[rancid] Restore a Palo Alto Firewall from a Rancid bacup

john heasley heas at shrubbery.net
Fri Jul 19 20:32:40 UTC 2019


Mon, Jul 15, 2019 at 10:30:42PM +0000, Gauthier, Chris:
> The only way in CLI to do a "show run" type of output in XML format is to execute the following commands.  This holds true for both Panorama and Pan-OS (not managed by Panorama):
> 
> User at Palo-Alto-FW> set cli config-output-format xml
> User at Palo-Alto-FW> configure
> Entering configuration mode
> [edit]
> User at Palo-Alto-FW# show
> <response status="success" code="19">
>   <result total-count="1" count="1">
>     <device-group>
> ****Truncated to hide my config****
> 
> --Chris

I am confused; please help me understand so that we wrap-up this issue.

There are two configs, the normal one in show config run, and one that
comes from panorama config (if in use) that is visible on the "panorama
clients" (my term) with show config merged.

the panorama (master) offers a cli, just like a panorama client, where
the panorama configuration can be viewed with 'show config run'.

these configs can be dumped as xml or text.  only xml can be loaded.

Do i have all of this correct?  I did not glean much useful info from the
palo alto website.

thanks

> -----Original Message-----
> From: Rancid-discuss <rancid-discuss-bounces at shrubbery.net> on behalf of john heasley <heas at shrubbery.net>
> Date: Monday, July 15, 2019 at 3:00 PM
> To: Erik Muller <erikm at buh.org>
> Cc: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
> Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup
> 
> Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
> > On 7/12/19 14:15 , Gauthier, Chris wrote:
> > > Rancid configs for PAN can NOT be used to restore the config, unless you
> > > cut and paste the configuration. This is because the native config files
> > > are stored in XML format and that is the format the Palo Alto utilities
> > > expect when performing restorations.
> >
> > Having recently needed to deal with a bunch of PAs, I ran into that same
> > issue and ended up writing a tool (https://github.com/ermuller/bracematch)
> > to simplify the process.
> >
> > RE the other question about Panorama vs device configs, if you're backing
> > up your Panorama configuration (which has been fine via Rancid in my
> 
> How are you backing the Panorama configuration?  is that just another
> rancid 'paloalto' target?
> 
> > experience) as well as the base config on the device, you don't need to
> > backup the merged configuration.  And you probably shouldn't pull the
> > merged config, for restore purposes, as anything other than the local
> > device configuration will come from the Panorama templates once the device
> > is replaced.  Of course, the merged config might still be convenient to
> > save to easily see the complete policy set active on a given box.
> >
> > -e



More information about the Rancid-discuss mailing list