[rancid] rancid login etc. for palo alto and silver peak

Hughes, Doug Douglas.Hughes at DEShawResearch.com
Wed Oct 31 18:35:20 UTC 2012


I've unified this with the main so that the only real difference is in the commandtable to easily switch back and forth. It meant having to change the prompt regex to include # in configure mode, and some structural changes to panlogin and panrancid that should fix another person who had a problem recently. By default PaloAlto will do special word-based command interpretation, which means that the panlogin output, by default, looks like something strange for this command: "set cli pager off"
$prompt> set^M$prompt> set cli^M$prompt> set cli pager^M$prompt> set cli pager off^M

So, I needed to add in the command "set cli scripting-mode on" very early. Also for the configure mode transition, I had to modify prompt after collecting from both panlogin and panrancid. The > became [>#]. Also, it meant I had to modify ShowConfig to recognize the 2 very different syntaxes.

Panrancid.set is the 'set' format variation. Panrancid is the xml format one. The only difference is in the command table, but you do need the new panlogin to be able to handle the command stepping, and the new panrancid to recognize the prompt correctly.
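
The prompt change and the word-by-word echo described in this message can be reproduced offline with the sketch below. It is an added example in Python, not code from the attached panlogin or panrancid scripts. The prompt patterns, the function name clean_capture and the sample session are constructed for illustration.

```python
import re

# Constructed prompt patterns for a "user@host" prompt (an assumption). Only
# the last character class reflects the message: ">" alone versus "[>#]".
OLD_PROMPT = re.compile(r"^[\w.-]+@[\w.-]+> ?")
NEW_PROMPT = re.compile(r"^[\w.-]+@[\w.-]+[>#] ?")

# Constructed capture: word-by-word echo in operational mode, then commands
# typed at the configure-mode prompt, which ends in "#".
RAW = (
    "admin@pa101> set\r"
    "admin@pa101> set cli\r"
    "admin@pa101> set cli pager\r"
    "admin@pa101> set cli pager off\r\n"
    "admin@pa101> configure\r\n"
    "admin@pa101# show\r\n"
    "set deviceconfig system hostname pa101\r\n"
    "set deviceconfig system timezone UTC\r\n"
    "admin@pa101# exit\r\n"
)


def clean_capture(raw, prompt=NEW_PROMPT):
    """Split a captured session into (commands, output_lines).

    Prompt lines that grow by whole words count as one echoed command.
    """
    commands, output, pending = [], [], None
    for line in re.split(r"\r\n|\r|\n", raw):
        m = prompt.match(line)
        if m is None:
            if line.strip():
                if pending is not None:
                    commands.append(pending)
                    pending = None
                output.append(line)       # device output, kept for the archive
            continue
        text = line[m.end():].strip()
        if not text:
            continue                      # bare prompt, nothing typed
        if pending is not None and text.startswith(pending + " "):
            pending = text                # same command, one more word echoed
        else:
            if pending is not None:
                commands.append(pending)
            pending = text
    if pending is not None:
        commands.append(pending)
    return commands, output
```

Calling clean_capture(RAW, OLD_PROMPT) shows the failure the prompt change avoids: the configure-mode prompt lines are no longer recognized and end up in the archived output.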



From: Peter Jackson [mailto:peterjackson1610 at gmail.com]
Sent: Monday, October 29, 2012 9:43 PM
To: Hughes, Doug
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] rancid login etc. for palo alto and silver peak

Doug, I have set up your panrancid and panlogin and they are working fine.

However, I just found that you can show the PA config in 'set' format (set cli config-output-format set) and I like that better than the default xml format.  I would like to back up the configs this way but you have to go into configure mode in order to show the config in set format.

I have tried to modify panlogin but I don't know expect well enough.  I was actually trying to borrow the enable section from clogin because panlogin doesn't have a provision for enable mode and while it's not really enable mode that we're getting into, the prompts are the same, > and #.

Any ideas?

On Wed, Sep 12, 2012 at 11:53 AM, Hughes, Doug <Douglas.Hughes at deshawresearch.com> wrote:
Yes, it's for the anti-virus and botnet stuff.  If you don't want those diffs, you can comment that part out in the palorancid file.

I thought it might be useful. I might disable it myself.

From: Peter Jackson [mailto:peterjackson1610 at gmail.com]
Sent: Wednesday, September 12, 2012 6:02 AM
To: Hughes, Doug
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] rancid login etc. for palo alto and silver peak

Doug, thanks for posting this.  I have set this up for one of our PAs but we get the following diffs every so often - not every other RANCID run, but at least a few times a week.

Have you seen anything like this?

  #RANCID-CONTENT-TYPE: paloalto
  #
+ exit
+ admin at pa101> show
+ admin at pa101> show config
+ admin at pa101> show config running

  config {
    shared {
      ssl-decrypt {


  #RANCID-CONTENT-TYPE: paloalto
  #
- exit
- admin at pa101> show
- admin at pa101> show config
- admin at pa101> show config running

  config {
    shared {
      ssl-decrypt {
On Tue, Aug 14, 2012 at 10:23 AM, Hughes, Doug <Douglas.Hughes at deshawresearch.com> wrote:
A few people have requested this, so I'm attaching the few hours of work I put into making the rancid login/auth/archive for SilverPeak and for PaloAlto devices. Both of these use ssh for authentication, but I didn't set up or test RSA key auth in either case. The SilverPeak has been tested with 'enable' mode. By default they ship with no enable password. (Apologies for the Windows style attachments.) Both have been copied from another script and modified, so there's probably quite a bit of cruft in there that doesn't need to be, but I cleaned up the worst of it. I'm sure there are a lot of gratuitous regular expressions that could still be eliminated.


Here's what you need in rancid-fe:

%vendortable = (
...
    'silverpeak'        => 'silverrancid',
    'paloalto'          => 'panrancid',
...

You can figure out .cloginrc yourself, just don't forget the enable password for the silverpeak, if you have any. ;)



-------------- next part --------------
A non-text attachment was scrubbed...
Name: panlogin
Type: application/octet-stream
Size: 18111 bytes
Desc: panlogin
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20121031/eab8737a/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: panrancid
Type: application/octet-stream
Size: 8271 bytes
Desc: panrancid
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20121031/eab8737a/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: panrancid.set
Type: application/octet-stream
Size: 8404 bytes
Desc: panrancid.set
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20121031/eab8737a/attachment-0002.obj>