Save and Export Panorama and Firewall Configurations
Table of Contents
9.1 (EoL)
Expand all | Collapse all
-
- Determine Panorama Log Storage Requirements
-
- Setup Prerequisites for the Panorama Virtual Appliance
- Perform Initial Configuration of the Panorama Virtual Appliance
- Set Up The Panorama Virtual Appliance as a Log Collector
- Set Up the Panorama Virtual Appliance with Local Log Collector
- Set up a Panorama Virtual Appliance in Panorama Mode
- Set up a Panorama Virtual Appliance in Management Only Mode
-
- Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode
- Add a Virtual Disk to Panorama on an ESXi Server
- Add a Virtual Disk to Panorama on vCloud Air
- Add a Virtual Disk to Panorama on AWS
- Add a Virtual Disk to Panorama on Azure
- Add a Virtual Disk to Panorama on Google Cloud Platform
- Add a Virtual Disk to Panorama on KVM
- Add a Virtual Disk to Panorama on Hyper-V
- Mount the Panorama ESXi Server to an NFS Datastore
-
- Increase CPUs and Memory for Panorama on an ESXi Server
- Increase CPUs and Memory for Panorama on vCloud Air
- Increase CPUs and Memory for Panorama on AWS
- Increase CPUs and Memory for Panorama on Azure
- Increase CPUs and Memory for Panorama on Google Cloud Platform
- Increase CPUs and Memory for Panorama on KVM
- Increase CPUs and Memory for Panorama on Hyper-V
- Complete the Panorama Virtual Appliance Setup
-
- Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector
- Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector
- Convert Your Production Panorama to an ELA Panorama
-
- Register Panorama
- Activate a Panorama Support License
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected
- Activate/Retrieve a Firewall Management License on the M-Series Appliance
- Install the Panorama Device Certificate
-
- Migrate from a Panorama Virtual Appliance to an M-Series Appliance
- Migrate a Panorama Virtual Appliance to a Different Hypervisor
- Migrate from an M-Series Appliance to a Panorama Virtual Appliance
- Migrate from an M-100 Appliance to an M-500 Appliance
- Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance
-
- Configure an Admin Role Profile
- Configure an Access Domain
-
- Configure a Panorama Administrator Account
- Configure Local or External Authentication for Panorama Administrators
- Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface
- Configure an Administrator with SSH Key-Based Authentication for the CLI
- Configure RADIUS Authentication for Panorama Administrators
- Configure TACACS+ Authentication for Panorama Administrators
- Configure SAML Authentication for Panorama Administrators
-
- Add a Firewall as a Managed Device
-
- Add a Device Group
- Create a Device Group Hierarchy
- Create Objects for Use in Shared or Device Group Policy
- Revert to Inherited Object Values
- Manage Unused Shared Objects
- Manage Precedence of Inherited Objects
- Move or Clone a Policy Rule or Object to a Different Device Group
- Push a Policy Rule to a Subset of Firewalls
- Manage the Rule Hierarchy
- Manage the Master Key from Panorama
- Redistribute User-ID Information to Managed Firewalls
-
- Plan the Transition to Panorama Management
- Migrate a Firewall to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall to Panorama Management and Push a New Configuration
- Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration
- Load a Partial Firewall Configuration into Panorama
- Localize a Panorama Pushed Configuration on a Managed Firewall
-
- Add Standalone WildFire Appliances to Manage with Panorama
- Configure Basic WildFire Appliance Settings on Panorama
- Remove a WildFire Appliance from Panorama Management
-
-
- Configure a Cluster and Add Nodes on Panorama
- Configure General Cluster Settings on Panorama
- Remove a Cluster from Panorama Management
- Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama
- Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama
- View WildFire Cluster Status Using Panorama
- Upgrade a Cluster Centrally on Panorama with an Internet Connection
- Upgrade a Cluster Centrally on Panorama without an Internet Connection
-
-
- Manage Licenses on Firewalls Using Panorama
-
- Supported Updates
- Schedule a Content Update Using Panorama
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
- Preview, Validate, or Commit Configuration Changes
- Enable Automated Commit Recovery
- Compare Changes in Panorama Configurations
- Manage Locks for Restricting Configuration Changes
- Add Custom Logos to Panorama
- Use the Panorama Task Manager
- Reboot or Shut Down Panorama
- Configure Panorama Password Profiles and Complexity
-
-
- Verify Panorama Port Usage
- Resolve Zero Log Storage for a Collector Group
- Replace a Failed Disk on an M-Series Appliance
- Replace the Virtual Disk on an ESXi Server
- Replace the Virtual Disk on vCloud Air
- Migrate Logs to a New M-Series Appliance in Log Collector Mode
- Migrate Logs to a New M-Series Appliance in Panorama Mode
- Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Log Collectors after Failure/RMA of Non-HA Panorama
- Regenerate Metadata for M-Series Appliance RAID Pairs
- Troubleshoot Registration or Serial Number Errors
- Troubleshoot Reporting Errors
- Troubleshoot Device Management License Errors
- Troubleshoot Automatically Reverted Firewall Configurations
- Complete Content Update When Panorama HA Peer is Down
- View Task Success or Failure Status
- Restore an Expired Device Certificate
- Downgrade from Panorama 9.1
End-of-Life (EoL)
Save and Export Panorama and Firewall Configurations
Saving a backup of the candidate configuration
to persistent storage on Panorama enables you to later restore that
backup (see Revert Panorama Configuration Changes).
