[rancid] Restore a Palo Alto Firewall from a Rancid backup

Erik Muller erikm at buh.org
Fri Jul 19 21:47:14 UTC 2019

On 7/16/19 0:00 , john heasley wrote:
> Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
>> On 7/12/19 14:15 , Gauthier, Chris wrote:
>>> Rancid configs for PAN can NOT be used to restore the config, unless you
>>> cut and paste the configuration. This is because the native config files
>>> are stored in XML format and that is the format the Palo Alto utilities
>>> expect when performing restorations.
>> Having recently needed to deal with a bunch of PAs, I ran into that same
>> issue and ended up writing a tool (https://github.com/ermuller/bracematch)
>> to simplify the process.
>> RE the other question about Panorama vs device configs, if you're backing
>> up your Panorama configuration (which has been fine via Rancid in my
> How are you backing up the Panorama configuration?  Is that just another
> rancid 'paloalto' target?

Exactly, the Panorama instance just looks like another PANOS device, with 
the same basic CLI.  All the configuration rules and templates that are 
deployed to the managed devices are stored as just a normal part of the 
Panorama box's standard config, so from a rancid perspective it's just 
another normal paloalto box, and Just Works (AFAICT - I've not checked it 
closely, but it appears to be complete).

>> experience) as well as the base config on the device, you don't need to
>> back up the merged configuration.  And you probably shouldn't pull the
>> merged config, for restore purposes, as anything other than the local
>> device configuration will come from the Panorama templates once the device
>> is replaced.  Of course, the merged config might still be convenient to
>> save to easily see the complete policy set active on a given box.
>> -e
