The base configuration is the PanOS XML configuration file you intend to merge your migrated configuration into.
The reason there is no default base configuration installed is the assumption that there can be a number of different options for where your migrated configuration will be merged. Some examples are described below.
The base configuration can come from many sources depending on your migration target:
1) New migration base configuration, with no Panorama in the configuration path. The base configuration in this case is most likely the XML configuration from the hardware or VM firewall you intend to merge the migrated configurations into. You do not have to perform a factory default of the configuration. For new deployments it's recommended to first stage the firewall (HW or VM) by installing the licenses for the subscriptions, then updating the app/threat/url/wildfire/globalprotect databases prior to generating a base configuration. One can walk through the configuration to remove any unwanted configurations, but it is common to add additional configs such as mgmt IP, DNS, NTP and other settings in the configurations prior to saving a configuration snapshot, then using it as your base configuration.
2) New migration, no Panorama, but the migrated configurations will be merged into an existing firewall. The target here was to collapse multiple firewalls into a single Palo Alto firewall. This migration is commonly performed in phases (migrate and deploy FW config #1, then schedule the migration and deployment of FW config #2, ...). The base configuration used in this case will be the running configuration exported from the firewall that is in production.
3) New migration, Panorama will be used to manage the security policies and objects but not the networking (i.e. no Panorama templates). This configuration will have 2 base configurations. Base config #1 will be your Panorama configuration; the migrated security policies and objects (Address/services - associated groups) and other supporting configs (tags, log forwarding and threat profiles - from IronSkillet or existing from Panorama) will be merged into the appropriate Panorama device group. As the networking configuration will be managed on the firewall config locally, base config #2 will be from the firewall, which can use the steps from #1 or #2 above.
4) New migration, Panorama will manage security policies and objects and networking. For this case your base configuration will be your Panorama configuration and the migrated configurations will be merged into the appropriate Panorama device-group or template.
These are some examples of the needs and use cases behind the use of the base-config. Hope this helps, and more documentation is coming up for Expedition.
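Added example, not part of the original post or of Expedition: a pre-merge check that reads an exported configuration file, reports whether it looks like a firewall or a Panorama base configuration, and confirms that the device-group or template you plan to merge into exists. The element paths follow the usual PAN-OS XML layout; the sample XML is constructed and trimmed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed stand-ins for exported configuration files.
FIREWALL_XML = """<config version="10.1.0"><devices><entry name="localhost.localdomain">
  <deviceconfig><system><hostname>fw-stage-01</hostname></system></deviceconfig>
  <vsys><entry name="vsys1"><address/></entry></vsys>
</entry></devices></config>"""

PANORAMA_XML = """<config version="10.1.0"><devices><entry name="localhost.localdomain">
  <device-group><entry name="DG-Branch"/><entry name="DG-DC"/></device-group>
  <template><entry name="TPL-Network"/></template>
</entry></devices></config>"""

DEV = "./devices/entry/"  # everything of interest sits under the device entry


def describe_base_config(xml_text):
    """Summarise where a migrated configuration could be merged into this base."""
    root = ET.fromstring(xml_text)
    if root.tag != "config":
        raise ValueError(f"root element is <{root.tag}>, expected <config>")

    def names(path):
        return [e.get("name") for e in root.findall(DEV + path)]

    info = {
        "hostname": root.findtext(DEV + "deviceconfig/system/hostname"),
        "vsys": names("vsys/entry"),
        "device_groups": names("device-group/entry"),
        "templates": names("template/entry"),
    }
    # Heuristic: device-groups or templates mean Panorama, a vsys means firewall.
    if info["device_groups"] or info["templates"]:
        info["kind"] = "panorama"
    else:
        info["kind"] = "firewall" if info["vsys"] else "unknown"
    return info


def missing_targets(info, device_group=None, template=None):
    """List the requested merge targets that the base configuration lacks."""
    missing = []
    if device_group and device_group not in info["device_groups"]:
        missing.append(f"device-group {device_group}")
    if template and template not in info["templates"]:
        missing.append(f"template {template}")
    return missing


if __name__ == "__main__":
    for xml_text in (FIREWALL_XML, PANORAMA_XML):
        print(describe_base_config(xml_text))
```

A "firewall" result corresponds to the base configuration of cases 1 and 2 (and base config #2 of case 3); a "panorama" result corresponds to cases 3 and 4, where `missing_targets` catches a device-group or template that has not been created yet.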