PAN-OS Configuration Management – PCNSA

source link: https://rowelldionicio.com/pan-os-configuration-management-pcnsa/


May 30, 2022 By Rowell Leave a Comment

The configuration of a Palo Alto Networks firewall is kept in one of two configuration stores. The PCNSA requires that you know how the firewall maintains configuration, including saving, loading, reverting, and committing.


There are two configuration stores you should be aware of:

  • Candidate configuration
  • Running configuration

You can make changes to the firewall configuration using either the web GUI or CLI.

Navigate to Device > Setup > Operations > Configuration Management to view these operations.


Location of Configuration Management on PAN-OS

Candidate Configuration

Any change you make to the configuration is made to the Candidate Configuration. It is not applied to the firewall until you commit the change.

The Candidate Configuration lives in control-plane memory. A commit validates those changes, activates them, and places them in the Running Configuration.

There is a distinction between saving and committing your configuration. Saving a configuration, in the Palo Alto Networks world, writes the current Candidate Configuration to a snapshot file. The saved changes are not active. They are not installed or implemented on the firewall.

A saved Candidate Configuration is kept in persistent storage. It is a snapshot. Unsaved candidate changes live only in memory: if you make changes, do not save or commit, and reboot the firewall, those changes are gone.

Committing is the act of installing the changes stored in the Candidate Configuration into the Running Configuration.

Running Configuration

The Running Configuration is kept in a file named running-config.xml. This file is the active configuration the firewall uses during operation, and it persists across a reboot.

The Running Configuration lives in data-plane memory.

Configuration changes are activated from the Candidate Configuration during the Commit process.

It is possible to save snapshots of the Running Configuration. A saved snapshot or an earlier configuration version can be loaded into the Candidate Configuration and then committed, which replaces the current running-config.xml file.

Configuration Operations

There are various operations that can be performed on the Candidate Configuration and Running Configuration. They are:

  • Save
  • Load
  • Export
  • Import
  • Revert

Know the differences between each one and when it should be used.

A Save operation creates a snapshot of the Candidate Configuration. There is a default snapshot file named snapshot.xml. It is also possible to create a named configuration snapshot, which does not overwrite this file.

One possible scenario that comes to mind is creating a backup of the configuration with a date and time or special name such as “backup-before-firewall-rule-purge-5-26-2022.xml”. Or it could be used to save the Candidate Configuration to export and import into another firewall.


Saving a Named Configuration in PAN-OS

If you’d like to save the Candidate Configuration to the snapshot.xml file, click Save candidate configuration.

Back up your configurations to files and store them safely off the firewall. There may come a time when you need to load that configuration file onto the firewall, or you may be loading a template configuration onto a new firewall. Treat the backup as sensitive: an exported configuration contains administrator password hashes and other secrets.

The Load operation comes in handy for loading a named configuration snapshot file or a configuration version. Either one replaces the current Candidate Configuration; the loaded configuration does not become active until you commit it.

When loading a configuration snapshot, you select the file from the dropdown list.


Loading a Named Configuration in PAN-OS

Loading a configuration version lets you go back to a previously committed configuration.

It is useful for returning to a previous configuration that worked, to back out changes you have just committed. The dropdown lists each version by the date and time of its commit. After loading the version, commit it to make it the Running Configuration again.


Loading a Versioned Configuration

Export

The Export function saves a configuration to a file kept off of the firewall. You can export a named configuration snapshot to an XML file and import it into another firewall of the same or a similar model.


Export a Named Configuration in PAN-OS

Export Versioned Configuration is similar, except that you select a specific committed configuration version to save off of the firewall.
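Once exported configurations are kept off the firewall, the obvious next step is to compare two of them, for example the "backup-before-firewall-rule-purge" snapshot from above against the export taken after the purge, to confirm that only the intended rules changed. The following is an added example, not code from the original post or from Palo Alto Networks. It parses the security rulebase out of two exported running-config.xml files and reports the rules added, removed, or changed between them, names a backup file with a timestamp, and fingerprints the export so an off-box copy can be checked for tampering. The two configurations are constructed, abbreviated samples embedded inline; only the element layout (devices/vsys/rulebase/security/rules) follows a real PAN-OS export. The XPath assumes a single-vsys firewall, and the helper names are this example's own.

```python
"""Diff two exported PAN-OS configuration snapshots by security rule.

Added example (not part of the original article): the configurations below
are constructed, abbreviated samples that follow the element layout of a real
running-config.xml export.
"""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

# Security rulebase location inside an export (single-vsys firewall assumed).
RULES_XPATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"
# Rule fields compared as sets of <member> values; <action> is compared as a scalar.
MEMBER_FIELDS = ("from", "to", "source", "destination", "application", "service")


def _sample_config(rules):
    """Build a constructed running-config.xml from (name, applications, action) tuples."""
    entries = []
    for name, apps, action in rules:
        members = "".join(f"<member>{a}</member>" for a in apps)
        entries.append(
            f'<entry name="{name}"><from><member>trust</member></from>'
            f"<to><member>untrust</member></to><source><member>any</member></source>"
            f"<destination><member>any</member></destination>"
            f"<application>{members}</application>"
            f"<service><member>application-default</member></service>"
            f"<action>{action}</action></entry>"
        )
    return (
        '<config version="10.1.0"><devices><entry name="localhost.localdomain">'
        '<vsys><entry name="vsys1"><rulebase><security><rules>'
        + "".join(entries)
        + "</rules></security></rulebase></entry></vsys></entry></devices></config>"
    )


# Constructed "before" and "after" exports: the purge removes legacy-telnet
# and also (perhaps unintentionally) drops ssl from allow-web.
BEFORE_XML = _sample_config([
    ("allow-web", ["web-browsing", "ssl"], "allow"),
    ("legacy-telnet", ["telnet"], "allow"),
    ("deny-all", ["any"], "deny"),
])
AFTER_XML = _sample_config([
    ("allow-web", ["web-browsing"], "allow"),
    ("deny-all", ["any"], "deny"),
])


def parse_rules(xml_text):
    """Return {rule name: {field: frozenset(members), ..., "action": str}} from an export."""
    root = ET.fromstring(xml_text)
    rules = {}
    for entry in root.findall(RULES_XPATH):
        rule = {f: frozenset(m.text for m in entry.findall(f"./{f}/member")) for f in MEMBER_FIELDS}
        rule["action"] = entry.findtext("action")
        rules[entry.get("name")] = rule
    return rules


def diff_rules(before, after):
    """List rules added, removed, and changed (with the differing fields) between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for name in sorted(set(before) & set(after)):
        fields = [f for f in (*MEMBER_FIELDS, "action") if before[name][f] != after[name][f]]
        if fields:
            changed[name] = fields
    return {"added": added, "removed": removed, "changed": changed}


def backup_name(label, when=None):
    """Timestamped file name in the spirit of 'backup-before-firewall-rule-purge-5-26-2022.xml'."""
    when = when or datetime.now()
    return f"{label}-{when:%Y%m%d-%H%M}.xml"


def fingerprint(xml_text):
    """SHA-256 of the exported file, recorded beside the off-box backup to detect tampering or drift."""
    return hashlib.sha256(xml_text.encode()).hexdigest()


if __name__ == "__main__":
    print(backup_name("backup-before-firewall-rule-purge"), fingerprint(BEFORE_XML)[:16])
    for kind, items in diff_rules(parse_rules(BEFORE_XML), parse_rules(AFTER_XML)).items():
        print(f"{kind}: {items}")
```

Run against real exports by replacing the two constructed strings with the contents of the files pulled from Device > Setup > Operations > Export. The diff makes the change visible in the terms an auditor cares about (which rule, which field) rather than as a raw XML diff, and the recorded fingerprint lets you confirm later that the stored backup is the one you exported.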

Import

The exact opposite of Export 🙂 In this operation you take a saved configuration file and import it into the firewall. You will be prompted to select the file from your computer. The file is stored on the firewall, but the configuration is not activated: you must load it into the Candidate Configuration afterwards and then commit it.

Revert

Hopefully, you won’t need to use this operation. It lets you quickly discard the current Candidate Configuration and go back to either the last saved configuration or the running configuration.

Revert to last saved config replaces the Candidate Configuration with the contents of the snapshot.xml file.

Revert to running config replaces the Candidate Configuration with the contents of the running-config.xml file, throwing away every uncommitted change.

Be cautious with this operation, because once you click Yes it performs the revert immediately. One click, and any unsaved candidate changes are gone.

Revert configuration

It’s my preference to avoid using Revert and opt to use one of the other operations above.
