PAN-OS: Panorama Configuration Backups

PCNSE Objective Focus (Domain 4 - 18%)

4.3 Manage firewall configurations within Panorama

Introduction: Importance of Backups

Regularly backing up the configuration of your Panorama management server is a critical operational task. Panorama holds the centralized policies, objects, templates, and device management settings for your entire fleet of managed firewalls. Losing the Panorama configuration without a backup could be catastrophic, requiring extensive effort to rebuild policies and configurations.

Configuration backups provide a safety net, enabling you to:

Types of Configuration Backups / Snapshots

Panorama manages configurations in layers, and backups reflect this:

For recovering the Panorama management server itself, you primarily work with Running Configuration Snapshots taken on Panorama.

Methods for Creating Panorama Backups

  1. Manual Backup (Export Configuration):

    • Location: Panorama > Setup > Operations > Save/Load section (or similar path depending on version).
    • Action:
      • Click `Save named configuration snapshot` to save the current *candidate* config with a custom name on Panorama's local disk.
      • Click `Save configuration snapshot` to save the current *running* config with a timestamped name on Panorama's local disk.
      • Click `Export named configuration snapshot` to select a previously saved snapshot (running or candidate) and download it as an XML file to your local computer.
      • Click `Export configuration version` to select a specific committed version (by sequence number) and download it.
    • Pros: Simple, direct control, allows storing backups off-box.
    • Cons: Relies on the administrator remembering to perform backups; backups stored locally on an admin workstation might not be centrally managed or secured.
  2. Scheduled Configuration Export (Recommended):

    • Location: Panorama > Scheduled Config Export
    • Action: Configure scheduled tasks to automatically export Panorama's running configuration snapshot to a remote server.
    • Key Settings:
      • Name: Name for the schedule.
      • Location: Select the target Device Group (usually `shared` or a specific DG if configuration segmentation is used, though typically backups cover the whole Panorama config).
      • Protocol: SCP or FTP (SCP is preferred for security).
      • Server Address: IP or FQDN of the remote SCP/FTP server.
      • Port: Server port (e.g., 22 for SCP).
      • Path: Directory path on the remote server where backups should be stored.
      • Username/Password or Key: Credentials for accessing the remote server.
      • Schedule: Define recurrence (e.g., Daily, Weekly) and time.
    • Pros: Automated and reliable, ensures regular backups are taken, stores backups off-box on a secure server. This is the recommended method for production environments.
    • Cons: Requires setting up a secure external SCP/FTP server and managing credentials.
  3. Tech Support File:

    • Location: Panorama > Support
    • Action: Generate and download a Tech Support File (TSF).
    • Content: Includes the running configuration, logs, system state, and diagnostic information.
    • Use Case: Primarily for troubleshooting with Palo Alto Networks support, but the configuration *is* contained within it.
    • Pros: Contains extensive diagnostic data along with config.
    • Cons: Very large file size; not intended as a primary backup method; restoring *only* the config from a TSF is less straightforward than using a configuration snapshot.

Best Practices for Panorama Backups

Caveats and Gotchas

PCNSE Exam Focus

For the PCNSE exam, understand:

Panorama Configuration Backups Quiz

1. What is the primary reason for regularly backing up the Panorama configuration?

Panorama backups are essential for disaster recovery, allowing restoration of the central management configuration in case of failures or irreversible configuration mistakes.

2. Which type of Panorama configuration snapshot captures the currently active configuration being used by the Panorama server?

Saving the 'configuration snapshot' (without specifying 'named') or exporting the current running config captures the state actively used by Panorama. Named snapshots capture the candidate config.

3. What is the recommended best practice method for ensuring regular Panorama configuration backups are taken and stored securely?

Scheduled exports provide automation, reliability, and off-box storage, making them the most robust method for regular production backups compared to manual processes or local-only snapshots. SCP is preferred over FTP for security.

4. Where in the Panorama GUI do you configure scheduled, automatic backups of the Panorama configuration to an external server?

The dedicated section for configuring scheduled exports of the Panorama configuration itself is found under the main Panorama tab: `Panorama > Scheduled Config Export`.

5. Which protocol is generally preferred for Scheduled Configuration Exports due to better security?

SCP (Secure Copy Protocol), which runs over SSH, encrypts both the authentication credentials and the data transfer, making it significantly more secure than FTP for transferring sensitive configuration files.

6. What is generally NOT included in a Panorama configuration snapshot backup?

Configuration snapshots back up the Panorama *configuration* (Policies, Objects, Templates, Device/Panorama Settings). They do *not* back up operational data like logs stored on Panorama's disks. Log backup requires separate log forwarding or export strategies.

7. Why is it important to test restoring Panorama backups periodically?

A backup is only useful if it can be successfully restored. Periodic testing validates the backup file integrity and ensures administrators are familiar with the restore procedure under controlled conditions.

8. Restoring a Panorama configuration snapshot is generally only supported onto a Panorama instance running:

Due to potential configuration schema changes between versions, restoring a snapshot is typically only fully supported onto the exact same PAN-OS version it was created on. Restoring to a newer version might work but might require validation, while restoring to an older version is generally not supported.

9. Which action saves the current *candidate* configuration on Panorama with a custom name, without pushing to firewalls?

'Save named configuration snapshot' specifically saves the current *candidate* configuration (work-in-progress) locally on Panorama under a name you provide. 'Save configuration snapshot' saves the *running* config with a timestamp.

10. What is a potential risk of relying only on configuration snapshots saved locally on the Panorama appliance/VM?

Storing backups only on the device they originated from is risky. A catastrophic failure of the Panorama appliance or VM storage would result in the loss of both the running configuration and all local snapshots. Off-box backups are essential.
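
The off-box storage, restore-testing and same-version points above can be checked routinely on the server that receives exported XML snapshots. The following is an added example, not Palo Alto Networks code: the function names, the 26-hour freshness window, and the assumption that the snapshot's root element is `<config>` with a `version` attribute are illustrative, and the sample data is constructed.

```python
import hashlib
import stat
import tempfile
import time
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample, not a real export. Assumption: the exported snapshot's
# root element is <config> and carries the PAN-OS release in "version".
SAMPLE = b'<config version="10.2.0"><shared/><devices/></config>'

def check_snapshot(path, expected_version, max_age_hours=26, now=None):
    """Return (sha256_hex, problems) for one exported XML snapshot."""
    path = Path(path)
    now = time.time() if now is None else now
    st = path.stat()
    data = path.read_bytes()
    problems = []
    # The file holds the whole management configuration: owner-only access.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("permissions wider than owner-only")
    # A daily schedule that stopped writing shows up as a stale newest file.
    if now - st.st_mtime > max_age_hours * 3600:
        problems.append("older than %d hours" % max_age_hours)
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        problems.append("not well-formed XML (truncated transfer?)")
    else:
        if root.tag != "config":
            problems.append("root element is not <config>")
        elif root.get("version") != expected_version:
            problems.append("version %r, restore target runs %r"
                            % (root.get("version"), expected_version))
    # Record the digest at export time; compare before any restore.
    return hashlib.sha256(data).hexdigest(), problems

def demo():
    """Check one good and one truncated constructed snapshot."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = Path(d, "good.xml"), Path(d, "bad.xml")
        good.write_bytes(SAMPLE)
        bad.write_bytes(SAMPLE[:20])
        good.chmod(0o600)
        bad.chmod(0o644)
        return check_snapshot(good, "10.2.0")[1], check_snapshot(bad, "10.2.0")[1]

if __name__ == "__main__":
    print(demo())
```

An empty problem list means the file passed these checks only; it does not replace a periodic test restore.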
