Enable SCP Uploads for an Administrator

(

Optional

) Configure a Panorama administrator with Superuser privileges for SCP functionality.

In this example, we created a Superuser Panorama administrator named

scp_admin

.

Log in to the Panorama CLI.

Enable SCP functionality for a Superuser admin.

The admin initiating SCP must have Superuser privileges.

In this example, SCP functionality is enabled for the dedicated Superuser

scp_admin

created in the previous step.

Enter configuration mode.

admin>
configure

Enable SCP functionality for a Superuser admin.

admin#
set mgt-config users <admin_name> preferences enable-scp-server yes

Verify that SCP functionality was successfully enabled for the Superuser admin.

admin#
show mgt-config users <admin_name>

In the

permissions

, verify that

enable-scp-server

displays

yes

.



Commit.

admin# 
commit

Perform an SCP upload to Panorama.

To upload a file to Panorama using SCP, the local device you are uploading from and Panorama must be on the same subnet. This step assumes you already have the file you want to upload to Panorama available on your local device.

This example demonstrates how to upload an Application & Threats content update to Panorama. The predefined target directories for SCP uploads are:

PAN-OS Software Versions
—
/scp/software/
PAN-OS Software Patches
—
/scp/patch/
Application & Threats Content Updates
—
/scp/content/
WildFire Content Updates
—
/scp/wildfire/
Antivirus Content Updates
—
/scp/anti-virus/
PAN-OS Plugin Versions
—
/scp/plugin/
XML Configuration Files
—
/scp/config/
All PAN-OS config files must have the
.xml
extension appended to the file name for SCP uploads to succeed.
License Key Files
—
/scp/license/

Open a CLI terminal and use the

cd

command to navigate to the folder or directory where the file you want to SCP is located.

After navigating to the correct folder or directory, enter

ls

to view folder or directory contents.

In this example, you can see the

panupv2-all-contents-8765-8342

file we will upload to Panorama.

Upload a file to Panorama using the SCP-enabled Superuser admin.

SCP applications like WinSCP and FileZilla are not supported. The SCP command must be run from the device command line.

Operating System running OpenSSH 8 or earlier

 scp <file_name> <scp_superuser>@<panorama_IP>:/scp/<file_type>/<file_name>

Example of the SCP command to upload the Application & Threats content update using the

scp_admin

.

scp panupv2-all-contents-8765-8342 scp_admin@<panorama_IP>:/scp/content/panupv2-all-contents-8765-8342

Operating System running OpenSSH 9 or later

 scp -o <file_name> <scp_superuser>@<panorama_IP>:/scp/<file_type>/<file_name>

Example of the SCP command to upload the Application & Threats content update using the

scp_admin

.

scp -o panupv2-all-contents-8765-8342 scp_admin@<panorama_IP>:/scp/content/panupv2-all-contents-8765-8342

Enter

yes

when prompted to verify Panorama authenticity.

You are not prompted to verify authenticity if you have already connected to Panorama using SSH from this device and can skip this step.

Enter the SCP admin

Password

when prompted and click Enter to continue.

The SCP upload progress is displayed.

The SCP upload is complete when the progress status displays

100%

and the CLI command prompt is becomes available.



Verify the SCP upload.

You can verify that the SCP upload was successful by reviewing the generated system log and confirm that the uploaded file is available. In this example, we review the system log for the SCP upload of Application & Threats content update version 8765-8342.

Log in to the Panorama Web Interface.

Select

Monitor

System

and filter for SCP uploads.

( description contains 'SCP' )



Select

Panorama

Dynamic Updates

and confirm the uploaded content version is available to

Download

.