Next-Generation Firewall
Use Secure Copy to Import and Export Files
Table of Contents
Use Secure Copy to Import and Export Files
Transfer configuration files, certificates, and other data securely between PAN-OS devices and external systems using SCP commands.
| Where Can I Use This? | What Do I Need? |
|---|---|
| NGFW (Managed by PAN-OS or Panorama) |
|
Secure Copy (SCP) is a convenient way to import and
export files onto or off of a Palo Alto Networks device. For, example,
you can use SCP to upload a new OS version to a device that does
not have internet access, or you can export a configuration or logs
from one device to import on another. The SCP commands require that
you have an account (username and password) on the SCP server.
Because the file for the entire log database is too large
for an export or import to be practical on the following models,
they do not support the scp export logdb or scp import logdb commands:
Panorama virtual appliance running Panorama 6.0 or later releases,
Panorama M-Series appliances (all releases), and PA-7000 Series
firewall (all releases).
Export a Saved Configuration from One Firewall and Import it into Another
After you import the saved configuration, you can then Load a Partial Configuration from the first firewall onto the second
firewall.
- On the first firewall, save the current configuration to a named configuration snapshot using the save config to <filename> command in configuration mode. For example:
admin@PA-fw1# save config to fw1-configExport the named configuration snapshot and log database to an SCP-enabled server using the scp export command in operational mode. When prompted, enter the password for your SCP server account.admin@fw1> scp export configuration from <named-config-file> to <username@host:path>For an SCP server running on Windows, the destination folder/filename path for both the export and import commands requires a drive letter followed by a colon. For example:admin@fw1> scp export configuration from fw1-config.xml to ccrisp@10.10.10.5:c:/fw-config
Log in to the firewall to which you want to copy the configuration and logs, and then import the configuration snapshot and log database. When prompted, enter the password for your SCP server account.admin@fw2> scp import configuration from <username@host:path_to_named-config-file>For example (on a Windows-based SCP server):admin@fw2> scp import configuration from ccrisp@10.10.10.5:c:/fw-configs/fw1-config.xml
Export and Import a Complete Log Database (logdb)
Learn how to export and import a complete log database (logdb).Because the file for the entire log database is too large for an export or import to be practical on the following models, they do not support the scp export logdb or scp import logdb commands:- Panorama virtual appliance running Panorama 6.0 or later releases.
- Panorama M-Series appliances (all releases).
- PA-7000 Series firewall (all releases).
- Export a log database to an SCP-enabled server using the scp export command in operational mode. When prompted, enter the password for your SCP server account.
admin@fw1> scp export logdb to <username@host:path_to_destination_filename>For an SCP server running on Windows, the destination folder/filename path for both the export and import commands requires a drive letter followed by a colon. For example:admin@fw1> scp export logdb to ccrisp@10.10.10.5:c:/fw-logs/fw1-logdb
Log in to the firewall on which to import a log database, and then enter the import command. When prompted, enter the password for your SCP server account.admin@fw2> scp import logdb from <username@host:path_to_destination_filename>For example (on a Windows-based SCP server):admin@fw2> scp import logdb from ccrisp@10.10.10.5:c:/fw-logs/fw1-logdb
