Re: [rancid] Palo Alto (Panorama) configuration

2019-07-12 Thread annie lee
Hi Chris,

I've made similar changes on v3.9 but am not getting the new 'merged' config
based on yours.
Below is the panw code I added:

panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowInventory;show chassis inventory
panw;command;panos::ShowConfig;show config merged

Unfortunately it still didn't capture the Panorama configs.

On Sat, Jul 13, 2019 at 3:58 AM Gauthier, Chris 
wrote:

> So, if you look at my posting below, I made a rather dumb copy/paste error
> in my ‘panw’ definition.  The first line should read:
>
> panw;script;rancid -t paloalto
>
> not:
>
> panw;script;rancid -t paloalto
>
> Thanks to Heasley for pointing that out!  I would have not seen that for a
> while.  Having changed the line as shown above, the ‘show config merged’
> now works great on Panorama-managed and non-managed PA devices.
>
> --Chris
> Chris Gauthier  Senior Network Engineer  |  Comscore
> t +1 (503) 331-2704  |  cgauth...@comscore.com  |  comscore.com
> This e-mail (including any attachments) may contain information that is
> private, confidential, or protected by attorney-client or other privilege.
> If you received this e-mail in error, please delete it from your system and
> notify sender.
>
> From: Rancid-discuss  on behalf
> of "Gauthier, Chris" 
> Date: Friday, July 12, 2019 at 9:24 AM
> To: annie lee 
> Cc: "rancid-discuss@shrubbery.net" 
> Subject: Re: [rancid] Palo Alto (Panorama) configuration
>
> I’m getting some interesting results in my testing.
>
> Rancid Version:  3.7
>
> I have a pair of PA-5050’s managed by Panorama that have been only getting
> the ‘show config running’ output (the limited output).  I made a new device
> type in etc/rancid.types.conf:
>
> panw;script;rancid -t paloalto
> panw;login;panlogin
> panw;module;panos
> panw;inloop;panos::inloop
> panw;command;rancid::RunCommand;set cli scripting-mode on
> panw;command;rancid::RunCommand;set cli pager off
> panw;command;panos::ShowInfo;show system info
> panw;command;panos::ShowConfig;show config merged
>
> This works well for my test unit (PA-220, unmanaged), but I am having
> problems with the PA-5050’s.
>
> For reference:  Here is the device type of “paloalto” in
> etc/rancid.types.base:
>
> paloalto;script;rancid -t paloalto
> paloalto;login;panlogin
> paloalto;module;panos
> paloalto;inloop;panos::inloop
> paloalto;command;rancid::RunCommand;set cli scripting-mode on
> paloalto;command;rancid::RunCommand;set cli pager off
> paloalto;command;panos::ShowInfo;show system info
> paloalto;command;panos::ShowConfig;show config running
>
> With the PA-5050’s, started with the following lines in router.db:
>
> pa-1.example.com;paloalto;up;PA-5050 ha pair
> pa-2.example.com;paloalto;up;PA-5050 ha pair
>
> They’ve been getting the limited output because of the show config running
> command and that they’re managed by Panorama.  I altered the router.db file
> to:
>
> pa-1.example.com;panw;up;PA-5050 ha pair
> pa-2.example.com;panw;up;PA-5050 ha pair
>
> I got the email that said the original devices were deleted and the new
> devices were added.
>
> - pa-1.example.com;paloalto;up;PA-5050
> - pa-2.example.com;panw;paloalto;up;PA-5050
> + pa-1.example.com;panw;up;PA-5050
> + pa-2.example.com;panw;panw;up;PA-5050
>
> I checked the config files after running rancid again a couple times and
> the config was unchanged.  The output captured doesn’t seem to have
> changed.  Next, I troubleshot it by doing ‘NOPIPE=yes rancid -d -t panw
> pa-1.example.com’ and reviewing the output.  It captured everything
> cleanly, as far as I can tell.  No errors.  It’s like the diff is not
> catching the difference in output?
>
> What might I try next?
>
> --Chris
>
> From: annie lee 
> Date: Thursday, July 11, 2019 at 4:00 PM
> To: "Gauthier, Chris" 
> Cc: john heasley , "Anderson, Charles R" , "rancid-discuss@shrubbery.net" 
> Subject: Re: [rancid] Palo Alto (Panorama) configuration
>
> Hi Chris,
>
> That's very kind of you to spend time doing that and thanks for that.
>
> Rgds
>
> On Fri, Jul 12, 2019 at 8:51 AM Gauthier, Chris 
> wrote:
>
> I’m working through that right now.

Re: [rancid] Extreme switch policy backup.

2019-07-12 Thread john heasley
Fri, Jul 12, 2019 at 08:30:28PM +0100, Paul Thornton:
> Hi
> 
> We had a patch to 2.3's xrancid which we were running at some stage in 
> the past N years that did this already - but I can't find it, and we 
> aren't running it on our current rancid system either.  Thanks to Chris' 
> E-mail at least I've been reminded of that.
> 
> It wasn't a hard thing to add.
> 
> On 12/07/2019 20:15, john heasley wrote:
> > Tue, Jul 09, 2019 at 09:55:56PM +, Chris Davis:
> >> We've just gotten a few Extreme switches (model X440-G2) and I've gotten 
> >> them set up in Rancid.  But while I get the configs, I have a few policies 
> >> as well.  They're kept as .pol files on the switch.  Is there a way to 
> >> include the policy files in the backup that Rancid takes?  It would be 
> >> particularly helpful.  I've done some searching, and seen folks ask about 
> >> it.  But no real answers.  Lots of modifications to commands from 4 years 
> >> ago but nothing current.  There's a command that will print it all out, 
> >> just not sure how to add it into the mix.  Don't like to modify something 
> >> like Rancid if there's already a way within the system to make it happen.
> >
> > what is the command to display the policy?  can you provide an example of
> > the command and output, from prompt to the next prompt?  is the output
> > format and order stable?
> >
> > i see an incomplete example here;
> > http://www.shrubbery.net/pipermail/rancid-discuss/2014-May/007659.html
> 
> The format isn't great.  The switch basically outputs
> Policies at Policy Server:
> Policy: 
> 
> Number of clients bound to policy: 
> Client: 
> 
> My hunch would be not to try and parse this lot at all, but just execute 
> the 'show policy detail' and wait for the prompt to come back.  I'm 
> pretty sure that's all we did; I remember it just diffed everything and 
> you saw quickly if a policy was added/removed just as easily.
> It is theoretically possible for someone to have a prompt matching 
> string in the policy file as a comment, but let's ignore that madness for 
> now.
> 
> This example shows three policies as an example:
> 
> * ag1.hbr.2 # dis clip
> * ag1.hbr.3 # show policy detail
> Policies at Policy Server:
> Policy: as65001-in-v4
> entry term10 {

Cool.  Could you test this?

diff --git a/etc/rancid.types.base b/etc/rancid.types.base
index 18139479..6c3a80aa 100644
--- a/etc/rancid.types.base
+++ b/etc/rancid.types.base
@@ -381,6 +381,7 @@ extreme;command;exos::ShowMemory;show memory
 extreme;command;exos::ShowDiag;show diag
 extreme;command;exos::ShowSwitch;show switch
 extreme;command;exos::ShowSlot;show slot
+extreme;command;exos::ShowPolicy;show policy detail
 extreme;command;exos::WriteTerm;show configuration detail
 extreme;command;exos::WriteTerm;show configuration
 #
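Review bot: the new `extreme;command;exos::ShowPolicy;show policy detail` line sits before the two `exos::WriteTerm` entries, so the policy text lands ahead of the configuration in the saved file, in line with the other `exos::Show*` commands; good. It only does anything together with the `lib/exos.pm.in` hunk in the same patch, so the two files should go in as one commit, and the commit message should name the new `ShowPolicy` section so that anyone carrying a local `extreme` definition in `rancid.types.conf` knows to pick the line up.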
diff --git a/lib/exos.pm.in b/lib/exos.pm.in
index fd7d1482..710a5c0f 100644
--- a/lib/exos.pm.in
+++ b/lib/exos.pm.in
@@ -1,7 +1,5 @@
 package exos;
 ##
-## $Id$
-##
 ## @PACKAGE@ @VERSION@
 @copyright@
 #
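Review bot: dropping the `## $Id$` / `##` header lines is unrelated to the policy feature; fine if the rest of the tree has already shed `$Id$` keywords, but it belongs in its own commit (or at least a line in the commit message) so that `blame` on `exos.pm.in` does not tie the cleanup to `ShowPolicy`.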
@@ -161,6 +159,21 @@ sub ShowDiag {
 return(0);
 }
 
+# This routine parses "show policy detail"
+sub ShowPolicy {
+my($INPUT, $OUTPUT, $cmd) = @_;
+print STDERR "In ShowPolicy: $_" if ($debug);
+
+while (<$INPUT>) {
+   tr/\015//d;
+   last if (/^$prompt/);
+   next if (/^(\s*|\s*$cmd\s*)$/);
+
+   ProcessHistory("POLICY","","","# $_");
+}
+return(0);
+}
+
 # This routine parses "show slot"
 sub ShowSlot {
 my($INPUT, $OUTPUT, $cmd) = @_;
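Review bot: `last if (/^$prompt/);` ends the capture on the first prompt-looking line, which is exactly the case Paul Thornton flags in the quoted text: a policy line that happens to mirror the prompt (a comment, for instance) stops `ShowPolicy` early, the remaining policy lines are left for `inloop` to deal with, and because the truncated POLICY section still diffs cleanly nobody is told. A cheap guard that fits this loop is to count `{` and `}` per line and honour the prompt match only when no block is open, or failing that to warn on STDERR when the loop exits with a brace still open. Two smaller points: `next if (/^(\s*|\s*$cmd\s*)$/);` also swallows the empty separator lines between policies, so the one-policy-per-block layout of the switch output is lost in the saved file (harmless for diffing, but worth a comment), and `print STDERR "In ShowPolicy: $_"` prints the caller's `$_`, the last line `inloop` read, rather than anything this routine has seen; that matches the other `Show*` routines here, so leave it, but do not read it as the first line of output.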

___
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss


Re: [rancid] Extreme switch policy backup.

2019-07-12 Thread Paul Thornton

Hi

We had a patch to 2.3's xrancid which we were running at some stage in 
the past N years that did this already - but I can't find it, and we 
aren't running it on our current rancid system either.  Thanks to Chris' 
E-mail at least I've been reminded of that.


It wasn't a hard thing to add.

On 12/07/2019 20:15, john heasley wrote:

Tue, Jul 09, 2019 at 09:55:56PM +, Chris Davis:

We've just gotten a few Extreme switches (model X440-G2) and I've gotten them 
set up in Rancid.  But while I get the configs, I have a few policies as well.  
They're kept as .pol files on the switch.  Is there a way to include the policy 
files in the backup that Rancid takes?  It would be particularly helpful.  I've 
done some searching, and seen folks ask about it.  But no real answers.  Lots 
of modifications to commands from 4 years ago but nothing current.  There's a 
command that will print it all out, just not sure how to add it into the mix.  
Don't like to modify something like Rancid if there's already a way within the 
system to make it happen.


what is the command to display the policy?  can you provide an example of
the command and output, from prompt to the next prompt?  is the output
format and order stable?

i see an incomplete example here;
http://www.shrubbery.net/pipermail/rancid-discuss/2014-May/007659.html


The format isn't great.  The switch basically outputs
Policies at Policy Server:
Policy: 

Number of clients bound to policy: 
Client: 

My hunch would be not to try and parse this lot at all, but just execute 
the 'show policy detail' and wait for the prompt to come back.  I'm 
pretty sure that's all we did; I remember it just diffed everything and 
you saw quickly if a policy was added/removed just as easily.
It is theoretically possible for someone to have a prompt matching 
string in the policy file as a comment, but let's ignore that madness for 
now.


This example shows three policies as an example:

* ag1.hbr.2 # dis clip
* ag1.hbr.3 # show policy detail
Policies at Policy Server:
Policy: as65001-in-v4
entry term10 {
if match all {
nlri 185.0.0.0/23 exact ;
nlri 185.0.2.0/24 exact ;
nlri 185.0.3.0/24 exact ;
}
then {
local-preference 500 ;
community add "65301:200" ;
permit  ;
}
}
entry term999 {
if match all {
}
then {
deny  ;
}
}
Number of clients bound to policy: 1
Client: bgp bound once

Policy: as65001-in-v6
entry term10 {
if match all {
nlri 2001:db8:0::/45 ;
}
then {
local-preference 500 ;
community add "65301:200" ;
permit  ;
}
}
entry term999 {
if match all {
}
then {
deny  ;
}
}
Number of clients bound to policy: 1
Client: bgp bound once

Policy: as65001-out-v4
entry term10 {
if match all {
nlri 0.0.0.0/0 exact ;
}
then {
permit  ;
}
}
entry term999 {
if match all {
}
then {
deny  ;
}
}
Number of clients bound to policy: 1
Client: bgp bound once

* ag1.hbr.3 #

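As an added example (not code from rancid or from anyone in this thread), here is a Python sketch of the approach Paul describes: capture everything between the command echo and the returning prompt, then diff per policy. It also handles the case he mentions of a prompt-matching string inside a policy by only honouring a prompt match when no `{` block is open. The prompt pattern, the sample output (including the line marked CONSTRUCTED) and the function names are my assumptions, modelled on the session quoted above; rancid itself is Perl, so this illustrates the technique rather than being a drop-in module.

```python
import re

# Assumed EXOS prompt shape, taken from the session in the thread ("* ag1.hbr.3 #").
PROMPT_RE = re.compile(r"^\* \S+ #")
POLICY_RE = re.compile(r"^Policy: (\S+)$")
ENTRY_RE = re.compile(r"^\s*entry (\S+) \{")
CLIENTS_RE = re.compile(r"^Number of clients bound to policy: (\d+)$")

# Constructed sample modelled on the quoted output; the CONSTRUCTED line mirrors the prompt.
SAMPLE = """\
* ag1.hbr.3 # show policy detail
Policies at Policy Server:
Policy: as65001-in-v4
entry term10 {
    if match all {
        nlri 185.0.0.0/23 exact ;
    }
    then {
* ag1.hbr.3 # CONSTRUCTED: mirrors the prompt but is policy text
        local-preference 500 ;
        permit  ;
    }
}
Number of clients bound to policy: 1
Client: bgp bound once

Policy: as65001-out-v4
entry term10 {
    if match all {
        nlri 0.0.0.0/0 exact ;
    }
}
Number of clients bound to policy: 1
Client: bgp bound once

* ag1.hbr.3 #
"""

def _is_echo(line, cmd):
    # The switch echoes "<prompt> <cmd>" before the output starts.
    return bool(PROMPT_RE.match(line)) and line.rstrip().endswith(cmd)

def capture_naive(lines, cmd):
    """Stop at the first prompt-looking line, as a plain /^$prompt/ loop does."""
    body = []
    for line in lines:
        if _is_echo(line, cmd):
            continue
        if PROMPT_RE.match(line):
            break
        if line.strip():
            body.append(line)
    return body

def capture_until_prompt(lines, cmd):
    """Same, but a prompt match only ends the capture when no '{' block is open."""
    body, depth = [], 0
    for line in lines:
        if _is_echo(line, cmd):
            continue
        if depth == 0 and PROMPT_RE.match(line):
            break
        depth += line.count("{") - line.count("}")
        if line.strip():
            body.append(line)
    return body

def parse_policies(body):
    """One record per policy: entry names, bound-client count, raw text."""
    policies, current = {}, None
    for line in body:
        m = POLICY_RE.match(line)
        if m:
            current = {"entries": [], "clients": 0, "text": []}
            policies[m.group(1)] = current
            continue
        if current is None:
            continue  # header such as "Policies at Policy Server:"
        m = CLIENTS_RE.match(line)
        if m:
            current["clients"] = int(m.group(1))
        m = ENTRY_RE.match(line)
        if m:
            current["entries"].append(m.group(1))
        current["text"].append(line.strip())
    return policies

def diff_policies(old, new):
    """Policy-level summary of what changed between two captures."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in set(old) & set(new) if old[n]["text"] != new[n]["text"])
    return added, removed, changed

def policy_change_report(old_output, new_output, cmd="show policy detail"):
    old = parse_policies(capture_until_prompt(old_output.splitlines(), cmd))
    new = parse_policies(capture_until_prompt(new_output.splitlines(), cmd))
    return diff_policies(old, new)
```

Running `capture_naive` over the same sample shows the failure mode: it stops at the CONSTRUCTED line and reports only a truncated first policy.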


Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread Gauthier, Chris
Yes, you can export the different formats, but the restore expects XML, in my 
experience.  Also, for those using Panorama, Erik’s advice to rely on Panorama 
is sound.  Been there, done that, don’t want to restore again, but it worked!

--Chris
From: Scott Granados 
Date: Friday, July 12, 2019 at 12:23 PM
To: "Gauthier, Chris" 
Cc: john heasley , "rancid-discuss@shrubbery.net" 

Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

We haven’t bothered with Panorama much because unlike the firewalls themselves 
the Panorama interface is very poor with screen readers and other accessibility 
technologies used.

In AWS we do a lot of exporting of configs and use S3 to bootstrap the virtual 
appliances so there may be a difference in what I’m working with.  We can edit 
the configs in S3 and they can be automatically imported or grabbed on boot.  On 
the hardware though I thought it was selectable.  I’ll review the link you 
sent, thank you.

Just queried my PA and the choices I have to export or import configs are 
JSON, XML, SET or Default which looks like JSON to me so not sure why that’s 
duplicated.  I am just setting the CLI variable; I assume you’re using a 
different mechanism that’s different.

Thanks


If you’re connecting via SSH and pulling the config I don’t see why you 
couldn’t set it to whatever format you wanted and then push with the correct 
flag set at the head of the request.




On Jul 12, 2019, at 2:56 PM, Gauthier, Chris wrote:

Exported config files are in XML format. Here is a link to the documentation. 
Nowhere in their documentation does it reference using JSON as the format for 
import/export.

Also, Palo Alto has a "scheduled export" facility, especially if you are using 
Panorama. We use RANCiD to track the changes more than anything, but use the 
utility to auto-export configs.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-configuration-backups/save-and-export-firewall-configurations.html

--Chris


Chris​
Gauthier
 Senior Network Engineer
 |
Comscore
t +1 (503) 331-2704
 |
cgauth...@comscore.com
comscore.com
​​​This e-mail (including any attachments) may contain information that is 
private, confidential, or protected by attorney-client or other privilege. If 
you received this e-mail in error, please delete it from your system and notify 
sender.
-Original Message-
From: Scott Granados 
Date: Friday, July 12, 2019 at 11:44 AM
To: john heasley 
Cc: "Gauthier, Chris" , "rancid-discuss@shrubbery.net" 

Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

It’s not XML, it’s JSUN if I understand where you’re going with this.

>From exec mode
Set cli config-output-format default

Also other variables here can be set for set form andother formats which you 
can select and display with a ? In the config-output-format parameter field.

Thanks


> On Jul 12, 2019, at 2:20 PM, john heasley  wrote:
>
> Fri, Jul 12, 2019 at 06:15:39PM +, Gauthier, Chris:
>> Rancid configs for PAN can NOT be used to restore the config, unless you cut 
>> and paste the configuration. This is because the native config files are 
>> stored in XML format and that is the format the Palo Alto utilities expect 
>> when performing restorations.
>>
>
> so, store both in rancid. what is the cmd to retrieve the xml format?
>
> ___
> Rancid-discuss mailing list
> Rancid-discuss@shrubbery.net
> https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.shrubbery.net%2fmailman%2flistinfo%2francid-discuss&c=E,1,sOD-u4Fb7FVnpwIC-I0Noqe21OYAOvq8QodxcvUVO6-_RwELL2hG9BvQdat-eHRfzF59pW8ydxDEwG45J8a3oI9ghdsNO9UKZn3Kwl9xyPeaQm2MlpRKXQLW2A,,&typo=1


___
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss


Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread Scott Granados
We haven’t bothered with Panorama much because unlike the firewalls themselves 
the Panorama interface is very poor with screen readers and other accessibility 
technologies used.

In AWS we do a lot of exporting of configs and use S3 to bootstrap the virtual 
appliances so there may be a difference in what I’m working with.  We can edit 
the configs in S3 and they can be automatically imported or grabbed on boot.  On 
the hardware though I thought it was selectable.  I’ll review the link you 
sent, thank you.

Just queried my PA and the choices I have to export or import configs are 
JSON, XML, SET or Default which looks like JSON to me so not sure why that’s 
duplicated.  I am just setting the CLI variable; I assume you’re using a 
different mechanism that’s different.
Thanks


If you’re connecting via SSH and pulling the config I don’t see why you 
couldn’t set it to whatever format you wanted and then push with the correct 
flag set at the head of the request.



> On Jul 12, 2019, at 2:56 PM, Gauthier, Chris  wrote:
> 
> Exported config files are in XML format. Here is a link to the documentation. 
> Nowhere in their documentation does it reference using JSON as the format for 
> import/export.
> 
> Also, Palo Alto has a "scheduled export" facility, especially if you are 
> using Panorama. We use RANCiD to track the changes more than anything, but 
> use the utility to auto-export configs.
> 
> https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-configuration-backups/save-and-export-firewall-configurations.html
> 
> --Chris
> 


Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread Erik Muller

On 7/12/19 14:15, Gauthier, Chris wrote:
Rancid configs for PAN can NOT be used to restore the config, unless you 
cut and paste the configuration. This is because the native config files 
are stored in XML format and that is the format the Palo Alto utilities 
expect when performing restorations.


Having recently needed to deal with a bunch of PAs, I ran into that same 
issue and ended up writing a tool (https://github.com/ermuller/bracematch) 
to simplify the process.


RE the other question about Panorama vs device configs, if you're backing 
up your Panorama configuration (which has been fine via Rancid in my 
experience) as well as the base config on the device, you don't need to 
back up the merged configuration.  And you probably shouldn't pull the 
merged config, for restore purposes, as anything other than the local 
device configuration will come from the Panorama templates once the device 
is replaced.  Of course, the merged config might still be convenient to 
save to easily see the complete policy set active on a given box.


-e



Re: [rancid] Extreme switch policy backup.

2019-07-12 Thread john heasley
Tue, Jul 09, 2019 at 09:55:56PM +, Chris Davis:
> We've just gotten a few Extreme switches (model X440-G2) and I've gotten them 
> set up in Rancid.  But while I get the configs, I have a few policies as 
> well.  They're kept as .pol files on the switch.  Is there a way to include 
> the policy files in the backup that Rancid takes?  It would be particularly 
> helpful.  I've done some searching, and seen folks ask about it.  But no real 
> answers.  Lots of modifications to commands from 4 years ago but nothing 
> current.  There's a command that will print it all out, just not sure how to 
> add it into the mix.  Don't like to modify something like Rancid if there's 
> already a way within the system to make it happen.

what is the command to display the policy?  can you provide an example of
the command and output, from prompt to the next prompt?  is the output
format and order stable?

i see an incomplete example here;
http://www.shrubbery.net/pipermail/rancid-discuss/2014-May/007659.html



Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread Gauthier, Chris
Exported config files are in XML format.  Here is a link to the documentation.  
Nowhere in their documentation does it reference using JSON as the format for 
import/export.

Also, Palo Alto has a "scheduled export" facility, especially if you are using 
Panorama.  We use RANCiD to track the changes more than anything, but use the 
utility to auto-export configs.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-configuration-backups/save-and-export-firewall-configurations.html

--Chris


Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread Scott Granados
It’s not XML, it’s JSON if I understand where you’re going with this.

From exec mode
Set cli config-output-format default

Also other variables here can be set for set form and other formats which you 
can select and display with a ? in the config-output-format parameter field.

Thanks


> On Jul 12, 2019, at 2:20 PM, john heasley  wrote:
> 
> Fri, Jul 12, 2019 at 06:15:39PM +, Gauthier, Chris:
>> Rancid configs for PAN can NOT be used to restore the config, unless you cut 
>> and paste the configuration.  This is because the native config files are 
>> stored in XML format and that is the format the Palo Alto utilities expect 
>> when performing restorations.
>> 
> 
> so, store both in rancid.  what is the cmd to retrieve the xml format?
> 


Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread john heasley
Fri, Jul 12, 2019 at 06:15:39PM +, Gauthier, Chris:
> Rancid configs for PAN can NOT be used to restore the config, unless you cut 
> and paste the configuration.  This is because the native config files are 
> stored in XML format and that is the format the Palo Alto utilities expect 
> when performing restorations.
> 

so, store both in rancid.  what is the cmd to retrieve the xml format?



Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread Gauthier, Chris
Rancid configs for PAN can NOT be used to restore the config, unless you cut 
and paste the configuration.  This is because the native config files are 
stored in XML format and that is the format the Palo Alto utilities expect when 
performing restorations.

--Chris
-Original Message-
From: Rancid-discuss  on behalf of john 
heasley 
Date: Friday, July 5, 2019 at 10:43 AM
To: STUART WALTON 
Cc: "rancid-discuss@shrubbery.net" 
Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

Thu, Jul 04, 2019 at 08:23:51AM +, STUART WALTON:
> Hi
>
> Has anyone used a backup from Rancid to restore a Palo Alto Firewall?
>
> If so how have you done it?  (I have the backup but it does not appear to be 
> in the correct format)
>
> I have searched the discussion but cannot seem to find the answer. Any help 
> would be appreciated.

I do not know much of anything about PAN devices.  However, be aware that,
depending upon your rancid configuration, passwords may be removed.  Also,
see the FAQ S1 Q5 for another caveat that may apply to PAN.

Also, include the error you received when attempting to load the config.
It might provide a clue to someone with more experience with PAN.



Re: [rancid] Palo Alto (Panorama) configuration

2019-07-12 Thread Gauthier, Chris
So, if you look at my posting below, I made a rather dumb copy/paste error in 
my ‘panw’ definition.  The first line should read:

panw;script;rancid -t paloalto

not:
panw;script;rancid -t paloalto


Thanks to Heasley for pointing that out!  I would have not seen that for a 
while.  Having changed the line as shown above, the ‘show config merged’ now 
works great on Panorama-managed and non-managed PA devices.

--Chris

From: Rancid-discuss  on behalf of 
"Gauthier, Chris" 
Date: Friday, July 12, 2019 at 9:24 AM
To: annie lee 
Cc: "rancid-discuss@shrubbery.net" 
Subject: Re: [rancid] Palo Alto (Panorama) configuration

I’m getting some interesting results in my testing.

Rancid Version:  3.7

I have a pair of PA-5050’s managed by Panorama that have been only getting the 
‘show config running’ output (the limited output).  I made a new device type in 
etc/rancid.types.conf:

panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;rancid::RunCommand;set cli scripting-mode on
panw;command;rancid::RunCommand;set cli pager off
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowConfig;show config merged

This works well for my test unit (PA-220, unmanaged), but I am having problems 
with the PA-5050’s.

For reference:  Here is the device type of “paloalto” in etc/rancid.types.base:
paloalto;script;rancid -t paloalto
paloalto;login;panlogin
paloalto;module;panos
paloalto;inloop;panos::inloop
paloalto;command;rancid::RunCommand;set cli scripting-mode on
paloalto;command;rancid::RunCommand;set cli pager off
paloalto;command;panos::ShowInfo;show system info
paloalto;command;panos::ShowConfig;show config running

With the PA-5050’s, started with the following lines in router.db:
pa-1.example.com;paloalto;up;PA-5050 ha pair
pa-2.example.com;paloalto;up;PA-5050 ha pair

They’ve been getting the limited output because of the show config running 
command and that they’re managed by Panorama.  I altered the router.db file to:
pa-1.example.com;panw;up;PA-5050 ha pair
pa-2.example.com;panw;up;PA-5050 ha pair

I got the email that said the original devices were deleted and the new devices 
were added.

- pa-1.example.com;paloalto;up;PA-5050
- pa-2.example.com;panw;paloalto;up;PA-5050
+ pa-1.example.com;panw;up;PA-5050
+ pa-2.example.com;panw;panw;up;PA-5050

I checked the config files after running rancid again a couple times and the 
config was unchanged.  The output captured doesn’t seem to have changed.  Next, 
I troubleshot it by doing ‘NOPIPE=yes rancid -d -t panw pa-1.example.com’ and 
reviewing the output.  It captured everything cleanly, as far as I can tell.  
No errors.  It’s like the diff is not catching the difference in output?

What might I try next?

--Chris

From: annie lee 
Date: Thursday, July 11, 2019 at 4:00 PM
To: "Gauthier, Chris" 
Cc: john heasley , "Anderson, Charles R" , 
"rancid-discuss@shrubbery.net" 
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Hi Chris,

That's very kind of you to spend time doing that and thanks for that.

Rgds

On Fri, Jul 12, 2019 at 8:51 AM Gauthier, Chris wrote:
I’m working through that right now.

From: annie lee
Date: Thursday, July 11, 2019 at 2:43 PM
To: "Gauthier, Chris"
Cc: john heasley, "Anderson, Charles R", "rancid-discuss@shrubbery.net"
Subject: Re: [rancid] Palo Alto (Panorama) configuration

That’s good to know on the new CLI command (‘show config merged’ will grab everything from 
the firewall and Panorama).
How do we add the CLI command and diff to rancid?

On Fri, Jul 12, 2019 at 4:20 AM Gauthier, Chris 
mailto:cgauth...

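As an added example (not rancid's own code and not from anyone in the thread), a small Python checker for the two files edited above: it parses rancid.types.conf-style type definitions, flags a type whose ‘script’ line runs rancid with a different -t type than the one being defined (assumed here to be the copy/paste slip mentioned in the thread; the archive does not show the corrected line), and validates router.db rows for field count, a defined type, and an up/down state. The sample data is constructed from the lines quoted in the thread.

```python
import re
# Constructed samples from the lines quoted in the thread. The script line's
# '-t paloalto' is assumed to be the copy/paste slip (the archive hides the fix).
TYPES_CONF = """\
panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;panos::ShowConfig;show config merged
"""
# router.db: one well-formed row, one with an extra field as in the diff e-mail.
ROUTER_DB = """\
pa-1.example.com;panw;up;PA-5050 ha pair
pa-2.example.com;panw;panw;up;PA-5050 ha pair
"""

def parse_types(text):
    """Map type name -> {field: [values]} from rancid.types.conf-style lines."""
    types = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, field, value = line.split(";", 2)
            types.setdefault(name, {}).setdefault(field, []).append(value)
    return types

def lint_types(types):
    """Flag a type whose script line runs 'rancid -t <other type>'."""
    problems = []
    for name, fields in types.items():
        for script in fields.get("script", []):
            m = re.search(r"\brancid\b.*?\s-t\s+(\S+)", script)
            if m and m.group(1) != name:
                problems.append(f"{name}: script runs 'rancid -t {m.group(1)}', not -t {name}")
    return problems

def lint_router_db(text, types):
    """Flag rows with a bad field count, an undefined type, or a state not up/down."""
    problems = []
    for line in (l for l in text.splitlines() if l.strip() and not l.startswith("#")):
        parts = line.split(";")
        if len(parts) not in (3, 4):
            problems.append(f"{parts[0]}: expected 3 or 4 fields, got {len(parts)}")
        host, dtype, state = (parts + ["", "", ""])[:3]
        if dtype not in types:
            problems.append(f"{host}: unknown device type '{dtype}'")
        if state not in ("up", "down"):
            problems.append(f"{host}: state must be 'up' or 'down', got '{state}'")
    return problems
```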
Re: [rancid] Rancid.Conf Disappeared on Ubuntu Update

2019-07-12 Thread Gauthier, Chris
I have to admit, I wish the etc/ directory was part of a Git repo.  I could do 
it locally, but would be a nice feature enhancement.



From: Rancid-discuss on behalf of "Sheeter, Kyle"
Date: Wednesday, July 3, 2019 at 1:18 PM
To: "rancid-discuss@shrubbery.net" 
Subject: [rancid] Rancid.Conf Disappeared on Ubuntu Update

Hey all,

I was doing some Ubuntu upgrades on my server, and just noticed that RANCID 
stopped sending me updates.  I ran the rancid-run command and then found out that my 
rancid.conf file had disappeared.  Anyone know the best way to recreate the conf 
file?  All of my other information is still there, it seems, and the DB is still 
populated with my old network data.

Thanks!
Kyle James Sheeter


___
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss


Re: [rancid] Palo Alto (Panorama) configuration

2019-07-12 Thread Gauthier, Chris
I’m getting some interesting results in my testing.

Rancid Version:  3.7

I have a pair of PA-5050’s managed by Panorama that have been only getting the 
‘show config running’ output (the limited output).  I made a new device type in 
etc/rancid.types.conf:

panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;rancid::RunCommand;set cli scripting-mode on
panw;command;rancid::RunCommand;set cli pager off
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowConfig;show config merged

This works well for my test unit (PA-220, unmanaged), but I am having problems 
with the PA-5050’s.

For reference:  Here is the device type of “paloalto” in etc/rancid.types.base:
paloalto;script;rancid -t paloalto
paloalto;login;panlogin
paloalto;module;panos
paloalto;inloop;panos::inloop
paloalto;command;rancid::RunCommand;set cli scripting-mode on
paloalto;command;rancid::RunCommand;set cli pager off
paloalto;command;panos::ShowInfo;show system info
paloalto;command;panos::ShowConfig;show config running

With the PA-5050’s, I started with the following lines in router.db:
pa-1.example.com;paloalto;up;PA-5050 ha pair
pa-2.example.com;paloalto;up;PA-5050 ha pair

They’ve been getting the limited output because of the ‘show config running’ 
command and the fact that they’re managed by Panorama.  I altered the router.db file to:
pa-1.example.com;panw;up;PA-5050 ha pair
pa-2.example.com;panw;up;PA-5050 ha pair

I got the email that said the original devices were deleted and the new devices 
were added.

- pa-1.example.com;paloalto;up;PA-5050
- pa-2.example.com;panw;paloalto;up;PA-5050
+ pa-1.example.com;panw;up;PA-5050
+ pa-2.example.com;panw;panw;up;PA-5050

I checked the config files after running rancid again a couple times and the 
config was unchanged.  The output captured doesn’t seem to have changed.  Next, 
I troubleshot it by doing ‘NOPIPE=yes rancid -d -t panw pa-1.example.com’ and 
reviewing the output.  It captured everything cleanly, as far as I can tell.  
No errors.  It’s like the diff is not catching the difference in output?

What might I try next?

--Chris



From: annie lee
Date: Thursday, July 11, 2019 at 4:00 PM
To: "Gauthier, Chris"
Cc: john heasley, "Anderson, Charles R", "rancid-discuss@shrubbery.net"
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Hi Chris,

That’s very kind of you to spend time doing that, and thanks for that.

Rgds

On Fri, Jul 12, 2019 at 8:51 AM Gauthier, Chris wrote:
I’m working through that right now.

From: annie lee
Date: Thursday, July 11, 2019 at 2:43 PM
To: "Gauthier, Chris"
Cc: john heasley, "Anderson, Charles R", "rancid-discuss@shrubbery.net"
Subject: Re: [rancid] Palo Alto (Panorama) configuration

That’s good to know on the new CLI command (‘show config merged’ will grab everything from 
the firewall and Panorama).
How do we add the CLI command and diff to rancid?

On Fri, Jul 12, 2019 at 4:20 AM Gauthier, Chris wrote:
Just validated the ‘show config merged’ command works with any PA firewall, 
managed by Panorama or not.

From: Rancid-discuss on behalf of "Gauthier, Chris"
Date: Thursday, July 11, 2019 at 11:16 AM
To: john heasley, "Anderson, Charles R"
Cc: "rancid-discuss@shrubbery.net"
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Yes, the command "show config merged" gives the locally-managed