How to Export Device State of Managed Firewalls from Panorama
79004
Created On 04/02/19 12:58 PM - Last Modified 08/15/24 19:29 PM
Objective
If for any reason the device state cannot be generated and exported out of the firewall, the device states of these firewalls can be generated and exported from the managing Panorama.
Environment
- Any Panorama.
- Any PAN-OS.
Procedure
- Save the device state from Panorama CLI using the command “save device-state device <serial number>". The serial number at the end is the serial number of managed firewall. Note that you need to be in configure mode to run this command.
Example: Of the three managed devices, device state of serial number 0011000001 is generated on Panorama.
admin@panorama> configure
admin@panorama# save device-state device <tab>
0011000001 0011000001
0011000002 0011000002
0011000003 0011000003
admin@panorama#save device-state device 0011000001
Device state device_state_cfg.tgz created successfully
- Export the device state from Panorama using scp command using “scp export device-state device <serial number>”
Example below: Replace the destination (pantac@<scpserverip>:/home/) to match your environment.
admin@panorama> scp export device-state device 0011000001 to pantac@<scpserverip>:/home/
<snip>
pantac@<scpserverip>'s password:
device_state_cfg.tgz
Additional Information
NOTE: There is no option on the Panorama web interface to export the generated device-state (CLI-based Exports Only).
If the firewall's web interface is available through Panorama context switching, the device state can be collected from the firewall's Device > Setup > Operations.