Managing Configuration Files on PAN-OS

Author

Piotr Kaluzny

Head Instructor

May 16, 2024

Effective configuration management is critical for maintaining the security and performance of your network. Palo Alto Networks firewalls utilize two primary types of configurations: Candidate and Running. Understanding these configurations and how to manage them ensures smooth and secure firewall operations.

Running Configuration

The running configuration is the active configuration used by the firewall to control traffic and operate effectively. It is saved in a file named running-config.xml and stored locally on the firewall. This configuration includes all committed settings and policies that are currently enforced.

If a firewall reboots due to a system event or administrator action, it will revert to the current running configuration automatically.

Candidate Configuration

All configuration changes are initially made to the candidate configuration, which resides in the firewall’s memory (not on the disk!). This configuration is a combination of the running configuration and any pending changes that have not yet been committed.

The candidate configuration can be saved (top-bar Config menu or via Device -> Setup -> Operations) to the persistent storage as a snapshot file (snapshot.xml) or a custom-named file (<filename>.xml) so you can retrieve configuration changes if the firewall goes down or reboots:

PAN-OS GUI saving configuration

Note that, unlike the running configuration, changes in the candidate configuration are not active until they are committed, regardless of whether they are saved or not.
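Because the candidate configuration is the running configuration plus pending changes, comparing exported copies of the two files shows exactly what a commit would activate or a revert would discard. The following is an added example, not part of the original article: the XML samples are constructed, and `flatten`, `pending_changes` and `sample` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

def flatten(xml_text):
    """Map each leaf element's path to its sorted text values.
    Sibling <entry> nodes are told apart by their 'name' attribute;
    repeated <member> leaves share one path and are kept as a list."""
    leaves = {}
    def walk(elem, path):
        name = elem.get("name")
        here = f"{path}/{elem.tag}" + (f"[@name='{name}']" if name else "")
        if len(elem) == 0:
            leaves.setdefault(here, []).append((elem.text or "").strip())
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return {p: sorted(v) for p, v in leaves.items()}

def pending_changes(running_xml, candidate_xml):
    """Return (kind, path, running_values, candidate_values) per differing leaf."""
    run, cand = flatten(running_xml), flatten(candidate_xml)
    changes = []
    for path in sorted(set(run) | set(cand)):
        old, new = run.get(path, []), cand.get(path, [])
        if old != new:
            kind = "added" if not old else "removed" if not new else "modified"
            changes.append((kind, path, old, new))
    return changes

def sample(rules):
    """Constructed stand-in for an exported configuration file."""
    return ('<config><devices><entry name="localhost.localdomain"><vsys>'
            '<entry name="vsys1"><rulebase><security><rules>' + rules +
            '</rules></security></rulebase></entry></vsys></entry></devices></config>')

RULE = ('<entry name="{0}"><source><member>{1}</member></source>'
        '<action>allow</action></entry>')
RUNNING = sample(RULE.format("allow-web", "10.0.0.0/24"))
# Candidate: source widened on allow-web, plus a new uncommitted rule.
CANDIDATE = sample(RULE.format("allow-web", "any") + RULE.format("temp-test", "any"))

if __name__ == "__main__":
    for kind, path, old, new in pending_changes(RUNNING, CANDIDATE):
        print(f"{kind:9}{path.split('/rules/')[-1]}: {old} -> {new}")
```

Swapping the two arguments reports the same differences from the other direction, which is what a revert to the running configuration would undo.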

Reverting Changes

Palo Alto Networks NGFW offers a great feature that allows administrators to easily revert configuration changes (restore the previous configuration), ensuring the stability and reliability of the network. The “Revert Changes” function is designed to undo modifications made to the firewall’s candidate configuration, which is particularly useful for reverting multiple settings with a single operation instead of manually reconfiguring each setting. There are a few ways this feature can be used:

Reverting to Running Configuration – This option restores the firewall to the current running configuration by undoing all changes made to the candidate configuration since the last commit. Note that this option will only work if the changes you have made (saved or not) were NOT committed. To revert to the running configuration, you can use the top-bar Config menu or navigate to Device -> Setup -> Operations and select Revert to running configuration:

PAN-OS GUI reverting to running configuration

The Config menu provides an additional option of reverting changes made by specific users or at specific locations within the firewall’s configuration. This feature is useful for collaborative environments where multiple administrators might be making changes:

PAN-OS GUI reverting specific changes

Reverting to a Snapshot – If you have previously saved a snapshot of the candidate configuration, you can revert to this snapshot. This snapshot acts as a backup of the candidate configuration at a specific point in time. This ensures that you can restore configurations to a known state from earlier points, safeguarding against unwanted changes:

PAN-OS GUI reverting to last saved configuration

Restoring Previous Configurations – The firewall can easily fall back to one of the previous versions of the configuration you have saved (Load named configuration snapshot) or to any previous configuration that has been committed (Load configuration version). This is because PAN-OS keeps a record of configuration versions every time changes are committed, which allows administrators to quickly load a specific previous version of the running configuration if necessary. This is particularly useful for maintaining historical configurations and quickly addressing issues that arise from recent changes:

PAN-OS GUI loading configurations

Configuration Backups & Recovery

As you have probably realized by now, regularly saving backup versions of both the running and candidate configurations is essential, since it allows for easy restoration of previous configurations in case of hardware replacements or catastrophic failures. But remember that the default storage for those files is the firewall itself. That’s why Palo Alto Networks recommends exporting important configurations to an external host:

PAN-OS GUI exporting configuration files

An additional option we have here is Export device state, which includes some additional data, such as device group and template settings, certificate information, and more. This is useful when replacing firewalls or portals.

Adopting the correct configuration management approach aids in maintaining a secure and reliable network infrastructure, ensuring seamless operations and swift recovery from any potential issues. By utilizing features like configuration snapshots and the capability to revert to previous settings, administrators can ensure stability and reduce errors.
