Configuration of a Palo Alto Networks firewall is kept in one of two configuration stores. The PCNSA requires you know how the firewall maintains configuration such as saving, reverting, and loading.
There are two configuration stores you should be aware of:
- Candidate configuration
- Running configuration
You can make changes to the firewall configuration using either the web GUI or CLI.
Navigate to Device > Setup > Operations > Configuration Management to view these operations.

Candidate Configuration
Any changes to the configuration are done on the candidate configuration. It is not directly applied to the firewall until you commit the changes.
The Candidate Configuration will live in the control-plane memory. A commit will activate those changes and place them in the Running Configuration.
There is a distinction between saving and committing your configuration. Saving a configuration, in the Palo Alto Networks world, will save your changes to the Candidate Configuration. They are not active. They are not installed or implemented.
A saved Candidate Configuration is kept in persistent storage. It is a snapshot. If you were to make changes and reboot the firewall, those changes will no longer be there because it lived in memory.
Committing a change is the act of installing the changes stored in the Candidate Configuration into Running Configuration.
Running Configuration
The Running Configuration is kept on a file named running-config.xml. This file is the active configuration used by the firewall during operation. It is persistent with a reboot.
The data-plane memory is where the Running Configuration lives.
Configuration changes are activated from the Candidate Configuration during the Commit process.
It is possible to save snapshots of the Running Configuration. A different Running Configuration can be loaded to overwrite the current running-config.xml file.
Configuration Operations
There are various operations that can be performed on the Candidate Configuration and Running Configuration. They are:
- Save
- Load
- Import
- Export
- Revert
Know the differences between each one and when it should be used.
Save
A Save operation will create a snapshot of the Candidate Configuration. There is a default snapshot file named snapshot.xml. It is possible to created a named configuration snapshot that does not overwrite this file.
One possible scenario that comes to mind is creating a backup of the configuration with a date and time or special name such as “backup-before-firewall-rule-purge-5-26-2022.xml”. Or it could be used to save the Candidate Configuration to export and import into another firewall.

If you’d like to save the Candidate Configuration, to the snapshot.xml file then click on Save candidate configuration.
Load
If you’re smart, you’ll backup your configurations to a file and store them safely. There might come a time where you need to load that configuration file to the firewall. Or you’re loading a template configuration to the firewall.
The Load operation comes in handy for loading a named configuration snapshot file or a configuration version.
When loading a configuration snapshot, you will select the file from the dropdown list.

Loading a configuration version allows you to go back into a previous configuration version.
It is useful for loading a previous configuration that worked to revert any changes you might have just committed. The dropdown will specify the date and time of the configuration snapshot.

Export
The Export function allows you to save a configuration to a file kept off of the firewall. You can export a named configuration to an xml file and use it on another similar firewall model.

Export Versioned Configuration is similar to the above except you’re selecting a specific version of configuration to save off of the firewall.
Import
The exact opposite of Export 🙂 In this operation you will be taking a saved configuration file and importing it into the firewall. You will be prompted to select the file from your computer. The file will be stored on the firewall but the configuration is not activated. You must load the configuration afterwards.
Revert
Hopefully, you won’t need to use this operation. You can quickly go back to the last saved configuration or running configuration.
Revert to last saved config will load the snapshot.xml file
Revert to running config restores the configuration from the running-config.xml file
Be cautious with this operation because once you click Yes it will perform the operation. One click to revert.

It’s my preference to avoid using Revert and opt to use one of the other operations above.
Leave a Reply