Hello friends, good evening. I am new to administering Panorama and therefore firewalls through the Panorama console and I have some doubts, mainly with backups, which I hope you can help and support me.
Understanding that example I have a firewall managed from Panorama M-200, the firewalls have part of their configuration managed through Devices-Groups and Template-Stack, the firewalls maintain some local settings such as some policies, some interface settings and at the MGT interface, among other settings.
That is to say, there is a mix, that is my doubt, for example if I take a backup directly in the Palo Alto firewalls the configuration and take a snapshot, the running config includes only the local configurations, not the configurations injected from Panorama. If a TechSupport is executed in this same firewall and I see the Merged config, there I see all the configuration (this file is not clean, nor sanitized to be used as restore).
According to what was mentioned in the previous paragraph, I understand that Panorama saves, in the Managed Devices/Summary section, backups of the changes that are made in the Palo Alto, and from what I have read, including the settings that are changed and configured locally. Where can these backups be obtained, that is, those XML? With the option "Export Panorama and devices config bundle" I understand that I make a backup of the configuration of both Panorama and the Palo Alto firewalls. Do these Backups from "Export Panorama and devices config bundle" include a full-backup of the Palo Alto firewall configuration? that is to say both the local configurations and those injected from Panorama ? Could this be considered a full backup? If so, in case of any failure, that full backup, if so, that full backup can be used to restore the complete configuration to a firewall thinking in a scenario of loss due to hardware error and that it does not have access to Panorama . If the Merged backup of a techsupport is used, it generates problems, since it is a file that is not sanitized or clean.
I hope you can help me with the above.
Thank you very much for your time, help and support.
Thank you for the post @Metgatz
when it comes to how Panorama is managing configuration backup of managed Firewalls, I would recommend to have a look into below articles:
From my own experience, the configuration backup from Panorama is good enough to restore Firewall after a complete failure.
Approximately 2 month ago, I had a complete failure of PA-5260. This Firewall was managed by Panorama, but also had some portions of configuration managed locally. After RMA device arrived, I used below steps to restore the configuration from Panorama.
1.) Navigate to: Panorama> Managed Devices> Summary> Backups and open latest version.
2.) Copy all configuration to new file and add below line to the top of the document:
then, save the file as xml. Without that line on the top, the configuration will fail to load.
3.) Import, load and commit the configuration to Firewall.
4.) After new Firewall's Serial Number is replaced: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljGCAS push Device Group and Template configuration.
By looking into what is included in the configuration backup from Panorama, it mostly includes local configuration, so it is still necessary to push Device Group and Template stack to get Panorama managed configuration to Firewall and make status in sync.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!