Device > Setup > Operations

You can perform the following tasks to manage the running and candidate configurations of the firewall and Panorama. If you’re using a Panorama virtual appliance, you can also use the settings on this page to configure Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode.
You must Commit Changes you make in the candidate configuration to activate those changes, at which point they become part of the running configuration. As a best practice, periodically Save Candidate Configurations.
You can use Secure Copy (SCP) commands from the CLI to export configuration files, logs, reports, and other files to an SCP server and import the files to another firewall or Panorama. However, because the log database is too large for an export or import to be practical on the following models, they do not support exporting or importing the entire log database: PA-7000 Series firewalls (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).
Function
Description
Configuration Management
Revert to last saved config
Restores the default snapshot (.snapshot.xml) of the candidate configuration (the snapshot that you create or overwrite when you select Config > Save Changes at the top right of the web interface).
Revert to running config
Restores the current running configuration. This operation undoes all the changes that all administrators made to the candidate configuration since the last commit. To revert only the changes of specific administrators, see Revert Changes.
Save named configuration snapshot
Creates a candidate configuration snapshot that does not overwrite the default snapshot (.snapshot.xml). Enter a Name for the snapshot or select an existing named snapshot to overwrite.
Save candidate config
Creates or overwrites the default snapshot of the candidate configuration (.snapshot.xml) with the current candidate configuration. This is the same action as when you select Config > Save Changes at the top right of the web interface. To save only the changes of specific administrators, see Save Candidate Configurations.
Load named configuration snapshot (firewall) or Load named Panorama configuration snapshot
Overwrites the current candidate configuration with one of the following:
  • Custom-named candidate configuration snapshot (instead of the default snapshot).
  • Custom-named running configuration that you imported.
  • Current running configuration.
The configuration must reside on the firewall or Panorama onto which you are loading it.
Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. If you are loading an imported configuration, you must enter the master key of the firewall or Panorama from which you imported. After the load operation finishes, the master key of the firewall or Panorama onto which you loaded the configuration re-encrypts the passwords and private keys.
Load configuration version (firewall) or Load Panorama configuration version
Overwrites the current candidate configuration with a previous version of the running configuration that is stored on the firewall or Panorama.
Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. After the load operation finishes, the master key re-encrypts the passwords and private keys.
Export named configuration snapshot
Exports the current running configuration, a candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the specified name. You can save the snapshot in any network location.
Export configuration version
Exports a Version of the running configuration as an XML file.
Export Panorama and devices config bundle
(Panorama only)
Generates and exports the latest versions of the running configuration backup of Panorama and of each managed firewall. To automate the process of creating and exporting the configuration bundle daily to an SCP or FTP server, see Panorama > Device Deployment.
Export or push device config bundle
(Panorama only)
Prompts you to select a firewall and perform one of the following actions on the firewall configuration stored on Panorama:
  • Push & Commit the configuration to the firewall. This action cleans the firewall (removes any local configuration from it) and pushes the firewall configuration stored on Panorama. After you import a firewall configuration, use this option to clean that firewall so you can manage it using Panorama.
  • Export the configuration to the firewall without loading it. To load the configuration, you must access the firewall CLI and run the configuration mode command load device-state. This command cleans the firewall in the same way as the Push & Commit option.
These options are available only for firewalls running PAN-OS 6.0.4 and later releases.
Export device state
(Firewall only)
Exports the firewall state information as a bundle. In addition to the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect™ portal, the bundle also includes certificate information, a list of satellites that the portal manages, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.
Important: You must manually run the firewall state export or create a scheduled XML API script to export the file to a remote server. This should be done on a regular basis because satellite certificates often change.
To create the firewall state file from the CLI, from configuration mode run save device state. The file will be named device_state_cfg.tgz and is stored in /opt/pancfg/mgmt/device-state. The operational command to export the firewall state file is scp export device-state (you can also use tftp export device-state).
For information on using the XML API, refer to the PAN-OS and Panorama XML API Usage Guide.
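A scheduled XML API export of the kind recommended above could look like the following. This is an added example, not code from the product documentation. It assumes the XML API export request type=export&category=device-state, the X-PAN-KEY header (PAN-OS 9.0 or later), and hypothetical environment variable names for the host, API key, CA file and backup directory.

```python
import hashlib
import io
import os
import ssl
import tarfile
import urllib.parse
import urllib.request


def export_url(host):
    # XML API export request for the device-state bundle.
    query = urllib.parse.urlencode({"type": "export", "category": "device-state"})
    return f"https://{host}/api/?{query}"


def fetch_bundle(host, api_key, ca_file):
    # Validate the firewall certificate against a known CA file (assumed path).
    # X-PAN-KEY needs PAN-OS 9.0 or later; it keeps the key out of URLs and logs.
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(export_url(host), headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read()


def check_bundle(data):
    # An API error arrives as XML text, not a gzip tar archive: refuse to store it.
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            names = tar.getnames()
    except (tarfile.TarError, OSError, EOFError) as exc:
        raise ValueError("response is not a device-state bundle") from exc
    if not names:
        raise ValueError("device-state bundle is empty")
    return names


def store_bundle(data, directory, stamp):
    check_bundle(data)
    path = os.path.join(directory, f"device_state_cfg-{stamp}.tgz")
    # The bundle holds certificate and satellite authentication data:
    # owner-only mode, and O_EXCL so an earlier backup is never overwritten.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Hypothetical environment variable names, set by the scheduler (cron, systemd).
    from datetime import datetime, timezone
    blob = fetch_bundle(os.environ["PAN_HOST"], os.environ["PAN_API_KEY"], os.environ["PAN_CA_FILE"])
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    print(*store_bundle(blob, os.environ["BACKUP_DIR"], stamp))
```

Record the printed SHA-256 digest somewhere other than the backup server so a restored bundle can be checked before it is imported onto a replacement firewall.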
Import named config snapshot
Imports a running or candidate configuration from any network location. Click Browse and select the configuration file to be imported.
Import device state
(Firewall only)
Imports the state information bundle that you exported from a firewall using the Export device state option. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the bundle also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.
Import Device Configuration to Panorama
(Panorama only)
Imports a firewall configuration into Panorama. Panorama automatically creates a template to contain the network and device configurations. For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to contain the policy and object configurations. The device groups will be one level below the Shared location in the hierarchy, though you can reassign them to a different parent device group after finishing the import (see Panorama > VMware NSX).
The content versions on Panorama (for example, Applications and Threats database) must be the same as or higher than the versions on the firewall from which you will import a configuration.
Configure the following import options:
  • Device—Select the firewall from which Panorama will import the configurations. The drop-down includes only firewalls that are connected to Panorama and are not assigned to any device group or template. You can select only an entire firewall, not an individual vsys.
  • Template Name—Enter a name for the template that will contain the imported device and network settings. For a multi-vsys firewall, the field is blank. For other firewalls, the default value is the firewall name. You cannot use the name of an existing template.
  • Device Group Name Prefix (multi-vsys firewalls only)—Optionally, add a character string as a prefix for each device group name.
  • Device Group Name—For a multi-vsys firewall, each device group has a vsys name by default. For other firewalls, the default value is the firewall name. You can edit the default names but cannot use the name of an existing device group.
  • Import devices' shared objects into Panorama's shared context—This option is selected by default, which means Panorama imports objects that belong to Shared in the firewall to Shared in Panorama.
    Panorama regards all objects as shared on a firewall without multiple virtual systems. If you clear this option, Panorama copies shared firewall objects into device groups instead of Shared. This setting has the following exceptions:
    • If a shared firewall object has the same name and value as an existing shared Panorama object, the import excludes that firewall object.
    • If the name or value of the shared firewall object differs from the shared Panorama object, Panorama imports the firewall object into each device group.
    • If a configuration imported into a template references a shared firewall object, Panorama imports that object into Shared regardless of whether you select this option.
    • If a shared firewall object references a configuration imported into a template, Panorama imports the object into a device group regardless of whether you select this option.
  • Rule Import Location—Select whether Panorama will import policies as pre-rules or post-rules. Regardless of your selection, Panorama imports default security rules (intrazone-default and interzone-default) into the post-rulebase.
    If Panorama has a rule with the same name as a firewall rule that you import, Panorama displays both rules. However, rule names must be unique: delete one of the rules before performing a commit on Panorama or else the commit will fail.
Device Operations
Reboot
To restart the firewall or Panorama, click Reboot Device. The firewall or Panorama logs you out, reloads the software (PAN-OS or Panorama) and active configuration, closes and logs existing sessions, and creates a System log entry that shows the name of the administrator who initiated the shutdown. Any configuration changes that were not saved or committed are lost (see Device > Setup > Operations).
If the web interface is not available, use the following operational CLI command:
> request restart system
Shutdown
To perform a graceful shutdown of the firewall or Panorama, click Shutdown Device or Shutdown Panorama and then click Yes on the confirmation prompt. Any configuration changes that have not been saved or committed are lost. All administrators will be logged off and the following processes will occur:
  • All login sessions will be logged off.
  • Interfaces will be disabled.
  • All system processes will be stopped.
  • Existing sessions will be closed and logged.
  • System Logs will be created that show the name of the administrator who initiated the shutdown. If this log entry cannot be written, a warning will appear and the system will not shut down.
  • Disk drives will be cleanly unmounted and the firewall or Panorama will be powered off.
You need to unplug the power source and plug it back in before you can power on the firewall or Panorama.
If the web interface is not available, use the following CLI command:
> request shutdown system
Restart Dataplane
To restart the data functions of the firewall without rebooting, click Restart Dataplane. This option is not available on Panorama, PA-200, PA-220, PA-800 Series, or VM-Series firewalls.
If the web interface is not available, use the following CLI command:
> request restart dataplane
On PA-7000 Series firewalls, each NPC has a dataplane, so you can restart the NPC to perform this operation by running the following command:
> request chassis restart slot 
Miscellaneous
Custom Logos
Use this option to customize any of the following:
Click the upload icon to upload an image file, the preview icon to preview an image, or the delete icon to remove a previously-uploaded image.
To return to the default logo, remove your entry and Commit.
For the Login Screen and Main UI options, clicking the preview icon displays the image as it will appear. If necessary, the firewall crops the image to fit. For PDF reports, the firewall automatically resizes the images to fit without cropping. In all cases, the preview displays the recommended image dimensions.
The maximum image size for any logo is 128KB. The supported file types are png, gif, and jpg. The firewall does not support image files that are interlaced or that contain alpha channels; such files interfere with PDF report generation. You might need to contact the illustrator who created an image to remove alpha channels or make sure the graphics software you are using does not save files with the alpha channel feature.
For information on generating PDF reports, see Monitor > PDF Reports > Manage PDF Summary.
SNMP Setup
Storage Partition Setup (Panorama only)
AWS CloudWatch Setup
Enable CloudWatch Monitoring
Select this option to enable the VM-Series firewall in AWS to connect to AWS CloudWatch (disabled by default). When enabled, the firewall publishes custom PAN-OS metrics on health status and utilization to CloudWatch. You can then monitor the metric of your choice in CloudWatch or create auto scaling policies to trigger alarms and take an action when the monitored metric reaches a specified threshold value.
This option is available only for the VM-Series firewall on AWS deployed using an IAM role with the correct permissions.
When you disable this option, the firewall does not publish metrics to CloudWatch or trigger any CloudWatch alarms or auto scaling group actions you defined.
CloudWatch Namespace
Enter a name to aggregate metrics published by all the firewalls that use this namespace. For example, create a namespace for all firewalls that secure an internet-facing application. Firewalls in the same namespace can belong to an auto scaling group across multiple Availability Zones within an AWS region.
The name must be a string with 1 to 255 characters and cannot begin with AWS/ (reserved for AWS services).
Update Interval (min)
The frequency (in minutes) at which the firewall publishes metrics to CloudWatch (range is 1 to 60; default is 5). For details on the metrics, refer to the VM-Series Deployment Guide.
