Device > Setup > Operations
You can perform the following tasks to manage the running and candidate configurations of the firewall and Panorama. If you’re using a Panorama virtual appliance, you can also use the settings on this page to configure Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode.
You must Commit Changes you make in the candidate configuration to activate those changes, at which point they become part of the running configuration. As a best practice, periodically Save Candidate Configurations.
You can use Secure Copy (SCP) commands from the CLI to export configuration files, logs, reports, and other files to an SCP server and import the files to another firewall or Panorama. However, because the log database is too large for an export or import to be practical on the following models, they do not support exporting or importing the entire log database: PA-7000 Series firewalls (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).
Revert to last saved config
Restores the default snapshot (.snapshot.xml) of the candidate configuration (the snapshot that you create or overwrite when you select ConfigSave Changes at the top right of the web interface).
Revert to running config
Restores the current running configuration. This operation undoes all the changes that all administrators made to the candidate configuration since the last commit. To revert only the changes of specific administrators, see Revert Changes.
Save named configuration snapshot
Creates a candidate configuration snapshot that does not overwrite the default snapshot (.snapshot.xml). Enter a Name for the snapshot or select an existing named snapshot to overwrite.
Save candidate config
Creates or overwrites the default snapshot of the candidate configuration (.snapshot.xml) with the current candidate configuration. This is the same action as when you select ConfigSave Changes at the top right of the web interface. To save only the changes of specific administrators, see Save Candidate Configurations.
Load named configuration snapshot (firewall)
Load named Panorama configuration snapshot
Overwrites the current candidate configuration with one of the following:
The configuration must reside on the firewall or Panorama onto which you are loading it.
Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. If you are loading an imported configuration, you must enter the master key of the firewall or Panorama from which you imported. After the load operation finishes, the master key of the firewall or Panorama onto which you loaded the configuration re-encrypts the passwords and private keys.
Load configuration version (firewall)
Load Panorama configuration version
Overwrites the current candidate configuration with a previous version of the running configuration that is stored on the firewall or Panorama.
Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. After the load operation finishes, the master key re-encrypts the passwords and private keys.
Export named configuration snapshot
Exports the current running configuration, a candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the specified name. You can save the snapshot in any network location.
Export configuration version
Exports a Version of the running configuration as an XML file.
Export Panorama and devices config bundle
Generates and exports the latest versions of the running configuration backup of Panorama and of each managed firewall. To automate the process of creating and exporting the configuration bundle daily to an SCP or FTP server, see Panorama > Device Deployment.
Export or push device config bundle
Prompts you to select a firewall and perform one of the following actions on the firewall configuration stored on Panorama:
These options are available only for firewalls running PAN-OS 6.0.4 and later releases.
Export device state
Exports the firewall state information as a bundle. In addition to the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect™ portal, the bundle also includes certificate information, a list of satellites that the portal manages, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.
Important: You must manually run the firewall state export or create a scheduled XML API script to export the file to a remote server. This should be done on a regular basis because satellite certificates often change.
To create the firewall state file from the CLI, from configuration mode run save device state. The file will be named device_state_cfg.tgz and is stored in /opt/pancfg/mgmt/device-state. The operational command to export the firewall state file is scp export device-state (you can also use tftp export device-state).
For information on using the XML API, refer to the PAN-OS and Panorama XML API Usage Guide .
Import named config snapshot
Imports a running or candidate configuration from any network location. Click Browse and select the configuration file to be imported.
Import device state
Imports the state information bundle that you exported from a firewall using the Export device state option. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the bundle also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.
Import Device Configuration to Panorama
Imports a firewall configuration into Panorama. Panorama automatically creates a template to contain the network and device configurations. For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to contain the policy and object configurations. The device groups will be one level below the Shared location in the hierarchy, though you can reassign them to a different parent device group after finishing the import (see Panorama > VMware NSX).
The content versions on Panorama (for example, Applications and Threats database) must be the same as or higher than the versions on the firewall from which you will import a configuration.
Configure the following import options:
To restart the firewall or Panorama, click Reboot Device. The firewall or Panorama logs you out, reloads the software (PAN-OS or Panorama) and active configuration, closes and logs existing sessions, and creates a System log entry that shows the name of the administrator who initiated the shutdown. Any configuration changes that were not saved or committed are lost (see Device > Setup > Operations).
If the web interface is not available, use the operational CLI command:
request restart system.
