
101.1 101-Backup and Restore

The document discusses configuration management processes in Palo Alto firewalls. It explains that in Palo Alto firewalls, all configuration changes are made to the candidate configuration which resides in memory. The candidate configuration only becomes active when committed, overwriting the running configuration which resides in a separate memory space. It also describes ways to back up configurations through saving, loading, exporting and importing files, and methods for restoring or reverting configurations.

Uploaded by

Ayan

Backup and Restore:

o Startup-Config is the persistent copy of the configuration file, normally kept in NVRAM.
o Because this file is kept in NVRAM, the contents of the "Startup-Config" file are retained after a reboot.
o Running-Config is the device configuration currently in use and is stored in RAM on the device.
o If a Cisco device loses power, all the Running-Config commands will be lost.
o Palo Alto Firewalls use the opposite process: the persistent configuration is called the Running Config.
o When you change something, nothing happens yet; the change goes into what is called the Candidate Config.
o When you run a Commit, the Candidate Config becomes the permanent Running Config.

Candidate Configuration:
o When you change the configuration of existing parameters such as a Policy or a Zone
o in the PA Firewall and click OK, the Candidate Configuration is either created or updated.
o In the PA Firewall this type of configuration is called the Candidate Configuration.
o The Candidate Configuration resides in memory on the PA Management Plane.
o All configuration changes in the PA Firewall are made to the candidate configuration.
o The Candidate Configuration resides in memory on the control plane of the PA Firewall.

1 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


Running Configuration:
o When the Commit tab at the top right corner of the Web UI of the PA Firewall is clicked,
o or when the commit CLI command is typed in the configuration mode of the PA Firewall,
o the Candidate Configuration is applied to the Running Configuration of the PA Firewall.
o In the Palo Alto Networks Firewall this applied configuration is called the Running Configuration.
o The Running Configuration resides in memory on the Palo Alto Firewall Data Plane.

Save:
o Saving a config change basically saves the XML configuration to a file.
o Saving a config does not apply the changes to the current config file.
o Saving changes to the candidate configuration doesn't activate those changes.

Commit:
o Commit basically saves and applies the changes to the Palo Alto Networks Firewall.
o Commit writes the changes to the configuration file; the changes overwrite the running configuration.
o Committed changes overwrite the running configuration and become active.



Revert:
o If you make a mistake in the Palo Alto Networks Firewall configuration,
o PAN-OS allows you to quickly revert to the last saved config or the running config.
o There is a difference between the last saved config and the running config.
o These two options could be called 'One Click' configuration restores.
o Neither option allows you to select which file to restore from.
o The two options restore the config from two different sources.
o Revert to last saved config restores the config from the snapshot.xml file.
o Revert to running config restores the config from the running-config.xml file.

Revert to Last Saved Config:


o This option restores the last saved candidate configuration from the local drive.
o This option restores the default snapshot of the Candidate Configuration.
o This option restores the default snapshot named snapshot.xml.
o The current candidate configuration is overwritten by the new config.
o An error occurs if the candidate configuration has not been saved.
o This is a quick restore that is very useful when working on 'hot' boxes.



The first prompt asks if you want to continue with the restore.

The second message informs you which file has been restored.

Revert to Running Config:


o Restores the last running configuration from running-config.xml.
o The current running configuration is overridden.
o This option shows the difference between the snapshot taken when changes
o and the saved and committed running configuration.

The first prompt asks if you want to continue with the restore.

The second message informs you which file has been restored.



Saving Configuration Files:
o In the PA Firewall there are two ways to save configuration files:
o Save named configuration snapshot and Save candidate config.
o The Save named configuration snapshot option saves the candidate configuration to a file.
o Saving the configuration file does not override the running config.
o This function is very useful when creating a backup file or a test configuration file,
o which can be downloaded for further modification or testing in a lab environment.
o You can either enter a file name or select an existing file to be overwritten.

Save Candidate Config:


o Save candidate config saves the candidate configuration in flash memory.
o It creates or overwrites the default snapshot of the candidate configuration (.snapshot.xml).
o Save candidate config creates or overwrites it with the current candidate configuration.

Load Named Configuration Snapshot:


o Loads a candidate configuration from the active configuration (running-config.xml)
o or from a configuration previously imported to or saved on the Palo Alto Firewall.
o Select the configuration file to be loaded into the Palo Alto Firewall configuration.
o The current candidate configuration of the Palo Alto Firewall is overwritten.

Load Configuration Version:


o Loads a specified version of the configuration file from the Palo Alto Firewall.
o Overwrites the current candidate configuration with a previous version.

Export Named Configuration Snapshot:


o Exports the active configuration (running-config.xml).
o Or exports previously saved configuration.
o Select the configuration file to be exported.
o You can open the file and/or save it in any network location.

Export Configuration Version:


o Exports a specified version of the configuration.

Export Device State:


o This feature of the Firewall is used to export configuration and dynamic information
o from a GlobalProtect Portal configured with the large-scale VPN feature enabled.
o If the Portal experiences a failure, the export file can be imported to restore the Portal.



Import Named Config Snapshot:
o Imports a configuration file from any network location.
o Click Browse and select the configuration file to be imported.

Import Device State:


o Imports device state information that was exported using the Export device state option.
o This includes the current running config, Panorama templates, and shared policies.
o If the device is a GlobalProtect Portal, the export includes the Certificate Authority info
o and also the list of satellite devices and their authentication information.

Configuration Audit:
o Go to Device > Config Audit to see the differences between the configuration files.
o This page displays configurations side by side in separate panes & highlights differences.
o It shows the differences line by line, using colors to indicate Additions, Modifications, or Deletions.
o Additions are shown in Green, Modifications in Yellow, and Deletions in Red.



Verify Running Configuration:
o In the WebGUI, if the Commit button in the top-right corner of the Palo Alto firewall is greyed out,
o then all settings you see are committed and used as part of the running configuration.
o This means that in the Palo Alto Firewall the Candidate Configuration == Running Configuration.
o If the Commit button in the PA firewall is active, then there are some non-applied settings.

Preview Non-Committed Changes:


o Candidate Configuration == Running Configuration + Not-Committed Changes.
o To see those changes, press Commit and then the Preview Changes button.
o Enable pop-up windows in your browser to see the configuration difference,
o because in the Palo Alto Firewall Preview Changes opens a new browser window.
o From the Command Line Interface, run the command show config diff to see the difference.
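
The comparison described under Configuration Audit and Preview Non-Committed Changes can be reproduced offline on two exported configuration files. The following is an added example, not PAN-OS code and not part of the original notes: the XML samples are constructed and simplified, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified samples standing in for two exported config files.
RUNNING = """<config><rulebase><security><rules>
  <entry name="allow-web"><action>allow</action>
    <source><member>10.0.0.0/24</member></source></entry>
  <entry name="block-telnet"><action>deny</action></entry>
</rules></security></rulebase></config>"""
CANDIDATE = """<config><rulebase><security><rules>
  <entry name="allow-web"><action>allow</action>
    <source><member>any</member></source></entry>
  <entry name="block-telnet"><action>allow</action></entry>
  <entry name="temp-debug"><action>allow</action></entry>
</rules></security></rulebase></config>"""

def flatten(xml_text):
    """Map each element path to its text; entries are keyed by name, members by value."""
    out = {}
    def walk(node, prefix):
        text = (node.text or "").strip()
        key = node.get("name") or (text if node.tag == "member" else "")
        path = prefix + (node.tag + ("[%s]" % key if key else ""),)
        out[path] = text
        for child in node:
            walk(child, path)
    walk(ET.fromstring(xml_text), ())
    return out

def topmost(paths):
    """Report only the highest changed node of a subtree, rendered as a string."""
    seen = set(paths)
    return sorted("/".join(p) for p in paths if p[:-1] not in seen)

def config_audit(running_xml, candidate_xml):
    """Hypothetical helper: classify differences the way the audit view colors them."""
    old, new = flatten(running_xml), flatten(candidate_xml)
    return {
        "added": topmost([p for p in new if p not in old]),        # green
        "modified": sorted("/".join(p) for p in new
                           if p in old and new[p] != old[p]),      # yellow
        "deleted": topmost([p for p in old if p not in new]),      # red
    }

if __name__ == "__main__":
    for kind, paths in config_audit(RUNNING, CANDIDATE).items():
        for path in paths:
            print(kind, path)
```

Run against a saved snapshot and the exported running configuration, the same classification gives a reviewable change list before a commit.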



