Mailing List Archive

login script for PaloAlto PA850
Hi Team,

For the past week, I have been trying to configure PA-850 firewalls in rancid.
Since I am new to rancid, I was not aware of the complete and right procedure
for how to do it, and later I came across several articles on the internet.
Now, I found a very old panrancid script which ends up with the error
below.
I am running PAN-OS Version 10.1.7

Can't use 'defined(%hash)' (Maybe you should just omit the defined()?) at
/usr/lib/rancid/bin/panrancid line 53.

My configuration files look as below

cat /var/lib/rancid/firewalls/router.db
firewall1.<domain-name>.com.com;paloalto;up;

cat /etc/rancid/rancid.types.conf
paloalto;script;panrancid

Where I have the panrancid file under /var/lib/rancid/bin directory

(I am running ubuntu 22.02)

cat /var/lib/rancid/firewalls/routers.up
firewall1;paloalto

Where am I wrong?

--
Thanks & regards,
Anwar M. Durrani
+91-9923205011
<http://in.linkedin.com/pub/anwar-durrani/20/b55/60b>
Re: login script for PaloAlto PA850 [ In reply to ]
Palo Alto support has been built into Rancid for some time, no need for any additional scripts. The device type is: paloalto
Your router.db looks incorrect, it should be:
Firewall1.yourdomain.com;paloalto;up

Chris
On Apr 5, 2023, at 1:16 AM, Anwar Durrani <durrani.anwar@gmail.com> wrote:



_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@www.shrubbery.net
https://www.shrubbery.net/mailman/listinfo/rancid-discuss
Re: login script for PaloAlto PA850 [ In reply to ]
Wed, Apr 05, 2023 at 07:21:17AM -0400, Chris Weakland:
> Palo Alto support has been built into Rancid for some time, no need for any
> additional scripts. The device type is: paloalto

indeed; there is also device type paloaltoxml for the xml config.

> Your router.db looks incorrect, it should be:
>
> Firewall1.yourdomain.com;paloalto;up

to be pedantic, additional fields are simply ignored.

Re: login script for PaloAlto PA850 [ In reply to ]
Just wanted to add for the benefit of all, I like to edit my etc/rancid.types.conf and add a new “type”. Here is what the additional lines look like:

paloaltofw;script;rancid -t paloaltofw
paloaltofw;login;panlogin
paloaltofw;module;panos
paloaltofw;inloop;panos::inloop
paloaltofw;command;panos::ShowInfo;show system info
paloaltofw;command;panos::ShowInventory;show chassis inventory
paloaltofw;command;rancid::RunCommand;set cli config-output-format set
paloaltofw;command;rancid::RunCommand;configure
paloaltofw;command;panos::ShowConfig;show

This gives you a more human readable configuration.

In your router.db you would need to add:

Firewall1.yourdomain.com;paloaltofw;up

Chris



From: heasley
Sent: Wednesday, April 5, 2023 4:03 PM
To: Chris Weakland
Cc: Anwar Durrani; rancid-discuss@www.shrubbery.net
Subject: Re: [rancid] login script for PaloAlto PA850



Re: login script for PaloAlto PA850 [ In reply to ]
Thanks heasley for reaching out, yes I have intentionally taken off the domain
part for security reasons

On Thu, 6 Apr 2023 at 01:33, heasley <heas@shrubbery.net> wrote:

> Wed, Apr 05, 2023 at 07:21:17AM -0400, Chris Weakland:
> > Palo Alto support has been built into Rancid for some time, no need for any
> > additional scripts. The device type is: paloalto
>
> indeed; there is also device type paloaltoxml for the xml config.
>
> > Your router.db looks incorrect, it should be:
> >
> > Firewall1.yourdomain.com;paloalto;up
>
> to be pedantic, additional fields are simply ignored.
>


--
Thanks & regards,
Anwar M. Durrani
+91-9923205011
<http://in.linkedin.com/pub/anwar-durrani/20/b55/60b>
Re: login script for PaloAlto PA850 [ In reply to ]
Thanks, Chris for your prompt response.

I am putting the complete procedure step by step so that everyone can easily
understand

# Configure PaloAlto Firewall on rancid server
Rancid Version : 3.13-1 [apt list | grep rancid]
OS Version : Ubuntu 22.04.2 LTS [lsb_release -a]

1. Make changes in rancid main configuration /etc/rancid/rancid.conf

    add firewalls (whatever name you would like to keep)
    LIST_OF_GROUPS="routers switches waps firewalls"; export LIST_OF_GROUPS

2. For the changes in configuration to take effect, run the below command, but you
have to be the rancid user first

    su - rancid
    /usr/lib/rancid/bin/rancid-run

3. Make change in configuration file and add device

    vim /var/lib/rancid/firewalls/router.db

    add following line

    firewall1.your-domain.com;paloalto;up;

4. Make changes in

    vim /var/lib/rancid/firewalls/routers.up

    add below line

    firewall1.your-domain.com;paloalto

5. Make changes in vim /etc/rancid/rancid.types.base

    add lines below

    paloalto;login;plogin
    paloalto;module;panos
    paloalto;inloop;panos::inloop
    paloalto;command;panos::ShowInfo;show system info
    paloalto;command;panos::ShowInventory;show chassis inventory
    paloalto;command;panos::ShowConfig;show config merged

6. Make changes in vim /etc/rancid/rancid.types.conf

    # This is for PaloAlto Firewall
    paloalto;script;panrancid

7. Make changes in vim /etc/rancid/rancid.types.conf

    add lines as below

    # This is for PaloAlto Firewall
    paloalto;script;panrancid

8. Enable email configuration

    vim /etc/aliases

    add lines below

    rancid-firewalls: infra-alerts@your-domain.com
    rancid-firewalls-admin: infra-alerts@your-domain.com

    # Run below command to take into effect
    newaliases

# You must have panos, panrancid & plogin files present under
/var/lib/rancid/bin

On Thu, 6 Apr 2023 at 03:49, Chris <chris.weakland@gmail.com> wrote:



--
Thanks & regards,
Anwar M. Durrani
+91-9923205011
<http://in.linkedin.com/pub/anwar-durrani/20/b55/60b>
Re: login script for PaloAlto PA850 [ In reply to ]
Just a reminder that the "set" output cannot always be uploaded directly to a PA in a disaster scenario, only the XML can be used for that. You can try to paste in the "set" output through either the serial port or an SSH session once you have a network, but that is known to not always work 100% on all versions of PAN-OS. (The commands are not always generated in the correct order, and outright circular dependencies often exist.)

OTOH, good luck having a human read and understand XML or JSON diffs, so you're kind of stuck between a rock and a hard place...

We used to solve this by backing up the same config twice, once in each format. PITA but it worked.

If you also have and use Palo Alto's Panorama product to manage your firewalls, you may as well disregard everything I've just said, it changes the rules of the game completely anyway. Its config can be captured via SSH in "set" format like a firewall, which is still useful for human analysis. (Make sure your timeouts are high, though - my Panorama instance takes about 20min to dump ~0.7M lines in "set" format!)

Source: currently in year 4 of a love-hate, no wait, more like a need-hate, relationship with Panorama.

-Adam

From: Rancid-discuss <rancid-discuss-bounces@www.shrubbery.net> on behalf of Chris <chris.weakland@gmail.com>
Sent: Wednesday, April 5, 2023 5:19:43 PM
To: heasley <heas@shrubbery.net>
Cc: rancid-discuss@www.shrubbery.net <rancid-discuss@www.shrubbery.net>
Subject: Re: [rancid] login script for PaloAlto PA850


Re: login script for PaloAlto PA850 [ In reply to ]
I think you can remove step 4, in my experience it should not be needed



Chris



From: Anwar Durrani
Sent: Thursday, April 6, 2023 5:08 AM
To: Chris
Cc: heasley; rancid-discuss@www.shrubbery.net
Subject: Re: [rancid] login script for PaloAlto PA850



Re: login script for PaloAlto PA850 [ In reply to ]
Ok Thanks, Chris, I will make a note.

One more thing, whenever I am pushing changes to Firewalls I am not getting
notified through email about changes made, but in the case of Cisco, I
receive whatever changes are made through email. While in the Firewall I am
getting notifications as below every 30 mins.

#wf-private-version: 0
#wf-private-release-date: unknown
#url-db: paloaltonetworks
- #wildfire-version: 757373-760822
- #wildfire-release-date: 2023/04/06 19:57:32 IST
+ #wildfire-version: 757379-760828
+ #wildfire-release-date: 2023/04/06 20:27:32 IST
#wildfire-rt: Disabled
- #url-filtering-version: 20230406.20218
+ #url-filtering-version: 20230406.20226


On Thu, 6 Apr 2023 at 18:17, Chris <chris.weakland@gmail.com> wrote:



--
Thanks & regards,
Anwar M. Durrani
+91-9923205011
<http://in.linkedin.com/pub/anwar-durrani/20/b55/60b>
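
An added example, not part of the thread and not RANCID's own mechanism: the diff quoted in the message above changes only in content-update header lines, so one way to keep such mail from burying real firewall changes is to drop those lines before comparing two saved snapshots. The key list comes from the quoted diff; the function names and the sample snapshots (including both `set` lines) are constructed for illustration.

```python
import difflib
import re

# Header keys that changed in the diff quoted in the thread. Assumption: any
# other content-update fields seen on your devices are added here by hand.
VOLATILE_KEYS = ("wildfire-version", "wildfire-release-date", "url-filtering-version")

_VOLATILE_RE = re.compile(
    r"^\s*#\s*(?:" + "|".join(re.escape(k) for k in VOLATILE_KEYS) + r")\s*:"
)


def strip_volatile(snapshot):
    """Return the snapshot's lines without the volatile '#key: value' headers."""
    return [ln for ln in snapshot.splitlines() if not _VOLATILE_RE.match(ln)]


def meaningful_diff(old, new):
    """Unified diff of two snapshots after the volatile headers are dropped."""
    return list(
        difflib.unified_diff(
            strip_volatile(old), strip_volatile(new),
            "previous", "current", lineterm="",
        )
    )


def changed_lines(old, new):
    """Only the added/removed lines, skipping the '---' and '+++' file headers."""
    return [ln for ln in meaningful_diff(old, new)[2:] if ln.startswith(("+", "-"))]


def _snapshot(wf_version, wf_date, url_version):
    """Build a constructed snapshot; header values are the ones in the thread."""
    return (
        "#wf-private-version: 0\n"
        "#wf-private-release-date: unknown\n"
        "#url-db: paloaltonetworks\n"
        f"#wildfire-version: {wf_version}\n"
        f"#wildfire-release-date: {wf_date}\n"
        "#wildfire-rt: Disabled\n"
        f"#url-filtering-version: {url_version}\n"
        "set deviceconfig system hostname firewall1\n"  # constructed config line
    )


OLD = _snapshot("757373-760822", "2023/04/06 19:57:32 IST", "20230406.20218")
# Same device 30 minutes later: only content-update versions moved.
NOISE_ONLY = _snapshot("757379-760828", "2023/04/06 20:27:32 IST", "20230406.20226")
# Same again, plus one constructed rule change that should be reported.
REAL_CHANGE = NOISE_ONLY + "set rulebase security rules allow-dns action allow\n"

if __name__ == "__main__":
    print("noise only :", changed_lines(OLD, NOISE_ONLY))
    print("real change:", changed_lines(OLD, REAL_CHANGE))
```

Static headers such as `#wildfire-rt` stay in the comparison, so a change there is still reported.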
Re: login script for PaloAlto PA850 [ In reply to ]
Thu, Apr 06, 2023 at 02:36:35PM +0530, Anwar Durrani:
> Thanks heasley for reaching out, yes I have intentionally taken off the domain
> part for security reasons

You might have misunderstood.

> > > Firewall1.yourdomain.com;paloalto;up
> >
> > to be pedantic, additional fields are simply ignored.


Firewall1.yourdomain.com;paloalto;up;this is ignored;so is this;and that

Re: login script for PaloAlto PA850 [ In reply to ]
My apologies, thanks for the correction.

On Thu, 6 Apr, 2023, 9:52 pm heasley, <heas@shrubbery.net> wrote:

> Thu, Apr 06, 2023 at 02:36:35PM +0530, Anwar Durrani:
> > Thanks heasley for reaching out, yes I have intentionally taken off the domain
> > part for security reasons
>
> You might have misunderstood.
>
> > > > Firewall1.yourdomain.com;paloalto;up
> > >
> > > to be pedantic, additional fields are simply ignored.
>
>
> Firewall1.yourdomain.com;paloalto;up;this is ignored;so is this;and that
>
Re: login script for PaloAlto PA850 [ In reply to ]
Thu, Apr 06, 2023 at 12:11:26PM +0000, Adam Thompson:
> Just a reminder that the "set" output cannot always be uploaded directly to a PA in a disaster scenario, only the XML can be used for that. You can try to paste in the "set" output through either the serial port or an SSH session once you have a network, but that is known to not always work 100% on all versions of PAN-OS. (The commands are not always generated in the correct order, and outright circular dependencies often exist.)
>
> OTOH, good luck having a human read and understand XML or JSON diffs, so you're kind of stuck between a rock and a hard place...
>
> We used to solve this by backing up the same config twice, once in each format. PITA but it worked.

There is probably a hack that can be used to collect both. The easiest
way would be a 'show config running' command that is slightly different
in its text, such as an additional argument. "show config running | no-more".

Is there such a thing?

Anything else will require changes to how rancid manages the command list,
so that it doesn't drop the duplicate.

Re: login script for PaloAlto PA850 [ In reply to ]
No, sadly you have to send a separate command to change formats:
set cli config-output-format
configure
show
exit
set cli config-output-format
configure
show
exit


Adam Thompson
Consultant, Infrastructure Services
MERLIN
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
https://www.merlin.mb.ca

> -----Original Message-----
> From: heasley <heas@shrubbery.net>
> Sent: Friday, April 7, 2023 3:00 PM
> To: Adam Thompson <athompson@merlin.mb.ca>
> Cc: Chris <chris.weakland@gmail.com>; heasley <heas@shrubbery.net>;
> rancid-discuss@www.shrubbery.net
> Subject: Re: [rancid] login script for PaloAlto PA850
