When you use Panorama to generate a partial device state,
it replicates the configuration of the managed firewalls with a
few exceptions for Large Scale VPN (LSVPN) setups. You create the
partial device state by combining two facets of the firewall configuration:
Centralized configuration that Panorama manages—Panorama
maintains a snapshot of the shared policy rules and templates that
it pushes to firewalls.
Local configuration on the firewall—When you commit a configuration
change on a firewall, it sends a copy of its local configuration
file to Panorama. Panorama stores this file and uses it to compile
the partial device state bundle.
In an LSVPN setup,
the partial device state bundle that you generate on Panorama is
not the same as the version that you export from a firewall (by
). If you manually ran the device state
export or scheduled an XML API script to export the file to a remote
server, you can use the exported device state in your firewall replacement
If you did not export the device state, the device
state that you generate in the replacement workflow will not include
the dynamic configuration information, such as the certificate details
and registered firewalls, that is required to restore the complete
configuration of a firewall functioning as an LSVPN portal. See Before Starting RMA Firewall Replacement for more information.