[rancid] Restore a Palo Alto Firewall from a Rancid bacup
Erik Muller
erikm at buh.org
Fri Jul 19 21:47:14 UTC 2019
On 7/16/19 0:00 , john heasley wrote:
> Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
>> On 7/12/19 14:15 , Gauthier, Chris wrote:
>>> Rancid configs for PAN can NOT be used to restore the config, unless you
>>> cut and paste the configuration. This is because the native config files
>>> are stored in XML format and that is the format the Palo Alto utilities
>>> expect when performing restorations.
>>
>> Having recently needed to deal with a bunch of PAs, I ran into that same
>> issue and ended up writing a tool (https://github.com/ermuller/bracematch)
>> to simplify the process.
>>
>> RE the other question about Panorama vs device configs, if you're backing
>> up your Panorama configuration (which has been fine via Rancid in my
>
> How are you backing the Panorama configuration? is that just another
> rancid 'paloalto' target?
Exactly, the Panorama instance just looks like another PANOS device, with
the same basic CLI. All the configuration rules and templates that are
deployed to the managed devices are stored as just a normal part of the
Panorama box's standard config, so from a rancid perspective it's just
another normal paloalto box, and Just Works (AFAICT - I've not checked it
closely, but it appears to be complete).
-e
>> experience) as well as the base config on the device, you don't need to
>> backup the merged configuration. And you probably shouldn't pull the
>> merged config, for restore purposes, as anything other than the local
>> device configuration will come from the Panorama templates once the device
>> is replaced. Of course, the merged config might still be convenient to
>> save to easily see the complete policy set active on a given box.
>>
>> -e
>>
>>
More information about the Rancid-discuss
mailing list