If for any reason the device state cannot be generated and exported out of the firewall, the device states of these firewalls can be generated and exported from the managing Panorama.
Any Panorama.
Any PAN-OS.
Save the device state from Panorama CLI using the command
save device-state device <serial number>
. The serial number at the end is the serial number of managed firewall. Note that you need to be in configure mode to run this command.
Example: Of the three managed devices, device state of serial number 0011000001 is generated on Panorama.
admin@panorama> configure admin@panorama# save device-state device <tab> 0011000001 0011000001 0011000002 0011000002 0011000003 0011000003 admin@panorama#save device-state device 0011000001 Device state device_state_cfg.tgz created successfully
Export the device state from Panorama using scp command using
scp export device-state device <serial number>
Example below: Replace the destination (pantac@<scpserverip>:/home/) to match your environment.
admin@panorama> scp export device-state device 0011000001 to pantac@<scpserverip>:/home/ <snip> pantac@<scpserverip>'s password: device_state_cfg.tgz
NOTE: There is no option on the Panorama web interface to export the generated device-state (CLI-based Exports Only).
If the firewall's web interface is available through Panorama context switching, the device state can be collected from the firewall's Device > Setup > Operations .