[rancid] login script for PaloAlto PA850

Adam Thompson athompson at merlin.mb.ca
Thu Apr 6 12:11:26 UTC 2023


Just a reminder that the "set" output cannot always be uploaded directly to a PA in a disaster scenario, only the XML can be used for that.  You can try to paste in the "set" output through either the serial port or an SSH session once you have a network, but that is known to not always work 100% on all versions of PAN-OS.  (The commands are not always generated in the correct order, and outright circular dependencies often exist.)

OTOH, good luck having a human read and understand XML or JSON diffs, so you're kind of stuck between a rock and a hard place...

We used to solve this by backing up the same config twice, once in each format.  PITA but it worked.

If you also have and use Palo Alto's Panorama product to manage your firewalls, you may as well disregard everything I've just said, it changes the rules of the game completely anyway.  Its config can be captured via SSH in "set" format like a firewall, which is still useful for human analysis.  (Make sure your timeouts are high, though - my Panorama instance takes about 20min to dump ~0.7M lines in "set" format!)

Source: currently in year 4 of a love-hate, no wait, more like a need-hate, relationship with Panorama.

-Adam

________________________________
From: Rancid-discuss <rancid-discuss-bounces at www.shrubbery.net> on behalf of Chris <chris.weakland at gmail.com>
Sent: Wednesday, April 5, 2023 5:19:43 PM
To: heasley <heas at shrubbery.net>
Cc: rancid-discuss at www.shrubbery.net <rancid-discuss at www.shrubbery.net>
Subject: Re: [rancid] login script for PaloAlto PA850


Just wanted to add for the benefit of all, I like to edit my etc/rancid.types.conf and add a new “type”. Here is what the additional lines look like:

paloaltofw;script;rancid -t paloaltofw
paloaltofw;login;panlogin
paloaltofw;module;panos
paloaltofw;inloop;panos::inloop
paloaltofw;command;panos::ShowInfo;show system info
paloaltofw;command;panos::ShowInventory;show chassis inventory
paloaltofw;command;rancid::RunCommand;set cli config-output-format set
paloaltofw;command;rancid::RunCommand;configure
paloaltofw;command;panos::ShowConfig;show

This gives you a more human-readable configuration.

In your router.db you would need to add:

Firewall1.yourdomain.com;paloaltofw;up

Chris



From: heasley <heas at shrubbery.net>
Sent: Wednesday, April 5, 2023 4:03 PM
To: Chris Weakland <chris.weakland at gmail.com>
Cc: Anwar Durrani <durrani.anwar at gmail.com>; rancid-discuss at www.shrubbery.net
Subject: Re: [rancid] login script for PaloAlto PA850

Wed, Apr 05, 2023 at 07:21:17AM -0400, Chris Weakland:
> Palo Alto support has been built into Rancid for some time, no need for any
> additional scripts.  The device type is:  paloalto

indeed; there is also device type paloaltoxml for the xml config.

> Your router.db looks incorrect, it should be:
>
> Firewall1.yourdomain.com;paloalto;up

to be pedantic, additional fields are simply ignored.

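An added example, not code from rancid or from anyone in this thread: a small Python check that every router.db entry refers to a device type that is fully defined in rancid.types.conf, run before a backup job so a typo in the type name does not silently leave a firewall unbacked-up. The sample rancid.types.conf and router.db contents are constructed from the lines quoted above; the `halfdone` type and the `paloaltofwx` typo are constructed failure cases, and the set of required keys is an assumption about what a usable type needs, not rancid's own validation. Extra trailing router.db fields are ignored, as heasley notes.

```python
REQUIRED_KEYS = {"script", "login", "module", "inloop"}  # assumed minimum for a usable type
# Constructed sample: paloaltofw mirrors the thread; "halfdone" is deliberately incomplete.
TYPES_CONF = """\
paloaltofw;script;rancid -t paloaltofw
paloaltofw;login;panlogin
paloaltofw;module;panos
paloaltofw;inloop;panos::inloop
paloaltofw;command;panos::ShowInfo;show system info
paloaltofw;command;rancid::RunCommand;set cli config-output-format set
paloaltofw;command;rancid::RunCommand;configure
paloaltofw;command;panos::ShowConfig;show
halfdone;script;rancid -t halfdone
"""
ROUTER_DB = """\
Firewall1.yourdomain.com;paloaltofw;up
Firewall2.yourdomain.com;paloalto;up;extra fields are ignored
Firewall3.yourdomain.com;paloaltofwx;up
Firewall4.yourdomain.com;halfdone;down
"""

def parse_types(text):
    """Map each type to the keys it defines and its (function, command) pairs."""
    types = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, key, *rest = line.strip().split(";")
        entry = types.setdefault(name, {"keys": set(), "commands": []})
        if key == "command":  # value is "Perl::Function;cli command"
            entry["commands"].append((rest[0], ";".join(rest[1:])))
        else:
            entry["keys"].add(key)
    return types

def check(types_text, router_text, builtin=("paloalto", "paloaltoxml")):
    """One problem per router.db host whose type is undefined or incomplete."""
    types = parse_types(types_text)
    problems = []
    for line in router_text.splitlines():
        fields = line.strip().split(";")  # host;type;state[;ignored...]
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        host, dtype = fields[0], fields[1]
        if dtype in builtin:  # shipped with rancid itself, not checked here
            continue
        if dtype not in types:
            problems.append(f"{host}: type {dtype!r} is not defined")
        elif missing := REQUIRED_KEYS - types[dtype]["keys"]:
            problems.append(f"{host}: type {dtype!r} lacks {sorted(missing)}")
    return problems
```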
