Device > Setup > Operations
You can perform the following tasks to manage the running and candidate configurations of the firewall and Panorama™. If you're using a Panorama virtual appliance, you can also use the settings on this page to configure Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode.

You must Commit Changes you make in the candidate configuration to activate those changes, at which point they become part of the running configuration. As a best practice, periodically Save Candidate Configurations.

You can use Secure Copy (SCP) commands from the CLI to export configuration files, logs, reports, and other files to an SCP server and import the files to another firewall or Panorama M-Series or virtual appliance. However, because the log database is too large for an export or import to be practical, the following models do not support export or import of the entire log database: PA-7000 Series firewalls (all PAN-OS® releases), Panorama virtual appliances running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).

Function | Description |
---|---|
Configuration Management | |
Revert to last saved configuration | Restores the default snapshot (.snapshot.xml) of the candidate configuration (the snapshot that you create or overwrite when you select Config > Save Changes at the top right of the web interface). (Panorama only) Select Device Groups & Templates to select specific device group, template, or template stack configurations to revert. Device Group and Template Admins can only select the device groups, templates, or template stacks designated in their assigned access domain. |
Revert to running config | Restores the current running configuration. This operation undoes all changes that every administrator made to the candidate configuration since the last commit. To revert only the changes of specific administrators, see Revert Changes. (Panorama only) Select Device Groups & Templates to select specific device group, template, or template stack configurations to revert. Device Group and Template Admins can only select the device groups, templates, or template stacks designated in their assigned access domain. |
Save named configuration snapshot | Creates a candidate configuration snapshot that does not overwrite the default snapshot (.snapshot.xml). Enter a Name for the snapshot or select an existing named snapshot to overwrite. (Panorama only) Select Device Groups & Templates to select specific device group, template, or template stack configurations to save. Device Group and Template Admins can only select the device groups, templates, or template stacks designated in their assigned access domain. |
Save candidate config | Creates or overwrites the default snapshot of the candidate configuration (.snapshot.xml) with the current candidate configuration. This is the same action as when you select Config > Save Changes at the top right of the web interface. To save only the changes of specific administrators, see Save Candidate Configurations. (Panorama only) Select Device Groups & Templates to select specific device group, template, or template stack configurations to save. Device Group and Template Admins can only select the device groups, templates, or template stacks designated in their assigned access domain. |
Load named configuration snapshot (firewall) or Load named Panorama configuration snapshot | Overwrites the current candidate configuration with one of the following: The configuration must reside on the firewall or Panorama onto which you are loading it. Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. If you are loading an imported configuration, you must enter the master key of the firewall or Panorama from which you imported. After the load operation finishes, the master key of the firewall or Panorama onto which you loaded the configuration re-encrypts the passwords and private keys. To generate new UUIDs for all rules in the configuration (for example, if you are loading a configuration from another firewall but you want to maintain unique rules when you load that configuration), the superuser must Regenerate Rule UUIDs for selected named configuration to generate new UUIDs for all rules. (Panorama only) Specify object, policy, device group, or template configurations to partially load configurations from the named configuration by selecting from the following: |
Load configuration version (firewall) or Load Panorama configuration version | Overwrites the current candidate configuration with a previous version of the running configuration that is stored on the firewall or Panorama. Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. After the load operation finishes, the master key re-encrypts the passwords and private keys. (Panorama only) Specify object, policy, device group, or template configurations to partially load configurations from the named configuration by selecting: |
Export named configuration snapshot | Exports the current running configuration, a candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the specified name. You can save the snapshot in any network location. (Panorama only) Select Device Groups & Templates to select specific device group, template, or template stack configurations to export. Device Group and Template Admins can only select the device groups, templates, or template stacks designated in their assigned access domain. |
Export configuration version | Exports a Version of the running configuration as an XML file. (Panorama only) Select Device Groups & Templates to select specific device group, template, or template stack configurations to export. Device Group and Template Admins can only select the device groups, templates, or template stacks designated in their assigned access domain. |
Export Panorama and devices config bundle (Panorama only) | Generates and exports the latest versions of the Panorama running configuration backup and of each managed firewall. To automate the process of creating and exporting the configuration bundle daily to an SCP or FTP server, see Panorama > Scheduled Config Export. |
Export or push device config bundle (Panorama only) | Prompts you to select a firewall and perform one of the following actions on the firewall configuration stored on Panorama: |
Export device state (Firewall only) | Exports the firewall state information as a bundle. In addition to the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect™ portal, the bundle also includes certificate information, a list of satellites that the portal manages, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle. You must manually run the firewall state export or create a scheduled XML API script to export the file to a remote server. Do this on a regular basis because satellite certificates often change. To create the firewall state file from the CLI, run the save device state command from configuration mode. The file is named device_state_cfg.tgz and is stored in /opt/pancfg/mgmt/device-state. The operational command to export the firewall state file is scp export device-state (you can also use tftp export device-state). For information on using the XML or REST API, refer to the PAN-OS and Panorama API Guide. |
Import named config snapshot | Imports a running or candidate configuration from any network location. Click Browse and select the configuration file to be imported. |
Import device state (Firewall only) | Imports the state information bundle you exported from a firewall when you chose to Export device state. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the bundle also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle. |
Import Device Configuration to Panorama (Panorama only) | Imports a firewall configuration into Panorama. Panorama automatically creates a template to contain the network and device configurations. For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to contain the policy and object configurations. The device groups will be one level below the Shared location in the hierarchy, though you can reassign them to a different parent device group after finishing the import (see Panorama > VMware NSX). The content versions on Panorama (for example, Applications and Threats database) must be the same as or higher than the versions on the firewall from which you will import a configuration. Configure the following import options: |
Device Operations | |
Reboot | To restart the firewall or Panorama, Reboot Device. The firewall or Panorama logs you out, reloads the software (PAN-OS or Panorama) and the active configuration, closes and logs existing sessions, and creates a System log entry that shows the name of the administrator who initiated the shutdown. Any configuration changes that were not saved or committed are lost (see Device > Setup > Operations). If the web interface is not available, use the following operational CLI command: request restart system |
Shutdown | To perform a graceful shutdown of the firewall or Panorama, Shutdown Device or Shutdown Panorama and then click Yes when prompted. Any configuration changes that are not saved or committed are lost. All administrators will be logged off and the following processes will occur: You must unplug the power source and plug it back in before you can power back on the firewall or Panorama. If the web interface is not available, use the following CLI command: request shutdown system |
Restart Dataplane | Restart Dataplane to restart the data functions of the firewall without rebooting. This option is not available on Panorama or PA-220, PA-800 Series, or VM-Series firewalls. If the web interface is not available, use the following CLI commands: request restart dataplane, request chassis restart slot. |
Miscellaneous | |
Custom Logos | Use Custom Logos to customize any of the following: To return to the default logo, remove your entry and Commit. For the Login Screen and Main UI, you can display ( The maximum image size for any logo is 128KB. The supported file types are png and jpg. The firewall does not support image files that are interlaced, images that contain alpha channels, and gif file types because such files interfere with PDF report generation. You might need to contact the illustrator who created an image to remove alpha channels or make sure the graphics software you are using does not save files with the alpha channel feature. For information on generating PDF reports, see Monitor > PDF Reports > Manage PDF Summary. |
SNMP Setup | |
Storage Partition Setup (Panorama only) |
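
One way to write the scheduled XML API script that the Export device state row calls for, as an added example that is not Palo Alto Networks code. It assumes the XML API export request `type=export&category=device-state` and the `X-PAN-KEY` header for the API key; the host name, CA file, backup directory and timestamped file names are hypothetical values.

```python
# Added example: scheduled device-state backup over the PAN-OS XML API.
# Host, API key, CA file and backup directory are assumed placeholder values.
import hashlib, io, os, ssl, tarfile, time, zlib
import urllib.parse, urllib.request


def build_request(host, api_key):
    """Export request with the key in a header so it stays out of URLs and logs."""
    query = urllib.parse.urlencode({"type": "export", "category": "device-state"})
    return urllib.request.Request(f"https://{host}/api/?{query}",
                                  headers={"X-PAN-KEY": api_key})


def is_state_bundle(data):
    """True only for a readable gzip tar archive; an API failure arrives as an
    XML error document and must not be stored as a backup."""
    if data[:2] != b"\x1f\x8b":          # gzip magic bytes
        return False
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            return len(tar.getnames()) > 0
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False


def store_bundle(data, backup_dir, keep=14):
    """Write the bundle readable by its owner only (it carries certificate and
    satellite authentication data), record a SHA-256, keep the newest `keep`."""
    if not is_state_bundle(data):
        raise ValueError("response is not a device-state bundle")
    os.makedirs(backup_dir, mode=0o700, exist_ok=True)
    name = time.strftime("device_state_%Y%m%dT%H%M%SZ.tgz", time.gmtime())
    path = os.path.join(backup_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    with open(path + ".sha256", "w") as fh:
        fh.write(f"{hashlib.sha256(data).hexdigest()}  {name}\n")
    bundles = sorted(f for f in os.listdir(backup_dir) if f.endswith(".tgz"))
    for old in bundles[:-keep]:          # everything except the newest `keep`
        for stale in (old, old + ".sha256"):
            try:
                os.remove(os.path.join(backup_dir, stale))
            except FileNotFoundError:
                pass
    return path


def export_device_state(host, api_key, backup_dir, ca_file):
    """Fetch the bundle over verified TLS and store it; run from cron or a timer."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_request(host, api_key)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return store_bundle(resp.read(), backup_dir)
```

Run `export_device_state` from a scheduler under an account whose API key belongs to a role limited to export operations, and keep the backup directory on storage that only backup operators can read.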