Palo Alto Notes 2
Backing up and Restoring Configurations
The Palo Alto Networks operating system provides the Admin with the following options:

| Operation | Options |
|---|---|
| Validate | Validate candidate configuration |
| Revert | Revert to last saved configuration; Revert to running configuration |
| Save | Save named configuration snapshot; Save candidate configuration |
| Load | Load named configuration snapshot; Load configuration version |
| Export | Export named configuration snapshot; Export configuration version; Export device state |
| Import | Import named configuration snapshot; Import device state |
Validate—Validate candidate configuration
Checks the candidate configuration for errors. PAN-OS lets the Admin validate a candidate configuration before it is committed. The validation examines the candidate for syntax errors and conflicting settings and reports them to the Admin. This is a useful function: mistakes are caught before a commit rather than after, and a wrong configuration file is not activated by accident.
Revert
If you make a mistake in the configuration, the operating system lets you quickly revert to either the last saved config or the running config. These are two different things, and the two options could be called 'one click' restores: they do not let you select which file to restore, each simply restores the candidate configuration from a fixed source:
- Revert to last saved config restores the candidate from the .snapshot.xml file (the candidate as it was when you last clicked Save)
- Revert to running config restores the candidate from the running-config.xml file (the configuration that was last committed)
Revert to last saved config
The Revert option restores the last saved candidate configuration from the local drive, overwriting the current candidate configuration. An error is reported if the candidate configuration has never been saved. This is a quick restore that is very useful when working on production ('hot') boxes.
The first prompt asks if you want to continue with the restore.
The second message informs you which file has been restored.
Keep in mind that the Palo Alto device also keeps snapshots of the running config on its hard drive: a new version of the running config is stored every time you click Commit (editing the candidate does not create one). This is a very useful function, because it lets the admin quickly go back to an earlier committed configuration (see Load configuration version below) in case of unintended changes.
Revert to running config
Restores the candidate configuration from the last committed running configuration (running-config.xml), discarding all uncommitted candidate changes; the running configuration itself is not touched. The difference from the previous option is the source: Revert to last saved config goes back to the candidate snapshot you saved while making changes, while Revert to running config goes back to what was actually committed and is running now.
The first prompt asks if you want to continue with the restore.
The second message informs you which file has been restored.
Saving configuration files
There are two ways to save configuration files
- Save named configuration snapshot
- Save candidate config
What is the difference and why there are two options?
The Save named configuration snapshot option saves the candidate configuration to a file. Saving the configuration file does not affect the running configuration. This function is very useful when creating a backup file or a test configuration file which can be downloaded for further modification or for testing in a lab environment. You can either enter a file name or select an existing file to be overwritten. Note that the current active configuration file (running-config.xml) cannot be overwritten.
Save candidate config
Saves the candidate configuration in flash memory (same as clicking Save at the top of the page).
Load named configuration snapshot
Loads a candidate configuration from the active configuration (running-config.xml) or from a previously imported or saved configuration file. Select the configuration file to be loaded. The current candidate configuration is overwritten, and nothing changes on the firewall until you commit.
Load configuration version
Loads a specified version of the configuration.
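Both Revert options and both Load options replace the candidate configuration wholesale, so it pays to see exactly what will be discarded or introduced before you click. The script below is an added example (not from the original post and not a Palo Alto Networks tool): it flattens two PAN-OS configuration XML files, for instance a running-config.xml and a saved candidate snapshot, both obtained with Export named configuration snapshot, into leaf paths keyed by entry name and prints what differs. The two embedded configurations are constructed samples; the file names on the command line are whatever you exported.

```python
"""Preview what a PAN-OS revert or load would change (added example, not vendor code)."""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed running configuration with one security rule.
RUNNING_XML = b"""<config version="9.1.0">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system><hostname>fw01</hostname></system></deviceconfig>
    <vsys><entry name="vsys1">
      <rulebase><security><rules>
        <entry name="allow-web">
          <from><member>trust</member></from>
          <to><member>untrust</member></to>
          <action>allow</action>
        </entry>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""

# Constructed sample: the candidate after someone flipped allow-web to deny and
# added a temporary any/any allow rule that was never meant to be committed.
CANDIDATE_XML = b"""<config version="9.1.0">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system><hostname>fw01</hostname></system></deviceconfig>
    <vsys><entry name="vsys1">
      <rulebase><security><rules>
        <entry name="allow-web">
          <from><member>trust</member></from>
          <to><member>untrust</member></to>
          <action>deny</action>
        </entry>
        <entry name="temp-any">
          <from><member>any</member></from>
          <to><member>any</member></to>
          <action>allow</action>
        </entry>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""


def _step(elem: ET.Element) -> str:
    """One path component; PAN-OS keys list items by the entry's name attribute."""
    name = elem.get("name")
    return f"{elem.tag}[@name='{name}']" if name is not None else elem.tag


def flatten(xml_bytes: bytes) -> dict[str, list[str]]:
    """Map each leaf path to its values; repeated <member> leaves collect into a list."""
    leaves: dict[str, list[str]] = {}

    def walk(elem: ET.Element, path: str) -> None:
        children = list(elem)
        if not children:
            leaves.setdefault(path, []).append((elem.text or "").strip())
            return
        for child in children:
            walk(child, f"{path}/{_step(child)}")

    root = ET.fromstring(xml_bytes)
    walk(root, "/" + _step(root))
    return leaves


def diff_configs(old_xml: bytes, new_xml: bytes) -> dict[str, dict]:
    """Leaf paths added in, removed from, or changed between old and new."""
    old, new = flatten(old_xml), flatten(new_xml)
    result: dict[str, dict] = {"added": {}, "removed": {}, "changed": {}}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            result["added"][path] = sorted(new[path])
        elif path not in new:
            result["removed"][path] = sorted(old[path])
        elif sorted(old[path]) != sorted(new[path]):  # member order is not significant
            result["changed"][path] = (sorted(old[path]), sorted(new[path]))
    return result


def report(diff: dict[str, dict]) -> list[str]:
    """One human-readable line per differing leaf."""
    lines = [f"- {p} = {v}" for p, v in diff["removed"].items()]
    lines += [f"+ {p} = {v}" for p, v in diff["added"].items()]
    lines += [f"~ {p}: {b} -> {a}" for p, (b, a) in diff["changed"].items()]
    return lines


if __name__ == "__main__":
    # Usage: python pan_cfg_diff.py running-config.xml candidate-snapshot.xml
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fa, open(sys.argv[2], "rb") as fb:
            old_cfg, new_cfg = fa.read(), fb.read()
    else:
        old_cfg, new_cfg = RUNNING_XML, CANDIDATE_XML
    print("\n".join(report(diff_configs(old_cfg, new_cfg))) or "no differences")
```

Run it with the running config as the first argument and the candidate snapshot as the second: every `+` and `~` line is what Revert to running config would discard, and reading the arguments the other way round shows what loading that snapshot would introduce. On the constructed sample the `temp-any` any/any rule stands out immediately, which is the kind of leftover you want to notice before it is committed.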
Export named configuration snapshot
Exports the active configuration (running-config.xml) or a previously saved or imported configuration. Select the configuration file to be exported. You can open the file and/or save it in any network location.
Export configuration version
Exports a specified version of the configuration.
Export Panorama and devices config bundle (Panorama only)
Manually generates and exports the latest versions of the running configuration backup of Panorama and of each managed firewall. To automate the process of creating and exporting the configuration bundle daily to an SCP or FTP server, see “Scheduling Configuration Exports."
Export device state (firewall only)
This feature is used to export the configuration and dynamic information from a firewall that is configured as a GlobalProtect Portal with the large scale VPN feature enabled. If the Portal experiences a failure, the export file can be imported to restore the Portal’s configuration and dynamic information.
The export contains a list of all satellite devices managed by the Portal, the running configuration at the time of the export, and all certificate information (Root CA, Server, and Satellite certificates).
Important: You must manually run the device state export or create a scheduled XML API script to export the file to a remote server. This should be done on a regular basis since satellite certificates may change often.
To create the device state file from the CLI, from configuration mode run save device state.
The file will be named device_state_cfg.tgz and is stored in /opt/pancfg/mgmt/device-state. The operational command to export the device state file is scp export device-state (you can also use tftp export device-state).
For information on using the XML API, see the XML API Usage Guide.
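The "scheduled XML API script" mentioned above, as an added example that is not part of the original post and not a Palo Alto Networks tool. It pulls the running configuration (type=export&category=configuration) and the device state bundle (type=export&category=device-state) from a firewall, checks that each reply really is the requested artifact rather than an XML error response (the API answers failures with XML regardless of what was asked for), and stores each file owner-read-only with a SHA-256 sidecar. Assumptions: the API is reachable at https://<host>/api/, the CA file mgmt-ca.pem and the account name backup-ro are local choices, and that account holds an admin role limited to what the backup needs rather than superuser. The embedded keygen reply is a constructed sample.

```python
"""Off-box PAN-OS backup over the XML API (added example, not vendor code)."""
from __future__ import annotations

import hashlib
import ssl
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample keygen reply; a real key is far longer.
SAMPLE_KEYGEN = b"<response status='success'><result><key>LUFRPT1example==</key></result></response>"


def parse_api_key(body: bytes) -> str:
    """Extract the key from a type=keygen reply, failing loudly on an error reply."""
    root = ET.fromstring(body)
    if root.get("status") != "success":
        raise RuntimeError("keygen failed: " + (root.findtext(".//msg") or body.decode(errors="replace")))
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen reply has no <key> element")
    return key


def looks_like_export(category: str, body: bytes) -> bool:
    """Errors come back as an XML <response>, never as the artifact, so check the payload."""
    if category == "device-state":
        return body[:2] == GZIP_MAGIC  # device_state_cfg.tgz is gzip-compressed
    if category == "configuration":
        try:
            return ET.fromstring(body).tag == "config"
        except ET.ParseError:
            return False
    raise ValueError(f"unknown export category {category!r}")


def backup_name(host: str, category: str, now: Optional[datetime] = None) -> str:
    """Timestamped name so successive runs never overwrite an earlier backup."""
    now = now or datetime.now(timezone.utc)
    ext = "tgz" if category == "device-state" else "xml"
    return f"{host}_{category}_{now.strftime('%Y%m%dT%H%M%SZ')}.{ext}"


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def write_with_digest(path: Path, body: bytes) -> str:
    """Write the artifact owner-read-only (it carries hashed credentials and keys) plus a .sha256 sidecar."""
    digest = sha256_hex(body)
    path.write_bytes(body)
    path.chmod(0o600)
    path.with_name(path.name + ".sha256").write_text(f"{digest}  {path.name}\n")
    return digest


def api_call(host: str, params: dict, api_key: Optional[str], ctx: ssl.SSLContext, post: bool = False) -> bytes:
    """Call https://host/api/ with the key in the X-PAN-KEY header rather than in the URL."""
    query = urllib.parse.urlencode(params)
    if post:
        req = urllib.request.Request(f"https://{host}/api/", data=query.encode())
    else:
        req = urllib.request.Request(f"https://{host}/api/?{query}")
    if api_key:
        req.add_header("X-PAN-KEY", api_key)
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        return resp.read()


def run(host: str, user: str, password: str, out_dir: Path, ctx: ssl.SSLContext) -> dict[str, str]:
    """Export both artifacts and return {category: sha256}."""
    # POST the credentials so they do not end up in URL, proxy or web-server logs.
    api_key = parse_api_key(api_call(host, {"type": "keygen", "user": user, "password": password}, None, ctx, post=True))
    out_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc)
    digests: dict[str, str] = {}
    for category in ("configuration", "device-state"):
        body = api_call(host, {"type": "export", "category": category}, api_key, ctx)
        if not looks_like_export(category, body):
            raise RuntimeError(f"{category} export failed: {body[:200]!r}")
        digests[category] = write_with_digest(out_dir / backup_name(host, category, stamp), body)
    return digests


if __name__ == "__main__":
    fw_host, fw_user, fw_password = sys.argv[1:4]  # e.g. fw01.example.net backup-ro '<password>'
    tls = ssl.create_default_context(cafile="mgmt-ca.pem")  # assumed CA file; never disable verification
    for cat, digest in run(fw_host, fw_user, fw_password, Path("backups"), tls).items():
        print(f"{cat}: sha256={digest}")
```

Schedule it from cron on the backup host so the device state bundle is refreshed as often as satellite certificates change. Two points matter for the backup store itself: the exported files contain the firewall's secrets in hashed or encrypted form and the device state bundle contains certificates, so the directory should be as tightly protected as the firewall's management interface, and the sidecar digest lets you prove the file you later import with Import device state is the one you exported.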
Import named config snapshot
Imports a configuration file from any network location. Click Browse and select the configuration file to be imported.
Import device state (firewall only)
Imports the device state information that was exported using the Export device state option. This includes the running config at the time of export, Panorama templates, and shared policies. If the device is a GlobalProtect Portal, the file also includes the Certificate Authority (CA) information and the list of satellite devices with their authentication information.
Palo Alto Networks firewalls have the following configuration types:
- Candidate Configuration
- Running Configuration
Whenever someone creates a new policy, or changes the settings of an existing security policy or of any other object such as a zone or virtual router, and clicks OK, the candidate configuration is created or updated. This working copy is the Candidate Configuration.
When the Commit button in the top right corner of the web UI is clicked, the candidate configuration is applied to the firewall and becomes the Running Configuration.
The same can be done from the CLI with the commit command in configuration mode:
admin@PA-500# commit
A candidate configuration never becomes active until it is committed to the running configuration, so always commit after creating or modifying configuration on the Palo Alto Networks firewall.