Save and Export Firewall Configurations

Saving a backup of the candidate configuration to persistent storage on the firewall enables you to later revert to that backup (see Revert Firewall Configuration Changes). This is useful for preserving changes that would otherwise be lost if a system event or administrator action causes the firewall to reboot. After rebooting, PAN-OS automatically reverts to the current version of the running configuration, which the firewall stores in a file named running-config.xml. Saving backups is also useful if you want to revert to a firewall configuration that is earlier than the current running configuration. The firewall does not automatically save the candidate configuration to persistent storage. You must manually save the candidate configuration as a default snapshot file (.snapshot.xml) or as a custom-named snapshot file. The firewall stores the snapshot file locally but you can export it to an external host.
You don’t have to save a configuration backup to revert the changes made since the last commit or reboot; just select
Config
Revert Changes
(see Revert Firewall Configuration Changes).
When you edit a setting and click
OK
, the firewall updates the candidate configuration but does not save a backup snapshot.
Additionally, saving changes does not activate them. To activate changes, perform a commit (see Commit, Validate, and Preview Firewall Configuration Changes).
Palo Alto Networks recommends that you back up any important configuration to a host external to the firewall.
  1. Save a local backup snapshot of the candidate configuration if it contains changes that you want to preserve in the event the firewall reboots.
    These are changes you are not ready to commit—for example, changes you cannot finish in the current login session.
    To overwrite the default snapshot file (.snapshot.xml) with all the changes that all administrators made, perform one of the following steps:
    • Select
      Device
      Setup
      Operations
      and
      Save candidate configuration
      .
    • Log in to the firewall with an administrative account that is assigned the Superuser role or an Admin Role profile with the
      Save For Other Admins
      privilege enabled. Then select
      Config
      Save Changes
      at the top of the web interface, select
      Save All Changes
      and
      Save
      .
    To create a snapshot that includes all the changes that all administrators made but without overwriting the default snapshot file:
    1. Select
      Device
      Setup
      Operations
      and
      Save named configuration snapshot
      .
    2. Specify the
      Name
      of a new or existing configuration file.
    3. Click
      OK
      and
      Close
      .
    To save only specific changes to the candidate configuration without overwriting any part of the default snapshot file:
    1. Log in to the firewall with an administrative account that has the role privileges required to save the desired changes.
    2. Select
      Config
      Save Changes
      at the top of the web interface.
    3. Select
      Save Changes Made By
      .
    4. To filter the Save Scope by administrator, click
      <administrator-name>
      , select the administrators, and click
      OK
      .
    5. To filter the Save Scope by location, clear any locations that you want to exclude. The locations can be specific virtual systems, shared policies and objects, or shared device and network settings.
    6. Click
      Save
      , specify the
      Name
      of a new or existing configuration file, and click
      OK
      .
  2. Export a candidate configuration, a running configuration, or the firewall state information to a host external to the firewall.
    Select
    Device
    Setup
    Operations
    and click an export option:
    • Export named configuration snapshot
      —Export the current running configuration, a named candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the
      Name
      you specify.
    • Export configuration version
      —Select a
      Version
      of the running configuration to export as an XML file. The firewall creates a version whenever you commit configuration changes.
    • Export device state
      —Export the firewall state information as a bundle. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.

Related Documentation