Save and Export Firewall Configurations
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Save and Export Firewall Configurations
Saving a backup of the candidate configuration
to persistent storage on the firewall enables you to later revert
to that backup (see Revert
Firewall Configuration Changes). This is useful for preserving
changes that would otherwise be lost if a system event or administrator
action causes the firewall to reboot. After rebooting, PAN-OS automatically
reverts to the current version of the running configuration, which
the firewall stores in a file named running-config.xml. Saving backups
is also useful if you want to revert to a firewall configuration
that is earlier than the current running configuration. The firewall
does not automatically save the candidate configuration to persistent
storage. You must manually save the candidate configuration as a
default snapshot file (.snapshot.xml) or as a custom-named snapshot
file. The firewall stores the snapshot file locally but you can
export it to an external host.
You don’t have to save
a configuration backup to revert the changes made since the last
commit or reboot; just select ConfigRevert Changes (see Revert
Firewall Configuration Changes).
When you edit a setting
and click OK, the firewall updates the candidate
configuration but does not save a backup snapshot.
Additionally,
saving changes does not activate them. To activate changes, perform
a commit (see Commit,
Validate, and Preview Firewall Configuration Changes).
Palo
Alto Networks recommends that you back up any important configuration
to a host external to the firewall.
- Save a local backup snapshot of the candidate configuration if it contains changes that you want to preserve in the event the firewall reboots.These are changes you are not ready to commit—for example, changes you cannot finish in the current login session.To overwrite the default snapshot file (.snapshot.xml) with all the changes that all administrators made, perform one of the following steps:
- Select DeviceSetupOperations and Save candidate configuration.
- Log in to the firewall with an administrative account that is assigned the Superuser role or an Admin Role profile with the Save For Other Admins privilege enabled. Then select ConfigSave Changes at the top of the web interface, select Save All Changes and Save.
To create a snapshot that includes all the changes that all administrators made but without overwriting the default snapshot file:- Select DeviceSetupOperations and Save named configuration snapshot.Specify the Name of a new or existing configuration file.Click OK and Close.To save only specific changes to the candidate configuration without overwriting any part of the default snapshot file:
- Log in to the firewall with an administrative account that has the role privileges required to save the desired changes.Select ConfigSave Changes at the top of the web interface.Select Save Changes Made By.To filter the Save Scope by administrator, click <administrator-name>, select the administrators, and click OK.To filter the Save Scope by location, clear any locations that you want to exclude. The locations can be specific virtual systems, shared policies and objects, or shared device and network settings.Click Save, specify the Name of a new or existing configuration file, and click OK.Export a candidate configuration, a running configuration, or the firewall state information to a host external to the firewall.Select DeviceSetupOperations and click an export option:
- Export named configuration snapshot—Export the current running configuration, a named candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the Name you specify.
- Export configuration version—Select a Version of the running configuration to export as an XML file. The firewall creates a version whenever you commit configuration changes.
- Export device state—Export the firewall state information as a bundle. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.