The PaloAlto firewall configuration management has powerful functions to manage configuration, but at the same time it can be very confusing if you are used to other firewalls vendors. So, let me explain the concept of configuration management, and how to set it up in the right way in order to be effective to make a full use of it.
I would like to share my experience with you. Let’s start with configuration management; on a Palo Alto firewall, there is a dedicated Management plane and Data plane.
If you login to PaloAlto, the GUI and changes to the configuration, all of these changes are done to a “Candidate Configuration”, and this configuration resides in a memory on the management plane. When you “Commit”, you will activate the changes and install it on the data plane and with this it will go into “running configuration”.
When you do “Commit”, automatically as a part of the “Commit” process, the Firewall will also store up to 100 configurations by default, and that is what we call a configuration version.
With this you can always revert back to an older configuration, in case something is not working. You can load the configuration version into the “Candidate Config” and once you are happy then you can “Commit” to activate this configuration.
You can also revert back from “Running Config”. This will take the latest running config and override the candidate config (Put the running config into candidate config).
In addition to this, there are two more data stores for configuration: “Named config” and “Saved config”.
Named config: We can save the configuration under a specific name. Also from this config, we can load into the candidate config and then activate the configuration by doing Commit“.
Saved config: This config store often causes some confusion. If you make changes to the candidate config, the changes will reside in the RAM/ memory on the management plane. This means that if the power is down; this configuration is lost. To overcome this challenge, we have the “saved config”; you simply do save, and this will save the latest “candidate config” into the “save config” store and you can also do a revert back to a test “candidate config” from “Saved config”.