• ./tmp/cli/techsupport_hostname_date_time.txt - Lots of output from lots of commands
• ./tmp/cli/logs/* - half a dozen files with cmd output and history
• ./var/log/appweb/* - web server log files
• ./var/log/* loads of log files
• ./opt/pancfg/mgmt/ - configuration files
• ./opt/pancfg/mgmt/saved-configs/ - this is where you can find running-config.xml

To get a configuration out of a tech support file, unzip the file and go to \opt\pancfg\mgmt\saved-configs and open running-config.xml To get system info tmp\cli

If you break access from a remote site to Panorama by putting a “deny all” in pre-rules, you can’t override the rule to fix the issue.

I used to disable/copy Panorama rules to make the config local, fix the issue, reconnected and force a push from Panorama.

I’ve just found out that you can on the firewall,

1. export the device state file from the firewall.
2. open the zip file
3. copy sp-config.xml from device_state_cfg.tar\sp\vsys1\sp-config.xml to anther folder (e.g. Desktop)
4. edit it to remove the bad rule
5. copy the file back in to the zip file
6. save it
7. import device state to firewall
8. commit to firewall

Much simpler than disconnecting from Panorama, fixing and reconnecting.

Alternatively PAN-OS 9.1+ has a feature where the firewall checks connectivity to Panorama after a commit and rolls back if the commit breaks Panorama access.