Intro
Been working with Palo Alto firewalls quite a bit and have found that the best way to back up and archive configuration files is through the CLI. This way, it can be just another simple text file along with the rest of the network gear (routers, switches, etc.).
Here’s how to do that.
Prep Work
Disable Paging
First thing you want to do is disable paging. This will dump the entire config at once without having to spacebar through it.
> set cli pager off
Depending on your setup, these configs can get quite large and it can take several minutes just to get to the end of the config, especially if you console in.
Change Config Output Format
By default, the configuration is dumped in JSON format. While this may be useful for coding and other automated tasks, it isn’t quite readable for day-to-day administration.
The preferred format is set notation. This is the notation used when entering configuration in the CLI on the firewall. It can be configured for output with the following:
> set cli output-config-format set
Display Config
The last step is to display the configuration. To do this, you must enter configuration mode:
> configure
admin@PA-FW> configure
Entering configuration mode
[edit]
admin@PA-FW#
Then simply issue a show command:
# show
admin@PA-FW# show
set deviceconfig system type dhcp-client send-hostname yes
set deviceconfig system type dhcp-client send-client-id no
set deviceconfig system type dhcp-client accept-dhcp-hostname no
set deviceconfig system type dhcp-client accept-dhcp-domain no
...snip...
I have found it is very useful to clear the screen and scrollback before issuing this command to simplify the process of transposing this into a text file.
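If the terminal session is logged to a file instead of copied by hand, the config lines can be pulled out of the capture afterwards. The following Python is an added example, not part of the original post: it keeps only the set lines printed after the show command, drops the echoed set cli commands, flags lines that likely carry credentials, and hashes the result for change tracking. The sample session is constructed, the phash value is a placeholder, and the keyword list is an assumption.

```python
import hashlib
import re

# Constructed sample of a logged terminal session (not real device output).
SAMPLE_SESSION = """\
admin@PA-FW> set cli pager off\r
admin@PA-FW> set cli output-config-format set\r
admin@PA-FW> configure\r
Entering configuration mode\r
[edit]\r
admin@PA-FW# show\r
set deviceconfig system type dhcp-client send-hostname yes\r
set deviceconfig system type dhcp-client send-client-id no\r
set mgt-config users admin phash PLACEHOLDER-HASH\r
[edit]\r
admin@PA-FW# exit\r
"""

# Matches a CLI prompt such as "admin@PA-FW> " or "admin@PA-FW# ".
PROMPT = re.compile(r"^\S+@\S+[>#]\s?")
# Assumed keyword list for lines worth reviewing before the file is shared.
SENSITIVE = re.compile(r"\b(phash|password|key|secret)\b", re.IGNORECASE)


def extract_config(session):
    """Return the 'set' lines printed in response to the 'show' command."""
    config, in_show = [], False
    for raw in session.splitlines():
        line = raw.rstrip()  # drops trailing spaces and carriage returns
        if PROMPT.match(line):
            # A prompt line is an echoed command, never config output.
            in_show = PROMPT.sub("", line).strip() == "show"
            continue
        if in_show and line.startswith("set "):
            config.append(line)
    return config


def sensitive_lines(config):
    """Lines that likely hold hashes or keys; archive the file accordingly."""
    return [line for line in config if SENSITIVE.search(line)]


def digest(config):
    """SHA-256 of the normalized config, for comparing archived copies."""
    return hashlib.sha256("\n".join(config).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    cfg = extract_config(SAMPLE_SESSION)
    print("\n".join(cfg))
    print("review before sharing:", len(sensitive_lines(cfg)), "line(s)")
    print("sha256:", digest(cfg))
```
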
Further Reading
There are tons of resources out there for Palo Alto firewall management, but here are some useful links for administration.