How to Retrieve the Palo Alto Networks Firewall Configuration in Maintenance Mode

Overview

In the event the Palo Alto Networks firewall is trapped in maintenance mode and a backup of the current configuration has not been saved, the configuration can be exported from the maintenance mode menu. The option to export the configuration in maintenance mode was introduced in PAN-OS 5.0.

This document describes the steps to export (by scp or tftp) the Tech Support File that contains the running configuration file of the Palo Alto Networks firewall.

Note: Prepare an SCP or TFTP server that is accessible from the Management Port (MGT) of the Palo Alto Networks firewall on the network.

Steps

1. Set up a connection (using Console cable) to the console port of the Palo Alto Networks firewall.
2. From maintenance mode, select " Log Files" and press Enter.
   
3. Select "Copy logs to an external location" and press Enter.
   
4. Enter required fields for the transfer: Server, Path, User, Password. In the following example, "scp" is checked as the transfer method.
   
5. Select "Submit" after entering the information and press Enter. The log copy status is displayed. The process may take a minute or two, depending on the size of the.tar.gz file.
   
6. A "copy success" message appears if all information was entered correctly and access to the SCP server was successful.
   

After a successful export, you may find the maint_logs.tar.gz (Tech Support File) file on the SCP server in the directory path specified. The running configuration of the firewall will be in: mgmt\saved-configs\running-config.xml. The firewall can be reset to factory default settings.