Use Secure Copy to Import and Export Files
Focus
Focus
Next-Generation Firewall

Use Secure Copy to Import and Export Files

Table of Contents

Use Secure Copy to Import and Export Files

Transfer configuration files, certificates, and other data securely between PAN-OS devices and external systems using SCP commands.
Where Can I Use This?What Do I Need?
NGFW (Managed by PAN-OS or Panorama)
  • No prerequisites needed
Secure Copy (SCP) is a convenient way to import and export files onto or off of a Palo Alto Networks device. For, example, you can use SCP to upload a new OS version to a device that does not have internet access, or you can export a configuration or logs from one device to import on another. The SCP commands require that you have an account (username and password) on the SCP server.
Because the file for the entire log database is too large for an export or import to be practical on the following models, they do not support the scp export logdb or scp import logdb commands: Panorama virtual appliance running Panorama 6.0 or later releases, Panorama M-Series appliances (all releases), and PA-7000 Series firewall (all releases).

Export a Saved Configuration from One Firewall and Import it into Another

After you import the saved configuration, you can then Load a Partial Configuration from the first firewall onto the second firewall.
  1. On the first firewall, save the current configuration to a named configuration snapshot using the save config to <filename> command in configuration mode. For example:
    admin@PA-fw1# save config to fw1-config
  2. Export the named configuration snapshot and log database to an SCP-enabled server using the scp export command in operational mode. When prompted, enter the password for your SCP server account.
    admin@fw1> scp export configuration from <named-config-file> to <username@host:path>
    For an SCP server running on Windows, the destination folder/filename path for both the export and import commands requires a drive letter followed by a colon. For example:
    admin@fw1> scp export configuration from fw1-config.xml to ccrisp@10.10.10.5:c:/fw-config
  3. Log in to the firewall to which you want to copy the configuration and logs, and then import the configuration snapshot and log database. When prompted, enter the password for your SCP server account.
    admin@fw2> scp import configuration from <username@host:path_to_named-config-file>
    For example (on a Windows-based SCP server):
    admin@fw2> scp import configuration from ccrisp@10.10.10.5:c:/fw-configs/fw1-config.xml

Export and Import a Complete Log Database (logdb)

Learn how to export and import a complete log database (logdb).
Because the file for the entire log database is too large for an export or import to be practical on the following models, they do not support the scp export logdb or scp import logdb commands:
  • Panorama virtual appliance running Panorama 6.0 or later releases.
  • Panorama M-Series appliances (all releases).
  • PA-7000 Series firewall (all releases).
  1. Export a log database to an SCP-enabled server using the scp export command in operational mode. When prompted, enter the password for your SCP server account.
    admin@fw1> scp export logdb to <username@host:path_to_destination_filename>
    For an SCP server running on Windows, the destination folder/filename path for both the export and import commands requires a drive letter followed by a colon. For example:
    admin@fw1> scp export logdb to ccrisp@10.10.10.5:c:/fw-logs/fw1-logdb
  2. Log in to the firewall on which to import a log database, and then enter the import command. When prompted, enter the password for your SCP server account.
    admin@fw2> scp import logdb from <username@host:path_to_destination_filename>
    For example (on a Windows-based SCP server):
    admin@fw2> scp import logdb from ccrisp@10.10.10.5:c:/fw-logs/fw1-logdb