Hello friends, good evening. I am new to administering Panorama and therefore firewalls through the Panorama console and I have some doubts, mainly with backups, which I hope you can help and support me.
Understanding that example I have a firewall managed from Panorama M-200, the firewalls have part of their configuration managed through Devices-Groups and Template-Stack, the firewalls maintain some local settings such as some policies, some interface settings and at the MGT interface, among other settings.
That is to say, there is a mix, that is my doubt, for example if I take a backup directly in the Palo Alto firewalls the configuration and take a snapshot, the running config includes only the local configurations, not the configurations injected from Panorama. If a TechSupport is executed in this same firewall and I see the Merged config, there I see all the configuration (this file is not clean, nor sanitized to be used as restore).
According to what was mentioned in the previous paragraph, I understand that Panorama saves, in the Managed Devices/Summary section, backups of the changes that are made in the Palo Alto, and from what I have read, including the settings that are changed and configured locally. Where can these backups be obtained, that is, those XML? With the option "Export Panorama and devices config bundle" I understand that I make a backup of the configuration of both Panorama and the Palo Alto firewalls. Do these Backups from "Export Panorama and devices config bundle" include a full-backup of the Palo Alto firewall configuration? that is to say both the local configurations and those injected from Panorama ? Could this be considered a full backup? If so, in case of any failure, that full backup, if so, that full backup can be used to restore the complete configuration to a firewall thinking in a scenario of loss due to hardware error and that it does not have access to Panorama . If the Merged backup of a techsupport is used, it generates problems, since it is a file that is not sanitized or clean.
I hope you can help me with the above.
Thank you very much for your time, help and support.
Best regards
Correct, but I don't like to rely on manual backups :)
There is a "scheduled backup" option in the Panorama menu on the left, that exports the panorama + local config On that note I'd recommend making all config from panorama, there's really no need for any local config :) A standalone device has no issues at all For a cluster I usually do this: 2 template stacks 1 shared template with all the config 2 "personalized" templates (1 per firewall) that holds the unique configs like mgmt IP, hostname and HA config