topic Re: export config through cli in General Topics

export config through cli

mr.linus — Wed, 26 Mar 2014 09:18:31 GMT

Hey all,

Is there a way to export the (running) config through cli?

Output should be a config file we can IMPORT back into a new device.

- NOT using SCP (we have restrictions on this)

- NOT using the API (php/rest/browse.php/export::configuration) (we only have ssh access)

1) "show config running" or under configuration-mode "show" -> this will output the config, but is not in XML format and thus can not be imported

2) "set cli config-output-format xml" + under configuration-mode "show" -> this will output the config in xml format, but this is NOT importable in a PaloAlto. This is just a xml representation of the config, and not the config in xml format: there is a difference. (why you would want the "xml representation of the config" is a mystery to me, since you can not use it in any way)

3) "set cli config-output-format set" + under configuration-mode "show" -> this will output the config in set commands. This CAN technically be used to "import" the config, but importing a 1000+ lines of set commands is bound to fail somewhere down the line...

Any of you guys got any other solutions, or maybe just a nice script that will rewrite the output of "set cli config-output-format xml" + "show" into an importable config file?

Regards

Re: export config through cli

HULK — Wed, 26 Mar 2014 13:28:30 GMT

Hello Mr.linus,

Is there any specific reason you want to export the configuration file from CLI only..? ( It will be very easy to perform the same from GUI).

You can try below mentioned steps.

1. > set cli pager off

2. >set cli config-output-format xml

3. Log the putty session to a txt file

4. Go to configuration mode

5. PAN# show

6. Turn off logging for that session.

7. Edit that txt file and change the file extension to .xml.

Thanks

Re: Re: export config through cli

admin — Wed, 26 Mar 2014 14:14:07 GMT

Is there an automated way to export the config through the GUI since it seems like CLI is out? We need to backup many PA's but don't want to buy Panorama.

Thanks

Re: export config through cli

mr.linus — Wed, 26 Mar 2014 14:30:48 GMT

Dear Hulk,

Sorry but that is not correct. (as explained in my initial question)

If you do a "show" in configuration mode with cli config-output-format set to xml you do NOT get a xml config file. Try it.

Not only does the output contain things like "<response status="success" code="19">" also the order of the xml is different and thus can NOT be imported again.

The output DOES contain all necessary information to rebuild a working config, but you need to do a lot of find and replace...

I agree the GUI would be far easier, but if that would be possible in my setup, I would not be asking this question 🙂

Any other suggestions?

Re: export config through cli

mr.linus — Wed, 26 Mar 2014 14:35:11 GMT

Dear Jason,

You can use the API for this

1) go to https://XXX.XXX.XXX.XXX/esp/restapi.esp?type=keygen&user=XXX&password=XXX

-> this will generate an API key which you need to export the config (alternatively you can just login the PA and then go to the second url)

2) go to https://XXX.XXX.XXX.XXX/esp/restapi.esp?key=XXX&type=export&category=configuration

Also check out How to use the XML API to backup your firewall configuration

Regards

Re: export config through cli

mr.linus — Wed, 02 Apr 2014 08:32:41 GMT

Guess this is not possible then... I will send in a feature request

Re: export config through cli

${userLoginName} — Fri, 04 Apr 2014 14:39:26 GMT

Panorama makes backups (in 6.0 anyway)

Re: export config through cli

pulukas — Sun, 06 Apr 2014 18:44:17 GMT

Automatic backups from Panorama are also available in 5.0 and 5.1 trains.

Re: export config through cli

mr.linus — Mon, 07 Apr 2014 09:53:28 GMT

True,

But we don't have a panorama in our setup 🙂

Re: export config through cli

mivaldi — Wed, 16 Jul 2014 18:31:02 GMT

Besides exporting the configuration file to an SCP or a TFTP server through SSH CLI Commands to Export/Import Configuration and Log Files, there are two other options to extract a restorable version of the configuration file from the firewall. There is a 'dirty' way and a 'clean' way. The 'dirty' way can help you if you only had Console access. The 'clean' way requires HTTPS access to a firewall's interface.

The 'dirty' way is to extract the configuration file in a stanza of set commands.

You can achieve this by going to the CLI and executing:

> set cli pager off

> set cli config-output-format set

> configure

Entering configuration mode

[edit]

# show

The 'clean' method is to leverage the API using cURL to get the xml file. As a side note, the "> set cli config-output-format xml" command won't help you, as it will result in displaying the configuration file in an xml format that is not restorable.

To use the API, you must begin by obtaining the API KEY, which will be used as your authentication token for API queries.

To obtain it with curl, execute:

curl -k "https://<IP_PAN>/api/?type=keygen&user=<your_user>&password=<your_password>"

This will result in obtaining a long string, which will be your API key.

You can then obtain your config with command:

curl -o config.xml -k "https://<IP_PAN>/esp/restapi.esp?type=config&action=show&key=<API-KEY>"

Where <API-KEY> is the key previously obtained and <IP_PAN> is the management IP of your firewall.

If you vi config.xml, you will see the XML is wrapped in a <response status="success"><result> and at the end of the file closes with its corresponding

</result></response>.

You can clean your config.xml file with search and replace. If you used perl the commands will be:

To fix the header:

perl -i.bak -pe 's/<response status="success"><result>/<?xml version="1.0"?>\n/' config.xml

To fix the footer:

perl -i.bak -pe 's/<\/result><\/response>//' config.xml

Or you can alternatively concatenate the command as:

curl -o config.xml -k "https://<IP_PAN>/esp/restapi.esp?type=config&action=show&key=<API-KEY>" && perl -i.bak -pe 's/<response status="success"><result>/<?xml version="1.0"?>\n/' config.xml && perl -i.bak -pe 's/<\/result><\/response>//' config.xml