To perform a graceful shutdown of the firewall or Panorama, click Shutdown Device or Shutdown Panorama and then click Yes on the confirmation prompt. Any configuration changes that have not been saved or committed are lost. All administrators will be logged off and the following processes will occur:
You need to unplug the power source and plug it back in before you can power on the firewall or Panorama.
If the web interface is not available, use the following CLI command:
> request shutdown system
To restart the data functions of the firewall without rebooting, click Restart Dataplane. This option is not available on Panorama, PA-200, PA-220, PA-800 Series, or VM-Series firewalls.
If the web interface is not available, use the following CLI command:
> request restart dataplane.On a PA-7000 Series firewalls, each NPC has a dataplane so you can restart the NPC to perform this operation by running the
> request chassis restart slotcommand
Use this option to customize any of the following:
Click to upload an image file, to preview an image, or to remove a previously-uploaded image.
To return to the default logo, remove your entry and Commit.
For the Login Screen and Main UI options, clicking displays the image as it will appear. If necessary, the firewall crops the image to fit. For PDF reports, the firewall automatically resizes the images to fit without cropping. In all cases, the preview displays the recommended image dimensions.
The maximum image size for any logo is 128KB. The supported file types are png, gif, and jpg. The firewall does not support image files that are interlaced or that contain alpha channels; such files interfere with PDF report generation. You might need to contact the illustrator who created an image to remove alpha channels or make sure the graphics software you are using does not save files with the alpha channel feature.
For information on generating PDF reports, see Monitor > PDF Reports > Manage PDF Summary.
Storage Partition Setup (Panorama only)
AWS CloudWatch Setup
Enable CloudWatch Monitoring
Select this option to enable the VM-Series firewall in AWS to connect to AWS CloudWatch (disabled by default). When enabled, the firewall publishes custom PAN-OS metrics on health status and utilization to CloudWatch. You can then monitor the metric of your choice in CloudWatch or create auto scaling policies to trigger alarms and take an action when the monitored metric reaches a specified threshold value.
This option is available only for the VM-Series firewall on AWS deployed using an IAM role with the correct permissions.
When you disable this option, the firewall does not publish metrics to CloudWatch or trigger any CloudWatch alarms or auto scaling group actions you defined.
Enter a name to aggregate metrics published by all the firewalls that use this namespace. For example, create a namespace for all firewalls that secure an internet-facing application. Firewalls in the same namespace can belong to an auto scaling group across multiple Availability Zones within an AWS region.
The name must be a string with 1 to 255 characters and cannot begin with AWS/ (reserved for AWS services).
Update Interval (min)
The frequency (in minutes) at which the firewall publishes metrics to CloudWatch (range is 1 to 60; default is 5). For details on the metrics, refer to the VM-Series Deployment Guide.
Revert Panorama Configuration Changes
Revert Panorama Configuration Changes Revert operations replace settings in the current candidate configuration with settings from another configuration. Reverting changes is useful when you want ...
Save and Export Firewall Configurations
Save and Export Firewall Configurations Saving a backup of the candidate configuration to persistent storage on the firewall enables you to later revert to that ...
Save and Export Panorama and Firewall Configurations
Save and Export Panorama and Firewall Configurations Saving a backup of the candidate configuration to persistent storage on Panorama enables you to later restore that ...
Revert Firewall Configuration Changes
Revert Firewall Configuration Changes Revert operations replace settings in the current candidate configuration with settings from another configuration. Reverting changes is useful when you want ...
Migrate a Firewall to Panorama Management
Migrate a Firewall to Panorama Management When you import a firewall configuration, Panorama automatically creates a template to contain the imported network and device settings. ...
Migrate from an M-Series Appliance to a Panorama Virtual Appliance
Procedure to migrate from an M-Series appliance to a Panorama virtual appliance on Panorama 8.0 ...
Migrate from a Panorama Virtual Appliance to an M-Series Appliance
Migrate from a Panorama Virtual Appliance to an M-Series Appliance You can migrate the Panorama configuration from a Panorama virtual appliance to an M-Series appliance ...
Migrate from an M-100 Appliance to an M-500 Appliance
Migrate from an M-100 Appliance to an M-500 Appliance You can migrate the Panorama configuration and firewall logs from an M-100 appliance to an M-500 ...
Manage Panorama and Firewall Configuration Backups
Manage Panorama and Firewall Configuration Backups The running configuration on Panorama comprises all the settings that you have committed and that are therefore active. The ...