[rancid] Restore a Palo Alto Firewall from a Rancid backup
Gauthier, Chris
cgauthier at comscore.com
Mon Jul 15 22:30:42 UTC 2019
The only way in CLI to do a "show run" type of output in XML format is to execute the following commands. This holds true for both Panorama and Pan-OS (not managed by Panorama):
User@Palo-Alto-FW> set cli config-output-format xml
User@Palo-Alto-FW> configure
Entering configuration mode
[edit]
User@Palo-Alto-FW# show
<response status="success" code="19">
<result total-count="1" count="1">
<device-group>
****Truncated to hide my config****
--Chris
Chris Gauthier Senior Network Engineer | Comscore
t +1 (503) 331-2704 |
cgauthier at comscore.com
comscore.com
-----Original Message-----
From: Rancid-discuss <rancid-discuss-bounces at shrubbery.net> on behalf of john heasley <heas at shrubbery.net>
Date: Monday, July 15, 2019 at 3:00 PM
To: Erik Muller <erikm at buh.org>
Cc: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid backup
Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
> On 7/12/19 14:15 , Gauthier, Chris wrote:
> > Rancid configs for PAN can NOT be used to restore the config, unless you
> > cut and paste the configuration. This is because the native config files
> > are stored in XML format and that is the format the Palo Alto utilities
> > expect when performing restorations.
>
> Having recently needed to deal with a bunch of PAs, I ran into that same
> issue and ended up writing a tool (https://github.com/ermuller/bracematch)
> to simplify the process.
>
> RE the other question about Panorama vs device configs, if you're backing
> up your Panorama configuration (which has been fine via Rancid in my

How are you backing up the Panorama configuration? Is that just another
rancid 'paloalto' target?

> experience) as well as the base config on the device, you don't need to
> backup the merged configuration. And you probably shouldn't pull the
> merged config, for restore purposes, as anything other than the local
> device configuration will come from the Panorama templates once the device
> is replaced. Of course, the merged config might still be convenient to
> save to easily see the complete policy set active on a given box.
>
> -e
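An added example, not part of the original thread or of RANCID: a Python check that a terminal capture of the XML-format `show` output from the top of this message holds a complete, well-formed `<response status="success">` document before it is filed as a restorable backup. The function names and both sample captures are constructed for illustration, and the content inside `<device-group>` is a placeholder.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed captures: prompts follow the session in the message, XML body is a placeholder.
GOOD_SESSION = """User@Palo-Alto-FW> set cli config-output-format xml
User@Palo-Alto-FW> configure
Entering configuration mode
[edit]
User@Palo-Alto-FW# show
<response status="success" code="19">
<result total-count="1" count="1">
<device-group><entry name="example-dg"/></device-group>
</result>
</response>
[edit]
User@Palo-Alto-FW# exit
"""
# The same capture cut off mid-transfer, as a dropped session would leave it.
TRUNCATED_SESSION = GOOD_SESSION[:GOOD_SESSION.index("</result>")]


def extract_config_xml(session: str) -> str:
    """Return the XML payload of a captured CLI session with prompts stripped."""
    start = session.find("<response")
    end = session.rfind("</response>")
    if start == -1 or end < start:
        raise ValueError("no complete <response> element: truncated or not XML")
    return session[start:end + len("</response>")]


def check_backup(session: str) -> dict:
    """Validate the capture; return its top-level sections and a SHA-256."""
    payload = extract_config_xml(session)
    # The capture is untrusted input: refuse DTDs, which enable entity expansion.
    if "<!DOCTYPE" in payload or "<!ENTITY" in payload:
        raise ValueError("DTD or entity declaration found in capture")
    try:
        root = ET.fromstring(payload)
    except ET.ParseError as exc:
        raise ValueError(f"capture is not well-formed XML: {exc}") from exc
    if root.get("status") != "success":
        raise ValueError(f"device reported status {root.get('status')!r}")
    result = root.find("result")
    if result is None or len(result) == 0:
        raise ValueError("<result> is missing or empty")
    digest = hashlib.sha256(payload.encode("utf-8")).hexdigest()
    return {"sections": [child.tag for child in result], "sha256": digest}
```

Storing the returned digest next to the saved file lets a later restore confirm the backup has not changed since it was captured.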