Palo Alto Networks Knowledgebase: How to Save an Entire Configuration for Import into Another Palo Alto Networks Device

How to Save an Entire Configuration for Import into Another Palo Alto Networks Device

50877
Created On 02/07/19 23:58 PM - Last Updated 02/07/19 23:58 PM
Device Management Initial Configuration Installation QoS Zone and DoS Protection
Resolution

Overview

Importing an entire configuration into another Palo Alto Networks device may result of a device failure, replacement, or migration. The device configuration and security policy can be successfully exported and imported between devices as long as the following criteria are met:

  1. Identical hardware model (PA-500 to PA-500, PA-5020 to PA-5020, and so on.)
    • Importing configurations between non-matching hardware versions is not currently supported.
  2. Identical major PAN-OS version (4.1.x to 4.1.x, 5.0.x to 5.0.x and 6.0.x)
    • To import the configuration, upgrade the device to the same PAN-OS version prior to import.

Prerequisites

  1. Retrieve the licenses.
  2. After ensuring that the replacement is running the same PAN-OS version as the firewall that it is replacing download and install matching dynamic library updates, especially the Application and Threat database.

Steps

    1. Save a Named Configuration Snapshot.
      1. From the GUI, go to Device > Setup > Operations and select "Save named configuration snapshot."
        SaveNamedConfiguration.jpg
      2. Alternatively, from the CLI, run the following commands:
        > configure
        # save config to 2014-09-22_CurrentConfig.xml
        # exit
        >

    2. Export a Named Configuration Snapshot.
      1. From the GUI, go to Device > Setup > Operations and select "Export named configuration snapshot":
        ExportNamedConfiguration.jpg
      2. From the CLI:
        > scp export configuration [tab for command help]
        For example,
        > scp export configuration from 2014-09-22_CurrentConfig.xml to username@scpserver/PanConfigs

        Note: A single '/' specified after the username@scpserver denotes a path that begins in that user's home directory. Using '//' means a path that starts at the root of the file system.

    3. In the case of replacing a unit, first transfer the licenses from the serial number of the replaced unit to the serial number of the new unit on the Palo Alto Networks support portal.
    4. First, configure the Management Interface with the IP address specified in the config to be imported. Make sure the Management Interface can route to the internet.
    5. Retrieve the licenses.
    6. After ensuring that the replacement is running the same PAN-OS version as the firewall that it is replacing, also download and install matching dynamic library updates, especially the Application and Threat database.
    7. Import an existing device configuration.
      1. From the GUI, go to Device > Setup > Operations and click "Import named configuration snapshot":
        ImportNamedConfiguration.jpg
      2. This can also be done from the CLI:
        For example:
        > scp import configuration username@scpserver/PanConfigs/2014-09-22_CurrentConfig.xml

    8. Load an imported configuration
      1. From the GUI, go to  Device > Setup > Operations and click "Load named configuration snapshot":
        LoadNameConfiguration.jpg
        When the configuration has been selected, click OK and commit the configuration.
      2. This can also be done from the CLI, for example:
        > configure
        # load config from 2014-09-22_CurrentConfig.xml
        # commit
        # exit
        >

See Also

For more information about backup configuration options, see the Administrator's Guide for the PAN-OS version being used: Documentation.

owner: jjosephs



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaOCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language