Mailing List Archive

Restore a Palo Alto Firewall from a Rancid backup
Hi

Has anyone used a backup from Rancid to restore a Palo Alto Firewall?

If so, how have you done it? (I have the backup but it does not appear to be in the correct format)

I have searched the discussion but cannot seem to find the answer. Any help would be appreciated.

Regards

Stu
Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
Thu, Jul 04, 2019 at 08:23:51AM +0000, STUART WALTON:
> Hi
>
> Has anyone used a backup from Rancid to restore a Palo Alto Firewall?
>
> If so how have you done it? (I have the backup but it does not appear to be in the correct format)
>
> I have searched the discussion but cannot seem to find the answer. Any help would be appreciated.

I do not know much of anything about PAN devices. However, be aware that,
depending upon your rancid configuration, passwords may be removed. Also,
see the FAQ S1 Q5 for another caveat that may apply to PAN.

Also, include the error you received when attempting to load the config.
It might provide a clue to someone with more experience with PAN.

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
Rancid configs for PAN can NOT be used to restore the config, unless you cut and paste the configuration. This is because the native config files are stored in XML format and that is the format the Palo Alto utilities expect when performing restorations.

--Chris
Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
Fri, Jul 12, 2019 at 06:15:39PM +0000, Gauthier, Chris:
> Rancid configs for PAN can NOT be used to restore the config, unless you cut and paste the configuration. This is because the native config files are stored in XML format and that is the format the Palo Alto utilities expect when performing restorations.
>

so, store both in rancid. what is the cmd to retrieve the xml format?

Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
It’s not XML, it’s JSON if I understand where you’re going with this.

From exec mode:
set cli config-output-format default

Also other variables here can be set for set form and other formats, which you can select and display with a ? in the config-output-format parameter field.

Thanks


Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
Exported config files are in XML format. Here is a link to the documentation. Nowhere in their documentation does it reference using JSON as the format for import/export.

Also, Palo Alto has a "scheduled export" facility, especially if you are using Panorama. We use RANCiD to track the changes more than anything, but use the utility to auto-export configs.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-configuration-backups/save-and-export-firewall-configurations.html

--Chris
Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
On 7/12/19 14:15 , Gauthier, Chris wrote:
> Rancid configs for PAN can NOT be used to restore the config, unless you
> cut and paste the configuration. This is because the native config files
> are stored in XML format and that is the format the Palo Alto utilities
> expect when performing restorations.

Having recently needed to deal with a bunch of PAs, I ran into that same
issue and ended up writing a tool (https://github.com/ermuller/bracematch)
to simplify the process.

RE the other question about Panorama vs device configs, if you're backing
up your Panorama configuration (which has been fine via Rancid in my
experience) as well as the base config on the device, you don't need to
back up the merged configuration. And you probably shouldn't pull the
merged config, for restore purposes, as anything other than the local
device configuration will come from the Panorama templates once the device
is replaced. Of course, the merged config might still be convenient to
save to easily see the complete policy set active on a given box.

-e

Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
We haven’t bothered with Panorama much because unlike the firewalls themselves the Panorama interface is very poor with screen readers and other accessibility technologies used.

In AWS we do a lot of exporting of configs and use S3 to bootstrap the virtual appliances, so there may be a difference in what I’m working with. We can edit the configs in S3 and they can be automatically imported or grabbed on boot. On the hardware though I thought it was selectable. I’ll review the link you sent, thank you.

Just queried my PA and the choices I have to export or import configs are JSON, XML, SET or Default, which looks like JSON to me, so not sure why that’s duplicated. I am just setting the CLI variable; I assume you’re using a different mechanism that’s different.

Thanks


If you’re connecting via SSH and pulling the config, I don’t see why you couldn’t set it to whatever format you wanted and then push with the correct flag set at the head of the request.



Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
Yes, you can export the different formats, but the restore expects XML, in my experience. Also, for those using Panorama, Erik’s advice to rely on Panorama is sound. Been there, done that, don’t want to restore again, but it worked!

--Chris
Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
> On 7/12/19 14:15 , Gauthier, Chris wrote:
> > Rancid configs for PAN can NOT be used to restore the config, unless you
> > cut and paste the configuration. This is because the native config files
> > are stored in XML format and that is the format the Palo Alto utilities
> > expect when performing restorations.
>
> Having recently needed to deal with a bunch of PAs, I ran into that same
> issue and ended up writing a tool (https://github.com/ermuller/bracematch)
> to simplify the process.
>
> RE the other question about Panorama vs device configs, if you're backing
> up your Panorama configuration (which has been fine via Rancid in my

How are you backing up the Panorama configuration? Is that just another
rancid 'paloalto' target?

> experience) as well as the base config on the device, you don't need to
> backup the merged configuration. And you probably shouldn't pull the
> merged config, for restore purposes, as anything other than the local
> device configuration will come from the Panorama templates once the device
> is replaced. Of course, the merged config might still be convenient to
> save to easily see the complete policy set active on a given box.
>
> -e
>
Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
The only way in the CLI to get a "show run" type of output in XML format is to execute the following commands. This holds true for both Panorama and PAN-OS (not managed by Panorama):

User@Palo-Alto-FW> set cli config-output-format xml
User@Palo-Alto-FW> configure
Entering configuration mode
[edit]
User@Palo-Alto-FW# show
<response status="success" code="19">
<result total-count="1" count="1">
<device-group>
****Truncated to hide my config****

--Chris
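Given the thread's two findings (rancid stores text by default, while the CLI's XML output is wrapped in a response envelope), a small checker for a collected file before anyone relies on it for a restore. This is an added example, not code from the thread, the rancid project or Palo Alto; it assumes rancid prefixes its own lines with '#' or '!', writes '<removed>' where it filtered a secret, and that a restorable export is a document whose root is <config>; all sample inputs are constructed.

```python
"""Check a Rancid-collected PAN-OS config before relying on it for a restore."""
import re
import xml.etree.ElementTree as ET

# assumption: the token rancid writes in place of a filtered secret
PASSWORD_PLACEHOLDER = "<removed>"


def strip_rancid_header(text):
    """Drop rancid's own comment lines (assumed to start with '#' or '!')."""
    kept = [ln for ln in text.splitlines() if not ln.startswith(("#", "!"))]
    return "\n".join(kept) + "\n"


def detect_format(text):
    """'xml', 'set' (set commands), 'braces' (the CLI 'default' output) or 'unknown'."""
    body = text.lstrip()
    if body.startswith("<"):
        return "xml"
    if re.match(r"set\s", body):
        return "set"
    if re.search(r"^\S.*\{\s*$", body, re.M):
        return "braces"
    return "unknown"


def unwrap_cli_envelope(xml_text):
    """Return the payload element of 'set cli config-output-format xml' + 'show'.

    The CLI wraps its output in <response status=...><result ...>; an export
    file meant for import has no such envelope. Raises ValueError on an
    error response or an empty result.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        return root  # already a bare document
    if root.get("status") != "success":
        raise ValueError(f"CLI returned status={root.get('status')!r}")
    result = root.find("result")
    if result is None or len(result) == 0:
        raise ValueError("no payload under <response><result>")
    return result[0]


def check_backup(text):
    """Report whether the collected file can feed a PAN-OS restore, and why not."""
    body = strip_rancid_header(text)
    report = {"format": detect_format(body), "restorable": False, "root": None,
              "xml": None, "filtered_secrets": text.count(PASSWORD_PLACEHOLDER),
              "issues": []}
    if report["format"] != "xml":
        report["issues"].append(f"{report['format']} output cannot be imported; only XML loads")
    else:
        try:
            elem = unwrap_cli_envelope(body)
        except (ET.ParseError, ValueError) as exc:
            report["issues"].append(f"not usable XML: {exc}")
        else:
            report["root"] = elem.tag
            if elem.tag == "config":  # assumption: a restorable export is a <config> document
                report["restorable"] = True
                report["xml"] = ET.tostring(elem, encoding="unicode")
            else:
                report["issues"].append(f"root is <{elem.tag}>, not a whole <config> document")
    if report["filtered_secrets"]:
        report["issues"].append(f"{report['filtered_secrets']} secret(s) filtered by rancid; "
                                "a restore from this file lacks them")
    return report


# --- constructed samples, not real device output ---
SAMPLE_SET = """#RANCID-CONTENT-TYPE: paloalto
set deviceconfig system hostname fw-edge-1
set mgt-config users admin phash <removed>
"""
SAMPLE_CLI_XML = """<response status="success" code="19">
<result total-count="1" count="1">
<config version="8.1.0" urldb="paloaltonetworks">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system><hostname>fw-edge-1</hostname></system></deviceconfig>
  </entry></devices>
</config>
</result>
</response>
"""
# like the truncated session above: <device-group> straight under <result>
SAMPLE_FRAGMENT_XML = """<response status="success" code="19">
<result total-count="1" count="1">
<device-group><entry name="branch-sites"/></device-group>
</result>
</response>
"""

if __name__ == "__main__":
    for name, sample in [("set", SAMPLE_SET), ("cli-xml", SAMPLE_CLI_XML),
                         ("fragment", SAMPLE_FRAGMENT_XML)]:
        r = check_backup(sample)
        print(f"{name:8} {r['format']:5} restorable={r['restorable']} "
              f"root={r['root']} {r['issues']}")
```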
Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
Mon, Jul 15, 2019 at 10:30:42PM +0000, Gauthier, Chris:
> The only way in CLI to do a "show run" type of output in XML format is to execute the following commands. This holds true for both Panorama and Pan-OS (not managed by Panorama):
>
> User@Palo-Alto-FW> set cli config-output-format xml
> User@Palo-Alto-FW> configure
> Entering configuration mode
> [edit]
> User@Palo-Alto-FW# show
> <response status="success" code="19">
> <result total-count="1" count="1">
> <device-group>
> ****Truncated to hide my config****
>
> --Chris

I am confused; please help me understand so that we wrap up this issue.

There are two configs, the normal one in show config run, and one that
comes from Panorama config (if in use) that is visible on the "panorama
clients" (my term) with show config merged.

The Panorama (master) offers a CLI, just like a Panorama client, where
the Panorama configuration can be viewed with 'show config run'.

These configs can be dumped as XML or text. Only XML can be loaded.

Do I have all of this correct? I did not glean much useful info from the
Palo Alto website.

thanks

Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
On 7/16/19 0:00 , john heasley wrote:
> Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
>> On 7/12/19 14:15 , Gauthier, Chris wrote:
>>> Rancid configs for PAN can NOT be used to restore the config, unless you
>>> cut and paste the configuration. This is because the native config files
>>> are stored in XML format and that is the format the Palo Alto utilities
>>> expect when performing restorations.
>>
>> Having recently needed to deal with a bunch of PAs, I ran into that same
>> issue and ended up writing a tool (https://github.com/ermuller/bracematch)
>> to simplify the process.
>>
>> RE the other question about Panorama vs device configs, if you're backing
>> up your Panorama configuration (which has been fine via Rancid in my
>
> How are you backing the Panorama configuration? is that just another
> rancid 'paloalto' target?

Exactly, the Panorama instance just looks like another PANOS device, with
the same basic CLI. All the configuration rules and templates that are
deployed to the managed devices are stored as just a normal part of the
Panorama box's standard config, so from a rancid perspective it's just
another normal paloalto box, and Just Works (AFAICT - I've not checked it
closely, but it appears to be complete).
-e

Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
On 7/19/19 22:32 , john heasley wrote:
> Mon, Jul 15, 2019 at 10:30:42PM +0000, Gauthier, Chris:
>> The only way in CLI to do a "show run" type of output in XML format is to execute the following commands. This holds true for both Panorama and Pan-OS (not managed by Panorama):
>>
>> User@Palo-Alto-FW> set cli config-output-format xml
>> User@Palo-Alto-FW> configure
>> Entering configuration mode
>> [edit]
>> User@Palo-Alto-FW# show
>> <response status="success" code="19">
>> <result total-count="1" count="1">
>> <device-group>
>> ****Truncated to hide my config****
>>
>> --Chris
>
> I am confused; please help me understand so that we wrap-up this issue.
>
> There are two configs, the normal one in show config run, and one that
> comes from panorama config (if in use) that is visible on the "panorama
> clients" (my term) with show config merged.

Correct. Each PANOS device that's managed via Panorama has a local
persistent configuration that includes device-specific things like local
management address, HA-pair, user accounts...
Panorama stores in its config a bunch of rulesets and templates that can
be applied to the managed devices; when it pushes those to a managed device
they're merged at runtime into that device's live config, but not part of
that box's actual local config.

> the panorama (master) offers a cli, just like a panorama client, where
> the panorama configuration can be viewed with 'show config run'.
>
> these configs can be dumped as xml or text. only xml can be loaded.
>
> Do i have all of this correct? I did not glean much useful info from the
> palo alto website.

all correct, TTBOMK.
-e

Re: Restore a Palo Alto Firewall from a Rancid backup [ In reply to ]
Sat, Jul 20, 2019 at 12:29:19AM +0200, Erik Muller:
> On 7/19/19 22:32 , john heasley wrote:
> > Mon, Jul 15, 2019 at 10:30:42PM +0000, Gauthier, Chris:
> >> The only way in CLI to do a "show run" type of output in XML format is to execute the following commands. This holds true for both Panorama and Pan-OS (not managed by Panorama):
> >>
> >> User@Palo-Alto-FW> set cli config-output-format xml
> >> User@Palo-Alto-FW> configure
> >> Entering configuration mode
> >> [edit]
> >> User@Palo-Alto-FW# show
> >> <response status="success" code="19">
> >> <result total-count="1" count="1">
> >> <device-group>
> >> ****Truncated to hide my config****
> >>
> >> --Chris
> >
> > I am confused; please help me understand so that we wrap-up this issue.
> >
> > There are two configs, the normal one in show config run, and one that
> > comes from panorama config (if in use) that is visible on the "panorama
> > clients" (my term) with show config merged.
>
> Correct. Each PANOS device that's managed via Panorama has a local
> persistent configuration that includes device-specific things like local
> management address, HA-pair, user accounts...
> Panorama stores in it's config a bunch of rulesets and templates that can
> be applied to the managed devices; when it pushes those to a managed device
> they're merged at runtime into that device's live config, but not part of
> that box's actual local config.
>
> > the panorama (master) offers a cli, just like a panorama client, where
> > the panorama configuration can be viewed with 'show config run'.
> >
> > these configs can be dumped as xml or text. only xml can be loaded.
> >
> > Do i have all of this correct? I did not glean much useful info from the
> > palo alto website.
>
> all correct, TTBOMK.
> -e
>

Super; thanks.

Is it sensible to collect all three? I.e., the XML of the base, the base,
and the merged.
