Backups and configurations locally


L2 Linker

Best regards

Equipment

I have 2 specific doubts that I would like the community to clarify for me.

1. I have a device managed by Panorama. Due to an incident that occurred, local configurations were made on the device, and several interfaces and policies were configured. As all the administration is being carried out in Panorama, and when management is recovered again from Panorama the existing template is totally different from the config that is in Palo Alto, the following questions arise: How do I make the configuration that was done locally synchronize with Panorama? What is the best way to carry out this process? Is it necessary to remove the device from Panorama and add it again? If the device is removed from Panorama, it will bring me to the existing configuration in the template. When carrying out this process, is the configuration that I made locally not deleted?

 

2. The second scenario I have is the following: I have 5 teams managed by Panorama. All 5 teams have a totally different DG and Template. I made a correct configuration on 1 computer and on the other computer I made a wrong configuration (due to human error or it was not required). I applied all the changes in a single commit and push. Realizing that I made a mistake, I would like to restore the previous configuration on the computer on which the configuration was unsuccessful, but not on the computer on which the configuration was successful. The question is: How should this backup restoration process be carried out solely and exclusively on the computer on which the configuration was incorrect? Should it be done locally on the computer? (Taking into account that if I export the config from the computer I only get a few XML lines.) (I assume there were many configurations and I don't remember all of them, therefore I want to load a backup.) I have tried to carry out this process by loading a version in Panorama, but doing so would also eliminate the device whose configuration was correct, and in summary>manage>backups, for a strange reason, an extremely old version appears, which would not help me either.

I look forward to your questions, suggestions and/or answers.

1 REPLY

L6 Presenter

Hi @afalfaro 

 

Below are my inputs to your questions.

 

  1. When you make configuration changes on a local firewall which is Panorama managed, you basically override the Panorama-pushed configuration and tell the firewall to use the local configuration done on the firewall. Yes, this process is followed in most issues or situations where you need to make changes and somehow it is not possible to push changes from Panorama. On the local firewall, you can identify whether a configuration is locally pushed or Panorama pushed based on the colors.

    A solid green color means it is Panorama pushed. An orange overlay on the green gear icon means the Panorama configuration was overridden and pushed locally.

Refer to this article to know more about it.

 

Now, if your issue is fixed and you want everything to be running smoothly from Panorama, then you can replicate all the changes on the Panorama template stacks to match those of the local firewall.

Once you have all the desired configuration available on Panorama, you need to push a configuration with FORCE TEMPLATE VALUES checked. This commit will override all the local settings/configuration. This includes locally configured objects as well as objects pushed from Panorama that were locally overwritten. If an object is locally configured on the firewall, but is not configured in a template or template stack, then it remains unchanged on the firewall and is not deleted. The setting is disabled by default and must be enabled (checked) on each push from Panorama to managed firewalls.


 

NOTE- You need to make sure all the desired configuration is done on the Panorama first before pushing it to the local firewalls.


2. For your 2nd question, the way to handle it is reverting the configuration based on the administrator. You can revert changes by selecting the specific user/admin who made the wrong changes.

So, only those specific changes will be reverted.

Kindly refer to this article to get more information.

 

Revert Firewall Configuration Changes (paloaltonetworks.com)



Hope it helps!

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks
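
Before the push with Force Template Values described in the reply above, it helps to know which local settings differ from the template and which exist only on the firewall. The following is an added example, not part of the original posts and not Palo Alto Networks code; it compares two constructed, simplified XML snippets, and the function names `flatten` and `drift` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified samples (not real device output): the firewall's
# local configuration and the configuration the Panorama template would push.
LOCAL_XML = """<config><network><interface><ethernet>
  <entry name="ethernet1/1"><layer3><mtu>1400</mtu></layer3><comment>uplink</comment></entry>
  <entry name="ethernet1/3"><layer3><mtu>1500</mtu></layer3></entry>
</ethernet></interface></network></config>"""
TEMPLATE_XML = """<config><network><interface><ethernet>
  <entry name="ethernet1/1"><layer3><mtu>1500</mtu></layer3><comment>uplink</comment></entry>
  <entry name="ethernet1/2"><layer3><mtu>1500</mtu></layer3></entry>
</ethernet></interface></network></config>"""


def flatten(xml_text):
    """Return {path: text} for every leaf, keying <entry> nodes by name."""
    leaves = {}

    def walk(node, path):
        name = node.get("name")
        here = f"{path}/{node.tag}" + (f"[@name='{name}']" if name else "")
        children = list(node)
        if not children:
            leaves[here] = (node.text or "").strip()
        for child in children:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return leaves


def drift(local_xml, template_xml):
    """Classify leaf settings by how a forced template push would treat them."""
    local, template = flatten(local_xml), flatten(template_xml)
    shared = local.keys() & template.keys()
    return {
        # Differs from the template: the forced push replaces the local value.
        "overridden": {p: (local[p], template[p])
                       for p in sorted(shared) if local[p] != template[p]},
        # Only on the firewall: per the reply it stays, unmanaged by Panorama.
        "local_only": sorted(local.keys() - template.keys()),
        # Only in the template: pushed from Panorama to the firewall.
        "template_only": sorted(template.keys() - local.keys()),
    }


if __name__ == "__main__":
    for kind, items in drift(LOCAL_XML, TEMPLATE_XML).items():
        print(kind, items)
```

Entries reported as `overridden` or `local_only` are the ones to replicate in the Panorama template stack first, if they are meant to be kept.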