Save and Export Firewall Configurations
Saving a backup of the candidate configuration to persistent storage on the firewall enables you to later revert to that backup (see Revert Firewall Configuration Changes). This is useful for preserving changes that would otherwise be lost if a system event or administrator action causes the firewall to reboot. After rebooting, PAN-OS automatically reverts to the current version of the running configuration, which the firewall stores in a file named running-config.xml. Saving backups is also useful if you want to revert to a firewall configuration that is earlier than the current running configuration. The firewall does not automatically save the candidate configuration to persistent storage. You must manually save the candidate configuration as a default snapshot file (.snapshot.xml) or as a custom-named snapshot file. The firewall stores the snapshot file locally but you can export it to an external host.
You don’t have to save a configuration backup to revert the changes made since the last commit or reboot; just select
(see Revert Firewall Configuration Changes).
When you edit a setting and click
OK, the firewall updates the candidate configuration but does not save a backup snapshot.
Additionally, saving changes does not activate them. To activate changes, perform a commit (see Commit, Validate, and Preview Firewall Configuration Changes).
Palo Alto Networks recommends that you back up any important configuration to a host external to the firewall.
- Save a local backup snapshot of the candidate configuration if it contains changes that you want to preserve in the event the firewall reboots.These are changes you are not ready to commit—for example, changes you cannot finish in the current login session.To overwrite the default snapshot file (.snapshot.xml) with all the changes that all administrators made, perform one of the following steps:
To create a snapshot that includes all the changes that all administrators made but without overwriting the default snapshot file:
- SelectandDeviceSetupOperationsSave candidate configuration.
- Log in to the firewall with an administrative account that is assigned the Superuser role or an Admin Role profile with theSave For Other Adminsprivilege enabled. Then selectat the top of the web interface, selectConfigSave ChangesSave All ChangesandSave.
To save only specific changes to the candidate configuration without overwriting any part of the default snapshot file:
- SelectandDeviceSetupOperationsSave named configuration snapshot.
- Specify theNameof a new or existing configuration file.
- Log in to the firewall with an administrative account that has the role privileges required to save the desired changes.
- Selectat the top of the web interface.ConfigSave Changes
- SelectSave Changes Made By.
- To filter the Save Scope by administrator, click, select the administrators, and click<administrator-name>OK.
- To filter the Save Scope by location, clear any locations that you want to exclude. The locations can be specific virtual systems, shared policies and objects, or shared device and network settings.
- ClickSave, specify theNameof a new or existing configuration file, and clickOK.
- Export a candidate configuration, a running configuration, or the firewall state information to a host external to the firewall.Selectand click an export option:DeviceSetupOperations
- Export named configuration snapshot—Export the current running configuration, a named candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with theNameyou specify.
- Export configuration version—Select aVersionof the running configuration to export as an XML file. The firewall creates a version whenever you commit configuration changes.
- Export device state—Export the firewall state information as a bundle. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.