Save and Export Firewall Configurations – Palo Alto Firewalls

Posted on by Summa Lai

Saving a backup of the candidate configuration to persistent storage on the firewall enables you to later revert to that backup (see Revert Firewall Configuration Changes). This is useful for preserving changes that would otherwise be lost if a system event or administrator action causes the firewall to reboot. After rebooting, PAN-OS automatically reverts to the current version of the running configuration, which the firewall stores in a file named running-config.xml. Saving backups is also useful if you want to revert to a firewall configuration that is earlier than the current running configuration. The firewall does not automatically save the candidate configuration to persistent storage. You must manually save the candidate configuration as a default snapshot file (.snapshot.xml) or as a custom-named snapshot file. The firewall stores the snapshot file locally but you can export it to an external host.You don’t have to save a configuration backup to revert the changes made since the last commit or reboot; just select ConfigRevert Changes (see Revert Firewall Configuration Changes).When you edit a setting and click OK, the firewall updates the candidate configuration but does not save a backup snapshot.Additionally, saving changes does not activate them. To activate changes, perform a commit (see Commit, Validate, and Preview Firewall Configuration Changes).Palo Alto Networks recommends that you back up any important configuration to a host external to the firewall.

  2. Save a local backup snapshot of the candidate configuration if it contains changes that you want to preserve in the event the firewall reboots.These are changes you are not ready to commit—for example, changes you cannot finish in the current login session.To overwrite the default snapshot file (.snapshot.xml) with all the changes that all administrators made, perform one of the following steps:
    • Select DeviceSetupOperations and Save candidate configuration.
    • Log in to the firewall with an administrative account that is assigned the Superuser role or an Admin Role profile with the Save For Other Admins privilege enabled. Then select ConfigSave Changes at the top of the web interface, select Save All Changes and Save.To create a snapshot that includes all the changes that all administrators made but without overwriting the default snapshot file:
    1. Select DeviceSetupOperations and Save named configuration snapshot.
    2. Specify the Name of a new or existing configuration file.
    3. Click OK and Close.To save only specific changes to the candidate configuration without overwriting any part of the default snapshot file:
    1. Log in to the firewall with an administrative account that has the role privileges required to save the desired changes.
    2. Select ConfigSave Changes at the top of the web interface.
    3. Select Save Changes Made By.
    4. To filter the Save Scope by administrator, click <administrator-name>, select the administrators, and click OK.
    5. To filter the Save Scope by location, clear any locations that you want to exclude. The locations can be specific virtual systems, shared policies and objects, or shared device and network settings.
    6. Click Save, specify the Name of a new or existing configuration file, and click OK.
  3. Export a candidate configuration, a running configuration, or the firewall state information to a host external to the firewall.Select DeviceSetupOperations and click an export option:
    • Export named configuration snapshot—Export the current running configuration, a named candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the Name you specify.
    • Export configuration version—Select a Version of the running configuration to export as an XML file. The firewall creates a version whenever you commit configuration changes.
    • Export device state—Export the firewall state information as a bundle. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.

Ref: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-configuration-backups/save-and-export-firewall-configurations