Config Backups Explained

L4 Transporter

Is there a KB article out there that explains what each type of config export is and what is included? Looking through our Palo Altos I can see these 6 different config exports...

Named Configuration Snapshot

Candidate Configuration

Configuration Version

Device State

(Panorama) Scheduled Config Export

(Panorama) Panorama and Devices Config Bundle

L3 Networker

Hello Jambulo,

Candidate configuration will overwrite the previous candidate configuration. It is not possible to go to a previously saved candidate version. Named configuration snapshot will save the candidate configuration to a file by giving it a name.

Every time save named configuration snapshot is clicked, it will create a new instance of the file and can be exported as a backup for later use using Export named configuration snapshot.

Device State - If the device has shared policies pushed from the Panorama, these policies will not be included on the device running configuration file and will be included in the 'device state' file.

(Panorama) Scheduled Config Export - you can schedule the export of running configurations from all managed devices in addition to its own running configurations.

Please refer to the link below to configure scheduled configuration export:

How to Schedule Configuration Export on Panorama?


Panorama and devices config bundle—This option is used to manually generate and export the latest version of the configuration backup of Panorama and that of each managed device. (exports configurations with password hashes)

Regards,

Jahnavi..

L6 Presenter

Validate candidate config

Checks the candidate configuration for errors.

Revert to last saved config

Restores the last saved candidate configuration from the local drive. The current candidate configuration is overwritten. An error occurs if the candidate configuration has not been saved.

Revert to running config

Restores the last running configuration. The current running configuration is overridden.

Save named configuration snapshot

Saves the candidate configuration to a file. Enter a file name or select an existing file to be overwritten. Note that the current active configuration file (running-config.xml) cannot be overwritten.

Save candidate config

Saves the candidate configuration in flash memory (same as clicking Save at the top of the page).

Load named configuration snapshot

Loads a candidate configuration from the active configuration (running-config.xml) or from a previously imported or saved configuration. Select the configuration file to be loaded. The current candidate configuration is overwritten.

Load configuration version

Loads a specified version of the configuration.

Export named configuration snapshot

Exports the active configuration (running-config.xml) or a previously saved or imported configuration. Select the configuration file to be exported. You can open the file and/or save it in any network location.

Export configuration version

Exports a specified version of the configuration.

Export device state

This feature is used to export the configuration and dynamic information from a firewall that is configured as a GlobalProtect Portal with the large scale VPN feature enabled. If the Portal experiences a failure, the export file can be imported to restore the Portal’s configuration and dynamic information.

The export contains a list of all satellite devices managed by the Portal, the running configuration at the time of the export, and all certificate information (Root CA, Server, and Satellite certificates).

Important: You must manually run the device state export or create a scheduled XML API script to export the file to a remote server. This should be done on a regular basis since satellite certificates may change often.

To create the device state file from the CLI, from configuration mode run save device state.
The file will be named device_state_cfg.tgz and is stored in /opt/pancfg/mgmt/device-state. The operational command to export the device state file is scp export device-state (you can also use tftp export device-state).

For information on using the XML API, refer to the document “PAN-OS XML-Based Rest API Usage Guide” at http://www.paloaltonetworks.com/documentation.

Import named config snapshot

Imports a configuration file from any network location.

Import device state

Import the device state information that was exported using the Export device state option. This includes the current running config, Panorama templates, and shared policies. If the device is a Global Protect Portal, the export includes the Certificate Authority (CA) information and the list of satellite devices and their authentication information.

L6 Presenter

Panorama

Scheduled Config Export

Panorama saves a backup of running configurations from all managed devices in addition to its own ru...Scheduled Config Export page to collect the running configurations from all of the managed devices, package them in one gzip file, and schedule the package for daily delivery to an FTP server or by using Secure Copy (SCP) to transfer data securely to a remote host. The files are in XML format with file names that are based on the device serial numbers.


L6 Presenter

Export Panorama and devices config bundle—This option is used to manually generate and export the latest version of the configuration backup of Panorama and that of each managed device. To automate the process of creating and exporting the configuration bundle daily to an SCP or FTP server, see Schedule Export of Configuration Files.

L7 Applicator

Don't know of a kb but if you select the help file right on that page you get a pretty detailed description, see below.

Named Configuration Snapshot-- use these to create ad-hoc backups during routine operations.  For example, right before a major configuration change or upgrade save a named configuration that can be restored if things go wrong.

Candidate Configuration--The working copy of the configuration that will be applied when you hit commit.

Configuration Version- These are the automatically created rollback versions of a configuration created when you hit commit.  They are numbered and date/time stamped.  Named configurations are easier to sort out and find if you know you might need to roll back.

Device State-- a bundle of files including certs and templates for a fuller backup.

(Panorama) Scheduled Config Export- Automatic shipping of your configurations to a file share for DR.

(Panorama) Panorama and Devices Config Bundle- larger bundle of all the devices and Panorama configuration saved out for DR.

Function

Description

Configuration Management

Validate candidate config

Checks the candidate configuration for errors.

Revert to last saved config

Restores the last saved candidate configuration from the local drive. The current candidate configur...

Revert to running config

Restores the last running configuration. The current running configuration is overridden.

Save named configuration snapshot

Saves the candidate configuration to a file. Enter a file name or select an existing file to be over...running-config.xml) cannot be overwritten.

Save candidate config

Saves the candidate configuration in flash memory (same as clicking Save at the top of the page).

Load named configuration snapshot

Loads a candidate configuration from the active configuration (running-config.xml) or from a previously imported or saved configuration. Select the configuration file to be loaded. The current candidate configuration is overwritten.

Load configuration version

Loads a specified version of the configuration.

Export named configuration snapshot

Exports the active configuration (running-config.xml) or a previously saved or imported configuration. Select the configuration file to be exported. You can open the file and/or save it in any network location.

Export configuration version

Exports a specified version of the configuration.

Export device state

This feature is used to export the configuration and dynamic information from a firewall that is con...

The export contains a list of all satellite devices managed by the Portal, the running configuration...

Important: You must manually run the device state export or create a scheduled XML API script to export the file to a remote server. This should be done on a regular basis since satellite certificates may change often.

To create the device state file from the CLI, from configuration mode run save device state.
The file will be named device_state_cfg.tgz and is stored in /opt/pancfg/mgmt/device-state. The operational command to export the device state file is scp export device-state (you can also use tftp export device-state).

For information on using the XML API, refer to the document “PAN-OS XML-Based Rest API Usage Guide” at http://www.paloaltonetworks.com/documentation.

Import named config snapshot

Imports a configuration file from any network location. Click Browse and select the configuration file to be imported.

Import device state

Import the device state information that was exported using the Export device state option. This inc...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
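
The help text quoted in both replies above says the device state export must be scripted through the XML API, and that the bundle carries certificate material, so the receiving side should check what it got and keep it owner-readable only. The following is an added example, not code from this thread or from Palo Alto Networks. It assumes the XML API export call `type=export&category=device-state` and the `X-PAN-KEY` header (PAN-OS 9.0 and later; older releases take the key as a `key=` parameter); the function names, the serial placeholder and the sample bundle are constructed for illustration.

```python
import io, os, tarfile, time, urllib.request

def fetch_device_state(host, api_key, timeout=60):
    """Download the device-state bundle; urllib keeps TLS certificate checks on."""
    req = urllib.request.Request(
        f"https://{host}/api/?type=export&category=device-state",
        headers={"X-PAN-KEY": api_key})  # header keeps the key out of URL logs
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def validate_bundle(data):
    """Return member names if data is a gzip tarball, else raise ValueError."""
    if data.lstrip()[:1] == b"<":  # API failures come back as an XML <response>
        raise ValueError("API returned XML, not a bundle: "
                         + data[:80].decode(errors="replace"))
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            names = tar.getnames()
    except (tarfile.TarError, OSError, EOFError) as exc:
        raise ValueError(f"not a gzip tar archive: {exc}")
    if not names:
        raise ValueError("bundle is empty")
    return names

def store_bundle(data, backup_dir, serial, now=None):
    """Validate, then write the bundle owner-readable only; returns the path."""
    validate_bundle(data)
    os.makedirs(backup_dir, mode=0o700, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    path = os.path.join(backup_dir, f"device_state_{serial}_{stamp}.tgz")
    # O_EXCL: never reuse (and inherit the wider mode of) an existing file
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def constructed_bundle():
    """Constructed stand-in for device_state_cfg.tgz (member name is made up)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = b"<config/>"
        info = tarfile.TarInfo("running-config.xml")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        p = store_bundle(constructed_bundle(), d, "SERIAL-PLACEHOLDER")
        print(p, oct(os.stat(p).st_mode & 0o777))
```

In a scheduled job, pass the result of `fetch_device_state()` to `store_bundle()` and read the API key from a protected file or secret store rather than the command line.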
L6 Presenter

If you ultimately wanted to define a periodic export for configuration backups, check out:

CLI Commands to Export/Import Configuration and Log Files

Re: export config through cli

L3 Networker

I would really like it if Panorama actually had the option to schedule an export of the device-state bundle, similar to exporting the config bundle.
