Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-20 Thread john heasley
Sat, Jul 20, 2019 at 12:29:19AM +0200, Erik Muller:
> On 7/19/19 22:32 , john heasley wrote:
> > Mon, Jul 15, 2019 at 10:30:42PM +, Gauthier, Chris:
> >> The only way in CLI to do a "show run" type of output in XML format is to 
> >> execute the following commands.  This holds true for both Panorama and 
> >> Pan-OS (not managed by Panorama):
> >>
> >> User@Palo-Alto-FW> set cli config-output-format xml
> >> User@Palo-Alto-FW> configure
> >> Entering configuration mode
> >> [edit]
> >> User@Palo-Alto-FW# show
> >> 
> >>
> >>  
> >> Truncated to hide my config
> >>
> >> --Chris
> > 
> > I am confused; please help me understand so that we wrap-up this issue.
> > 
> > There are two configs, the normal one in show config run, and one that
> > comes from panorama config (if in use) that is visible on the "panorama
> > clients" (my term) with show config merged.
> 
> Correct.  Each PANOS device that's managed via Panorama has a local 
> persistent configuration that includes device-specific things like local 
> management address, HA-pair, user accounts...
> Panorama stores in its config a bunch of rulesets and templates that can 
> be applied to the managed devices; when it pushes those to a managed device 
> they're merged at runtime into that device's live config, but not part of 
> that box's actual local config.
> 
> > the panorama (master) offers a cli, just like a panorama client, where
> > the panorama configuration can be viewed with 'show config run'.
> > 
> > these configs can be dumped as xml or text.  only xml can be loaded.
> > 
> > Do i have all of this correct?  I did not glean much useful info from the
> > palo alto website.
> 
> all correct, TTBOMK.
> -e
> 

Super; thanks.

Is it sensible to collect all three?  ie: the xml of the base, the base,
and the merged.

> > 
> >> -Original Message-
> >> From: Rancid-discuss  on behalf of 
> >> john heasley 
> >> Date: Monday, July 15, 2019 at 3:00 PM
> >> To: Erik Muller 
> >> Cc: "rancid-discuss@shrubbery.net" 
> >> Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup
> >>
> >> Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
> >>> On 7/12/19 14:15 , Gauthier, Chris wrote:
> >>>> Rancid configs for PAN can NOT be used to restore the config, unless you
> >>>> cut and paste the configuration. This is because the native config files
> >>>> are stored in XML format and that is the format the Palo Alto utilities
> >>>> expect when performing restorations.
> >>>
> >>> Having recently needed to deal with a bunch of PAs, I ran into that same
> >>> issue and ended up writing a tool (https://github.com/ermuller/bracematch)
> >>> to simplify the process.
> >>>
> >>> RE the other question about Panorama vs device configs, if you're backing
> >>> up your Panorama configuration (which has been fine via Rancid in my
> >>
> >> How are you backing the Panorama configuration?  is that just another
> >> rancid 'paloalto' target?
> >>
> >>> experience) as well as the base config on the device, you don't need to
> >>> backup the merged configuration.  And you probably shouldn't pull the
> >>> merged config, for restore purposes, as anything other than the local
> >>> device configuration will come from the Panorama templates once the device
> >>> is replaced.  Of course, the merged config might still be convenient to
> >>> save to easily see the complete policy set active on a given box.
> >>>
> >>> -e
> > 

___
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
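
The distinction drawn in this thread (a config can be dumped as XML, set commands or brace-style text, and only XML can be loaded) can be checked before a saved backup is relied on for a restore. This is an added example, not code from the thread or from RANCID; the function name, the sample dumps, the top-level `<config>` element, the `<phash>` element name and the `<removed>` filter marker are assumptions or constructed values.

```python
import xml.etree.ElementTree as ET


def classify_backup(text):
    """Classify a saved config dump and say whether it is a restore candidate.

    Returns (fmt, loadable, reason); fmt is "xml", "set", "brace" or "unknown".
    """
    body = text.strip()
    if not body:
        return ("unknown", False, "empty file")

    if body.startswith("<"):
        # A collector that filters secrets or truncates output can leave
        # XML that no longer parses, so well-formedness is checked first.
        try:
            root = ET.fromstring(body)
        except ET.ParseError as exc:
            return ("xml", False, "not well-formed XML: %s" % exc)
        # Assumption: an exported config has a top-level <config> element.
        if root.tag != "config":
            return ("xml", False, "unexpected root element <%s>" % root.tag)
        # Assumption: local account hashes live in <phash> elements. An
        # empty one suggests the hash was removed before the file was saved.
        empty = [e for e in root.iter("phash") if not (e.text or "").strip()]
        if empty:
            return ("xml", False,
                    "%d empty password hash element(s)" % len(empty))
        return ("xml", True, "well-formed, root <config>")

    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if all(ln.startswith("set ") for ln in lines):
        return ("set", False, "set-command text, not an XML file")
    if body.count("{") and body.count("{") == body.count("}"):
        return ("brace", False, "brace-style text, not an XML file")
    return ("unknown", False, "unrecognised format")


# Constructed samples; none of them comes from a real device.
XML_OK = (
    '<config version="8.1.0"><mgt-config><users><entry name="admin">'
    "<phash>$1$constructed$hash</phash></entry></users></mgt-config>"
    "<devices/></config>"
)
# A filter that swaps the hash for the literal text <removed> (assumed
# marker) leaves an unclosed tag, so the file is no longer valid XML.
XML_FILTERED = (
    '<config version="8.1.0"><mgt-config><users><entry name="admin">'
    "<phash><removed></phash></entry></users></mgt-config></config>"
)
XML_EMPTY_HASH = (
    '<config><mgt-config><users><entry name="admin"><phash/></entry>'
    "</users></mgt-config></config>"
)
SET_TEXT = (
    "set deviceconfig system hostname fw01\n"
    "set deviceconfig system ip-address 192.0.2.10\n"
)
BRACE_TEXT = "deviceconfig {\n  system {\n    hostname fw01;\n  }\n}\n"

if __name__ == "__main__":
    samples = [
        ("xml-ok", XML_OK),
        ("xml-filtered", XML_FILTERED),
        ("xml-empty-hash", XML_EMPTY_HASH),
        ("set", SET_TEXT),
        ("brace", BRACE_TEXT),
    ]
    for name, sample in samples:
        print(name, classify_backup(sample))
```
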


Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-19 Thread Erik Muller

On 7/19/19 22:32 , john heasley wrote:
> Mon, Jul 15, 2019 at 10:30:42PM +, Gauthier, Chris:
>> The only way in CLI to do a "show run" type of output in XML format is to
>> execute the following commands.  This holds true for both Panorama and
>> Pan-OS (not managed by Panorama):
>>
>> User@Palo-Alto-FW> set cli config-output-format xml
>> User@Palo-Alto-FW> configure
>> Entering configuration mode
>> [edit]
>> User@Palo-Alto-FW# show
>>
>> Truncated to hide my config
>>
>> --Chris
>
> I am confused; please help me understand so that we wrap-up this issue.
>
> There are two configs, the normal one in show config run, and one that
> comes from panorama config (if in use) that is visible on the "panorama
> clients" (my term) with show config merged.

Correct.  Each PANOS device that's managed via Panorama has a local
persistent configuration that includes device-specific things like local
management address, HA-pair, user accounts...
Panorama stores in its config a bunch of rulesets and templates that can
be applied to the managed devices; when it pushes those to a managed device
they're merged at runtime into that device's live config, but not part of
that box's actual local config.

> the panorama (master) offers a cli, just like a panorama client, where
> the panorama configuration can be viewed with 'show config run'.
>
> these configs can be dumped as xml or text.  only xml can be loaded.
>
> Do i have all of this correct?  I did not glean much useful info from the
> palo alto website.

all correct, TTBOMK.
-e

> thanks
>
>> -Original Message-
>> From: Rancid-discuss  on behalf of john heasley
>> Date: Monday, July 15, 2019 at 3:00 PM
>> To: Erik Muller
>> Cc: "rancid-discuss@shrubbery.net"
>> Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup
>>
>> Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
>>> On 7/12/19 14:15 , Gauthier, Chris wrote:
>>>> Rancid configs for PAN can NOT be used to restore the config, unless you
>>>> cut and paste the configuration. This is because the native config files
>>>> are stored in XML format and that is the format the Palo Alto utilities
>>>> expect when performing restorations.
>>>
>>> Having recently needed to deal with a bunch of PAs, I ran into that same
>>> issue and ended up writing a tool (https://github.com/ermuller/bracematch)
>>> to simplify the process.
>>>
>>> RE the other question about Panorama vs device configs, if you're backing
>>> up your Panorama configuration (which has been fine via Rancid in my
>>
>> How are you backing the Panorama configuration?  is that just another
>> rancid 'paloalto' target?
>>
>>> experience) as well as the base config on the device, you don't need to
>>> backup the merged configuration.  And you probably shouldn't pull the
>>> merged config, for restore purposes, as anything other than the local
>>> device configuration will come from the Panorama templates once the device
>>> is replaced.  Of course, the merged config might still be convenient to
>>> save to easily see the complete policy set active on a given box.
>>>
>>> -e





Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-19 Thread Erik Muller

On 7/16/19 0:00 , john heasley wrote:
> Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
>> On 7/12/19 14:15 , Gauthier, Chris wrote:
>>> Rancid configs for PAN can NOT be used to restore the config, unless you
>>> cut and paste the configuration. This is because the native config files
>>> are stored in XML format and that is the format the Palo Alto utilities
>>> expect when performing restorations.
>>
>> Having recently needed to deal with a bunch of PAs, I ran into that same
>> issue and ended up writing a tool (https://github.com/ermuller/bracematch)
>> to simplify the process.
>>
>> RE the other question about Panorama vs device configs, if you're backing
>> up your Panorama configuration (which has been fine via Rancid in my
>
> How are you backing the Panorama configuration?  is that just another
> rancid 'paloalto' target?

Exactly, the Panorama instance just looks like another PANOS device, with
the same basic CLI.  All the configuration rules and templates that are
deployed to the managed devices are stored as just a normal part of the
Panorama box's standard config, so from a rancid perspective it's just
another normal paloalto box, and Just Works (AFAICT - I've not checked it
closely, but it appears to be complete).

-e

>> experience) as well as the base config on the device, you don't need to
>> backup the merged configuration.  And you probably shouldn't pull the
>> merged config, for restore purposes, as anything other than the local
>> device configuration will come from the Panorama templates once the device
>> is replaced.  Of course, the merged config might still be convenient to
>> save to easily see the complete policy set active on a given box.
>>
>> -e






Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-19 Thread john heasley
Mon, Jul 15, 2019 at 10:30:42PM +, Gauthier, Chris:
> The only way in CLI to do a "show run" type of output in XML format is to 
> execute the following commands.  This holds true for both Panorama and Pan-OS 
> (not managed by Panorama):
> 
> User@Palo-Alto-FW> set cli config-output-format xml
> User@Palo-Alto-FW> configure
> Entering configuration mode
> [edit]
> User@Palo-Alto-FW# show
> 
>   
> 
> Truncated to hide my config
> 
> --Chris

I am confused; please help me understand so that we wrap-up this issue.

There are two configs, the normal one in show config run, and one that
comes from panorama config (if in use) that is visible on the "panorama
clients" (my term) with show config merged.

the panorama (master) offers a cli, just like a panorama client, where
the panorama configuration can be viewed with 'show config run'.

these configs can be dumped as xml or text.  only xml can be loaded.

Do i have all of this correct?  I did not glean much useful info from the
palo alto website.

thanks

> -Original Message-
> From: Rancid-discuss  on behalf of john 
> heasley 
> Date: Monday, July 15, 2019 at 3:00 PM
> To: Erik Muller 
> Cc: "rancid-discuss@shrubbery.net" 
> Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup
> 
> Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
> > On 7/12/19 14:15 , Gauthier, Chris wrote:
> > > Rancid configs for PAN can NOT be used to restore the config, unless you
> > > cut and paste the configuration. This is because the native config files
> > > are stored in XML format and that is the format the Palo Alto utilities
> > > expect when performing restorations.
> >
> > Having recently needed to deal with a bunch of PAs, I ran into that same
> > issue and ended up writing a tool (https://github.com/ermuller/bracematch)
> > to simplify the process.
> >
> > RE the other question about Panorama vs device configs, if you're backing
> > up your Panorama configuration (which has been fine via Rancid in my
> 
> How are you backing the Panorama configuration?  is that just another
> rancid 'paloalto' target?
> 
> > experience) as well as the base config on the device, you don't need to
> > backup the merged configuration.  And you probably shouldn't pull the
> > merged config, for restore purposes, as anything other than the local
> > device configuration will come from the Panorama templates once the device
> > is replaced.  Of course, the merged config might still be convenient to
> > save to easily see the complete policy set active on a given box.
> >
> > -e



Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-15 Thread Gauthier, Chris
The only way in CLI to do a "show run" type of output in XML format is to 
execute the following commands.  This holds true for both Panorama and Pan-OS 
(not managed by Panorama):

User@Palo-Alto-FW> set cli config-output-format xml
User@Palo-Alto-FW> configure
Entering configuration mode
[edit]
User@Palo-Alto-FW# show

  

Truncated to hide my config

--Chris




Chris Gauthier Senior Network Engineer | Comscore
t +1 (503) 331-2704 |
cgauth...@comscore.com
comscore.com
This e-mail (including any attachments) may contain information that is 
private, confidential, or protected by attorney-client or other privilege. If 
you received this e-mail in error, please delete it from your system and notify 
sender.
-Original Message-
From: Rancid-discuss  on behalf of john 
heasley 
Date: Monday, July 15, 2019 at 3:00 PM
To: Erik Muller 
Cc: "rancid-discuss@shrubbery.net" 
Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
> On 7/12/19 14:15 , Gauthier, Chris wrote:
> > Rancid configs for PAN can NOT be used to restore the config, unless you
> > cut and paste the configuration. This is because the native config files
> > are stored in XML format and that is the format the Palo Alto utilities
> > expect when performing restorations.
>
> Having recently needed to deal with a bunch of PAs, I ran into that same
> issue and ended up writing a tool (https://github.com/ermuller/bracematch)
> to simplify the process.
>
> RE the other question about Panorama vs device configs, if you're backing
> up your Panorama configuration (which has been fine via Rancid in my

How are you backing the Panorama configuration?  is that just another
rancid 'paloalto' target?

> experience) as well as the base config on the device, you don't need to
> backup the merged configuration.  And you probably shouldn't pull the
> merged config, for restore purposes, as anything other than the local
> device configuration will come from the Panorama templates once the device
> is replaced.  Of course, the merged config might still be convenient to
> save to easily see the complete policy set active on a given box.
>
> -e
>


Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-15 Thread john heasley
Fri, Jul 12, 2019 at 09:18:34PM +0200, Erik Muller:
> On 7/12/19 14:15 , Gauthier, Chris wrote:
> > Rancid configs for PAN can NOT be used to restore the config, unless you 
> > cut and paste the configuration. This is because the native config files 
> > are stored in XML format and that is the format the Palo Alto utilities 
> > expect when performing restorations.
> 
> Having recently needed to deal with a bunch of PAs, I ran into that same 
> issue and ended up writing a tool (https://github.com/ermuller/bracematch) 
> to simplify the process.
> 
> RE the other question about Panorama vs device configs, if you're backing 
> up your Panorama configuration (which has been fine via Rancid in my 

How are you backing the Panorama configuration?  is that just another
rancid 'paloalto' target?

> experience) as well as the base config on the device, you don't need to 
> backup the merged configuration.  And you probably shouldn't pull the 
> merged config, for restore purposes, as anything other than the local 
> device configuration will come from the Panorama templates once the device 
> is replaced.  Of course, the merged config might still be convenient to 
> save to easily see the complete policy set active on a given box.
> 
> -e
> 


Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread Gauthier, Chris
Yes, you can export the different formats, but the restore expects XML, in my 
experience.  Also, for those using Panorama, Erik’s advice to rely on Panorama 
is sound.  Been there, done that, don’t want to restore again, but it worked!

--Chris



From: Scott Granados 
Date: Friday, July 12, 2019 at 12:23 PM
To: "Gauthier, Chris" 
Cc: john heasley , "rancid-discuss@shrubbery.net" 

Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

We haven’t bothered with Panorama much because unlike the firewalls themselves 
the Panorama interface is very poor with screen readers and other accessibility 
technologies used.

In AWS we do a lot of exporting of configs and use S3 to bootstrap the virtual 
appliances so there may be a difference in what I’m working with.  We can edit 
the configs in S3 and they can be automatically imported or grabbed on boot.  On 
the hardware though I thought it was selectable.  I’ll review the link you 
sent, thank you.

 Just queried my PA and the choices I have to export or import configs are 
JSUN, XML, SET or Default which looks like JSUN to me so not sure why that’s 
duplicated.  I am just setting the CLI variable; I assume you’re using a 
different mechanism that’s different.

Thanks


If you’re connecting via SSH and pulling the config I don’t see why you 
couldn’t set it to whatever format you wanted and then push with the correct 
flag set at the head of the request.




On Jul 12, 2019, at 2:56 PM, Gauthier, Chris <cgauth...@comscore.com> wrote:

Exported config files are in XML format. Here is a link to the documentation. 
Nowhere in their documentation does it reference using JSON as the format for 
import/export.

Also, Palo Alto has a "scheduled export" facility, especially if you are using 
Panorama. We use RANCiD to track the changes more than anything, but use the 
utility to auto-export configs.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-configuration-backups/save-and-export-firewall-configurations.html

--Chris


Chris​
Gauthier
 Senior Network Engineer
 |
Comscore
t +1 (503) 331-2704
 |
cgauth...@comscore.com<mailto:cgauth...@comscore.com>
comscore.com<http://www.comscore.com/>
​​​This e-mail (including any attachments) may contain information that is 
private, confidential, or protected by attorney-client or other privilege. If 
you received this e-mail in error, please delete it from your system and notify 
sender.
-Original Message-
From: Scott Granados 
Date: Friday, July 12, 2019 at 11:44 AM
To: john heasley 
Cc: "Gauthier, Chris" , "rancid-discuss@shrubbery.net" 

Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

It’s not XML, it’s JSUN if I understand where you’re going with this.

From exec mode
Set cli config-output-format default

Also other variables here can be set for set form and other formats which you 
can select and display with a ? In the config-output-format parameter field.

Thanks


> On Jul 12, 2019, at 2:20 PM, john heasley  wrote:
>
> Fri, Jul 12, 2019 at 06:15:39PM +, Gauthier, Chris:
>> Rancid configs for PAN can NOT be used to restore the config, unless you cut 
>> and paste the configuration. This is because the native config files are 
>> stored in XML format and that is the format the Palo Alto utilities expect 
>> when performing restorations.
>>
>
> so, store both in rancid. what is the cmd to retrieve the xml format?
>


Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread Scott Granados
We haven’t bothered with Panorama much because unlike the firewalls themselves 
the Panorama interface is very poor with screen readers and other accessibility 
technologies used.

In AWS we do a lot of exporting of configs and use S3 to bootstrap the virtual 
appliances so there may be a difference in what I’m working with.  We can edit 
the configs in S3 and they can be automatically imported or grabbed on boot.  On 
the hardware though I thought it was selectable.  I’ll review the link you 
sent, thank you.

 Just queried my PA and the choices I have to export or import configs are 
JSUN, XML, SET or Default which looks like JSUN to me so not sure why that’s 
duplicated.  I am just setting the CLI variable; I assume you’re using a 
different mechanism that’s different.

Thanks


If you’re connecting via SSH and pulling the config I don’t see why you 
couldn’t set it to whatever format you wanted and then push with the correct 
flag set at the head of the request.



> On Jul 12, 2019, at 2:56 PM, Gauthier, Chris  wrote:
> 
> Exported config files are in XML format. Here is a link to the documentation. 
> Nowhere in their documentation does it reference using JSON as the format for 
> import/export.
> 
> Also, Palo Alto has a "scheduled export" facility, especially if you are 
> using Panorama. We use RANCiD to track the changes more than anything, but 
> use the utility to auto-export configs.
> 
> https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-configuration-backups/save-and-export-firewall-configurations.html
> 
> --Chris
> 
> 
> 
> 
> -Original Message-
> From: Scott Granados 
> Date: Friday, July 12, 2019 at 11:44 AM
> To: john heasley 
> Cc: "Gauthier, Chris" , 
> "rancid-discuss@shrubbery.net" 
> Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup
> 
> It’s not XML, it’s JSUN if I understand where you’re going with this.
> 
> From exec mode
> Set cli config-output-format default
> 
> Also other variables here can be set for set form and other formats which you 
> can select and display with a ? In the config-output-format parameter field.
> 
> Thanks
> 
> 
> > On Jul 12, 2019, at 2:20 PM, john heasley  wrote:
> > 
> > Fri, Jul 12, 2019 at 06:15:39PM +, Gauthier, Chris:
> >> Rancid configs for PAN can NOT be used to restore the config, unless you 
> >> cut and paste the configuration. This is because the native config files 
> >> are stored in XML format and that is the format the Palo Alto utilities 
> >> expect when performing restorations.
> >> 
> > 
> > so, store both in rancid. what is the cmd to retrieve the xml format?
> > 


Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread Erik Muller

On 7/12/19 14:15 , Gauthier, Chris wrote:
> Rancid configs for PAN can NOT be used to restore the config, unless you
> cut and paste the configuration. This is because the native config files
> are stored in XML format and that is the format the Palo Alto utilities
> expect when performing restorations.


Having recently needed to deal with a bunch of PAs, I ran into that same 
issue and ended up writing a tool (https://github.com/ermuller/bracematch) 
to simplify the process.


RE the other question about Panorama vs device configs, if you're backing 
up your Panorama configuration (which has been fine via Rancid in my 
experience) as well as the base config on the device, you don't need to 
backup the merged configuration.  And you probably shouldn't pull the 
merged config, for restore purposes, as anything other than the local 
device configuration will come from the Panorama templates once the device 
is replaced.  Of course, the merged config might still be convenient to 
save to easily see the complete policy set active on a given box.


-e



Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread Gauthier, Chris
Exported config files are in XML format.  Here is a link to the documentation.  
Nowhere in their documentation does it reference using JSON as the format for 
import/export.

Also, Palo Alto has a "scheduled export" facility, especially if you are using 
Panorama.  We use RANCiD to track the changes more than anything, but use the 
utility to auto-export configs.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-configuration-backups/save-and-export-firewall-configurations.html

--Chris




-Original Message-
From: Scott Granados 
Date: Friday, July 12, 2019 at 11:44 AM
To: john heasley 
Cc: "Gauthier, Chris" , "rancid-discuss@shrubbery.net" 

Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

It’s not XML, it’s JSUN if I understand where you’re going with this.

From exec mode
Set cli config-output-format default

Also other variables here can be set for set form and other formats which you 
can select and display with a ? In the config-output-format parameter field.

Thanks


> On Jul 12, 2019, at 2:20 PM, john heasley  wrote:
>
> Fri, Jul 12, 2019 at 06:15:39PM +, Gauthier, Chris:
>> Rancid configs for PAN can NOT be used to restore the config, unless you cut 
>> and paste the configuration.  This is because the native config files are 
>> stored in XML format and that is the format the Palo Alto utilities expect 
>> when performing restorations.
>>
>
> so, store both in rancid.  what is the cmd to retrieve the xml format?
>


Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread Scott Granados
It’s not XML, it’s JSUN if I understand where you’re going with this.

From exec mode
Set cli config-output-format default

Also other variables here can be set for set form and other formats which you 
can select and display with a ? In the config-output-format parameter field.

Thanks


> On Jul 12, 2019, at 2:20 PM, john heasley  wrote:
> 
> Fri, Jul 12, 2019 at 06:15:39PM +, Gauthier, Chris:
>> Rancid configs for PAN can NOT be used to restore the config, unless you cut 
>> and paste the configuration.  This is because the native config files are 
>> stored in XML format and that is the format the Palo Alto utilities expect 
>> when performing restorations.
>> 
> 
> so, store both in rancid.  what is the cmd to retrieve the xml format?
> 


Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread john heasley
Fri, Jul 12, 2019 at 06:15:39PM +, Gauthier, Chris:
> Rancid configs for PAN can NOT be used to restore the config, unless you cut 
> and paste the configuration.  This is because the native config files are 
> stored in XML format and that is the format the Palo Alto utilities expect 
> when performing restorations.
> 

so, store both in rancid.  what is the cmd to retrieve the xml format?



Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-12 Thread Gauthier, Chris
Rancid configs for PAN can NOT be used to restore the config, unless you cut 
and paste the configuration.  This is because the native config files are 
stored in XML format and that is the format the Palo Alto utilities expect when 
performing restorations.

--Chris



-Original Message-
From: Rancid-discuss  on behalf of john 
heasley 
Date: Friday, July 5, 2019 at 10:43 AM
To: STUART WALTON 
Cc: "rancid-discuss@shrubbery.net" 
Subject: Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

Thu, Jul 04, 2019 at 08:23:51AM +, STUART WALTON:
> Hi
>
> Has anyone used a backup from Rancid to restore a Palo Alto Firewall?
>
> If so how have you done it?  (I have the backup but it does not appear to be 
> in the correct format)
>
> I have searched the discussion but cannot seem to find the answer. Any help 
> would be appreciated.

I do not know much of anything about PAN devices.  However, be aware that,
depending upon your rancid configuration, passwords may be removed.  Also,
see the FAQ S1 Q5 for another caveat that may apply to PAN.

Also, include the error you received when attempting to load the config.
It might provide a clue to someone with more experience with PAN.



Re: [rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-05 Thread john heasley
Thu, Jul 04, 2019 at 08:23:51AM +, STUART WALTON:
> Hi
> 
> Has anyone used a backup from Rancid to restore a Palo Alto Firewall?
> 
> If so how have you done it?  (I have the backup but it does not appear to be 
> in the correct format)
> 
> I have searched the discussion but cannot seem to find the answer. Any help 
> would be appreciated.

I do not know much of anything about PAN devices.  However, be aware that,
depending upon your rancid configuration, passwords may be removed.  Also,
see the FAQ S1 Q5 for another caveat that may apply to PAN.

Also, include the error you received when attempting to load the config.
It might provide a clue to someone with more experience with PAN.



[rancid] Restore a Palo Alto Firewall from a Rancid bacup

2019-07-05 Thread STUART WALTON
Hi

Has anyone used a backup from Rancid to restore a Palo Alto Firewall?

If so how have you done it?  (I have the backup but it does not appear to be in 
the correct format)

I have searched the discussion but cannot seem to find the answer. Any help 
would be appreciated.

Regards

Stu







This message (including any attachments) contains confidential information 
intended for a specific individual and purpose, and is protected by law. If you 
are not the intended recipient of this e-mail (even if the e-mail address above 
is yours), (i) you may not use, copy or retransmit it, (ii) please delete this 
message and (iii) please notify the sender immediately. Any disclosure, 
copying, or distribution of this message or the taking of any action based on 
it, is strictly prohibited.


