Palo Alto Networks Knowledgebase: How to Copy Configurations Between Firewalls

How to Copy Configurations Between Firewalls

Created On 08/05/19 19:57 PM - Last Updated 08/05/19 20:11 PM
Device Management Initial Configuration Installation QoS Zone and DoS Protection
Resolution

This document explains how to transfer URL filtering objects from one Palo Alto Networks firewall to another. Configurations can be copied between any two firewalls using either of the two methods below. The same process may be applied to transfer other configurations such as Anti-virus profiles, security policies and more.

 

Note: This document is recommended only for copying simple, independent entities such as security profiles, security policies, NAT policies, etc. These methods become complicated for configurations such as IPSec tunneling, SSL-VPN, GlobalProtect and User-ID because of the interdependence of the various entities. Also, the commands for Method 2 may vary based on the type of configuration to be copied.

 

Method 1

Copying part of the configuration from firewall "A" and adding it to firewall "B"

  1. Generate config file for firewall A.
    • From the GUI, navigate to: Device > Setup > Operations > Save named configuration snapshot. For example, give it a name: Config_FWA.
  2. Save the configuration on the computer.
    • From the GUI, navigate to: Device > Setup > Operations > Export named configuration snapshot.
  3. Choose file Config_FWA to save it on PC.
  4. Similarly generate a config file for firewall B and name it Config_FWB.
  5. Open Config_FWA in a text editor.
  6. Locate the section of code that needs to be transferred and copy it. For example, to copy a URL filtering object named "BlockWikipidia_TEST", copy the content starting from <entry name="BlockWikipidia_TEST"> to </entry>.

  7. Open Config_FWB in the text editor and paste the copied section in its respective location. In this example, it should be placed immediately after <Profiles><URL-filtering>.

  8. Save the changes to Config_FWB
  9. Import the Config_FWB to firewall B
    • From the GUI, navigate to: Device > Setup > Operations > Import named configuration snapshot.
    • Choose file Config_FWB
    • Click OK.
  10. Load the configuration onto the firewall.
    • From the GUI, navigate to: Device > Setup > Operations > Load named configuration snapshot.
    • Choose file Config_FWB
    • Click OK.
  11. Warnings regarding invalid references might occur. For example, if "BlockWikipidia_TEST" references custom URL categories, those categories are not transferred to firewall B unless the same custom URL categories are also configured on firewall B. In such cases, they will show as invalid references.
  12. Commit the changes on firewall B.

 

The appended configuration should now show up on firewall B as well.
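
Steps 5 to 11 of Method 1 can also be scripted. The following Python code is an added example, not Palo Alto Networks code: it copies the named entry between two constructed snapshots and reports custom URL categories that firewall B lacks (the invalid references of step 11). The lowercase element names, the `custom-url-category` section and the helper names are assumptions; a real exported snapshot nests these sections deeper.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed, simplified snapshots (assumed layout; real exports nest deeper).
CONFIG_FWA = """<config><profiles>
  <custom-url-category><entry name="Wiki_Sites">
    <list><member>wikipedia.org</member></list></entry></custom-url-category>
  <url-filtering><entry name="BlockWikipidia_TEST">
    <block><member>Wiki_Sites</member><member>gambling</member></block>
  </entry></url-filtering>
</profiles></config>"""
CONFIG_FWB = """<config><profiles>
  <url-filtering><entry name="Existing_Profile">
    <alert><member>news</member></alert></entry></url-filtering>
</profiles></config>"""

def custom_categories(root):
    """Names of custom URL categories defined in a snapshot."""
    path = ".//profiles/custom-url-category/entry"
    return {e.get("name") for e in root.findall(path)}

def copy_profile(src_xml, dst_xml, name, section="url-filtering"):
    """Copy <entry name=...> from src to dst.

    Returns (merged_xml, custom categories referenced but missing on dst).
    """
    src, dst = ET.fromstring(src_xml), ET.fromstring(dst_xml)
    entry = src.find(f".//profiles/{section}/entry[@name='{name}']")
    if entry is None:
        raise LookupError(f"{name!r} not found in source {section}")
    target = dst.find(f".//profiles/{section}")
    if target is None:
        raise LookupError(f"destination has no {section} section")
    if target.find(f"entry[@name='{name}']") is not None:
        raise ValueError(f"{name!r} already exists on destination")
    target.append(copy.deepcopy(entry))
    # Members that name a custom category on A but are undefined on B
    # would load as invalid references (step 11).
    referenced = {m.text for m in entry.iter("member")}
    missing = (referenced & custom_categories(src)) - custom_categories(dst)
    return ET.tostring(dst, encoding="unicode"), sorted(missing)

if __name__ == "__main__":
    merged, missing = copy_profile(CONFIG_FWA, CONFIG_FWB, "BlockWikipidia_TEST")
    print("missing custom URL categories on B:", missing)
```

Refusing to overwrite an entry that already exists on the destination keeps an existing profile on firewall B from being silently replaced before the snapshot is imported and loaded.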


Method 2

This method uses the CLI of firewall A to display the relevant configuration as a set of CLI commands, which can then be copied and pasted into firewall B's CLI.

  1. First, change the settings of the CLI window to log the session, and set the lines of scrollback to a larger value such as 10,000.
  2. Use the following command to set the CLI output format to display "set" commands in configuration mode:
    • >set cli config-output-format set
  3. Set paging to off using the command:
    • >set cli pager off
  4. Enter configure mode:
    • >configure
  5. Edit the profiles in configure mode:
    • #edit profiles url-filtering <name> (for this example: #edit profiles url-filtering BlockWikipidia_TEST)
  6. Use the show command to display all the URL filtering profile commands:
    • #show
  7. Copy the commands displayed above, either from the CLI or from the CLI log file.
  8. In the CLI for firewall "B", enter configure mode and right-click at the cursor, which pastes all the copied content.

    Note: Make sure that everything was copied and pasted to the other firewall.

  9. Commit the changes on firewall B.

 

The appended configuration should now show up on firewall B as well.

 

Related documents:

How to Load Partial Configurations

How to Load Partial Config for Application Groups

 

owner: dreputi


