Mailing List Archive

Palo Alto (Panorama) configuration
Hi All,

Another question: I just added a new PaloAlto to rancid (3.9), but not much
configuration is being backed up (not even interface addresses).
Does anything need to be changed/added to back up the entire configuration?

1.1.1.1;palo-alto;up

Thanks
Re: Palo Alto (Panorama) configuration [ In reply to ]
Wed, Jul 10, 2019 at 11:53:42AM +1000, annie lee:
> Hi All,
>
> Another question, just added a new PaloAlto to rancid (3.9) but not much
> configurations being backup (not even interfaces addresses)
> Anything need to be changed/added to backup the entire configuration ?
>
> 1.1.1.1;palo-alto;up

Please use the built-in type for PAN: paloalto. if that is still lacking,
please be more specific about what commands are missing. it collects

show system info;show chassis inventory;show config running

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
Re: Palo Alto (Panorama) configuration [ In reply to ]
Hi John,

Thanks for your reply, and apologies for the typo on the paloalto type.
(1.1.1.1;paloalto;up)
Below is the sample config for one of the firewall configs (removed all
the IP addresses).
Basically there are heaps more configs (routing, policy, NAT, virtual
router, etc.) I can see from the Panorama.
Not sure if it's similar to the F5 tweak where we need to add the partition to grab
the full configs.

Rgds

On Thu, Jul 11, 2019 at 7:42 AM john heasley <heas@shrubbery.net> wrote:

> Wed, Jul 10, 2019 at 11:53:42AM +1000, annie lee:
> > Hi All,
> >
> > Another question, just added a new PaloAlto to rancid (3.9) but not much
> > configurations being backup (not even interfaces addresses)
> > Anything need to be changed/added to backup the entire configuration ?
> >
> > 1.1.1.1;palo-alto;up
>
> Please use the built-in type for PAN: paloalto. if that is still lacking,
> please be more specific about what commands are missing. it collects
>
> show system info;show chassis inventory;show config running
>
Re: Palo Alto (Panorama) configuration [ In reply to ]
I tried to grab the configs from the Panorama and it's what I wanted :-)
Apologies, I'm pretty new to the paloalto and panorama device/setup.

Thanks, and glad I can back up the palo/panorama configs without any tweaking.

On Thu, Jul 11, 2019 at 9:23 AM annie lee <lsy.annie@gmail.com> wrote:

> Hi John,
>
> Thanks for your reply and apology for the typo on the paloalto type.
> (1.1.1.1;paloalto;up)
> Below are the sample config for one of the firewall configs (removed all
> the ip addresses).
> Basically there are heaps more configs (routing, policy, NAT, virtual
> router and etc...) i can see from the Panorama.
> Not sure its similar to F5 tweak that we need to add the partition to grab
> the full configs.
>
> Rgds
Re: Palo Alto (Panorama) configuration [ In reply to ]
I have run into the issues seen below, as we migrated to a fully-managed Panorama ecosystem in recent months. The output of the “show configuration running” (or whatever it is) is more limited on the managed device because (I believe) what is being shown is only the locally-managed configuration. I haven’t looked yet to see if there is a workaround.

--Chris


Chris Gauthier Senior Network Engineer | Comscore
t +1 (503) 331-2704 |
cgauthier@comscore.com
comscore.com
This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system and notify sender.
From: Rancid-discuss <rancid-discuss-bounces@shrubbery.net> on behalf of annie lee <lsy.annie@gmail.com>
Date: Wednesday, July 10, 2019 at 6:02 PM
To: john heasley <heas@shrubbery.net>
Cc: "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

i tried to grab the configs from the panorama and it's what i wanted :-)
apology, im pretty new to the paloalto and panorama device/setup.

thanks and glad i can backup the palo/panorama configs without any tweaking.

Re: Palo Alto (Panorama) configuration [ In reply to ]
You can use "show config merged" to see the local device's config merged with the templates from Panorama.

On Thu, Jul 11, 2019 at 02:19:00PM +0000, Gauthier, Chris wrote:
> I have run into the issues seen below, as we migrated to a fully-managed Panorama ecosystem in recent months. The output of the “show configuration running” (or whatever it is) is more limited on the managed device because (I believe) what is being shown is only the locally-managed configuration. I haven’t looked yet to see if there is a workaround.
>
> --Chris
Re: Palo Alto (Panorama) configuration [ In reply to ]
Thu, Jul 11, 2019 at 02:19:00PM +0000, Gauthier, Chris:
> I have run into the issues seen below, as we migrated to a fully-managed Panorama ecosystem in recent months. The output of the “show configuration running” (or whatever it is) is more limited on the managed device because (I believe) what is being shown is only the locally-managed configuration. I haven’t looked yet to see if there is a workaround.
>
> --Chris

I have no experience with these. If more commands are necessary, lmk.

Re: Palo Alto (Panorama) configuration [ In reply to ]
Thu, Jul 11, 2019 at 02:37:51PM +0000, Anderson, Charles R:
> You can use "show config merged" to see the local device's config merged with the templates from Panorama.

Does this work with "non-managed" (better term?) configs? And, was this
command introduced recently?

Re: Palo Alto (Panorama) configuration [ In reply to ]
Yes, the command "show config merged" gives the locally-managed config output AND the configuration that is pushed out by Panorama. I'll make a custom device type and see how this works in my environment. If it works, I'll post the results here. I will also test with a non-Panorama-managed system.

--Chris

-----Original Message-----
From: Rancid-discuss <rancid-discuss-bounces@shrubbery.net> on behalf of john heasley <heas@shrubbery.net>
Date: Thursday, July 11, 2019 at 8:17 AM
To: "Anderson, Charles R" <cra@wpi.edu>
Cc: "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Thu, Jul 11, 2019 at 02:37:51PM +0000, Anderson, Charles R:
> You can use "show config merged" to see the local device's config merged with the templates from Panorama.

Does this work with "non-managed" (better term?) configs? And, was this
command introduced recently?

Re: Palo Alto (Panorama) configuration [ In reply to ]
Just validated the ‘show config merged’ command works with any PA firewall, managed by Panorama or not.


From: Rancid-discuss <rancid-discuss-bounces@shrubbery.net> on behalf of "Gauthier, Chris" <cgauthier@comscore.com>
Date: Thursday, July 11, 2019 at 11:16 AM
To: john heasley <heas@shrubbery.net>, "Anderson, Charles R" <cra@wpi.edu>
Cc: "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Yes, the command "show config merged" gives the locally-managed config output AND the configuration that is pushed out by Panorama. I'll make a custom device type and see how this works in my environment. If it works, I'll post the results here. I will also test with a non-Panorama-managed system.

--Chris
Re: Palo Alto (Panorama) configuration [ In reply to ]
That's good to know about the new CLI (show config merged will grab everything
from the firewall and Panorama).
How do we add the CLI and diff to rancid?

On Fri, Jul 12, 2019 at 4:20 AM Gauthier, Chris <cgauthier@comscore.com>
wrote:

> Just validated the ‘show config merged’ command works with any PA
> firewall, managed by Panorama or not.
Re: Palo Alto (Panorama) configuration [ In reply to ]
I’m working through that right now.


From: annie lee <lsy.annie@gmail.com>
Date: Thursday, July 11, 2019 at 2:43 PM
To: "Gauthier, Chris" <cgauthier@comscore.com>
Cc: john heasley <heas@shrubbery.net>, "Anderson, Charles R" <cra@wpi.edu>, "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Thats good to know on the new cli (show config merged will grab everything from the firewall and panorama).
How do we add the cli and diff to rancid ??

Re: Palo Alto (Panorama) configuration [ In reply to ]
Hi Chris,

That's very kind of you to spend time doing that, and thanks for that.

Rgds

On Fri, Jul 12, 2019 at 8:51 AM Gauthier, Chris <cgauthier@comscore.com>
wrote:

> I’m working through that right now.
Re: Palo Alto (Panorama) configuration [ In reply to ]
I’m getting some interesting results in my testing.

Rancid Version: 3.7

I have a pair of PA-5050’s managed by Panorama that have been only getting the ‘show config running’ output (the limited output). I made a new device type in etc/rancid.types.conf:

panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;rancid::RunCommand;set cli scripting-mode on
panw;command;rancid::RunCommand;set cli pager off
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowConfig;show config merged

This works well for my test unit (PA-220, unmanaged), but I am having problems with the PA-5050’s.

For reference: Here is the device type of “paloalto” in etc/rancid.types.base:
paloalto;script;rancid -t paloalto
paloalto;login;panlogin
paloalto;module;panos
paloalto;inloop;panos::inloop
paloalto;command;rancid::RunCommand;set cli scripting-mode on
paloalto;command;rancid::RunCommand;set cli pager off
paloalto;command;panos::ShowInfo;show system info
paloalto;command;panos::ShowConfig;show config running

With the PA-5050’s, started with the following lines in router.db:
pa-1.example.com;paloalto;up;PA-5050 ha pair
pa-2.example.com;paloalto;up;PA-5050 ha pair

They’ve been getting the limited output because of the show config running command and that they’re managed by Panorama. I altered the router.db file to:
pa-1.example.com;panw;up;PA-5050 ha pair
pa-2.example.com;panw;up;PA-5050 ha pair

I got the email that said the original devices were deleted and the new devices were added.

- pa-1.example.com;paloalto;up;PA-5050
- pa-2.example.com;panw;paloalto;up;PA-5050
+ pa-1.example.com;panw;up;PA-5050
+ pa-2.example.com;panw;panw;up;PA-5050

I checked the config files after running rancid again a couple times and the config was unchanged. The output captured doesn’t seem to have changed. Next, I troubleshot it by doing ‘NOPIPE=yes rancid -d -t panw pa-1.example.com’ and reviewing the output. It captured everything cleanly, as far as I can tell. No errors. It’s like the diff is not catching the difference in output?

What might I try next?

--Chris



From: annie lee <lsy.annie@gmail.com>
Date: Thursday, July 11, 2019 at 4:00 PM
To: "Gauthier, Chris" <cgauthier@comscore.com>
Cc: john heasley <heas@shrubbery.net>, "Anderson, Charles R" <cra@wpi.edu>, "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Hi Chris,

Thats very kind of you to spend time doing that and thanks for that.

Rgds

On Fri, Jul 12, 2019 at 8:51 AM Gauthier, Chris <cgauthier@comscore.com<mailto:cgauthier@comscore.com>> wrote:
I’m working through that right now.

From: annie lee <lsy.annie@gmail.com>
Date: Thursday, July 11, 2019 at 2:43 PM
To: "Gauthier, Chris" <cgauthier@comscore.com>
Cc: john heasley <heas@shrubbery.net>, "Anderson, Charles R" <cra@wpi.edu>, "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

That's good to know on the new cli (show config merged will grab everything from the firewall and panorama).
How do we add the cli and diff to rancid?

On Fri, Jul 12, 2019 at 4:20 AM Gauthier, Chris <cgauthier@comscore.com> wrote:
Just validated the ‘show config merged’ command works with any PA firewall, managed by Panorama or not.

From: Rancid-discuss <rancid-discuss-bounces@shrubbery.net> on behalf of "Gauthier, Chris" <cgauthier@comscore.com>
Date: Thursday, July 11, 2019 at 11:16 AM
To: john heasley <heas@shrubbery.net>, "Anderson, Charles R" <cra@wpi.edu>
Cc: "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Yes, the command "show config merged" gives the locally-managed config output AND the configuration that is pushed out by Panorama. I'll make a custom device type and see how this works in my environment. If it works, I'll post the results here. I will also test with a non-Panorama-managed system.

--Chris
-----Original Message-----
From: Rancid-discuss <rancid-discuss-bounces@shrubbery.net> on behalf of john heasley <heas@shrubbery.net>
Date: Thursday, July 11, 2019 at 8:17 AM
To: "Anderson, Charles R" <cra@wpi.edu>
Cc: "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Thu, Jul 11, 2019 at 02:37:51PM +0000, Anderson, Charles R:
> You can use "show config merged" to see the local device's config merged with the templates from Panorama.

Does this work with "non-managed" (better term?) configs? And, was this
command introduced recently?

Re: Palo Alto (Panorama) configuration [ In reply to ]
So, if you look at my posting below, I made a rather dumb copy/paste error in my ‘panw’ definition. The first line should read:

panw;script;rancid -t paloalto

not:
panw;script;rancid -t paloalto


Thanks to Heasley for pointing that out! I would have not seen that for a while. Having changed the line as shown above, the ‘show config merged’ now works great on Panorama-managed and non-managed PA devices.

--Chris

Chris Gauthier Senior Network Engineer | Comscore
t +1 (503) 331-2704 |
cgauthier@comscore.com
comscore.com
From: Rancid-discuss <rancid-discuss-bounces@shrubbery.net> on behalf of "Gauthier, Chris" <cgauthier@comscore.com>
Date: Friday, July 12, 2019 at 9:24 AM
To: annie lee <lsy.annie@gmail.com>
Cc: "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] Palo Alto (Panorama) configuration

I’m getting some interesting results in my testing.

Rancid Version: 3.7

I have a pair of PA-5050’s managed by Panorama that have been only getting the ‘show config running’ output (the limited output). I made a new device type in etc/rancid.types.conf:

panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;rancid::RunCommand;set cli scripting-mode on
panw;command;rancid::RunCommand;set cli pager off
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowConfig;show config merged

This works well for my test unit (PA-220, unmanaged), but I am having problems with the PA-5050’s.

For reference: Here is the device type of “paloalto” in etc/rancid.types.base:
paloalto;script;rancid -t paloalto
paloalto;login;panlogin
paloalto;module;panos
paloalto;inloop;panos::inloop
paloalto;command;rancid::RunCommand;set cli scripting-mode on
paloalto;command;rancid::RunCommand;set cli pager off
paloalto;command;panos::ShowInfo;show system info
paloalto;command;panos::ShowConfig;show config running

With the PA-5050’s, started with the following lines in router.db:
pa-1.example.com;paloalto;up;PA-5050 ha pair
pa-2.example.com;paloalto;up;PA-5050 ha pair

They’ve been getting the limited output because of the show config running command and that they’re managed by Panorama. I altered the router.db file to:
pa-1.example.com;panw;up;PA-5050 ha pair
pa-2.example.com;panw;up;PA-5050 ha pair

I got the email that said the original devices were deleted and the new devices were added.

- pa-1.example.com;paloalto;up;PA-5050
- pa-2.example.com;panw;paloalto;up;PA-5050
+ pa-1.example.com;panw;up;PA-5050
+ pa-2.example.com;panw;panw;up;PA-5050

I checked the config files after running rancid again a couple times and the config was unchanged. The output captured doesn’t seem to have changed. Next, I troubleshot it by doing ‘NOPIPE=yes rancid -d -t panw pa-1.example.com’ and reviewing the output. It captured everything cleanly, as far as I can tell. No errors. It’s like the diff is not catching the difference in output?

What might I try next?

--Chris


Re: Palo Alto (Panorama) configuration [ In reply to ]
Hi Chris,

I've made similar changes on v3.9 but am not getting the new 'merged' config
based on yours.
Below is the panw code I added:

panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowInventory;show chassis inventory
panw;command;panos::ShowConfig;show config merged

Unfortunately it still didn't capture the panorama configs.

On Sat, Jul 13, 2019 at 3:58 AM Gauthier, Chris <cgauthier@comscore.com>
wrote:

> So, if you look at my posting below, I made a rather dumb copy/paste error
> in my ‘panw’ definition. The first line should read:
>
> panw;script;rancid -t paloalto
>
> not:
>
> panw;script;rancid -t paloalto
>
> Thanks to Heasley for pointing that out! I would have not seen that for a
> while. Having changed the line as shown above, the ‘show config merged’
> now works great on Panorama-managed and non-managed PA devices.
>
> --Chris
Re: Palo Alto (Panorama) configuration [ In reply to ]
So, once again, cut and paste bit me…. My sincere apologies.

Change the first line to read:

panw;script;rancid -t panw



Chris Gauthier Senior Network Engineer | Comscore
t +1 (503) 331-2704 |
cgauthier@comscore.com
comscore.com
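
A lint for the mistake this thread ends on, as an added example that is not part of the original posts or of RANCID itself: it flags a custom type whose `script` line passes a different type to `-t`, and router.db lines whose type or state field looks wrong. The sample inputs are constructed from lines quoted in the thread; the function names and the pa-3 row are assumptions made for illustration, and the state check is a heuristic.

```python
import shlex

# Constructed sample: the 'panw' definition as first posted in this thread.
TYPES_CONF = """\
panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;rancid::RunCommand;set cli scripting-mode on
panw;command;rancid::RunCommand;set cli pager off
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowConfig;show config merged
"""

# Constructed sample: rows 1-2 follow lines quoted in the thread, row 3 is
# a hypothetical device using the misspelled type from the first post.
ROUTER_DB = """\
pa-1.example.com;panw;up;PA-5050 ha pair
pa-2.example.com;panw;panw;up;PA-5050
pa-3.example.com;palo-alto;up
"""


def parse_types(text):
    """Return {type: {"script": str or None, "commands": [cli, ...]}}."""
    types = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")          # type;directive;value[;value]
        if len(fields) < 3:
            continue
        name, directive = fields[0], fields[1]
        entry = types.setdefault(name, {"script": None, "commands": []})
        if directive == "script":
            entry["script"] = ";".join(fields[2:])
        elif directive == "command" and len(fields) >= 4:
            # fields[2] is the handler, the rest is the CLI command
            entry["commands"].append(";".join(fields[3:]))
    return types


def script_type(script):
    """Return the argument given to -t in a script line, or None."""
    args = shlex.split(script or "")
    for i, arg in enumerate(args):
        if arg == "-t" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("-t") and len(arg) > 2:
            return arg[2:]
    return None


def lint_types(types):
    """Flag types whose script line hands a different type to rancid -t."""
    findings = []
    for name, entry in sorted(types.items()):
        target = script_type(entry["script"])
        if target is not None and target != name:
            findings.append(
                f"{name}: script runs 'rancid -t {target}', so the commands "
                f"listed under '{name}' are not the ones collected")
    return findings


def lint_router_db(text, known_types):
    """Flag router.db rows with an unknown type or an unexpected state."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")          # name;type;state[;comment]
        if len(fields) < 3:
            findings.append(f"router.db:{lineno}: expected name;type;state")
            continue
        host, dev_type, state = fields[0], fields[1], fields[2]
        if dev_type not in known_types:
            findings.append(
                f"router.db:{lineno}: {host} uses undefined type '{dev_type}'")
        if state.lower() not in ("up", "down"):
            findings.append(
                f"router.db:{lineno}: {host} has state '{state}', not 'up'")
    return findings


if __name__ == "__main__":
    parsed = parse_types(TYPES_CONF)
    # 'paloalto' is the built-in type named in the thread.
    known = set(parsed) | {"paloalto"}
    for finding in lint_types(parsed) + lint_router_db(ROUTER_DB, known):
        print(finding)
```

With the first line changed to `panw;script;rancid -t panw`, as in the message above, `lint_types` returns no findings.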
Re: Palo Alto (Panorama) configuration [ In reply to ]
Hello Matsu,

Thank you for your answer.

I have not tried panlogin with multiple commands, but I think it should work the way you describe it. My main point was that when I run /usr/local/rancid/bin/rancid-run to have the config-differ based on the output delivered by these new palo alto commands. Out-of-the-box Rancid accomplishes that for 'show system info' and 'show config running' only.

Have a great day!

Best regards,


Andreia-Elena Abagiu

andreia-elena.abagiu@apa.at
www.apa-it.at