[rancid] Palo Alto XML backups - sort of solved
heasley
heas at shrubbery.net
Wed Sep 8 21:14:31 UTC 2021
Tue, Sep 07, 2021 at 06:28:39PM +0000, Adam Thompson:
> I remember this being discussed several times here - Palo Alto's PANOS only emits JSON-formatted config when you run "show config running", which cannot be used to restore the device from scratch.
>
> You can (at least as of v9.x) convince "show config running" to emit XML, you need the "set cli op-command-xml-output on" command first, then "show config running".
>
> It's not very useful to humans, e.g. email diffs become utterly useless, but it IS usable for restoring a firewall from scratch.
>
> I documented this in slightly deeper detail at https://github.com/ytti/oxidized/issues/440#issuecomment-914517884 on the "other" project, don't feel like re-typing it all.
Hey, Thanks for the note.
This could be done in rancid like this:
diff --git a/etc/rancid.types.base b/etc/rancid.types.base
index 30e90477..a55c61ed 100644
--- a/etc/rancid.types.base
+++ b/etc/rancid.types.base
@@ -777,6 +777,7 @@ paloalto;module;panos
paloalto;inloop;panos::inloop
paloalto;command;panos::ShowInfo;show system info
paloalto;command;panos::ShowInventory;show chassis inventory
+paloalto;command;rancid::RunCommand;set cli op-command-xml-output on
paloalto;command;panos::ShowConfig;show config running
#
redback;script;rrancid
Could also collect both.
That will not maintain the password filtering that is normally done with
the json output, though code could be added to do that.
More information about the Rancid-discuss
mailing list