Backing Up and Restoring Configurations


Created On 09/25/18 18:55 PM - Last Modified 04/21/20 00:20 AM


Learn how to restore a config from backup, the difference between Save and Commit and the various actions under Device > Setup > Operations > Configuration Management on the Palo Alto Networks next-generation firewall.






Difference between Save and Commit


There is a big difference between saved changes to the configuration file and committed changes to the file.

Palo Alto Networks allows the Admin to make changes and save them for future use. However, if the Admin commits the changes to the configuration file, the changes overwrite the running configuration and become immediately active.


Therefore, we advise you to save and back up the running configuration before making any changes to the configuration file. It's easy to make serious mistakes, and without a good backup, it can be difficult to reverse the changes and revert to the previous configuration.



Backing up and Restoring Configurations

The Palo Alto Networks operating system provides the Admin with the following options:


  • Validate: Validate candidate configuration
  • Revert: Revert to last saved configuration, Revert to running configuration
  • Save: Save named configuration snapshot, Save candidate configuration
  • Load: Load named configuration snapshot, Load configuration version
  • Export: Export named configuration snapshot, Export configuration version, Export device state
  • Import: Import named configuration snapshot, Import device state



Validate candidate configuration


Checks the candidate configuration for errors. The Palo Alto Networks operating system allows the Admin to validate configuration files that are saved but not committed. The validation process examines the config file for possible errors and conflicts and reports the results to the Admin. This is a useful function that can help avoid configuration mistakes or loading the wrong configuration file.





If you make a mistake in the configuration, the operating system allows you to quickly revert to the last saved config or the running config. There is a difference between the last saved config and the running config. These two options could be called 'one click' restores. They do not allow you to select which file to restore. The two options restore the config from two different sources:


  • Revert to last saved config restores the config from .snapshot.xml file
  • Revert to running config restores the config from running-config.xml file


Revert to last saved config


The Revert option restores the last saved candidate configuration from the local drive. The current candidate configuration is overwritten. An error occurs if the candidate configuration has not been saved. This is a quick restore that is very useful when working on 'hot' boxes.


The first prompt asks if you want to continue with the restore.



The second message informs you which file has been restored.




Please keep in mind that the Palo Alto device generates snapshots of running configs and saves them on its hard drive. The new versions of the running config are generated every time you make a change or click Commit. This is a very nice function which allows the admin to quickly revert the configuration in case of unintended changes.


Revert to running config


Restores the last running configuration from running-config.xml. The current running configuration is overridden. This option shows a difference between a snapshot taken when making the changes and the saved and committed running configuration. 


The first prompt asks if you want to continue with the restore.




The second message informs you which file has been restored.





Saving configuration files


There are two ways to save configuration files:


  • Save named configuration snapshot
  • Save candidate config


What is the difference, and why are there two options?




The Save named configuration snapshot option saves the candidate configuration to a file. Saving the configuration file does not override the running config. This function is very useful when creating a backup file or a test configuration file which can be downloaded for further modification or testing in a lab environment. You can either enter a file name or select an existing file to be overwritten. Note that the current active configuration file (running-config.xml) cannot be overwritten.


Save candidate config

Saves the candidate configuration in flash memory (same as clicking Save at the top of the page).


Load named configuration snapshot

Loads a candidate configuration from the active configuration (running-config.xml) or from a previously imported or saved configuration. Select the configuration file to be loaded. The current candidate configuration is overwritten.


Load configuration version

Loads a specified version of the configuration.



Export named configuration snapshot

Exports the active configuration (running-config.xml) or a previously saved or imported configuration. Select the configuration file to be exported. You can open the file and/or save it in any network location.


Export configuration version

Exports a specified version of the configuration.


Export Panorama and devices config bundle (Panorama only)

Manually generates and exports the latest versions of the running configuration backup of Panorama and of each managed firewall. To automate the process of creating and exporting the configuration bundle daily to an SCP or FTP server, see "Scheduling Configuration Exports."


Export device state (firewall only)

This feature is used to export the configuration and dynamic information from a firewall that is configured as a GlobalProtect Portal with the large scale VPN feature enabled. If the Portal experiences a failure, the export file can be imported to restore the Portal’s configuration and dynamic information.


The export contains a list of all satellite devices managed by the Portal, the running configuration at the time of the export, and all certificate information (Root CA, Server, and Satellite certificates).


Important: You must manually run the device state export or create a scheduled XML API script to export the file to a remote server. This should be done on a regular basis since satellite certificates may change often.


To create the device state file from the CLI, from configuration mode run save device state.

The file will be named device_state_cfg.tgz and is stored in /opt/pancfg/mgmt/device-state. The operational command to export the device state file is scp export device-state (you can also use tftp export device-state).

For information on using the XML API, see the XML API Usage Guide.
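
One way to script the device state export through the XML API, as an added example that is not from the original article: the hostname, API key and output path are placeholders supplied by the caller, and the X-PAN-KEY header assumes PAN-OS 9.0 or later. Because the bundle holds certificate information, the code rejects replies that are not a readable archive and writes the file with owner-only permissions.

```python
import hashlib
import io
import os
import tarfile
import urllib.parse
import urllib.request


def export_request(host, api_key):
    """Build the XML API request for a device state export."""
    query = urllib.parse.urlencode({"type": "export", "category": "device-state"})
    # Assumption: PAN-OS 9.0+; the X-PAN-KEY header keeps the key out of
    # URLs, shell history and proxy logs.
    return urllib.request.Request(
        f"https://{host}/api/?{query}", headers={"X-PAN-KEY": api_key}
    )


def verify_bundle(data):
    """Return the SHA-256 of a readable .tgz; reject anything else,
    such as an XML error reply saved under a .tgz name."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            names = tar.getnames()
    except (tarfile.TarError, OSError, EOFError) as exc:
        raise ValueError("export is not a valid .tgz archive") from exc
    if not names:
        raise ValueError("export archive is empty")
    return hashlib.sha256(data).hexdigest()


def store_bundle(data, path):
    """Verify, then write with owner-only permissions: the bundle
    contains certificate information."""
    digest = verify_bundle(data)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)  # also tightens a pre-existing file
    return digest


def backup(host, api_key, path):
    """Download and store one export; TLS verification stays on (default)."""
    with urllib.request.urlopen(export_request(host, api_key), timeout=60) as resp:
        return store_bundle(resp.read(), path)
```

Recording the returned digest alongside each scheduled export lets you confirm before an import that the stored file has not changed since it was taken.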


Import named config snapshot

Imports a configuration file from any network location. Click Browse and select the configuration file to be imported.


Import device state (firewall only)

Imports the device state information that was exported using the Export device state option. This includes the current running config, Panorama templates, and shared policies. If the device is a GlobalProtect Portal, the export includes the Certificate Authority (CA) information and the list of satellite devices and their authentication information.
