Just a reminder that the "set" output cannot always be uploaded directly to a PA in a disaster scenario, only the XML can be used for that. You can try to paste in the "set" output through either the serial port or an SSH session once you have a network, but that is known to not always work 100% on all versions of PAN-OS. (The commands are not always generated in the correct order, and outright circular dependencies often exist.)
OTOH, good luck having a human read and understand XML or JSON diffs, so you're kind of stuck between a rock and a hard place... We used to solve this by backing up the same config twice, once in each format. PITA but it worked.

If you also have and use Palo Alto's Panorama product to manage your firewalls, you may as well disregard everything I've just said, it changes the rules of the game completely anyway. Its config can be captured via SSH in "set" format like a firewall, which is still useful for human analysis. (Make sure your timeouts are high, though - my Panorama instance takes about 20min to dump ~0.7M lines in "set" format!)

Source: currently in year 4 of a love-hate, no wait, more like a need-hate, relationship with Panorama.

-Adam

________________________________
From: Rancid-discuss <[email protected]> on behalf of Chris <[email protected]>
Sent: Wednesday, April 5, 2023 5:19:43 PM
To: heasley <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [rancid] login script for PaloAlto PA850

Just wanted to add for the benefit of all, I like to edit my etc/rancid.types.conf and add a new “type”. Here is what the additional lines look like:

paloaltofw;script;rancid -t paloaltofw
paloaltofw;login;panlogin
paloaltofw;module;panos
paloaltofw;inloop;panos::inloop
paloaltofw;command;panos::ShowInfo;show system info
paloaltofw;command;panos::ShowInventory;show chassis inventory
paloaltofw;command;rancid::RunCommand;set cli config-output-format set
paloaltofw;command;rancid::RunCommand;configure
paloaltofw;command;panos::ShowConfig;show

This gives you a more human readable configuration.

In your router.db you would need to add:

Firewall1.yourdomain.com;paloaltofw;up

Chris

From: heasley<mailto:[email protected]>
Sent: Wednesday, April 5, 2023 4:03 PM
To: Chris Weakland<mailto:[email protected]>
Cc: Anwar Durrani<mailto:[email protected]>; [email protected]<mailto:[email protected]>
Subject: Re: [rancid] login script for PaloAlto PA850

Wed, Apr 05, 2023 at 07:21:17AM -0400, Chris Weakland:
> Palo Alto support has been built into Rancid for some time, no need for any additional scripts. The device type is: paloalto

indeed; there is also device type paloaltoxml for the xml config.

> Your router.db looks incorrect, it should be:
>
> Firewall1.yourdomain.com;paloalto;up

to be pedantic, additional fields are simply ignored.
_______________________________________________ Rancid-discuss mailing list [email protected] https://www.shrubbery.net/mailman/listinfo/rancid-discuss
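
Added example, not part of the thread and not RANCID or PAN-OS code: a check for the ordering problem described in the first message, restricted to address and address-group lines of a "set"-format backup. The sample config and the assumed line shapes are constructed for illustration.

```python
import re
from graphlib import CycleError, TopologicalSorter

# Constructed sample in "set" format; names and addresses are made up.
SAMPLE = """\
set address-group dmz static [ web1 web-farm ]
set address web1 ip-netmask 192.0.2.10/32
set address-group web-farm static [ web2 ]
set address web2 ip-netmask 192.0.2.11/32
"""

# Assumed line shapes: "set address NAME ..." and
# "set address-group NAME static [ A B ]" (or a single bare member).
OBJECT = re.compile(r"^set (address|address-group) (\S+)\s+(.*)$")
MEMBERS = re.compile(r"^static (?:\[ (.*) \]|(\S+))$")


def parse(text):
    """Return {name: set(members)} in the order objects first appear."""
    deps = {}
    for line in text.splitlines():
        m = OBJECT.match(line.strip())
        if not m:
            continue  # every other statement is out of scope here
        kind, name, rest = m.groups()
        deps.setdefault(name, set())
        members = MEMBERS.match(rest) if kind == "address-group" else None
        if members:
            deps[name].update((members.group(1) or members.group(2)).split())
    return deps


def forward_references(text):
    """(group, member) pairs where the member is defined after the group."""
    deps = parse(text)
    pos = {name: i for i, name in enumerate(deps)}
    return [(g, m) for g in deps for m in sorted(deps[g])
            if pos.get(m, -1) > pos[g]]


def replay_order(text):
    """Object names with members before groups; None if references are circular."""
    deps = parse(text)
    try:
        order = TopologicalSorter(deps).static_order()
        return [name for name in order if name in deps]
    except CycleError:
        return None
```

An empty result from `forward_references` means the address objects can be pasted in file order; `replay_order` returning `None` means no reordering of those lines would satisfy every reference.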
