You can perform the following tasks to manage the running and candidate configurations of the firewall and Panorama. If you’re using a Panorama virtual appliance, you can also use the settings on this page to configure Log Storage Partitions for a Panorama Virtual Appliance.
Manage Running and Candidate Configurations
You must Commit Changes you make in the candidate configuration to activate those changes, at which point they become part of the running configuration. As a best practice, periodically Save Candidate Configurations. You can use Secure Copy (SCP) commands from the CLI to export configuration files, logs, reports, and other files to an SCP server and import the files to another firewall or Panorama. However, because the log database is too large for an export or import to be practical on the following platforms, they do not support exporting or importing the entire log database—PA-7000 Series firewalls (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).
Configuration Management

Revert to last saved config: Restores the default snapshot (.snapshot.xml) of the candidate configuration (the snapshot that you create or overwrite when you click Save at the top right of the web interface).

Revert to running config: Restores the current running configuration. This operation undoes all the changes you made to the candidate configuration since the last commit.

Save named configuration snapshot: Creates a candidate configuration snapshot that does not overwrite the default snapshot (.snapshot.xml). Enter a Name for the snapshot or select an existing snapshot to overwrite.

Save candidate config: Creates or overwrites the default snapshot of the candidate configuration (.snapshot.xml). This is the same action as when you click Save at the top right of the web interface.

Load named configuration snapshot (Firewall only) or Load named Panorama configuration snapshot: Overwrites the current candidate configuration with one of the following:
- A custom-named candidate configuration snapshot (instead of the default snapshot).
- A custom-named running configuration that you imported.
- The current running configuration.
The configuration must reside on the firewall or Panorama onto which you are loading it. Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. If you are loading an imported configuration, you must enter the master key of the firewall or Panorama from which you imported it. After the load operation finishes, the master key of the firewall or Panorama onto which you loaded the configuration re-encrypts the passwords and private keys.

Load configuration version (Firewall only) or Load Panorama configuration version: Overwrites the current candidate configuration with a previous version of the running configuration that is stored on the firewall or Panorama. Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. After the load operation finishes, the master key re-encrypts the passwords and private keys.

Export named configuration snapshot: Exports the current running configuration, a candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the specified name. You can save the snapshot in any network location.

Export configuration version: Exports a Version of the running configuration as an XML file.

Export Panorama and devices config bundle (Panorama only): Generates and exports the latest versions of the running configuration backup of Panorama and of each managed firewall. To automate the process of creating and exporting the configuration bundle daily to an SCP or FTP server, see Panorama > Device Deployment.

Export or push device config bundle (Panorama only): Prompts you to select a firewall and perform one of the following actions on the firewall configuration stored on Panorama:
- Push & Commit the configuration to the firewall. This action cleans the firewall (removes any local configuration from it) and pushes the firewall configuration stored on Panorama. After you import a firewall configuration, use this option to clean that firewall so you can manage it using Panorama.
- Export the configuration to the firewall without loading it. To load the configuration, you must access the firewall CLI and run the configuration mode command load device-state. This command cleans the firewall in the same way as the Push & Commit option.
These options are available only for firewalls running PAN-OS 6.0.4 and later releases.

Export device state (Firewall only): Exports the firewall state information as a bundle. In addition to the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect™ portal, the bundle also includes certificate information, a list of satellites that the portal manages, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle. You must manually run the firewall state export or create a scheduled XML API script to export the file to a remote server. This should be done on a regular basis because satellite certificates often change. To create the firewall state file from the CLI, run save device state from configuration mode. The file is named device_state_cfg.tgz and is stored in /opt/pancfg/mgmt/device-state. The operational command to export the firewall state file is scp export device-state (you can also use tftp export device-state). For information on using the XML API, refer to the PAN-OS and Panorama XML API Usage Guide.

Import named config snapshot: Imports a running or candidate configuration from any network location. Click Browse and select the configuration file to import.

Import device state (Firewall only): Imports the state information bundle that you exported from a firewall using the Export device state option. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the bundle also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.

Import Device Configuration to Panorama (Panorama only): Imports a firewall configuration into Panorama. Panorama automatically creates a template to contain the network and device configurations. For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to contain the policy and object configurations. The device groups will be one level below the Shared location in the hierarchy, though you can reassign them to a different parent device group after finishing the import (see Panorama > VMware Service Manager). The content versions on Panorama (for example, the Applications and Threats database) must be the same as or higher than the versions on the firewall from which you will import a configuration. Configure the following import options:
- Device — Select the firewall from which Panorama will import the configurations. The drop-down includes only firewalls that are connected to Panorama and are not assigned to any device group or template. You can select only an entire firewall, not an individual vsys.
- Template Name — Enter a name for the template that will contain the imported device and network settings. For a multi-vsys firewall, the field is blank. For other firewalls, the default value is the firewall name. You cannot use the name of an existing template.
- Device Group Name Prefix (multi-vsys firewalls only) — Optionally, add a character string as a prefix for each device group name.
- Device Group Name — For a multi-vsys firewall, each device group has a vsys name by default. For other firewalls, the default value is the firewall name. You can edit the default names but cannot use the name of an existing device group.
- Import devices' shared objects into Panorama's shared context — This option is selected by default, which means Panorama imports objects that belong to Shared in the firewall to Shared in Panorama. Note that Panorama regards all objects as shared on a firewall without multiple virtual systems. If you clear this option, Panorama copies shared firewall objects into device groups instead of Shared. This setting has the following exceptions:
  - If a shared firewall object has the same name and value as an existing shared Panorama object, the import excludes that firewall object.
  - If the name or value of the shared firewall object differs from the shared Panorama object, Panorama imports the firewall object into each device group.
  - If a configuration imported into a template references a shared firewall object, Panorama imports that object into Shared regardless of whether you select this option.
  - If a shared firewall object references a configuration imported into a template, Panorama imports the object into a device group regardless of whether you select this option.
- Rule Import Location — Select whether Panorama will import policies as pre-rules or post-rules. Regardless of your selection, Panorama imports the default security rules (intrazone-default and interzone-default) into the post-rulebase. If Panorama has a rule with the same name as a firewall rule that you import, Panorama displays both rules. However, rule names must be unique: delete one of the rules before performing a commit on Panorama or else the commit will fail.
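The scheduled XML API export that the Export device state entry above recommends, as an added example that is not Palo Alto Networks code. It uses the XML API request type=export&category=device-state described in the PAN-OS and Panorama XML API Usage Guide that the entry references; the host name, the PANOS_API_KEY and PANOS_CA_FILE environment variables, the destination path and the member names of the sample bundle are assumptions. The check it adds is the part a scheduled job most often lacks: when the key is invalid or lacks permission, the API answers with an XML error document rather than a .tgz, so the reply is validated as a gzip tar archive before it is allowed to replace the previous export.

```python
# Added example (not Palo Alto Networks code): fetch and validate a device-state bundle
# over the PAN-OS XML API. Assumed names: PANOS_API_KEY / PANOS_CA_FILE environment
# variables, the command-line host and destination path, and the sample bundle contents.
import io
import os
import ssl
import sys
import tarfile
import urllib.parse
import urllib.request
from typing import List, Optional


def build_export_url(host: str, api_key: str) -> str:
    """URL for the XML API device-state export. The key is URL-encoded so that
    characters such as '=' (common in API keys) do not corrupt the query string."""
    query = urllib.parse.urlencode(
        {"type": "export", "category": "device-state", "key": api_key}
    )
    return f"https://{host}/api/?{query}"


def validate_bundle(data: bytes) -> List[str]:
    """Return the member names of a device-state bundle, or raise ValueError.
    A rejected request (bad key, missing permission) comes back as an XML
    <response status="error"> document, not a .tgz; writing that reply to disk
    unchecked would overwrite a good backup with an unusable file."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            names = tar.getnames()
    except (tarfile.TarError, OSError, EOFError) as exc:
        preview = data[:80].decode("utf-8", errors="replace")
        raise ValueError(f"not a gzip tar archive (starts with {preview!r}): {exc}") from None
    if not names:
        raise ValueError("bundle is empty")
    return names


def fetch_device_state(host: str, api_key: str, dest: str, cafile: Optional[str] = None) -> List[str]:
    """Download the bundle, validate it, and only then write it to `dest`."""
    context = ssl.create_default_context(cafile=cafile)  # verify the firewall's TLS certificate
    url = build_export_url(host, api_key)
    with urllib.request.urlopen(url, context=context, timeout=120) as resp:
        data = resp.read()
    names = validate_bundle(data)
    with open(dest, "wb") as fh:
        fh.write(data)
    return names


def make_sample_bundle() -> bytes:
    """Constructed stand-in for a real export so the validator can run offline.
    The member names are invented and do not describe the real bundle layout."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in (("sample/config.xml", b"<config/>"), ("sample/notes.txt", b"constructed")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: PANOS_API_KEY=... python export_device_state.py fw.example.internal /backup/device_state_cfg.tgz
    host, dest = sys.argv[1], sys.argv[2]
    key = os.environ["PANOS_API_KEY"]  # assumed variable name; keep the key out of the command line
    try:
        members = fetch_device_state(host, key, dest, cafile=os.environ.get("PANOS_CA_FILE"))
        print("exported members:", members)
    except ValueError as exc:
        sys.exit(f"export failed: {exc}")
```

Run it from cron or a scheduler at the interval you use for satellite certificate rotation; because the file is written only after validation, a failed run leaves the last good bundle in place and exits non-zero, which is what a monitoring job should alert on.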
Device Operations

Reboot: To restart the firewall or Panorama, click Reboot Device. The firewall or Panorama logs you out, reloads the software (PAN-OS or Panorama) and active configuration, closes and logs existing sessions, and creates a System log entry that shows the name of the administrator who initiated the shutdown. Any configuration changes that were not saved or committed are lost (see Device > Setup > Operations). If the web interface is not available, use the request restart system operational CLI command.

Shutdown: To perform a graceful shutdown of the firewall or Panorama, click Shutdown Device or Shutdown Panorama and then click Yes on the confirmation prompt. Any configuration changes that have not been saved or committed are lost. All administrators will be logged off and the following processes will occur:
- All login sessions will be logged off.
- Interfaces will be disabled.
- All system processes will be stopped.
- Existing sessions will be closed and logged.
- System Logs will be created that show the name of the administrator who initiated the shutdown. If this log entry cannot be written, a warning will appear and the system will not shut down.
- Disk drives will be cleanly unmounted and the firewall or Panorama will be powered off.
You need to unplug the power source and plug it back in before you can power on the firewall or Panorama. If the web interface is not available, use the request shutdown system CLI command.

Restart Data Plane: To restart the data functions of the firewall without rebooting, click Restart Dataplane. This option is not available on the PA-200 firewall or on Panorama. If the web interface is not available, use the request restart dataplane CLI command.

Miscellaneous

Custom Logos: Use this option to customize any of the following:
- Login Screen background image
- Main UI (User Interface) header image
- PDF Report Title Page image (refer to Monitor > PDF Reports > Manage PDF Summary)
- PDF Report Footer image
Use the corresponding icons to upload an image file, preview an image, or remove a previously uploaded image. To return to the default logo, remove your entry and Commit. For the Login Screen and Main UI options, the preview displays the image as it will appear. If necessary, the firewall crops the image to fit. For PDF reports, the firewall automatically resizes the images to fit without cropping. In all cases, the preview displays the recommended image dimensions. The maximum image size for any logo is 128KB. The supported file types are png, gif, and jpg. The firewall does not support image files that are interlaced or that contain alpha channels; such files interfere with PDF report generation. You might need to contact the illustrator who created an image to remove alpha channels, or make sure the graphics software you are using does not save files with the alpha channel feature. For information on generating PDF reports, see Monitor > PDF Reports > Manage PDF Summary.

SNMP Setup: See Enable SNMP Monitoring.

Statistics Service Setup: The Statistics Service feature allows the firewall to send anonymous application, threat, and crash information to the Palo Alto Networks research team. The information collected enables the research team to continually improve the effectiveness of Palo Alto Networks products based on real-world information. This service is disabled by default; once enabled, information is uploaded every 4 hours. You can allow the firewall to send any of the following types of information:
- Application and Threat Reports
- Unknown Application Reports
- URL Reports
- Device traces for crashes
To view a sample of the content in a statistical report before it is sent, select the desired report and then click Report Sample. The Report Sample tab opens to display the report code.

Storage Partition Setup (Panorama only): See Log Storage Partitions for a Panorama Virtual Appliance.
Enable SNMP Monitoring
Simple Network Management Protocol (SNMP) is a standard protocol for monitoring the devices on your network. Select Operations to configure the firewall to use the SNMP version that your SNMP manager supports (SNMPv2c or SNMPv3). For a list of the MIBs that you must load into the SNMP manager so it can interpret the statistics it collects from the firewall, see Supported MIBs. To configure the server profile that enables the firewall to communicate with the SNMP trap destinations on your network, see Device > Server Profiles > SNMP Trap. The SNMP MIBs define all SNMP traps that the firewall generates. An SNMP trap identifies an event with a unique Object ID (OID), and the individual fields are defined as a variable binding (varbind) list. Click SNMP Setup and specify the following settings to allow SNMP GET requests from your SNMP manager.

Physical Location: Specify the physical location of the firewall. When a log or trap is generated, this information allows you to identify (in an SNMP manager) the firewall that generated the notification.

Contact: Enter the name or email address of the person responsible for maintaining the firewall. This setting is reported in the standard system information MIB.

Use Specific Trap Definitions: This option is selected by default, which means the firewall uses a unique OID for each SNMP trap based on the event type. If you clear this option, every trap will have the same OID.

Version: Select the SNMP version, V2c (default) or V3. Your selection controls the remaining fields that the dialog displays.

For SNMP V2c

SNMP Community String: Enter the community string, which identifies an SNMP community of SNMP managers and monitored devices and also serves as a password to authenticate the community members to each other when they exchange SNMP get (statistics request) and trap messages. The string can have up to 127 characters, accepts all characters, and is case-sensitive. As a best practice, don't use the default community string public. Because SNMP messages contain community strings in clear text, consider the security requirements of your network when defining community membership (administrator access).

For SNMP V3

Name / View: You can assign a group of one or more views to the user of an SNMP manager to control which MIB objects (statistics) the user can get from the firewall. Each view is a paired OID and bitwise mask: the OID specifies a MIB and the mask (in hexadecimal format) specifies which objects are accessible within (include matching) or outside (exclude matching) that MIB. For example, if the OID is 1.3.6.1, the matching Option is set to include and the Mask is 0xf0, then the objects that the user requests must have OIDs that match the first four nodes (f = 1111) of 1.3.6.1. The objects don't need to match the remaining nodes. In this example, 1.3.6.1.2 matches the mask and 1.4.6.1.2 doesn't. For each group of views, click Add, enter a Name for the group, and then configure the following for each view you Add to the group:
- View — Specify a name for the view. The name can have up to 31 characters that are alphanumeric, periods, underscores, or hyphens.
- OID — Specify the OID of the MIB.
- Option — Select the matching logic to apply to the MIB.
- Mask — Specify the mask in hexadecimal format.
To provide access to all management information, use the top-level OID 1.3.6.1, set the Mask to 0xf0, and set the matching Option to include.

Users: SNMP user accounts provide authentication, privacy, and access control when firewalls forward traps and SNMP managers get firewall statistics. For each user, click Add and configure the following settings:
- Users — Specify a username to identify the SNMP user account. The username you configure on the firewall must match the username configured on the SNMP manager. The username can have up to 31 characters.
- View — Assign a group of views to the user.
- Auth Password — Specify the authentication password of the user. The firewall uses the password to authenticate to the SNMP manager when forwarding traps and responding to statistics requests. The firewall uses Secure Hash Algorithm (SHA-1 160) to encrypt the password. The password must be 8-256 characters and all characters are allowed.
- Priv Password — Specify the privacy password of the user. The firewall uses the password and Advanced Encryption Standard (AES-128) to encrypt SNMP traps and responses to statistics requests. The password must be 8-256 characters and all characters are allowed.
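The OID-plus-mask matching behind the Name / View setting, worked through in code as an added example (not PAN-OS code, and not a description of how PAN-OS is implemented internally). It reproduces the page's case (OID 1.3.6.1, Mask 0xf0, Option include: 1.3.6.1.2 is visible, 1.4.6.1.2 is not) and goes one step further by combining several views in one group. The combination rule, longest matching subtree wins, is the one RFC 3415's view-based access control model uses; the page does not state that rule, so it is an assumption here, as are the view names and the constructed exclude view.

```python
# Added example (not PAN-OS code): SNMPv3 view matching as described for Name / View,
# an OID subtree plus a hexadecimal mask with include/exclude logic. The rule for
# combining several views in a group (longest matching subtree decides) is taken from
# RFC 3415 VACM and is an assumption, not something the page states.
from dataclasses import dataclass
from typing import List, Optional


def parse_oid(oid: str) -> List[int]:
    """Turn '1.3.6.1' (a leading dot is tolerated) into [1, 3, 6, 1]."""
    return [int(node) for node in oid.strip(".").split(".") if node]


def mask_bits(mask: str) -> List[bool]:
    """Expand a hex mask such as '0xf0' into per-node flags, most significant bit first.
    A 1 bit means the corresponding OID node must match; a 0 bit is a wildcard."""
    hexdigits = mask.lower()
    if hexdigits.startswith("0x"):
        hexdigits = hexdigits[2:]
    width = 4 * len(hexdigits)
    return [bit == "1" for bit in format(int(hexdigits, 16), f"0{width}b")]


@dataclass(frozen=True)
class View:
    name: str
    oid: str      # subtree OID, for example "1.3.6.1"
    option: str   # "include" or "exclude"
    mask: str     # hex mask, for example "0xf0"


def oid_in_subtree(oid: str, subtree: str, mask: str) -> bool:
    """True if `oid` lies under `subtree` when only the masked nodes are compared.
    Nodes beyond the mask's length count as 'must match', as in RFC 3415."""
    target, family, bits = parse_oid(oid), parse_oid(subtree), mask_bits(mask)
    if len(target) < len(family):
        return False  # an object cannot sit inside a subtree longer than itself
    for i, node in enumerate(family):
        must_match = bits[i] if i < len(bits) else True
        if must_match and target[i] != node:
            return False
    return True


def view_group_allows(views: List[View], oid: str) -> bool:
    """Decide whether an SNMP GET for `oid` is permitted by a group of views.
    The most specific (longest) matching subtree decides: 'include' grants,
    'exclude' denies, and an OID matched by no view at all is denied."""
    best: Optional[View] = None
    for view in views:
        if oid_in_subtree(oid, view.oid, view.mask):
            if best is None or len(parse_oid(view.oid)) > len(parse_oid(best.oid)):
                best = view
    return best is not None and best.option == "include"


# Constructed sample group: the page's 1.3.6.1 / 0xf0 / include view, plus an exclude
# view (an assumption for illustration) that hides the SNMP user table under
# usmMIB (1.3.6.1.6.3.15) from this user while leaving the rest of 1.3.6.1 readable.
SAMPLE_GROUP = [
    View("all-mgmt", "1.3.6.1", "include", "0xf0"),
    View("no-usm", "1.3.6.1.6.3.15", "exclude", "0xfe"),
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.5.0", "1.4.6.1.2", "1.3.6.1.6.3.15.1.1.1.0"):
        print(oid, "allowed" if view_group_allows(SAMPLE_GROUP, oid) else "denied")
```

A 0 bit in the mask is the interesting case: with OID 1.3.6.1 and Mask 0xb0 (1011), the second node becomes a wildcard, so 1.9.6.1.2 matches as well, which is rarely what an operator intends. When reviewing a view, read the mask in binary next to the OID before trusting what the group exposes.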