<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body><div>The only way in CLI to do a "show run" type of output in XML format is to execute the following commands. This holds true for both Panorama and Pan-OS (not managed by Panorama):<br /><br />User@Palo-Alto-FW> set cli config-output-format xml<br />User@Palo-Alto-FW> configure<br />Entering configuration mode<br />[edit]<br />User@Palo-Alto-FW# show<br /><response status="success" code="19"><br /> <result total-count="1" count="1"><br /> <device-group><br />****Truncated to hide my config****<br /><br />--Chris<br /><br /><br /><br /><div style="mso-line-height-rule:exactly;-webkit-text-size-adjust:100%;"><table cellpadding="0" cellspacing="0" border="0" style="width:100%;"><tr style="font-size:0;"><td align="left" style="vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;"><tr style="font-size:0;"><td align="left" style="padding:10px 0;vertical-align:middle;"><table cellpadding="0" cellspacing="0" border="0" style="width:100%;font-size:0;"><tr style="font-size:0;"><td align="left" style="vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;"><tr style="font-size:0;"><td align="left" style="vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;color:#E43D30;font-style:normal;font-weight:400;white-space:nowrap;"><tr style="font-size:14.67px;"><td align="left" style="vertical-align:top;font-family:Arial;font-weight:700;">Chris<span style="font-family:remialcxesans;font-size:1px;color:#FFFFFF;line-height:1px;"></span> </td><td align="left" style="vertical-align:top;font-family:Arial;font-weight:700;">Gauthier</td><td align="left" style="vertical-align:top;color:#444444;font-family:Arial;"> Senior Network Engineer</td><td align="left" style="vertical-align:top;font-family:Arial;"> | </td><td align="left" style="vertical-align:top;color:#444444;font-family:Arial;">Comscore<br /></td></tr></table></td></tr></table></td></tr><tr style="font-size:0;"><td align="left" style="vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;"><tr style="font-size:0;"><td align="left" style="padding:3px 0 0;vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;color:#444444;font-style:normal;font-weight:400;white-space:nowrap;"><tr style="font-size:14.67px;"><td align="left" style="vertical-align:top;font-family:Arial;">t +1 <a href="tel:(503)%20331-2704" target="_blank" id="LPlnk689713" style="text-decoration:none;color:#444444;"><strong style="font-weight:400;">(503) 331-2704</strong></a></td><td align="left" style="vertical-align:top;color:#E43D30;font-family:Arial;"> | <br /></td><td align="left" style="vertical-align:top;font-family:Arial;"><a href="mailto:cgauthier@comscore.com" target="_blank" id="LPlnk689713" style="text-decoration:none;color:#444444;"><strong style="font-weight:400;">cgauthier@comscore.com</strong></a></td></tr></table></td></tr></table></td></tr><tr style="font-size:0;"><td align="left" style="vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;"><tr style="font-size:0;"><td align="left" style="padding:2px 0 0;vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;color:#444444;font-style:normal;font-weight:400;white-space:nowrap;"><tr style="font-size:14.67px;"><td align="left" style="vertical-align:top;font-family:Arial;"><a href="http://www.comscore.com/" target="_blank" id="LPlnk689713" style="text-decoration:none;color:#0563C1;"><strong style="font-weight:400;">comscore.com</strong></a></td></tr></table></td></tr></table></td></tr><tr style="font-size:0;"><td align="left" style="vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;"><tr style="font-size:0;"><td align="left" style="padding:10px 0 2px;vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;"><tr style="font-size:0;"><td align="left" style="vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="white-space:normal;color:#444444;font-size:10.67px;font-family:Arial;font-weight:400;font-style:normal;text-align:justify;width:500px;"><tr style="font-size:10.67px;"><td style="font-family:Arial;">This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system and notify sender.</td></tr></table></td></tr></table></td></tr></table></td></tr></table></td></tr></table></td></tr></table></div>-----Original Message-----<br />From: Rancid-discuss <rancid-discuss-bounces@shrubbery.net> on behalf of john heasley <heas@shrubbery.net><br />Date: Monday, July 15, 2019 at 3:00 PM<br />To: Erik Muller <erikm@buh.org><br />Cc: "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net><br />Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup<br /><br />Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:<br />> On 7/12/19 14:15 , Gauthier, Chris wrote:<br />> > Rancid configs for PAN can NOT be used to restore the config, unless you <br />> > cut and paste the configuration. This is because the native config files <br />> > are stored in XML format and that is the format the Palo Alto utilities <br />> > expect when performing restorations.<br />> <br />> Having recently needed to deal with a bunch of PAs, I ran into that same <br />> issue and ended up writing a tool (https://github.com/ermuller/bracematch) <br />> to simplify the process.<br />> <br />> RE the other question about Panorama vs device configs, if you're backing <br />> up your Panorama configuration (which has been fine via Rancid in my <br /><br />How are you backing the Panorama configuration? is that just another<br />rancid 'paloalto' target?<br /><br />> experience) as well as the base config on the device, you don't need to <br />> backup the merged configuration. And you probably shouldn't pull the <br />> merged config, for restore purposes, as anything other than the local <br />> device configuration will come from the Panorama templates once the device <br />> is replaced. Of course, the merged config might still be convenient to <br />> save to easily see the complete policy set active on a given box.<br />> <br />> -e<br />> <br />> _______________________________________________<br />> Rancid-discuss mailing list<br />> Rancid-discuss@shrubbery.net<br />> https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.shrubbery.net%2fmailman%2flistinfo%2francid-discuss&c=E,1,hdku7bLUQv7d0MAZOo8JrRXyca7FQEKjBwWLzlp0SJrUL-sb15koHXRbLiFA-stZLGQTyAvtcN8gShdbJ7Kpb47cHU_aXg5ZJBdwGDVSJSgIWDsF&typo=1<br /><br />_______________________________________________<br />Rancid-discuss mailing list<br />Rancid-discuss@shrubbery.net<br />https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.shrubbery.net%2fmailman%2flistinfo%2francid-discuss&c=E,1,bcAQYO-5xrzHw_0wfIv6Q3dm9-YAo8bMXWeVwZUulp3epd9ZkICII1QaJ_OJNdOV1XBK8gk0mx4wElmLp_3tZbcNWaLh8Q-9CLt0HJWGahly9knQqA,,&typo=1<br /><br /></div></body></html>