Re: [rancid] Restore a Palo Alto Firewall from a Rancid backup

2019-07-15 Thread Gauthier, Chris
The only way in CLI to do a "show run" type of output in XML format is to 
execute the following commands.  This holds true for both Panorama and Pan-OS 
(not managed by Panorama):

User@Palo-Alto-FW> set cli config-output-format xml
User@Palo-Alto-FW> configure
Entering configuration mode
[edit]
User@Palo-Alto-FW# show

  

Truncated to hide my config

--Chris




Chris Gauthier Senior Network Engineer | Comscore
t +1 (503) 331-2704 |
cgauth...@comscore.com
comscore.com
​​​This e-mail (including any attachments) may contain information that is 
private, confidential, or protected by attorney-client or other privilege. If 
you received this e-mail in error, please delete it from your system and notify 
sender.
-Original Message-
From: Rancid-discuss  on behalf of john 
heasley 
Date: Monday, July 15, 2019 at 3:00 PM
To: Erik Muller 
Cc: "rancid-discuss@shrubbery.net" 
Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid backup

Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
> On 7/12/19 14:15 , Gauthier, Chris wrote:
> > Rancid configs for PAN can NOT be used to restore the config, unless you
> > cut and paste the configuration. This is because the native config files
> > are stored in XML format and that is the format the Palo Alto utilities
> > expect when performing restorations.
>
> Having recently needed to deal with a bunch of PAs, I ran into that same
> issue and ended up writing a tool (https://github.com/ermuller/bracematch)
> to simplify the process.
>
> RE the other question about Panorama vs device configs, if you're backing
> up your Panorama configuration (which has been fine via Rancid in my

How are you backing up the Panorama configuration?  Is that just another
rancid 'paloalto' target?

> experience) as well as the base config on the device, you don't need to
> backup the merged configuration.  And you probably shouldn't pull the
> merged config, for restore purposes, as anything other than the local
> device configuration will come from the Panorama templates once the device
> is replaced.  Of course, the merged config might still be convenient to
> save to easily see the complete policy set active on a given box.
>
> -e
>
> ___
> Rancid-discuss mailing list
> Rancid-discuss@shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss


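The two points made in this message, that only the XML form of the config is what the Palo Alto restore path accepts, and (Erik's point) that the merged config contains material a replacement box will get back from Panorama anyway, can be checked mechanically. The script below is an added example, not code from the thread, from rancid or from Palo Alto Networks. It compares two constructed XML exports (the element layout is illustrative, not a statement of the real PAN-OS schema) and lists the leaf paths that exist only in the merged config, i.e. what Panorama pushed; it also rejects rancid's brace-format text capture, which is constructed here as well, as a restorable backup.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for `show config running` in XML output format on a
# Panorama-managed firewall: the local device config only.  The element
# layout is illustrative, not a statement of the real PAN-OS schema.
LOCAL_XML = """<config version="9.0.0">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system><hostname>pa-1</hostname></system></deviceconfig>
    <vsys><entry name="vsys1">
      <address><entry name="mgmt-net"><ip-netmask>10.0.0.0/24</ip-netmask></entry></address>
    </entry></vsys>
  </entry></devices>
</config>"""

# Constructed stand-in for `show config merged` on the same box: the local
# content plus a shared object and a security rule pushed from Panorama.
MERGED_XML = """<config version="9.0.0">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system><hostname>pa-1</hostname></system></deviceconfig>
    <vsys><entry name="vsys1">
      <address><entry name="mgmt-net"><ip-netmask>10.0.0.0/24</ip-netmask></entry></address>
      <rulebase><security><rules>
        <entry name="allow-web"><action>allow</action></entry>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
  <shared><address><entry name="corp-dns"><ip-netmask>10.1.1.53/32</ip-netmask></entry></address></shared>
</config>"""

# Constructed stand-in for what a rancid run stores: the brace-format text
# the CLI prints when config-output-format is left at its default.
RANCID_TEXT = """config {
  devices {
    localhost.localdomain {
      deviceconfig {
        system {
          hostname pa-1;
        }
      }
    }
  }
}
"""


def leaf_paths(xml_text):
    """Map every leaf element to its text, keyed by an XPath-like string that
    carries @name so list members (address objects, rules) stay distinct."""
    leaves = {}

    def walk(elem, prefix):
        step = elem.tag
        if "name" in elem.attrib:
            step += "[@name='%s']" % elem.attrib["name"]
        path = prefix + "/" + step
        children = list(elem)
        if not children:
            leaves[path] = (elem.text or "").strip()
        for child in children:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return leaves


def panorama_contribution(local_xml, merged_xml):
    """Compare local and merged exports.  Returns three sorted lists: paths
    only in merged (what Panorama pushes), paths whose value differs, and
    paths only in local (what would be lost if only merged were kept)."""
    local, merged = leaf_paths(local_xml), leaf_paths(merged_xml)
    pushed = sorted(p for p in merged if p not in local)
    differing = sorted(p for p in merged if p in local and merged[p] != local[p])
    local_only = sorted(p for p in local if p not in merged)
    return pushed, differing, local_only


def is_restorable_xml(blob):
    """True when a backup is in the form the PAN-OS import path expects:
    well-formed XML rooted at <config>.  Rancid's text capture fails this."""
    try:
        return ET.fromstring(blob).tag == "config"
    except ET.ParseError:
        return False


if __name__ == "__main__":
    pushed, differing, local_only = panorama_contribution(LOCAL_XML, MERGED_XML)
    print("pushed from Panorama:", *pushed, sep="\n  ")
    print("differs:", differing, "local only:", local_only)
    print("merged restorable:", is_restorable_xml(MERGED_XML),
          "rancid text restorable:", is_restorable_xml(RANCID_TEXT))
```

Run against a real pair of exports taken with `set cli config-output-format xml`, a non-empty `local_only` list is the thing to look at before deciding to keep only the merged copy: those are the paths a restore from merged-plus-Panorama would not bring back.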


Re: [rancid] Restore a Palo Alto Firewall from a Rancid backup

2019-07-15 Thread john heasley
Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
> On 7/12/19 14:15 , Gauthier, Chris wrote:
> > Rancid configs for PAN can NOT be used to restore the config, unless you 
> > cut and paste the configuration. This is because the native config files 
> > are stored in XML format and that is the format the Palo Alto utilities 
> > expect when performing restorations.
> 
> Having recently needed to deal with a bunch of PAs, I ran into that same 
> issue and ended up writing a tool (https://github.com/ermuller/bracematch) 
> to simplify the process.
> 
> RE the other question about Panorama vs device configs, if you're backing 
> up your Panorama configuration (which has been fine via Rancid in my 

How are you backing up the Panorama configuration?  Is that just another
rancid 'paloalto' target?

> experience) as well as the base config on the device, you don't need to 
> backup the merged configuration.  And you probably shouldn't pull the 
> merged config, for restore purposes, as anything other than the local 
> device configuration will come from the Panorama templates once the device 
> is replaced.  Of course, the merged config might still be convenient to 
> save to easily see the complete policy set active on a given box.
> 
> -e
> 



Re: [rancid] Palo Alto (Panorama) configuration

2019-07-15 Thread Gauthier, Chris
So, once again, cut and paste bit me….  My sincere apologies.

Change the first line to read:

panw;script;rancid -t panw



From: annie lee 
Date: Friday, July 12, 2019 at 3:35 PM
To: "Gauthier, Chris" 
Cc: "rancid-discuss@shrubbery.net" 
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Hi Chris,

I've made similar changes on v3.9 but am not getting the new 'merged' config based 
on yours.
Below is the panw code I added:

panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowInventory;show chassis inventory
panw;command;panos::ShowConfig;show config merged
Unfortunately it still didn't capture the Panorama configs.

On Sat, Jul 13, 2019 at 3:58 AM Gauthier, Chris wrote:
So, if you look at my posting below, I made a rather dumb copy/paste error in 
my ‘panw’ definition.  The first line should read:

panw;script;rancid -t paloalto

not:
panw;script;rancid -t paloalto


Thanks to Heasley for pointing that out!  I would have not seen that for a 
while.  Having changed the line as shown above, the ‘show config merged’ now 
works great on Panorama-managed and non-managed PA devices.

--Chris
From: Rancid-discuss on behalf of "Gauthier, Chris"
Date: Friday, July 12, 2019 at 9:24 AM
To: annie lee
Cc: "rancid-discuss@shrubbery.net"
Subject: Re: [rancid] Palo Alto (Panorama) configuration

I’m getting some interesting results in my testing.

Rancid Version:  3.7

I have a pair of PA-5050’s managed by Panorama that have been only getting the 
‘show config running’ output (the limited output).  I made a new device type in 
etc/rancid.types.conf:

panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;rancid::RunCommand;set cli scripting-mode on
panw;command;rancid::RunCommand;set cli pager off
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowConfig;show config merged

This works well for my test unit (PA-220, unmanaged), but I am having problems 
with the PA-5050’s.

For reference:  Here is the device type of “paloalto” in etc/rancid.types.base:
paloalto;script;rancid -t paloalto
paloalto;login;panlogin
paloalto;module;panos
paloalto;inloop;panos::inloop
paloalto;command;rancid::RunCommand;set cli scripting-mode on
paloalto;command;rancid::RunCommand;set cli pager off
paloalto;command;panos::ShowInfo;show system info
paloalto;command;panos::ShowConfig;show config running

With the PA-5050’s, started with the following lines in router.db:
pa-1.example.com;paloalto;up;PA-5050 ha pair
pa-2.example.com;paloalto;up;PA-5050 ha pair

They’ve been getting the limited output because of the show config running 
command and that they’re managed by Panorama.  I altered the router.db file to:
pa-1.example.com;panw;up;PA-5050 ha pair
pa-2.example.com;panw;up;PA-5050 ha pair

I got the email that said the original devices were deleted and the new devices 
were added.

- pa-1.example.com;paloalto;up;PA-5050
- pa-2.example.com;panw;paloalto;up;PA-5050
+ pa-1.example.com;panw;up;PA-5050
+ pa-2.example.com;panw;panw;up;PA-5050

I checked the config files after running rancid again a couple times and the 
config was unchanged.  The output captured doesn’t seem to have changed.  Next, 
I troubleshot it by doing ‘NOPIPE=yes rancid -d -t panw pa-1.example.com’ and 
reviewing the output.  It 
captured everything cleanly, as far as I can tell.  No errors.  It’s like the 
diff is not catching the difference in output?

What might I try next?

--Chris


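The slip corrected at the top of this message (the `panw` type's script line still said `-t paloalto`, so the run kept collecting `show config running` and the diff never changed) is easy to make when a type is cloned from etc/rancid.types.base and easy to catch with a small linter. The script below is an added example, not code from the thread or from rancid. It parses a constructed rancid.types.conf excerpt containing the two type definitions quoted in this thread, resolves which command list actually runs for a `panw` device by following the `-t` argument on its script line (that argument is what selects rancid's command table, which is why the copied line silently used the base type's commands), and flags any script line whose `-t` names a different type.

```python
import re

# Constructed rancid.types.conf excerpt reproducing the slip from the thread:
# 'panw' was copied from the shipped 'paloalto' type and its script line
# still says '-t paloalto'.
TYPES_CONF = """\
# shipped base type (etc/rancid.types.base)
paloalto;script;rancid -t paloalto
paloalto;login;panlogin
paloalto;module;panos
paloalto;inloop;panos::inloop
paloalto;command;rancid::RunCommand;set cli scripting-mode on
paloalto;command;rancid::RunCommand;set cli pager off
paloalto;command;panos::ShowInfo;show system info
paloalto;command;panos::ShowConfig;show config running
# local type (etc/rancid.types.conf) meant to collect the merged config
panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;rancid::RunCommand;set cli scripting-mode on
panw;command;rancid::RunCommand;set cli pager off
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowConfig;show config merged
"""


def parse_types(text):
    """Parse 'type;key;value' lines.  'command' values are 'function;cli'
    pairs and the CLI part may itself contain ';', so split on at most two
    separators and partition the remainder once."""
    types = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";", 2)
        if len(fields) != 3:
            raise ValueError("malformed rancid.types line: %r" % raw)
        typ, key, rest = fields
        entry = types.setdefault(typ, {"commands": []})
        if key == "command":
            func, _, cli = rest.partition(";")
            entry["commands"].append((func, cli))
        else:
            entry[key] = rest
    return types


def script_target(script):
    """Type named by the '-t' argument of a script line, or None if absent."""
    m = re.search(r"(?:^|\s)-t\s+(\S+)", script)
    return m.group(1) if m else None


def effective_commands(types, typ):
    """CLI commands that actually run for a device of type `typ`: the script
    line's -t selects the command table, so follow it rather than `typ`."""
    target = script_target(types[typ].get("script", "")) or typ
    if target not in types:
        raise KeyError("%s: script names unknown type %s" % (typ, target))
    return [cli for _, cli in types[target]["commands"]]


def lint_types(types):
    """Flag script lines whose -t points at a different type, and types
    missing the script or login key."""
    problems = []
    for typ, entry in types.items():
        if "login" not in entry:
            problems.append("%s: no login line" % typ)
        if "script" not in entry:
            problems.append("%s: no script line" % typ)
            continue
        target = script_target(entry["script"])
        if target is not None and target != typ:
            problems.append("%s: script runs '-t %s', so the %s command list is used"
                            % (typ, target, target))
    return problems


if __name__ == "__main__":
    types = parse_types(TYPES_CONF)
    for problem in lint_types(types):
        print("WARN", problem)
    print("panw really runs:", effective_commands(types, "panw")[-1])
```

Point `parse_types` at the real etc/rancid.types.conf (read the file into `text`) and run `lint_types` after every edit; the lint output for the excerpt above names the exact line the thread ended up correcting, and `effective_commands` shows the `show config running` that was actually being collected.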