The only way in CLI to do a "show run" type of output in XML format is to execute the following commands. This holds true for both Panorama and Pan-OS (not managed by Panorama):
User@Palo-Alto-FW> set cli config-output-format xml User@Palo-Alto-FW> configure Entering configuration mode [edit] User@Palo-Alto-FW# show <response status="success" code="19"> <result total-count="1" count="1"> <device-group> ****Truncated to hide my config**** --Chris Chris Gauthier Senior Network Engineer | Comscore t +1 (503) 331-2704 | cgauth...@comscore.com comscore.com This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system and notify sender. -----Original Message----- From: Rancid-discuss <rancid-discuss-boun...@shrubbery.net> on behalf of john heasley <h...@shrubbery.net> Date: Monday, July 15, 2019 at 3:00 PM To: Erik Muller <er...@buh.org> Cc: "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net> Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller: > On 7/12/19 14:15 , Gauthier, Chris wrote: > > Rancid configs for PAN can NOT be used to restore the config, unless you > > cut and paste the configuration. This is because the native config files > > are stored in XML format and that is the format the Palo Alto utilities > > expect when performing restorations. > > Having recently needed to deal with a bunch of PAs, I ran into that same > issue and ended up writing a tool (https://github.com/ermuller/bracematch) > to simplify the process. > > RE the other question about Panorama vs device configs, if you're backing > up your Panorama configuration (which has been fine via Rancid in my How are you backing the Panorama configuration? is that just another rancid 'paloalto' target? > experience) as well as the base config on the device, you don't need to > backup the merged configuration. And you probably shouldn't pull the > merged config, for restore purposes, as anything other than the local > device configuration will come from the Panorama templates once the device > is replaced. Of course, the merged config might still be convenient to > save to easily see the complete policy set active on a given box. > > -e > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss@shrubbery.net > https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.shrubbery.net%2fmailman%2flistinfo%2francid-discuss&c=E,1,hdku7bLUQv7d0MAZOo8JrRXyca7FQEKjBwWLzlp0SJrUL-sb15koHXRbLiFA-stZLGQTyAvtcN8gShdbJ7Kpb47cHU_aXg5ZJBdwGDVSJSgIWDsF&typo=1 _______________________________________________ Rancid-discuss mailing list Rancid-discuss@shrubbery.net https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.shrubbery.net%2fmailman%2flistinfo%2francid-discuss&c=E,1,bcAQYO-5xrzHw_0wfIv6Q3dm9-YAo8bMXWeVwZUulp3epd9ZkICII1QaJ_OJNdOV1XBK8gk0mx4wElmLp_3tZbcNWaLh8Q-9CLt0HJWGahly9knQqA,,&typo=1
_______________________________________________ Rancid-discuss mailing list Rancid-discuss@shrubbery.net http://www.shrubbery.net/mailman/listinfo/rancid-discuss