Device > Setup > Operations
You can perform the following tasks to manage the running
and candidate configurations of the firewall and Panorama™. If you’re
using a Panorama virtual appliance, you can also use the settings
on this page to configure Log
Storage Partitions for a Panorama Virtual Appliance in Legacy Mode.
You must Commit
Changes you make in the candidate configuration to activate
those changes at which point they become part of the running configuration.
As a best practice, periodically Save
Candidate Configurations.
You can use Secure Copy (SCP) commands from the CLI
to export configuration files,
logs, reports, and other files to an SCP server and import the files
to another firewall or Panorama M-Series or virtual appliance. However,
because the log database is too large for an export or import to
be practical, the following models do not support export or import
of the entire log database: PA-7000 Series firewalls (all PAN-OS®
releases), Panorama virtual appliances running Panorama 6.0 or later releases,
and Panorama M-Series appliances (all Panorama releases).
to export configuration files,
logs, reports, and other files to an SCP server and import the files
to another firewall or Panorama M-Series or virtual appliance. However,
because the log database is too large for an export or import to
be practical, the following models do not support export or import
of the entire log database: PA-7000 Series firewalls (all PAN-OS®
releases), Panorama virtual appliances running Panorama 6.0 or later releases,
and Panorama M-Series appliances (all Panorama releases).Function | Description |
|---|---|
Configuration Management | |
Revert to last saved configuration | Restores the default snapshot (.snapshot.xml)
of the candidate configuration (the snapshot that you create or
overwrite when you select at the top right
of the web interface). |
Revert to running config | Restores the current running configuration.
This operation undoes all changes that every administrator made
to the candidate configuration since the last commit. To revert
only the changes of specific administrators, see Revert
Changes. |
Save named configuration snapshot | Creates a candidate configuration snapshot
that does not overwrite the default snapshot (.snapshot.xml). Enter
a Name for the snapshot or select an existing
named snapshot to overwrite. |
Save candidate config | Creates or overwrites the default snapshot
of the candidate configuration (.snapshot.xml) with the current
candidate configuration. This is the same action as when you select at
the top right of the web interface. To save only the changes of
specific administrators, see Save
Candidate Configurations. |
Load named configuration snapshot ( firewall )or Load
named Panorama configuration snapshot | Overwrites the current candidate configuration
with one of the following:
The configuration
must reside on the firewall or Panorama onto which you are loading
it. Select the Name of the configuration
and enter the Decryption Key , which is the
master key of the firewall or Panorama (see Device
> Master Key and Diagnostics). The master key is required
to decrypt all the passwords and private keys within the configuration.
If you are loading an imported configuration, you must enter the
master key of the firewall or Panorama from which you imported.
After the load operation finishes, the master key of the firewall
or Panorama onto which you loaded the configuration re-encrypts
the passwords and private keys. |
Load configuration version ( firewall )or Load
Panorama configuration version | Overwrites the current candidate configuration
with a previous version of the running configuration that is stored
on the firewall or Panorama. Select the Name of
the configuration and enter the Decryption Key , which
is the master key of the firewall or Panorama (see Device
> Master Key and Diagnostics). The master key is required
to decrypt all the passwords and private keys within the configuration.
After the load operation finishes, the master key re-encrypts the
passwords and private keys. |
Export named configuration snapshot | Exports the current running configuration,
a candidate configuration snapshot, or a previously imported configuration
(candidate or running). The firewall exports the configuration as
an XML file with the specified name. You can save the snapshot in
any network location. |
Export configuration version | Exports a Version of
the running configuration as an XML file. |
Export Panorama and devices config bundle ( Panorama
only ) | Generates and exports the latest versions
of the Panorama running configuration backup and of each managed
firewall. To automate the process of creating and exporting the
configuration bundle daily to an SCP or FTP server, see Panorama
> Device Deployment. |
Export or push device config bundle ( Panorama
only ) | Prompts you to select a firewall and perform
one of the following actions on the firewall configuration stored
on Panorama:
These options are available only for firewalls
running PAN-OS 6.0.4 and later releases. |
Export device state ( Firewall
only ) | Exports the firewall state information as
a bundle. In addition to the running configuration, the state information
includes device group and template settings pushed from Panorama.
If the firewall is a GlobalProtect™ portal, the bundle also includes
certificate information, a list of satellites that the portal manages,
and satellite authentication information. If you replace a firewall
or portal, you can restore the exported information on the replacement
by importing the state bundle. You
must manually run the firewall state export or create a scheduled XML
API script to export the file to a remote server. This should be
done on a regular basis because satellite certificates often change. To
create the firewall state file from the CLI, from configuration
mode, run the save device state command.
The file will be named device_state_cfg.tgz and
is stored in /opt/pancfg/mgmt/device-state .
The operational command to export the firewall state file is scp export device-state (you
can also use tftp export device-state ).For
information on using the XML API, refer to the PAN-OS and Panorama XML API Usage Guide
. |
Import named config snapshot | Imports a running or candidate configuration
from any network location. Click Browse and
select the configuration file to be imported. |
Import device state ( Firewall
only ) | Imports the state information bundle you
exported from a firewall when you chose to Export device
state . Besides the running configuration, the state
information includes device group and template settings pushed from
Panorama. If the firewall is a GlobalProtect portal, the bundle
also includes certificate information, a list of satellites, and
satellite authentication information. If you replace a firewall
or portal, you can restore the information on the replacement by
importing the state bundle. |
Import Device Configuration to Panorama ( Panorama
only ) | Imports a firewall configuration into Panorama.
