https://live.paloaltonetworks.com/t5/general-topics/email-config-audit-on-change/m-p/192282#M57777 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71756">@RobinClayton</a>,</P><P>I don't believe this is possible through the API itself. I've setup a fairly basic process of automating this myself that I've outlined below that works fairly well. The API however won't actually do the compare to the best of my knowledge, and that feature is actually just baked into the GUI. What the API can do for you is provide the XML file for the different config versions; so if for example you ran '&lt;show&gt;&lt;config&gt;&lt;audit&gt;&lt;info&gt;&lt;/info&gt;&lt;/audit&gt;,/config&gt;&lt;/show&gt;' to get what version number gets assigned to which config; you could then run the '&lt;show&gt;&lt;config&gt;&lt;audit&gt;&lt;version&gt;<EM>number</EM>&lt;/version&gt;&lt;/audit&gt;&lt;/config&gt;&lt;/show&gt;' to pull that XML config down. You could then use the different config versions to actually run a compare.</P><P>&nbsp;</P><P>Personally I do this:</P><P>I use a script for all commits that will pull the running-config right before it issues the commit command, saving it to a folder as 'pre-commit.xml'. The script then issues the commit, I've included a 60 second wait in the script, then it pulls the running-config once the commit finishes and saves it as 'post-commit.xml'.&nbsp;</P><P>Then I simply utilize another program within that script to actually run an XML compare, which then gets sent to my email. This way I don't have to worry about what config version I'm on or anything like that; I simply run an XML compare using whatever program via the same script against pre-commit.xml and post-commit.xml.&nbsp;</P><P>&nbsp;</P> Tue, 19 Dec 2017 15:36:27 GMT BPry 2017-12-19T15:36:27Z https://live.paloaltonetworks.com/t5/general-topics/email-config-audit-on-change/m-p/192229#M57768 <P>On our old firewalls we used KIWI CATTOOLS to pick up configs hourly and compare them for differences, this sort of works on the Palo but each night it seems to generate strange changes in the configs.</P><P>&nbsp;</P><P>Ideally I would&nbsp;want to send out the config audit on commit, the emails that normaly come through are more or less useless and unreadable.</P><P>&nbsp;</P><P>Or can&nbsp;I automate it hourly to send out a config Audit?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Rob</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 19 Dec 2017 09:59:26 GMT https://live.paloaltonetworks.com/t5/general-topics/email-config-audit-on-change/m-p/192229#M57768 RobinClayton 2017-12-19T09:59:26Z https://live.paloaltonetworks.com/t5/general-topics/email-config-audit-on-change/m-p/192282#M57777 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71756">@RobinClayton</a>,</P><P>I don't believe this is possible through the API itself. I've setup a fairly basic process of automating this myself that I've outlined below that works fairly well. The API however won't actually do the compare to the best of my knowledge, and that feature is actually just baked into the GUI. What the API can do for you is provide the XML file for the different config versions; so if for example you ran '&lt;show&gt;&lt;config&gt;&lt;audit&gt;&lt;info&gt;&lt;/info&gt;&lt;/audit&gt;,/config&gt;&lt;/show&gt;' to get what version number gets assigned to which config; you could then run the '&lt;show&gt;&lt;config&gt;&lt;audit&gt;&lt;version&gt;<EM>number</EM>&lt;/version&gt;&lt;/audit&gt;&lt;/config&gt;&lt;/show&gt;' to pull that XML config down. You could then use the different config versions to actually run a compare.</P><P>&nbsp;</P><P>Personally I do this:</P><P>I use a script for all commits that will pull the running-config right before it issues the commit command, saving it to a folder as 'pre-commit.xml'. The script then issues the commit, I've included a 60 second wait in the script, then it pulls the running-config once the commit finishes and saves it as 'post-commit.xml'.&nbsp;</P><P>Then I simply utilize another program within that script to actually run an XML compare, which then gets sent to my email. This way I don't have to worry about what config version I'm on or anything like that; I simply run an XML compare using whatever program via the same script against pre-commit.xml and post-commit.xml.&nbsp;</P><P>&nbsp;</P> Tue, 19 Dec 2017 15:36:27 GMT https://live.paloaltonetworks.com/t5/general-topics/email-config-audit-on-change/m-p/192282#M57777 BPry 2017-12-19T15:36:27Z