Partial Device State Generation for Firewalls

When you use Panorama to generate a partial device state, it replicates the configuration of the managed firewalls with a few exceptions for Large Scale VPN (LSVPN) setups. You create the partial device state by combining two facets of the firewall configuration:
  • Centralized configuration that Panorama manages—Panorama maintains a snapshot of the shared policy rules and templates that it pushes to firewalls.
  • Local configuration on the firewall—When you commit a configuration change on a firewall, it sends a copy of its local configuration file to Panorama. Panorama stores this file and uses it to compile the partial device state bundle.
    In an LSVPN setup, the partial device state bundle that you generate on Panorama is not the same as the version that you export from a firewall (by selecting
    and clicking
    Export device state
    ). If you manually ran the device state export or scheduled an XML API script to export the file to a remote server, you can use the exported device state in your firewall replacement workflow.
    If you did not export the device state, the device state that you generate in the replacement workflow will not include the dynamic configuration information, such as the certificate details and registered firewalls, that is required to restore the complete configuration of a firewall functioning as an LSVPN portal. See Before Starting RMA Firewall Replacement for more information.
Panorama does not store the device state; you generate it on request using the CLI commands listed in Restore the Firewall Configuration after Replacement.

Related Documentation