Panorama automatically creates a template to contain the network
and device configurations. For each virtual system (vsys)
on the firewall, Panorama automatically creates a device group to
contain the policy and object configurations. The device groups
will be one level below the Shared location in the hierarchy, though
you can reassign them to a different parent device group after finishing
the import (see Panorama
> VMware NSX). The content versions
on Panorama (for example, Applications and Threats database) must
be the same as or higher than the versions on the firewall from
which you will import a configuration. Configure the following
import options:
|
Device Operations | |
Reboot | To restart the firewall or Panorama, Reboot
Device . The firewall or Panorama logs you out, reloads
the software (PAN-OS or Panorama) and the active configuration,
closes and logs existing sessions, and creates a System log entry
that shows the name of the administrator who initiated the shutdown.
Any configuration changes that were not saved or committed are lost
(see Device
> Setup > Operations).If the web
interface is not available, use the following operational CLI command: request restart system |
Shutdown | To perform a graceful shutdown of the firewall
or Panorama, Shutdown Device or Shutdown
Panorama and then click Yes when prompted.
Any configuration changes that are not saved or committed are lost.
All administrators will be logged off and the following processes
will occur:
You must unplug the power
source and plug it back in before you can power back on the firewall
or Panorama. If the web interface is not available,
use the following CLI command: request shutdown system |
Restart Dataplane | Restart Dataplane to
restart the data functions of the firewall without rebooting. This
option is not available on Panorama or PA-200, PA-220, PA-800 Series,
or VM-Series firewalls.If the web interface
is not available, use the following CLI command: request restart dataplane request chassis restart slot . |
Miscellaneous | |
Custom Logos | Use Custom Logos to
customize any of the following:
Upload ( <image>
) an image file
to preview
it or delete (
) a previously-uploaded
image.To return to the default logo, remove your entry and Commit .For
the Login Screen and Main UI ,
you can display (
) the
image as it will appear; if necessary, the firewall crops the image
to fit. For PDF reports, the firewall automatically resizes the
images to fit without cropping. In all cases, the preview displays
the recommended image dimensions.The maximum image size for
any logo is 128KB. The supported file types are png and jpg. The
firewall does not support image files that are interlaced, images
that contain alpha channels, and gif file types because such files
interfere with PDF report generation. You might need to contact
the illustrator who created an image to remove alpha channels or
make sure the graphics software you are using does not save files
with the alpha channel feature. For information on generating
PDF reports, see Monitor
> PDF Reports > Manage PDF Summary. |
SNMP Setup | |
Storage Partition Setup ( Panorama only ) | |
AWS CloudWatch Setup | |
Enable CloudWatch Monitoring | Select this option to enable the VM-Series firewall on AWS to connect to
AWS CloudWatch (disabled by default). When enabled, the firewall publishes
custom PAN-OS® metrics on health status and utilization to CloudWatch.
You can then monitor the metric of your choice in CloudWatch or
create autoscaling policies to trigger alarms and take an action
when the monitored metric reaches a specified threshold value. This
option is available only for the VM-Series firewall on AWS deployed
using an IAM role with the correct permissions. When you disable
this option, the firewall does not publish metrics to CloudWatch
or trigger any CloudWatch alarms or auto scaling group actions you
defined. |
CloudWatch Namespace | Enter a name to aggregate metrics published
by all the firewalls that use this namespace. For example, create
a namespace for all firewalls that secure an internet-facing application.
Firewalls in the same namespace can belong to an auto scaling group
across multiple Availability Zones within an AWS region. The
name must be a string with 1 to 255 characters and cannot begin with AWS/ (reserved
for AWS services). |
Update Interval (min) | The frequency (in minutes)
at which the firewall publishes metrics to CloudWatch (range is
1 to 60; default is 5). For details on the metrics, refer to the VM-Series Deployment Guide. |
Azure Application
Insights Setup | |
Enable Application Insights | Select this option to enable
the VM-Series firewall on Azure to connect to
Azure Application Insights (disabled by default). When enabled,
the firewall publishes custom PAN-OS metrics on health status and resource
utilization to Application Insights. You can then monitor the metric
of your choice or create autoscaling policies to trigger alarms and
take an action when the monitored metric reaches a specified threshold
value. |
Azure Instrumentation Key | From the Azure portal, copy and
paste the instrumentation key for the Application Insights instance
that will receive the firewall metrics. This key is required to
link the Application Insights instance and the firewalls that send
data to it. |
Update Interval (min) | The frequency (in minutes)
at which the firewall publishes metrics to Application Insights
(range is 1 to 60; default is 5). For details on the metrics, refer
to the VM-Series Deployment Guide. |
Google Cloud Stackdriver
Monitoring Setup | |
Publish PAN-OS metrics to Stackdriver | Select to enable the VM-Series firewall on Google Cloud Platform to connect
to Google Cloud Stackdriver (disabled by default). When enabled,
the firewall publishes custom PAN-OS metrics on health status and
resource utilization to Google Cloud Stackdriver. You can then monitor
the metrics on the Stackdriver Monitoring Console or create alerting
policies and notifications when a monitored metric reaches a specified
threshold value. To publish metrics, you must have
a Google Stackdriver account and Stackdriver Monitoring must be
enabled for the Google Cloud project in which you have deployed
the firewall. |
Update Interval (min) | The frequency (in minutes) at which the
firewall publishes metrics to Google Cloud Stackdriver (range is
1 to 60; default is 5). For details on the metrics, refer to the VM-Series Deployment Guide. |
