Sat, Jul 20, 2019 at 12:29:19AM +0200, Erik Muller:
> On 7/19/19 22:32 , john heasley wrote:
> > Mon, Jul 15, 2019 at 10:30:42PM +0000, Gauthier, Chris:
> >> The only way in CLI to do a "show run" type of output in XML format is to
> >> execute the following commands. This holds true for both Panorama and
> >> Pan-OS (not managed by Panorama):
> >>
> >> User@Palo-Alto-FW> set cli config-output-format xml
> >> User@Palo-Alto-FW> configure
> >> Entering configuration mode
> >> [edit]
> >> User@Palo-Alto-FW# show
> >> <response status="success" code="19">
> >> <result total-count="1" count="1">
> >> <device-group>
> >> ****Truncated to hide my config****
> >>
> >> --Chris
> >
> > I am confused; please help me understand so that we wrap up this issue.
> >
> > There are two configs, the normal one in show config run, and one that
> > comes from panorama config (if in use) that is visible on the "panorama
> > clients" (my term) with show config merged.
>
> Correct. Each PANOS device that's managed via Panorama has a local
> persistent configuration that includes device-specific things like local
> management address, HA-pair, user accounts...
> Panorama stores in its config a bunch of rulesets and templates that can
> be applied to the managed devices; when it pushes those to a managed device
> they're merged at runtime into that device's live config, but not part of
> that box's actual local config.
>
> > the panorama (master) offers a cli, just like a panorama client, where
> > the panorama configuration can be viewed with 'show config run'.
> >
> > these configs can be dumped as xml or text. only xml can be loaded.
> >
> > Do I have all of this correct? I did not glean much useful info from the
> > palo alto website.
>
> all correct, TTBOMK.
> -e
>
Super; thanks. Is it sensible to collect all three? i.e. the xml of the base,
the base, and the merged.

>
> >
> >> -----Original Message-----
> >> From: Rancid-discuss <rancid-discuss-boun...@shrubbery.net> on behalf of
> >> john heasley <h...@shrubbery.net>
> >> Date: Monday, July 15, 2019 at 3:00 PM
> >> To: Erik Muller <er...@buh.org>
> >> Cc: "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net>
> >> Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid backup
> >>
> >> Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
> >>> On 7/12/19 14:15 , Gauthier, Chris wrote:
> >>>> Rancid configs for PAN can NOT be used to restore the config, unless you
> >>>> cut and paste the configuration. This is because the native config files
> >>>> are stored in XML format and that is the format the Palo Alto utilities
> >>>> expect when performing restorations.
> >>>
> >>> Having recently needed to deal with a bunch of PAs, I ran into that same
> >>> issue and ended up writing a tool (https://github.com/ermuller/bracematch)
> >>> to simplify the process.
> >>>
> >>> RE the other question about Panorama vs device configs, if you're backing
> >>> up your Panorama configuration (which has been fine via Rancid in my
> >>
> >> How are you backing the Panorama configuration? is that just another
> >> rancid 'paloalto' target?
> >>
> >>> experience) as well as the base config on the device, you don't need to
> >>> backup the merged configuration. And you probably shouldn't pull the
> >>> merged config, for restore purposes, as anything other than the local
> >>> device configuration will come from the Panorama templates once the device
> >>> is replaced. Of course, the merged config might still be convenient to
> >>> save to easily see the complete policy set active on a given box.
> >>>
> >>> -e
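An added check, not code from the thread, from RANCID or from Palo Alto Networks: it takes a captured session like the one Chris pasted, drops the prompt and mode-banner echo, and refuses to treat the capture as a backup unless the `<response>` wrapper is complete and reports status="success". The session text and its `<entry name="example-dg"/>` body are constructed.

```python
# Added example, not code from the thread, RANCID or Palo Alto Networks.
import xml.etree.ElementTree as ET

# Constructed session modelled on Chris's paste; the <entry> body is made up.
SAMPLE_SESSION = """\
User@Palo-Alto-FW> set cli config-output-format xml
User@Palo-Alto-FW> configure
Entering configuration mode
[edit]
User@Palo-Alto-FW# show
<response status="success" code="19">
<result total-count="1" count="1">
<device-group>
<entry name="example-dg"/>
</device-group>
</result>
</response>
[edit]
User@Palo-Alto-FW#
"""


class DumpError(Exception):
    """The capture cannot be trusted as a restorable backup."""


def extract_config(session: str) -> ET.Element:
    """Return the config element under <result>, or raise DumpError."""
    # Prompts, the mode banner and '[edit]' are CLI echo: keep only the XML.
    start = session.find("<response")
    if start < 0:
        raise DumpError("no <response> element in capture")
    end = session.find("</response>", start)
    if end < 0:
        # A dropped session or pager cut the output: never save a partial file.
        raise DumpError("capture truncated before </response>")
    xml_text = session[start:end + len("</response>")]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise DumpError(f"malformed XML: {exc}") from exc
    if root.tag != "response" or root.get("status") != "success":
        raise DumpError(f"device reported status={root.get('status')!r}")
    result = root.find("result")
    if result is None or len(result) == 0:
        raise DumpError("success response but <result> carries no config")
    return result[0]
```

Write `ET.tostring(extract_config(session))` to the backup file only when the call succeeds, so a truncated or failed dump never silently replaces the last good copy.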