Mailing List Archive

Palo Alto XML backups - sort of solved
I remember this being discussed several times here - Palo Alto's PANOS only emits JSON-formatted config when you run "show config running", which cannot be used to restore the device from scratch.

You can (at least as of v9.x) convince "show config running" to emit XML, you need the "set cli op-command-xml-output on" command first, then "show config running".

It's not very useful to humans, e.g. email diffs become utterly useless, but it IS usable for restoring a firewall from scratch.

I documented this in slightly deeper detail at https://github.com/ytti/oxidized/issues/440#issuecomment-914517884 on the "other" project, don't feel like re-typing it all.

Hopefully that helps someone...

-Adam

Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athompson@merlin.mb.ca
www.merlin.mb.ca
Re: Palo Alto XML backups - sort of solved
Tue, Sep 07, 2021 at 06:28:39PM +0000, Adam Thompson:
> I remember this being discussed several times here - Palo Alto's PANOS only emits JSON-formatted config when you run "show config running", which cannot be used to restore the device from scratch.
>
> You can (at least as of v9.x) convince "show config running" to emit XML, you need the "set cli op-command-xml-output on" command first, then "show config running".
>
> It's not very useful to humans, e.g. email diffs become utterly useless, but it IS usable for restoring a firewall from scratch.
>
> I documented this in slightly deeper detail at https://github.com/ytti/oxidized/issues/440#issuecomment-914517884 on the "other" project, don't feel like re-typing it all.

Hey, thanks for the note.

This could be done in rancid like this:

diff --git a/etc/rancid.types.base b/etc/rancid.types.base
index 30e90477..a55c61ed 100644
--- a/etc/rancid.types.base
+++ b/etc/rancid.types.base
@@ -777,6 +777,7 @@ paloalto;module;panos
paloalto;inloop;panos::inloop
paloalto;command;panos::ShowInfo;show system info
paloalto;command;panos::ShowInventory;show chassis inventory
+paloalto;command;rancid::RunCommand;set cli op-command-xml-output on
paloalto;command;panos::ShowConfig;show config running
#
redback;script;rrancid
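
Review bot: the added rancid::RunCommand line changes the CLI output mode for every command that follows it in the session, and nothing in the file records that or says that its position matters. It has to stay after "show system info" and "show chassis inventory" so those keep their usual output, and before panos::ShowConfig; a "#" comment above the new line stating this would stop a later reorder or an appended command from silently changing format. The hunk also leaves the mode switched on after "show config running", so consider adding a line that restores the previous mode, and confirm that panos::ShowConfig handles XML input, since the line feeding it is unchanged.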

Could also collect both.

That will not maintain the password filtering that is normally done with
the json output, though code could be added to do that.

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@www.shrubbery.net
https://www.shrubbery.net/mailman/listinfo/rancid-discuss
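
The reply above notes that collecting the XML output loses the password filtering normally applied to the config. One way such a filter could look, as an added example (Python, not rancid's code and not from either poster); the element names in `SECRET_TAGS` and the sample config are assumptions constructed for illustration and need checking against a real device export:

```python
import xml.etree.ElementTree as ET

# Assumed names of secret-bearing leaf elements; verify against your own export.
SECRET_TAGS = {"phash", "password", "private-key", "key", "bind-password", "secret"}
PLACEHOLDER = "REDACTED"

# Constructed sample, not taken from a real firewall.
SAMPLE = """<config version="9.1.0">
  <mgt-config>
    <users>
      <entry name="admin">
        <phash>$1$constructed$hashvalue</phash>
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
  <shared>
    <certificate>
      <entry name="constructed-cert">
        <private-key>CONSTRUCTED-KEY-MATERIAL</private-key>
      </entry>
    </certificate>
  </shared>
</config>"""


def redact_config(xml_text, secret_tags=SECRET_TAGS):
    """Replace the text of secret leaf elements.

    Returns (redacted_xml, paths) where paths lists every element that was
    changed, so the result can be audited before it is committed.
    """
    root = ET.fromstring(xml_text)
    redacted = []

    def walk(elem, path):
        name = elem.get("name")
        here = f"{path}/{elem.tag}" + (f"[{name}]" if name else "")
        # Only leaves with real text: containers that share a tag name are kept.
        if elem.tag in secret_tags and len(elem) == 0 and (elem.text or "").strip():
            elem.text = PLACEHOLDER
            redacted.append(here)
        for child in elem:
            walk(child, here)

    walk(root, "")
    return ET.tostring(root, encoding="unicode"), redacted


if __name__ == "__main__":
    _, changed = redact_config(SAMPLE)
    print("\n".join(changed))
```

The redacted copy suits version control and e-mailed diffs; a copy meant for restoring a device would have to keep the secrets and be stored under tighter access control.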