Enable SCP Uploads for an Administrator
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1
Enable SCP Uploads for an Administrator
Enable Secure Protocol Copy (SCP) uploads for a firewall Superuser
administrator.
Enable Use Secure Copy Protocol (SCP) for Superuser administrators on your
Next-Generation firewalls to upload supported files, such as PAN-OS software
updates, dynamic content updates, and configuration file import from a local device
to a Palo Alto Networks Next-Generation firewall. This allows you to automate
supported file uploads using CLI rather than uploading using the firewall web
interface.
A system log is generated when you successfully SCP to your Next-Gen firewall or if
an SCP upload fails for any reason.
Palo Alto Networks support SCP uploads of PAN-OS software versions, PAN-OS software
changes, dynamic content updates, PAN-OS plugin versions, configuration files, and
license key files.
- In this example, a Superuser firewall administrator namedscp_adminwas created.
- Enable SCP functionality for a Superuser admin.The admin initiating SCP must have Superuser privileges.In this example, SCP functionality is enabled for the dedicated Superuserscp_admincreated in the previous step.
- Enter configuration mode.admin>configureEnable SCP functionality for a Superuser admin.admin#set mgt-config users <admin_name> preferences enable-scp-server yesVerify that SCP functionality was successfully enabled for the Superuser admin.admin#show mgt-config users <admin_name>In thepermissions, verify thatenable-scp-serverdisplaysyes.Commit.admin#commitPerform an SCP upload to your firewall.To upload a file to your firewall using SCP, the local device you are uploading from and the firewall must be on the same subnet. This step assumes you already have the file you want to upload to your firewall available on your local device.This example demonstrates how to upload an Application & Threats content update to your firewall. The predefined target directories for SCP uploads are:
- PAN-OS Software Versions—/scp/software/
- PAN-OS Software Patches—/scp/patch/
- Application & Threats Content Updates—/scp/content/
- WildFire Content Updates—/scp/wildfire/
- Antivirus Content Updates—/scp/anti-virus/
- PAN-OS Plugin Versions—/scp/plugin/
- XML Configuration Files—/scp/config/All PAN-OS config files must have the.xmlextension appended to the file name for SCP uploads to succeed.
- License Key Files—/scp/license/
- Open a CLI terminal and use thecdcommand to navigate to the folder or directory where the file you want to SCP is located.After navigating to the correct folder or directory, enterlsto view the folder or directory contents.In this example, you can see thepanupv2-all-contents-8765-8342file we will upload to the firewall.
- Upload a file to the firewall using the SCP-enabled Superuser admin.SCP applications like WinSCP and FileZilla are not supported. The SCP command must be run from the device command line.
- Operating System running OpenSSH 8 or earlierscp <file_name> <scp_superuser>@<firewall_IP>:/scp/<file_type>/<file_name>Example of the SCP command to upload the Application & Threats content update using thescp_admin.scp panupv2-all-contents-8765-8342 scp_admin@<firewall_IP>:/scp/content/panupv2-all-contents-8765-8342Operating System running OpenSSH 9 or laterscp -O <file_name> <scp_superuser>@<firewall_IP>:/scp/<file_type>/<file_name>Example of the SCP command to upload the Application & Threats content update using thescp_admin.scp -O panupv2-all-contents-8765-8342 scp_admin@<firewall_IP>:/scp/content/panupv2-all-contents-8765-8342
- Enteryeswhen prompted to verify the authenticity of the firewall.You are not prompted to verify authenticity if you have already connected to the firewall using SSH from this device and can skip this step.
- Enter the SCP adminPasswordwhen prompted and click Enter to continue.
- The SCP upload progress is displayed.The SCP upload is complete when the progress status displays100%and the CLI command prompt is becomes available.
Review the system logs to verify the SCP upload was successful.You can verify that the SCP upload was successful by reviewing the generated system log and confirm that the uploaded file is available. In this example, we review the system log for the SCP upload of Application & Threats content update version 8765-8342.- Selectand filter for SCP uploads.MonitorLogsSystemTo system logs are displayed to verify the SCP upload.( description contains 'SCP' )Selectand confirm the uploaded content version is available toDeviceDynamic UpdatesDownload.
Recommended For You