Intro

Been working with Palo Alto firewalls quite a bit and have found that the best way to back up and archive configuration files is through the CLI. This way, the config can be just another simple text file along with those from the rest of the network gear (routers, switches, etc.).

Here’s how to do that.

Prep Work

Disable Paging

First thing you want to do is disable paging. This will dump the entire config at once without having to spacebar through it.

> set cli pager off

Depending on your setup, these configs can get quite large and it can take several minutes just to get to the end of the config, especially if you console in.

Change Config Output Format

By default, the configuration is dumped in JSON format. While this may be useful for coding and other automated tasks, it isn’t quite readable for day-to-day administration.

The preferred format is set notation. This is the notation used when entering configuration in the CLI on the firewall. It can be configured for output with the following:

> set cli output-config-format set

Display Config

The last step is to display the configuration. To do this, you must enter configuration mode:

> configure

admin@PA-FW> configure
Entering configuration mode
[edit]
admin@PA-FW#

Then simply issue a show command:

# show

admin@PA-FW# show
set deviceconfig system type dhcp-client send-hostname yes
set deviceconfig system type dhcp-client send-client-id no
set deviceconfig system type dhcp-client accept-dhcp-hostname no
set deviceconfig system type dhcp-client accept-dhcp-domain no
...snip...

I have found it is very useful to clear the screen and scrollback before issuing this command to simplify the process of transposing this into a text file.
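
Turning the pasted terminal session into an archive file can be scripted. The following is an added example, not part of the original post: it keeps only the set lines from a capture, refuses output that is still in brace-style hierarchy, and writes the result with owner-only permissions. The function names, the file naming scheme and the sample capture are assumptions made for illustration.

```python
import hashlib
import os

# Constructed sample: the session shown above, as pasted from a terminal.
SAMPLE_CAPTURE = """admin@PA-FW> configure
Entering configuration mode
[edit]
admin@PA-FW# show
set deviceconfig system type dhcp-client send-hostname yes
set deviceconfig system type dhcp-client send-client-id no
set deviceconfig system type dhcp-client accept-dhcp-hostname no
set deviceconfig system type dhcp-client accept-dhcp-domain no
admin@PA-FW#
"""


def extract_set_config(capture):
    """Keep only the 'set ...' lines; drop prompts, banners and [edit] markers."""
    config = []
    for raw in capture.splitlines():
        line = raw.rstrip()  # terminals pad lines with trailing spaces
        if line.startswith("set "):
            config.append(line)
        elif line.endswith("{") or line == "}":
            # Brace-style hierarchy means the output format was never switched.
            raise ValueError("not set notation: run 'set cli output-config-format set'")
    if not config:
        raise ValueError("no 'set' lines found in capture")
    return "\n".join(config) + "\n"


def archive_config(capture, directory, hostname):
    """Write the cleaned config once per distinct content; return (path, created)."""
    text = extract_set_config(capture)
    digest = hashlib.sha256(text.encode()).hexdigest()
    path = os.path.join(directory, f"{hostname}-{digest[:12]}.set")
    if os.path.exists(path):
        return path, False  # unchanged since the last archive
    # Owner-only permissions: firewall configs hold password hashes and keys.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path, True
```

Because the file name carries a hash of the cleaned content, a new file in the archive directory means the configuration changed since the previous backup.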

Further Reading

There are tons of resources out there for Palo Alto firewall management, but here are some useful links for administration.