Re: [rancid] Palo Alto (Panorama) configuration
So, once again, cut and paste bit me…. My sincere apologies. Change the first line to read:

panw;script;rancid -t panw

Chris Gauthier
Senior Network Engineer | Comscore
t +1 (503) 331-2704 | cgauth...@comscore.com
comscore.com

This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system and notify sender.
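The copy/paste slip corrected in the message above, as an added example that is not part of the thread or of rancid itself: a Python check that flags a device type whose `script` line hands a different type name to `rancid -t`, and shows which commands then run. It assumes that `rancid -t X` takes its command list from type X's definition; the function names are hypothetical and the embedded definitions are constructed from the ones posted in this thread.

```python
import shlex

# Sample input, constructed from the definitions posted in this thread:
# the stock "paloalto" type (etc/rancid.types.base) and the custom "panw"
# type (etc/rancid.types.conf) as first posted, before the correction.
TYPES_BASE = """\
paloalto;script;rancid -t paloalto
paloalto;login;panlogin
paloalto;module;panos
paloalto;inloop;panos::inloop
paloalto;command;rancid::RunCommand;set cli scripting-mode on
paloalto;command;rancid::RunCommand;set cli pager off
paloalto;command;panos::ShowInfo;show system info
paloalto;command;panos::ShowConfig;show config running
"""

TYPES_CONF_POSTED = """\
panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;rancid::RunCommand;set cli scripting-mode on
panw;command;rancid::RunCommand;set cli pager off
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowConfig;show config merged
"""

# The same definition with the first line changed as the correction says.
TYPES_CONF_FIXED = TYPES_CONF_POSTED.replace(
    "rancid -t paloalto", "rancid -t panw", 1
)


def parse_types(*texts):
    """Parse 'type;directive;value' lines into {type: {script, commands}}."""
    types = {}
    for text in texts:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split(";", 3)
            if len(fields) < 3:
                continue  # not a complete definition line
            name, directive = fields[0], fields[1]
            entry = types.setdefault(name, {"script": None, "commands": []})
            if directive == "script":
                entry["script"] = ";".join(fields[2:])
            elif directive == "command" and len(fields) == 4:
                entry["commands"].append((fields[2], fields[3]))
    return types


def script_target(script):
    """Return the type named by 'rancid -t <type>', or None for other scripts."""
    argv = shlex.split(script or "")
    if not argv or argv[0].rsplit("/", 1)[-1] != "rancid":
        return None
    for i, arg in enumerate(argv):
        if arg == "-t" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-t") and len(arg) > 2:
            return arg[2:]
    return None


def effective_commands(types, name):
    """CLI commands that run for devices of type `name`.

    Assumed model: the -t argument on the script line, not the type name
    used in router.db, selects whose command list is executed.
    """
    target = script_target(types[name]["script"]) or name
    source = types.get(target, types[name])
    return [cli for _handler, cli in source["commands"]]


def lint(types):
    """Flag types whose own command lines are bypassed by a mismatched -t."""
    findings = []
    for name in sorted(types):
        target = script_target(types[name]["script"])
        if target and target != name and types[name]["commands"]:
            findings.append(
                f"{name}: script line runs 'rancid -t {target}'; "
                f"the {len(types[name]['commands'])} command lines defined "
                f"for '{name}' are not used"
            )
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", TYPES_CONF_POSTED),
                        ("corrected", TYPES_CONF_FIXED)):
        types = parse_types(TYPES_BASE, conf)
        print(label, "->", effective_commands(types, "panw")[-1])
        for finding in lint(types):
            print("  WARNING", finding)
```

Under the same assumption, a manual run such as `rancid -d -t panw <host>` names the type directly, so it does not exercise the `script` line that this check inspects.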
Re: [rancid] Palo Alto (Panorama) configuration
From: annie lee
Date: Friday, July 12, 2019 at 3:35 PM

Hi Chris,

I've made similar changes on v3.9 but not getting the new 'merged' config based on yours. Below is the panw code I added:

panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowInventory;show chassis inventory
panw;command;panos::ShowConfig;show config merged

Unfortunately still didn't capture the panorama configs.

On Sat, Jul 13, 2019 at 3:58 AM Gauthier, Chris wrote:
> So, if you look at my posting below, I made a rather dumb copy/paste error in my ‘panw’ definition. The first line should read:
>
> panw;script;rancid -t paloalto
>
> not:
>
> panw;script;rancid -t paloalto
>
> Thanks to Heasley for pointing that out! I would have not seen that for a while. Having changed the line as shown above, the ‘show config merged’ now works great on Panorama-managed and non-managed PA devices.
>
> --Chris
Re: [rancid] Palo Alto (Panorama) configuration
So, if you look at my posting below, I made a rather dumb copy/paste error in my ‘panw’ definition. The first line should read:

panw;script;rancid -t paloalto

not:

panw;script;rancid -t paloalto

Thanks to Heasley for pointing that out! I would have not seen that for a while. Having changed the line as shown above, the ‘show config merged’ now works great on Panorama-managed and non-managed PA devices.

--Chris

Chris Gauthier
Senior Network Engineer | Comscore
t +1 (503) 331-2704 | cgauth...@comscore.com
comscore.com
Re: [rancid] Palo Alto (Panorama) configuration
From: Rancid-discuss on behalf of "Gauthier, Chris"
Date: Friday, July 12, 2019 at 9:24 AM

I’m getting some interesting results in my testing.

Rancid Version: 3.7

I have a pair of PA-5050’s managed by Panorama that have been only getting the ‘show config running’ output (the limited output). I made a new device type in etc/rancid.types.conf:

panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;rancid::RunCommand;set cli scripting-mode on
panw;command;rancid::RunCommand;set cli pager off
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowConfig;show config merged

This works well for my test unit (PA-220, unmanaged), but I am having problems with the PA-5050’s.

For reference: Here is the device type of “paloalto” in etc/rancid.types.base:

paloalto;script;rancid -t paloalto
paloalto;login;panlogin
paloalto;module;panos
paloalto;inloop;panos::inloop
paloalto;command;rancid::RunCommand;set cli scripting-mode on
paloalto;command;rancid::RunCommand;set cli pager off
paloalto;command;panos::ShowInfo;show system info
paloalto;command;panos::ShowConfig;show config running

With the PA-5050’s, started with the following lines in router.db:

pa-1.example.com;paloalto;up;PA-5050 ha pair
pa-2.example.com;paloalto;up;PA-5050 ha pair

They’ve been getting the limited output because of the show config running command and that they’re managed by Panorama. I altered the router.db file to:

pa-1.example.com;panw;up;PA-5050 ha pair
pa-2.example.com;panw;up;PA-5050 ha pair

I got the email that said the original devices were deleted and the new devices were added.

- pa-1.example.com;paloalto;up;PA-5050
- pa-2.example.com;panw;paloalto;up;PA-5050
+ pa-1.example.com;panw;up;PA-5050
+ pa-2.example.com;panw;panw;up;PA-5050

I checked the config files after running rancid again a couple times and the config was unchanged. The output captured doesn’t seem to have changed. Next, I troubleshot it by doing ‘NOPIPE=yes rancid -d -t panw pa-1.example.com’ and reviewing the output. It captured everything cleanly, as far as I can tell. No errors. It’s like the diff is not catching the difference in output?

What might I try next?

--Chris

Chris Gauthier
Senior Network Engineer | Comscore
t +1 (503) 331-2704 | cgauth...@comscore.com
comscore.com
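Review bot: the two pa-2 lines in the router.db change notice in the message above (`- pa-2.example.com;panw;paloalto;up;PA-5050` and `+ pa-2.example.com;panw;panw;up;PA-5050`) have five semicolon-separated fields where the pa-1 lines have four, and none of the four lines shows the `ha pair` text from the router.db entries quoted before them. router.db fields are name;type;state;comment, so if that extra field is really in the file, the state column for pa-2 would read `paloalto` or `panw` rather than `up`; confirm that the entry on disk reads `pa-2.example.com;panw;up;PA-5050 ha pair`.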
Re: [rancid] Palo Alto (Panorama) configuration
From: annie lee
Date: Thursday, July 11, 2019 at 4:00 PM

Hi Chris,

That's very kind of you to spend time doing that and thanks for that.

Rgds

On Fri, Jul 12, 2019 at 8:51 AM Gauthier, Chris wrote:
> I’m working through that right now.

___
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
Re: [rancid] Palo Alto (Panorama) configuration
I’m working through that right now.

Chris Gauthier
Senior Network Engineer | Comscore
t +1 (503) 331-2704 | cgauth...@comscore.com
comscore.com
Re: [rancid] Palo Alto (Panorama) configuration
From: annie lee
Date: Thursday, July 11, 2019 at 2:43 PM

That's good to know on the new cli (show config merged will grab everything from the firewall and panorama).

How do we add the cli and diff to rancid??

On Fri, Jul 12, 2019 at 4:20 AM Gauthier, Chris wrote:
> Just validated the ‘show config merged’ command works with any PA firewall, managed by Panorama or not.
Re: [rancid] Palo Alto (Panorama) configuration
Just validated the ‘show config merged’ command works with any PA firewall, managed by Panorama or not.

Chris Gauthier
Senior Network Engineer | Comscore
t +1 (503) 331-2704 | cgauth...@comscore.com
comscore.com
Re: [rancid] Palo Alto (Panorama) configuration
Yes, the command "show config merged" gives the locally-managed config output AND the configuration that is pushed out by Panorama. I'll make a custom device type and see how this works in my environment. If it works, I'll post the results here. I will also test with a non-Panorama-managed system.

--Chris

Chris Gauthier
Senior Network Engineer | Comscore
t +1 (503) 331-2704 | cgauth...@comscore.com
comscore.com

-Original Message-
From: Rancid-discuss on behalf of john heasley
Date: Thursday, July 11, 2019 at 8:17 AM
To: "Anderson, Charles R"
Cc: "rancid-discuss@shrubbery.net"
Subject: Re: [rancid] Palo Alto (Panorama) configuration

Thu, Jul 11, 2019 at 02:37:51PM +, Anderson, Charles R:
> You can use "show config merged" to see the local device's config merged with
> the templates from Panorama.

Does this work with "non-managed" (better term?) configs? And, was this command introduced recently?
Re: [rancid] Palo Alto (Panorama) configuration
Thu, Jul 11, 2019 at 02:37:51PM +, Anderson, Charles R:
> You can use "show config merged" to see the local device's config merged with
> the templates from Panorama.

Does this work with "non-managed" (better term?) configs? And, was this command introduced recently?
Re: [rancid] Palo Alto (Panorama) configuration
Thu, Jul 11, 2019 at 02:19:00PM +, Gauthier, Chris:
> I have run into the issues seen below, as we migrated to a fully-managed
> Panorama ecosystem in recent months. The output of the “show configuration
> running” (or whatever it is) is more limited on the managed device because (I
> believe) what is being shown is only the locally-managed configuration. I
> haven’t looked yet to see if there is a workaround.
>
> --Chris

I have no experience with these. If more commands are necessary, lmk.

> From: Rancid-discuss on behalf of annie lee
> Date: Wednesday, July 10, 2019 at 6:02 PM
> To: john heasley
> Cc: "rancid-discuss@shrubbery.net"
> Subject: Re: [rancid] Palo Alto (Panorama) configuration
>
> I tried to grab the configs from the Panorama and it's what I wanted :-)
> Apologies, I'm pretty new to the paloalto and Panorama device/setup.
>
> Thanks, and glad I can back up the palo/Panorama configs without any tweaking.
>
> On Thu, Jul 11, 2019 at 9:23 AM annie lee <lsy.an...@gmail.com> wrote:
> Hi John,
>
> Thanks for your reply and apologies for the typo on the paloalto type.
> (1.1.1.1;paloalto;up)
> Below is the sample config for one of the firewall configs (removed all the
> IP addresses).
> Basically there are heaps more configs (routing, policy, NAT, virtual router,
> etc.) I can see from the Panorama.
> Not sure if it's similar to the F5 tweak where we need to add the partition
> to grab the full configs.
>
> Rgds
>
> On Thu, Jul 11, 2019 at 7:42 AM john heasley <h...@shrubbery.net> wrote:
> Wed, Jul 10, 2019 at 11:53:42AM +1000, annie lee:
> > Hi All,
> >
> > Another question, just added a new PaloAlto to rancid (3.9) but not much
> > configuration is being backed up (not even interface addresses).
> > Does anything need to be changed/added to back up the entire configuration?
> >
> > 1.1.1.1;palo-alto;up
>
> Please use the built-in type for PAN: paloalto. If that is still lacking,
> please be more specific about what commands are missing. It collects
>
> show system info;show chassis inventory;show config running
Re: [rancid] Palo Alto (Panorama) configuration
You can use "show config merged" to see the local device's config merged with the templates from Panorama.

On Thu, Jul 11, 2019 at 02:19:00PM +, Gauthier, Chris wrote:
> I have run into the issues seen below, as we migrated to a fully-managed
> Panorama ecosystem in recent months. The output of the “show configuration
> running” (or whatever it is) is more limited on the managed device because (I
> believe) what is being shown is only the locally-managed configuration. I
> haven’t looked yet to see if there is a workaround.
>
> --Chris
>
> From: Rancid-discuss on behalf of annie lee
> Date: Wednesday, July 10, 2019 at 6:02 PM
> To: john heasley
> Cc: "rancid-discuss@shrubbery.net"
> Subject: Re: [rancid] Palo Alto (Panorama) configuration
>
> I tried to grab the configs from the Panorama and it's what I wanted :-)
> Apologies, I'm pretty new to the paloalto and Panorama device/setup.
>
> Thanks, and glad I can back up the palo/Panorama configs without any tweaking.
>
> On Thu, Jul 11, 2019 at 9:23 AM annie lee <lsy.an...@gmail.com> wrote:
> Hi John,
>
> Thanks for your reply and apologies for the typo on the paloalto type.
> (1.1.1.1;paloalto;up)
> Below is the sample config for one of the firewall configs (removed all the
> IP addresses).
> Basically there are heaps more configs (routing, policy, NAT, virtual router,
> etc.) I can see from the Panorama.
> Not sure if it's similar to the F5 tweak where we need to add the partition
> to grab the full configs.
>
> Rgds
>
> On Thu, Jul 11, 2019 at 7:42 AM john heasley <h...@shrubbery.net> wrote:
> Wed, Jul 10, 2019 at 11:53:42AM +1000, annie lee:
> > Hi All,
> >
> > Another question, just added a new PaloAlto to rancid (3.9) but not much
> > configuration is being backed up (not even interface addresses).
> > Does anything need to be changed/added to back up the entire configuration?
> >
> > 1.1.1.1;palo-alto;up
>
> Please use the built-in type for PAN: paloalto. If that is still lacking,
> please be more specific about what commands are missing. It collects
>
> show system info;show chassis inventory;show config running
Re: [rancid] Palo Alto (Panorama) configuration
I have run into the issues seen below, as we migrated to a fully-managed Panorama ecosystem in recent months. The output of the “show configuration running” (or whatever it is) is more limited on the managed device because (I believe) what is being shown is only the locally-managed configuration. I haven’t looked yet to see if there is a workaround.

--Chris

Chris Gauthier
Senior Network Engineer | Comscore
t +1 (503) 331-2704 | cgauth...@comscore.com
comscore.com

From: Rancid-discuss on behalf of annie lee
Date: Wednesday, July 10, 2019 at 6:02 PM
To: john heasley
Cc: "rancid-discuss@shrubbery.net"
Subject: Re: [rancid] Palo Alto (Panorama) configuration

I tried to grab the configs from the Panorama and it's what I wanted :-)
Apologies, I'm pretty new to the paloalto and Panorama device/setup.

Thanks, and glad I can back up the palo/Panorama configs without any tweaking.

On Thu, Jul 11, 2019 at 9:23 AM annie lee <lsy.an...@gmail.com> wrote:
Hi John,

Thanks for your reply and apologies for the typo on the paloalto type. (1.1.1.1;paloalto;up)
Below is the sample config for one of the firewall configs (removed all the IP addresses).
Basically there are heaps more configs (routing, policy, NAT, virtual router, etc.) I can see from the Panorama.
Not sure if it's similar to the F5 tweak where we need to add the partition to grab the full configs.

Rgds

On Thu, Jul 11, 2019 at 7:42 AM john heasley <h...@shrubbery.net> wrote:
Wed, Jul 10, 2019 at 11:53:42AM +1000, annie lee:
> Hi All,
>
> Another question, just added a new PaloAlto to rancid (3.9) but not much
> configuration is being backed up (not even interface addresses).
> Does anything need to be changed/added to back up the entire configuration?
>
> 1.1.1.1;palo-alto;up

Please use the built-in type for PAN: paloalto. If that is still lacking, please be more specific about what commands are missing. It collects

show system info;show chassis inventory;show config running
Re: [rancid] Palo Alto (Panorama) configuration
I tried to grab the configs from the Panorama and it's what I wanted :-)
Apologies, I'm pretty new to the paloalto and Panorama device/setup.

Thanks, and glad I can back up the palo/Panorama configs without any tweaking.

On Thu, Jul 11, 2019 at 9:23 AM annie lee wrote:
> Hi John,
>
> Thanks for your reply and apologies for the typo on the paloalto type.
> (1.1.1.1;paloalto;up)
> Below is the sample config for one of the firewall configs (removed all
> the IP addresses).
> Basically there are heaps more configs (routing, policy, NAT, virtual
> router, etc.) I can see from the Panorama.
> Not sure if it's similar to the F5 tweak where we need to add the partition
> to grab the full configs.
>
> Rgds
>
> On Thu, Jul 11, 2019 at 7:42 AM john heasley wrote:
>
>> Wed, Jul 10, 2019 at 11:53:42AM +1000, annie lee:
>> > Hi All,
>> >
>> > Another question, just added a new PaloAlto to rancid (3.9) but not much
>> > configuration is being backed up (not even interface addresses).
>> > Does anything need to be changed/added to back up the entire configuration?
>> >
>> > 1.1.1.1;palo-alto;up
>>
>> Please use the built-in type for PAN: paloalto. If that is still lacking,
>> please be more specific about what commands are missing. It collects
>>
>> show system info;show chassis inventory;show config running
Re: [rancid] Palo Alto (Panorama) configuration
Hi John,

Thanks for your reply and apologies for the typo on the paloalto type. (1.1.1.1;paloalto;up)
Below is the sample config for one of the firewall configs (removed all the IP addresses).
Basically there are heaps more configs (routing, policy, NAT, virtual router, etc.) I can see from the Panorama.
Not sure if it's similar to the F5 tweak where we need to add the partition to grab the full configs.

Rgds

On Thu, Jul 11, 2019 at 7:42 AM john heasley wrote:
> Wed, Jul 10, 2019 at 11:53:42AM +1000, annie lee:
> > Hi All,
> >
> > Another question, just added a new PaloAlto to rancid (3.9) but not much
> > configuration is being backed up (not even interface addresses).
> > Does anything need to be changed/added to back up the entire configuration?
> >
> > 1.1.1.1;palo-alto;up
>
> Please use the built-in type for PAN: paloalto. If that is still lacking,
> please be more specific about what commands are missing. It collects
>
> show system info;show chassis inventory;show config running
>

!RANCID-CONTENT-TYPE: paloalto
!
#
#hostname: palo-fw01
#ip-address: 1.1.1.1
#public-ip-address: unknown
#netmask: 255.255.255.0
#default-gateway: 1.1.1.254
#ip-assignment: static
#ipv6-address: unknown
#ipv6-link-local-address:
#ipv6-default-gateway:
#mac-address:
#family: 3000
#model: PA-3055
#serial:
#cloud-mode: non-cloud
#sw-version: 8.1.6
#global-protect-client-package-version: 5.0.1
#url-db: paloaltonetworks
#global-protect-clientless-vpn-version: 0
#global-protect-clientless-vpn-release-date:
#logdb-version: 8.1.8
#platform-family: 3000
#vpn-disable-mode: off
#multi-vsys: off
#operational-mode: normal
#
#
#
config {
  mgt-config {
    users;
  }
  shared {
    application;
    application-group;
    service;
    service-group;
    botnet {
      configuration {
        http {
          dynamic-dns {
            enabled yes;
            threshold 5;
          }
          malware-sites {
            enabled yes;
            threshold 5;
          }
          recent-domains {
            enabled yes;
            threshold 5;
          }
          ip-domains {
            enabled yes;
            threshold 10;
          }
          executables-from-unknown-sites {
            enabled yes;
            threshold 5;
          }
        }
        other-applications {
          irc yes;
        }
        unknown-applications {
          unknown-tcp {
            destinations-per-hour 10;
            sessions-per-hour 10;
            session-length {
              maximum-bytes 100;
              minimum-bytes 50;
            }
          }
          unknown-udp {
            destinations-per-hour 10;
            sessions-per-hour 10;
            session-length {
              maximum-bytes 100;
              minimum-bytes 50;
            }
          }
        }
      }
      report {
        topn 100;
        scheduled yes;
      }
    }
    authentication-profile;
    local-user-database {
      user;
    }
    server-profile {
      ldap;
    }
    authentication-sequence;
    content-preview {
      application-type {
        technology;
        category;
      }
      application;
    }
  }
  devices {
    localhost.localdomain {
      network {
        interface {
          ethernet;
          loopback {
            units;
          }
          vlan {
            units;
          }
          tunnel {
            units;
          }
        }
        vlan;
        virtual-wire;
        profiles {
          monitor-profile {
            default {
              interval 3;
              threshold 5;
              action wait-recover;
            }
          }
        }
        ike {
          crypto-profiles {
            ike-crypto-profiles {
              Suite-B-GCM-256 {
                encryption aes-256-cbc;
                hash sha384;
                dh-group group20;
                lifetime {
                  hours 8;
                }
              }
            }
            ipsec-crypto-profiles {
              Suite-B-GCM-128 {
                esp {
                  encryption aes-128-gcm;
                  authentication none;
                }
                dh-group group19;
                lifetime {
                  hours 1;
                }
              }
              Suite-B-GCM-256 {
                esp {
                  encryption aes-256-gcm;
                  authentication none;
                }
                dh-group group20;
                lifetime {
                  hours 1;
                }
              }
            }
            global-protect-app-crypto-profiles {
              default {
                encryption aes-128-cbc;
                authentication sha1;
              }
            }
          }
          gateway;
        }
        qos {
          profile {
            default {
              class {
                class1 {
                  priority real-time;
                }
                class2 {
                  priority high;
                }
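A backup-completeness check for the situation in this thread, added here as an example and not part of any poster's message or of RANCID itself: it parses the brace-style output shown in the sample capture above and reports sections that are absent or empty, which is how a capture without the Panorama-pushed settings shows up. The required paths, the function names and both sample captures are assumptions made for illustration.

```python
import re

# Both captures are constructed: THIN is abridged from the output posted in the
# thread (and cut short like it), MERGED is made up to include interface detail.
THIN = """config { mgt-config { users; } devices { localhost.localdomain {
  network { interface { ethernet; loopback { units; } } vlan; ike { gateway; }"""
MERGED = """config { devices { localhost.localdomain { network {
  interface { ethernet { ethernet1/1 { layer3 { ip { 192.0.2.1/24; } } } } }
  virtual-router { default { interface ethernet1/1; } } } } } }"""

# Assumed node paths that a complete backup should populate (not a RANCID setting).
BASE = "config/devices/localhost.localdomain/network/"
REQUIRED = (BASE + "interface/ethernet", BASE + "virtual-router")

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')

def parse(text):
    """Brace-style config -> nested dicts; 'name value;' -> str, bare 'name;' -> None."""
    tokens, pos = TOKEN.findall(text), 0
    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                node[" ".join(words)] = block()
                words = []
            elif tok == ";":
                if words:
                    node[words[0]] = " ".join(words[1:]) or None
                words = []
            elif tok == "}":
                return node
            else:
                words.append(tok)
        return node  # input ended early: accept a truncated capture
    return block()

def lookup(tree, path):
    """Return the node at a '/'-separated path, or None if any part is absent."""
    for part in path.split("/"):
        if not isinstance(tree, dict) or part not in tree:
            return None
        tree = tree[part]
    return tree

def missing_sections(text, required=REQUIRED):
    """List required paths that are absent or empty in the captured config."""
    tree = parse(text)
    return [p for p in required if not lookup(tree, p)]

if __name__ == "__main__":
    for name, capture in (("thin", THIN), ("merged", MERGED)):
        print(name, missing_sections(capture) or "ok")
```

Run against the file saved for each device, a non-empty result is a signal that the collected command did not return the full configuration.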
Re: [rancid] Palo Alto (Panorama) configuration
Wed, Jul 10, 2019 at 11:53:42AM +1000, annie lee:
> Hi All,
>
> Another question, just added a new PaloAlto to rancid (3.9) but not much
> configuration is being backed up (not even interface addresses).
> Does anything need to be changed/added to back up the entire configuration?
>
> 1.1.1.1;palo-alto;up

Please use the built-in type for PAN: paloalto. If that is still lacking, please be more specific about what commands are missing. It collects

show system info;show chassis inventory;show config running