will be running as it was at the time of the backup. You may have to install patches or make configuration changes that occurred after that time. If this was done for a primary system in a cluster, you will most likely want to make it a secondary when you are ready to return it to your cluster. If you have any questions about this procedure please open a Support ticket.