How to Save an Entire Configuration for Import into Another Palo Alto Networks Device
273147
Created On 09/25/18 19:37 PM - Last Modified 11/07/23 02:12 AM
Resolution
Overview
Importing an entire configuration into another Palo Alto Networks device may result of a device failure, replacement, or migration. The device configuration and security policy can be successfully exported and imported between devices as long as the following criteria are met:
- Identical hardware model (PA-500 to PA-500, PA-5020 to PA-5020, and so on.)
- Importing configurations between non-matching hardware versions is not currently supported.
- Identical major PAN-OS version (4.1.x to 4.1.x, 5.0.x to 5.0.x and 6.0.x)
- To import the configuration, upgrade the device to the same PAN-OS version prior to import.
Prerequisites
- Retrieve the licenses.
- After ensuring that the replacement is running the same PAN-OS version as the firewall that it is replacing download and install matching dynamic library updates, especially the Application and Threat database.
Steps
-
- Save a Named Configuration Snapshot.
- From the GUI, go to Device > Setup > Operations and select "Save named configuration snapshot."
- Alternatively, from the CLI, run the following commands:
> configure
# save config to 2014-09-22_CurrentConfig.xml
# exit
>
- From the GUI, go to Device > Setup > Operations and select "Save named configuration snapshot."
- Export a Named Configuration Snapshot.
- From the GUI, go to Device > Setup > Operations and select "Export named configuration snapshot":
- From the CLI:
> scp export configuration [tab for command help]
For example,
> scp export configuration from 2014-09-22_CurrentConfig.xml to username@scpserver/PanConfigs
Note: A single '/' specified after the username@scpserver denotes a path that begins in that user's home directory. Using '//' means a path that starts at the root of the file system.
- From the GUI, go to Device > Setup > Operations and select "Export named configuration snapshot":
- In the case of replacing a unit, first transfer the licenses from the serial number of the replaced unit to the serial number of the new unit on the Palo Alto Networks support portal.
- First, configure the Management Interface with the IP address specified in the config to be imported. Make sure the Management Interface can route to the internet.
- Retrieve the licenses.
- After ensuring that the replacement is running the same PAN-OS version as the firewall that it is replacing, also download and install matching dynamic library updates, especially the Application and Threat database.
- Import an existing device configuration.
- From the GUI, go to Device > Setup > Operations and click "Import named configuration snapshot":
- This can also be done from the CLI:
For example:
> scp import configuration username@scpserver/PanConfigs/2014-09-22_CurrentConfig.xml
- From the GUI, go to Device > Setup > Operations and click "Import named configuration snapshot":
- Load an imported configuration
- Save a Named Configuration Snapshot.
-
-
- From the GUI, go to Device > Setup > Operations and click "Load named configuration snapshot":
When the configuration has been selected, click OK and commit the configuration. - This can also be done from the CLI, for example:
> configure
# load config from 2014-09-22_CurrentConfig.xml
# commit
# exit
>
- From the GUI, go to Device > Setup > Operations and click "Load named configuration snapshot":
-
See Also
For more information about backup configuration options, see the Administrator's Guide for the PAN-OS version being used: Documentation .
owner: jjosephs