So, if you look at my posting below, I made a rather dumb copy/paste error in my ‘panw’ definition. The first line should read:
panw;script;rancid -t paloalto not: panw;script;rancid -t paloalto Thanks to Heasley for pointing that out! I would have not seen that for a while. Having changed the line as shown above, the ‘show config merged’ now works great on Panorama-managed and non-managed PA devices. --Chris Chris Gauthier Senior Network Engineer | Comscore t +1 (503) 331-2704 | cgauth...@comscore.com comscore.com This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system and notify sender. From: Rancid-discuss <rancid-discuss-boun...@shrubbery.net> on behalf of "Gauthier, Chris" <cgauth...@comscore.com> Date: Friday, July 12, 2019 at 9:24 AM To: annie lee <lsy.an...@gmail.com> Cc: "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net> Subject: Re: [rancid] Palo Alto (Panorama) configuration I’m getting some interesting results in my testing. Rancid Version: 3.7 I have a pair of PA-5050’s managed by Panorama that have been only getting the ‘show config running’ output (the limited output). I made a new device type in etc/rancid.types.conf: panw;script;rancid -t paloalto panw;login;panlogin panw;module;panos panw;inloop;panos::inloop panw;command;rancid::RunCommand;set cli scripting-mode on panw;command;rancid::RunCommand;set cli pager off panw;command;panos::ShowInfo;show system info panw;command;panos::ShowConfig;show config merged This works well for my test unit (PA-220, unmanaged), but I am having problems with the PA-5050’s. For reference: Here is the device type of “paloalto” in etc/rancid.types.base: paloalto;script;rancid -t paloalto paloalto;login;panlogin paloalto;module;panos paloalto;inloop;panos::inloop paloalto;command;rancid::RunCommand;set cli scripting-mode on paloalto;command;rancid::RunCommand;set cli pager off paloalto;command;panos::ShowInfo;show system info paloalto;command;panos::ShowConfig;show config running With the PA-5050’s, started with the following lines in router.db: pa-1.example.com;paloalto;up;PA-5050 ha pair pa-2.example.com;paloalto;up;PA-5050 ha pair They’ve been getting the limited output because of the show config running command and that they’re managed by Panorama. I altered the router.db file to: pa-1.example.com;panw;up;PA-5050 ha pair pa-2.example.com;panw;up;PA-5050 ha pair I got the email that said the original devices were deleted and the new devices were added. - pa-1.example.com;paloalto;up;PA-5050 - pa-2.example.com;panw;paloalto;up;PA-5050 + pa-1.example.com;panw;up;PA-5050 + pa-2.example.com;panw;panw;up;PA-5050 I checked the config files after running rancid again a couple times and the config was unchanged. The output captured doesn’t seem to have changed. Next, I troubleshot it by doing ‘NOPIPE=yes rancid -d -t panw pa-1.example.com’ and reviewing the output. It captured everything cleanly, as far as I can tell. No errors. It’s like the diff is not catching the difference in output? What might I try next? --Chris Chris Gauthier Senior Network Engineer | Comscore t +1 (503) 331-2704<tel:(503)%20331-2704> | cgauth...@comscore.com<mailto:cgauth...@comscore.com> comscore.com<http://www.comscore.com/> This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system and notify sender. From: annie lee <lsy.an...@gmail.com> Date: Thursday, July 11, 2019 at 4:00 PM To: "Gauthier, Chris" <cgauth...@comscore.com> Cc: john heasley <h...@shrubbery.net>, "Anderson, Charles R" <c...@wpi.edu>, "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net> Subject: Re: [rancid] Palo Alto (Panorama) configuration Hi Chris, Thats very kind of you to spend time doing that and thanks for that. Rgds On Fri, Jul 12, 2019 at 8:51 AM Gauthier, Chris <cgauth...@comscore.com<mailto:cgauth...@comscore.com>> wrote: I’m working through that right now. Chris Gauthier Senior Network Engineer | Comscore t +1 (503) 331-2704<tel:(503)%20331-2704> | cgauth...@comscore.com<mailto:cgauth...@comscore.com> comscore.com<http://www.comscore.com/> This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system and notify sender. From: annie lee <lsy.an...