Good Morning. Is there an easy way to clear out all configuration settings on a new Palo without having to go through the CLI to clear each item individually, or doing the same in the GUI? It is time-consuming to have to go in and delete the default Vwire, zones, and everything else that comes with a new appliance. Better yet, is it possible to order a new appliance without any configuration at all? We have appliances shipped directly to our remote locations and we build the configs in Panorama. However, pushing the configs always fails if we don't clear all of the factory settings first. To be honest, I really don't see any value in having any configuration whatsoever preinstalled on a new appliance.
You could remove all the config on the GUI/CLI and save the config. On the next one you ship out to site you just load in the config with items removed.
I will say though, the bootstrapping feature is available for situations like yours, do take a look:
hope this helps,
Will the bootstrap method delete the preconfigured items? We can't push our new to a new device from Panorama until they have been deleted from the device itself. I have not yet tried pushing a config from an appliance that has had everything already removed, but we are looking to eliminate as much extra work as necessary.
Any idea why Palo is insistent on sending these devices out with an initial configuration? I can understand delivering a preconfigured unit for a demo or PoC trial, but not for a purchased production unit. I'd also really like to be able to delete the two default policies, which serve no purpose in a production environment.
It's mostly industry standard at this point to have a bare bones configuration on the device to aid in setup and configuration for those new to the platform. The thought process goes that someone that is setting up the device for the first time may not be comfortable on the CLI so they need to provide access to the GUI without needing any initial config being done in the CLI interface.
Bootstrap is meant exactly for these types of situations where you can essentially pre-build the device to be able to reach Panorama, and then use Panorama to actually get it into the proper groups and push the config that they actually require in that location.
I'm curious how preconfiguring Vwire interfaces and zones helps with an initial setup, not to mention security policies that I would be willing to bet the vast majority of companies put at the bottom of the rule set below their Cleanup (explicit deny) rule.
It puts 1/1 and 1/2 into a vwire group. So if you were a SOHO, you could plug your router into 1/1 and your trusted switch into 1/2.
I worked through the bootstrap process yesterday without success. I'm still troubleshooting to see if I can isolate the issue. I posted another discussion on it this morning. In short, the process of preparing the USB is failing.