Additionally, Panorama allows you to save and export the device
group, template, and template stack configurations that you specify.
This is useful for preserving changes that would otherwise be lost
if a system event or administrator action causes Panorama to reboot.
After rebooting, Panorama automatically reverts to the current version
of the running configuration, which Panorama stores in a file named running-config.xml.
Saving backups is also useful if you want to revert to a Panorama configuration
that is earlier than the current running configuration. Panorama
does not automatically save the candidate configuration to persistent
storage. You must manually save the candidate configuration as a
default snapshot file (.snapshot.xml) or as
a custom-named snapshot file. Panorama stores the snapshot file
locally but you can export it to an external host.
You
don’t have to save a configuration backup to revert the changes
made since the last commit or reboot; just select ConfigRevert Changes (see Revert Panorama Configuration Changes).
Palo
Alto Networks recommends that you back up any important configurations
to an external host.
- Save changes to the candidate configuration.
- To overwrite the default snapshot file (.snapshot.xml)
with all the changes that all administrators made, perform one of
the following steps:
- Select PanoramaSetupOperations and Save candidate Panorama configuration.
- Log in to Panorama with an administrative account that is assigned the Superuser role or an Admin Role profile with the Save For Other Admins privilege enabled. Then select ConfigSave Changes at the top of the web interface, select Save All Changes and Save.
- To overwrite the default snapshot (.snapshot.xml) with changes made by administrators to specific device group, template, or template stack configurations:
- Select PanoramaSetupOperations, Save candidate Panorama configuration, and Select Device Group & Templates.
- Select the specific device groups, templates, or template stacks to revert.
- Click OK to confirm the operation.
- (Optional) Select CommitCommit to Panorama and Commit your changes to overwrite the running configuration with the snapshot.
- To create a snapshot that includes all the changes that all
administrators made but without overwriting the default snapshot
file:
- Select PanoramaSetupOperations and Save named Panorama configuration snapshot.
- Specify the Name of a new or existing configuration file.
- Click OK and Close.
- To save only specific changes to the candidate configuration
without overwriting any part of the default snapshot file:
- Log in to Panorama with an administrative account that has the role privileges required to save the desired changes.
- Select ConfigSave Changes at the top of the web interface.
- Select Save Changes Made By.
- To filter the Save Scope by administrator, click <administrator-name>, select the administrators, and click OK.
- To filter the Save Scope by location, clear any locations that you want to exclude. The locations can be specific device groups, templates, Collector Groups, Log Collectors, shared settings, or the Panorama management server.
- Click Save, specify the Name of a new or existing configuration file, and click OK.
- To save a specific device group, template, or template stack configuration:
- Select PanoramaSetupOperations, Save named Panorama configuration snapshot, and Select Device Group & Templates.
- Select the specific device groups, templates, or template stacks to save.
- Click OK to confirm the operation.
- To overwrite the default snapshot file (.snapshot.xml)
with all the changes that all administrators made, perform one of
the following steps:
- Export a candidate or running configuration to a host
external to Panorama or to a firewall.You can schedule daily exports to an SCP or FTP server (see Schedule Export of Configuration Files) or export configurations on demand. To export on demand, select PanoramaSetupOperations and select one of the following options:
- Export named Panorama configuration snapshot—Export the current running configuration, a named candidate configuration snapshot, or a previously imported configuration (candidate or running). Panorama exports the configuration as an XML file with the Name you specify. Select Device Group & Templates to specify the device group, template, or template stack configurations to export.
- Export Panorama configuration version—Select a Version of the running configuration to export as an XML file. Select Device Group & Templates to specify the device group, template, or template stack configurations to export as an XML file.
- Export Panorama and devices config bundle—Generate and export the latest version of the running configuration backup of Panorama and of each managed firewall. To automate the process of creating and exporting the configuration bundle daily to a Secure Copy (SCP) or FTP server, see Schedule Export of Configuration Files.
- Export or push device config bundle—After
you import a firewall configuration into Panorama, Panorama creates
a firewall configuration bundle named <firewall_name>_import.tgz,
in which all local policies and objects are removed. You can then Export
or push device config bundle to perform one of the following
actions:
- Push & Commit the configuration bundle to the firewall to remove any local configuration from it, enabling you to manage the firewall from Panorama.
- Export the configuration to the firewall without loading it. When you are ready to load the configuration, log in to the firewall CLI and run the configuration mode command load device-state. This command cleans the firewall in the same way as the Push & Commit option.
The full procedure to Transition a Firewall to Panorama Management requires additional steps.