[rancid] Restore a Palo Alto Firewall from a Rancid backup
heas at shrubbery.net
Sat Jul 20 15:09:55 UTC 2019
Sat, Jul 20, 2019 at 12:29:19AM +0200, Erik Muller:
> On 7/19/19 22:32 , john heasley wrote:
> > Mon, Jul 15, 2019 at 10:30:42PM +0000, Gauthier, Chris:
> >> The only way in CLI to do a "show run" type of output in XML format is to execute the following commands. This holds true for both Panorama and Pan-OS (not managed by Panorama):
> >> User at Palo-Alto-FW> set cli config-output-format xml
> >> User at Palo-Alto-FW> configure
> >> Entering configuration mode
> >> 
> >> User at Palo-Alto-FW# show
> >> <response status="success" code="19">
> >> <result total-count="1" count="1">
> >> <device-group>
> >> ****Truncated to hide my config****
> >> --Chris
> > I am confused; please help me understand so that we can wrap up this issue.
> > There are two configs, the normal one in show config run, and one that
> > comes from panorama config (if in use) that is visible on the "panorama
> > clients" (my term) with show config merged.
> Correct. Each PANOS device that's managed via Panorama has a local
> persistent configuration that includes device-specific things like local
> management address, HA-pair, user accounts...
> Panorama stores in its config a bunch of rulesets and templates that can
> be applied to the managed devices; when it pushes those to a managed device
> they're merged at runtime into that device's live config, but not part of
> that box's actual local config.
> > the panorama (master) offers a cli, just like a panorama client, where
> > the panorama configuration can be viewed with 'show config run'.
> > these configs can be dumped as xml or text. only xml can be loaded.
> > Do i have all of this correct? I did not glean much useful info from the
> > palo alto website.
> all correct, TTBOMK.
Is it sensible to collect all three? i.e.: the xml of the base, the base,
and the merged.
> >> -----Original Message-----
> >> From: Rancid-discuss <rancid-discuss-bounces at shrubbery.net> on behalf of john heasley <heas at shrubbery.net>
> >> Date: Monday, July 15, 2019 at 3:00 PM
> >> To: Erik Muller <erikm at buh.org>
> >> Cc: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
> >> Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid backup
> >> Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
> >>> On 7/12/19 14:15 , Gauthier, Chris wrote:
> >>>> Rancid configs for PAN can NOT be used to restore the config, unless you
> >>>> cut and paste the configuration. This is because the native config files
> >>>> are stored in XML format and that is the format the Palo Alto utilities
> >>>> expect when performing restorations.
> >>> Having recently needed to deal with a bunch of PAs, I ran into that same
> >>> issue and ended up writing a tool (https://github.com/ermuller/bracematch)
> >>> to simplify the process.
> >>> RE the other question about Panorama vs device configs, if you're backing
> >>> up your Panorama configuration (which has been fine via Rancid in my
> >> How are you backing the Panorama configuration? is that just another
> >> rancid 'paloalto' target?
> >>> experience) as well as the base config on the device, you don't need to
> >>> backup the merged configuration. And you probably shouldn't pull the
> >>> merged config, for restore purposes, as anything other than the local
> >>> device configuration will come from the Panorama templates once the device
> >>> is replaced. Of course, the merged config might still be convenient to
> >>> save to easily see the complete policy set active on a given box.
> >>> -e
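An added example for the two points raised in this thread (the XML dump being the only loadable form, and the merged config containing what Panorama pushed); it is not code from rancid or from any of the posters. It takes a CLI capture of `show` taken after `set cli config-output-format xml`, as in Chris's session, strips the prompt and echo lines plus the `<response>`/`<result>` wrapper so the bare config element can be kept as a standalone XML document, and lists the paths that appear in `show config merged` but not in the local config. Assumptions: the prompt looks like `user@host>` / `user@host#`, `<result>` holds exactly one payload element, objects are keyed by `<entry name="...">`, and the loader wants the bare payload without the CLI wrapper. Both captures are constructed samples, not real device output.

```python
"""Post-process PAN-OS/Panorama CLI captures of `show` in XML output format.

Added example for the rancid-discuss thread; not rancid's code nor any
poster's. Assumes: prompt lines of the form user@host> or user@host#,
one <response> element per capture, one payload element under <result>,
and objects keyed by <entry name="...">.
"""
import xml.etree.ElementTree as ET

# Constructed sample capture of `show` in configure mode (not real output).
BASE_CAPTURE = """admin@fw> set cli config-output-format xml
admin@fw> configure
Entering configuration mode
admin@fw# show
<response status="success" code="19">
<result total-count="1" count="1">
<config version="9.0.0">
  <mgt-config><users><entry name="admin"/></users></mgt-config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="local-allow-mgmt"><action>allow</action></entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>
</result>
</response>
admin@fw#"""

# Constructed `show config merged` for the same box: one rule pushed from Panorama.
MERGED_CAPTURE = BASE_CAPTURE.replace(
    '<entry name="local-allow-mgmt"><action>allow</action></entry>',
    '<entry name="local-allow-mgmt"><action>allow</action></entry>\n'
    '      <entry name="pano-block-bad"><action>deny</action></entry>',
)


def extract_response(capture: str) -> ET.Element:
    """Return the <response> element, ignoring the prompt/echo lines around it."""
    start = capture.find("<response")
    end = capture.rfind("</response>")
    if start < 0 or end < 0:
        raise ValueError("capture holds no <response> element (text-format config?)")
    root = ET.fromstring(capture[start:end + len("</response>")])
    if root.get("status") != "success":
        msg = "".join(root.itertext()).strip()
        raise ValueError(f"PAN-OS status={root.get('status')!r}: {msg}")
    return root


def config_document(capture: str) -> str:
    """Serialise the payload under <result> (normally <config>) as a standalone
    XML document, without the <response>/<result> wrapper the CLI adds.
    Assumption: that bare element is what the loader expects."""
    result = extract_response(capture).find("result")
    if result is None or len(result) != 1:
        raise ValueError("expected exactly one payload element under <result>")
    payload = result[0]
    payload.tail = None  # drop the whitespace that preceded </result>
    return ET.tostring(payload, encoding="unicode")


def _paths(elem: ET.Element, prefix: str = "") -> set[str]:
    """Flatten an element tree into path strings keyed by <entry name>."""
    key = elem.tag
    if elem.get("name") is not None:
        key += f"[{elem.get('name')}]"
    text = (elem.text or "").strip()
    if len(elem) == 0 and text:
        key += f"={text}"  # leaf value, e.g. action=deny
    path = f"{prefix}/{key}"
    found = {path}
    for child in elem:
        found |= _paths(child, path)
    return found


def panorama_only(base_capture: str, merged_capture: str) -> list[str]:
    """Paths present in `show config merged` but absent from the local config.

    Per the thread, the merged config is the local config plus what Panorama
    pushed; anything listed here comes back from Panorama after a replacement
    and should not be hand-restored onto the box.
    """
    base = _paths(extract_response(base_capture).find("result")[0])
    merged = _paths(extract_response(merged_capture).find("result")[0])
    return sorted(merged - base)


if __name__ == "__main__":
    print(config_document(BASE_CAPTURE))
    for p in panorama_only(BASE_CAPTURE, MERGED_CAPTURE):
        print("from Panorama:", p)
```

Running it prints the bare `<config>` document for the base capture and then the two paths of the Panorama-pushed rule. A capture whose `<response>` carries `status="error"` is rejected with the device's message, so a failed `show` cannot be mistaken for a backup; a text-format (brace) capture is rejected too, which is the thread's point that only the XML form can be loaded.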