@gmail.com<mailto:lsy.an...@gmail.com>> Date: Thursday, July 11, 2019 at 2:43 PM To: "Gauthier, Chris" <cgauth...@comscore.com<mailto:cgauth...@comscore.com>> Cc: john heasley <h...@shrubbery.net<mailto:h...@shrubbery.net>>, "Anderson, Charles R" <c...@wpi.edu<mailto:c...@wpi.edu>>, "rancid-discuss@shrubbery.net<mailto:rancid-discuss@shrubbery.net>" <rancid-discuss@shrubbery.net<mailto:rancid-discuss@shrubbery.net>> Subject: Re: [rancid] Palo Alto (Panorama) configuration Thats good to know on the new cli (show config merged will grab everything from the firewall and panorama). How do we add the cli and diff to rancid ?? On Fri, Jul 12, 2019 at 4:20 AM Gauthier, Chris <cgauth...@comscore.com<mailto:cgauth...@comscore.com>> wrote: Just validated the ‘show config merged’ command works with any PA firewall, managed by Panorama or not. Chris Gauthier Senior Network Engineer | Comscore t +1 (503) 331-2704<tel:(503)%20331-2704> | cgauth...@comscore.com<mailto:cgauth...@comscore.com> comscore.com<http://www.comscore.com/> This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system and notify sender. From: Rancid-discuss <rancid-discuss-boun...@shrubbery.net<mailto:rancid-discuss-boun...@shrubbery.net>> on behalf of "Gauthier, Chris" <cgauth...@comscore.com<mailto:cgauth...@comscore.com>> Date: Thursday, July 11, 2019 at 11:16 AM To: john heasley <h...@shrubbery.net<mailto:h...@shrubbery.net>>, "Anderson, Charles R" <c...@wpi.edu<mailto:c...@wpi.edu>> Cc: "rancid-discuss@shrubbery.net<mailto:rancid-discuss@shrubbery.net>" <rancid-discuss@shrubbery.net<mailto:rancid-discuss@shrubbery.net>> Subject: Re: [rancid] Palo Alto (Panorama) configuration Yes, the command "show config merged" gives the locally-managed config output AND the configuration that is pushed out by Panorama. I'll make a custom device type and see how this works in my environment. If it works, I'll post the results here. I will also test with a non-Panorama-managed system. --Chris Chris Gauthier Senior Network Engineer | Comscore t +1 (503) 331-2704<tel:(503)%20331-2704> | cgauth...@comscore.com<mailto:cgauth...@comscore.com> comscore.com<http://www.comscore.com/> This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system and notify sender. -----Original Message----- From: Rancid-discuss <rancid-discuss-boun...@shrubbery.net<mailto:rancid-discuss-boun...@shrubbery.net>> on behalf of john heasley <h...@shrubbery.net<mailto:h...@shrubbery.net>> Date: Thursday, July 11, 2019 at 8:17 AM To: "Anderson, Charles R" <c...@wpi.edu<mailto:c...@wpi.edu>> Cc: "rancid-discuss@shrubbery.net<mailto:rancid-discuss@shrubbery.net>" <rancid-discuss@shrubbery.net<mailto:rancid-discuss@shrubbery.net>> Subject: Re: [rancid] Palo Alto (Panorama) configuration Thu, Jul 11, 2019 at 02:37:51PM +0000, Anderson, Charles R: > You can use "show config merged" to see the local device's config merged with > the templates from Panorama. Does this work with "non-managed" (better term?) configs? And, was this command introduced recently? _______________________________________________ Rancid-discuss mailing list Rancid-discuss@shrubbery.net<mailto:Rancid-discuss@shrubbery.net> https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.shrubbery.net%2fmailman%2flistinfo%2francid-discuss&c=E,1,ZBO_SpPdPN9F0GTa50thF3JK2iNVO_jcwwSZwho1q8BVBoP9LydezSjLupULi9-PCcBbEWhWi1x-kRvg-KGqTG6CANfUm1cA6XPL5VPANHGtvC7Gc3N4Pg4SarAO&typo=1 _______________________________________________ Rancid-discuss mailing list Rancid-discuss@shrubbery.net<mailto:Rancid-discuss@shrubbery.net> http://www.shrubbery.net/mailman/listinfo/rancid-discuss<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.shrubbery.net%2fmailman%2flistinfo%2francid-discuss&c=E,1,b9OtvSdQLWGF3DjcWUkFhKodPuOBb_H-orOGNOhTz2MzDBxGXfIWAiLmU3TeKhGgCV_xrl6QC64PCqUb0fm2G6BgUODCvYIZv2uSKsob5YAM-Ycs&typo=1>
_______________________________________________ Rancid-discuss mailing list Rancid-discuss@shrubbery.net http://www.shrubbery.net/mailman/listinfo/rancid-discuss
