[rancid] Palo Alto (Panorama) configuration

Gauthier, Chris cgauthier at comscore.com
Fri Jul 12 17:58:32 UTC 2019


So, if you look at my posting below, I made a rather dumb copy/paste error in my ‘panw’ definition.  The first line should read:

panw;script;rancid -t paloalto

not:
panw;script;rancid -t paloalto


Thanks to Heasley for pointing that out!  I would have not seen that for a while.  Having changed the line as shown above, the ‘show config merged’ now works great on Panorama-managed and non-managed PA devices.

--Chris

Chris Gauthier Senior Network Engineer | Comscore
t +1 (503) 331-2704 | 
cgauthier at comscore.com
comscore.com
This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system and notify sender.
From: Rancid-discuss <rancid-discuss-bounces at shrubbery.net> on behalf of "Gauthier, Chris" <cgauthier at comscore.com>
Date: Friday, July 12, 2019 at 9:24 AM
To: annie lee <lsy.annie at gmail.com>
Cc: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

I’m getting some interesting results in my testing.

Rancid Version:  3.7

I have a pair of PA-5050’s managed by Panorama that have been only getting the ‘show config running’ output (the limited output).  I made a new device type in etc/rancid.types.conf:

panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;rancid::RunCommand;set cli scripting-mode on
panw;command;rancid::RunCommand;set cli pager off
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowConfig;show config merged

This works well for my test unit (PA-220, unmanaged), but I am having problems with the PA-5050’s.

For reference:  Here is the device type of “paloalto” in etc/rancid.types.base:
paloalto;script;rancid -t paloalto
paloalto;login;panlogin
paloalto;module;panos
paloalto;inloop;panos::inloop
paloalto;command;rancid::RunCommand;set cli scripting-mode on
paloalto;command;rancid::RunCommand;set cli pager off
paloalto;command;panos::ShowInfo;show system info
paloalto;command;panos::ShowConfig;show config running

With the PA-5050’s, I started with the following lines in router.db:
pa-1.example.com;paloalto;up;PA-5050 ha pair
pa-2.example.com;paloalto;up;PA-5050 ha pair

They’ve been getting the limited output because of the show config running command and that they’re managed by Panorama.  I altered the router.db file to:
pa-1.example.com;panw;up;PA-5050 ha pair
pa-2.example.com;panw;up;PA-5050 ha pair

I got the email that said the original devices were deleted and the new devices were added.

- pa-1.example.com;paloalto;up;PA-5050
- pa-2.example.com;panw;paloalto;up;PA-5050
+ pa-1.example.com;panw;up;PA-5050
+ pa-2.example.com;panw;panw;up;PA-5050

I checked the config files after running rancid again a couple times and the config was unchanged.  The output captured doesn’t seem to have changed.  Next, I troubleshot it by doing ‘NOPIPE=yes rancid -d -t panw pa-1.example.com’ and reviewing the output.  It captured everything cleanly, as far as I can tell.  No errors.  It’s like the diff is not catching the difference in output?

What might I try next?

--Chris


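As an added example (not code from the thread or from the rancid project), here is a small Python lint for rancid.types.conf-style entries that catches the slip described in this message and corrected at the top of the thread: a type whose `script` line runs `rancid -t <other-type>` ends up collecting with the other type's command table, so ShowConfig keeps running `show config running` and the diff never changes. It assumes that the generic rancid script loads the commands of the type named by `-t`, and that the corrected line names the type itself (`rancid -t panw`); the sample entries are constructed from the ones quoted in the thread.

```python
from collections import defaultdict

# Constructed sample modelled on the thread's etc/rancid.types.conf entries,
# including the copy/paste error in the 'panw' script line.
TYPES_CONF = """\
paloalto;script;rancid -t paloalto
paloalto;module;panos
paloalto;command;panos::ShowInfo;show system info
paloalto;command;panos::ShowConfig;show config running
panw;script;rancid -t paloalto
panw;module;panos
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowConfig;show config merged
"""

def parse_types(text):
    """Parse 'type;key;value' lines; 'command' entries keep (function, command)."""
    types = defaultdict(lambda: {"commands": []})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, key, *rest = line.split(";")
        if key == "command":
            types[name]["commands"].append((rest[0], ";".join(rest[1:])))
        else:
            types[name][key] = ";".join(rest)
    return dict(types)

def script_type(entry):
    """Type named by '-t' in the script line (e.g. 'rancid -t paloalto')."""
    words = entry.get("script", "").split()
    return words[words.index("-t") + 1] if "-t" in words[:-1] else None

def lint_types(types):
    """Map each type whose script line hands control to a different type to that type."""
    return {n: script_type(e) for n, e in types.items()
            if script_type(e) not in (None, n)}

def effective_show_config(types, name):
    """Command ShowConfig really runs for 'name' after following '-t' redirection
    (assumption: the rancid script loads the command table of the type given to -t)."""
    seen = set()
    while name in types and name not in seen and script_type(types[name]) not in (None, name):
        seen.add(name)
        name = script_type(types[name])
    for func, cmd in types.get(name, {}).get("commands", []):
        if func.endswith("ShowConfig"):
            return cmd
    return None
```

Run `lint_types(parse_types(open("etc/rancid.types.conf").read()))` against your own file; an empty result means every custom type is actually collected with its own commands.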
From: annie lee <lsy.annie at gmail.com>
Date: Thursday, July 11, 2019 at 4:00 PM
To: "Gauthier, Chris" <cgauthier at comscore.com>
Cc: john heasley <heas at shrubbery.net>, "Anderson, Charles R" <cra at wpi.edu>, "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Hi Chris,

That's very kind of you to spend time doing that, and thanks for that.

Rgds

On Fri, Jul 12, 2019 at 8:51 AM Gauthier, Chris <cgauthier at comscore.com<mailto:cgauthier at comscore.com>> wrote:
I’m working through that right now.

From: annie lee <lsy.annie at gmail.com<mailto:lsy.annie at gmail.com>>
Date: Thursday, July 11, 2019 at 2:43 PM
To: "Gauthier, Chris" <cgauthier at comscore.com<mailto:cgauthier at comscore.com>>
Cc: john heasley <heas at shrubbery.net<mailto:heas at shrubbery.net>>, "Anderson, Charles R" <cra at wpi.edu<mailto:cra at wpi.edu>>, "rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>" <rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

That's good to know on the new CLI command (show config merged will grab everything from the firewall and Panorama).
How do we add the CLI command and diff to rancid?

On Fri, Jul 12, 2019 at 4:20 AM Gauthier, Chris <cgauthier at comscore.com<mailto:cgauthier at comscore.com>> wrote:
Just validated the ‘show config merged’ command works with any PA firewall, managed by Panorama or not.

From: Rancid-discuss <rancid-discuss-bounces at shrubbery.net<mailto:rancid-discuss-bounces at shrubbery.net>> on behalf of "Gauthier, Chris" <cgauthier at comscore.com<mailto:cgauthier at comscore.com>>
Date: Thursday, July 11, 2019 at 11:16 AM
To: john heasley <heas at shrubbery.net<mailto:heas at shrubbery.net>>, "Anderson, Charles R" <cra at wpi.edu<mailto:cra at wpi.edu>>
Cc: "rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>" <rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Yes, the command "show config merged" gives the locally-managed config output AND the configuration that is pushed out by Panorama. I'll make a custom device type and see how this works in my environment. If it works, I'll post the results here. I will also test with a non-Panorama-managed system.

--Chris
-----Original Message-----
From: Rancid-discuss <rancid-discuss-bounces at shrubbery.net<mailto:rancid-discuss-bounces at shrubbery.net>> on behalf of john heasley <heas at shrubbery.net<mailto:heas at shrubbery.net>>
Date: Thursday, July 11, 2019 at 8:17 AM
To: "Anderson, Charles R" <cra at wpi.edu<mailto:cra at wpi.edu>>
Cc: "rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>" <rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Thu, Jul 11, 2019 at 02:37:51PM +0000, Anderson, Charles R:
> You can use "show config merged" to see the local device's config merged with the templates from Panorama.

Does this work with "non-managed" (better term?) configs? And, was this
command introduced recently?

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net<mailto:Rancid-discuss at shrubbery.net>
http://www.shrubbery.net/mailman/listinfo/rancid-discuss