topic Re: Any way to copy objects from one firewall pair to another? in General Topics

Any way to copy objects from one firewall pair to another?

SThatipelly — Tue, 25 Jun 2019 17:25:14 GMT

Any way to copy objects and object groups from one firewall pair to another?

Re: Any way to copy objects from one firewall pair to another?

S.Cantwell — Tue, 25 Jun 2019 20:34:30 GMT

Excellent question!!! Yes this can be done.

I would like you read/understand this link:

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-cli-quick-start/use-the-cli/load-configurations/load-a-partial-configuration#

Essentially, from one FW that has the objects/groups, you will save that config off to a named config (say... partial.xml)

Next, import the partial.xml file onto the other FW, but do NOT commit; just get it onto the HDD

Next, from CLI the command is going to be

load config partial from <filename> from-xpath <source-xpath> to-xpath <destination-xpath> mode [append|merge|replace]

I am not aware of how to get ALL objects from a single config merged into a new config.

This is but a very small snippet of what can be done with the xml file.

Address

load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address mode merge

Address Group

load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group mode merge

The above will move ONLY the address objects and then Address Group objects into the config.

If you have service objects/groups, that is a similar pattern, but the path is located differently.

Enjoy! And welcome to advance FW configuration/administration!

Re: Any way to copy objects from one firewall pair to another?

BPry — Tue, 25 Jun 2019 17:54:47 GMT

@SThatipelly,

The Expedition tool can easily do this through a merge function, you could do it manually through the XML file directly, or if you need them to match on an on-going basis and don't have access to Panorama you could template the XML file via Jinja2 and recreate the function via Python.

Re: Any way to copy objects from one firewall pair to another?

SThatipelly — Wed, 26 Jun 2019 13:08:05 GMT

@S.Cantwell & @BPry

Thank you so mcuh for the responses. I tried doing the partial config thing but my firewall says invalid syantax. it won't recognize the commadn after from{filename}. I am in config mode.

Re: Any way to copy objects from one firewall pair to another?

BPry — Wed, 26 Jun 2019 18:33:22 GMT

@SThatipelly,

There was an issue on a subset of PAN-OS images that 'from' was the command termination point and needed to be done at the end of the command, similar to profile-setting when creating a security rulebase entry. Try moving that to the end of your command, as order doesn't really matter once the command is issued.

Re: Any way to copy objects from one firewall pair to another?

a.jones — Thu, 27 Jun 2019 07:10:40 GMT

I would have used CLI for this. Refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHNCA0.

If the data is in a VSYS you just need to amend the lines in Notepad to add or change the VSYS - again relatively painless.

I have used this for a number of ongoing migrations where I do not have full access to the back.

Regards

Adrian

Re: Any way to copy objects from one firewall pair to another?

SThatipelly — Thu, 27 Jun 2019 13:10:19 GMT

@S.Cantwell For some reason it is giving me an error. can you please help me puttting in the right command? Say my firewall hostname is fw-a and domain name is abc.com. I'm putting in @name='fw-a.abc.com' . Please correct me if I'm wrong.

thanks.

Re: Any way to copy objects from one firewall pair to another?

SThatipelly — Thu, 27 Jun 2019 13:11:45 GMT

@a.jones Thanks Jones. Yes I did try this but for some address groups which has 300 address objects in it, it's very tedious to copy the whole output and paste in one line. But this was very helpful in address and service objects.

Re: Any way to copy objects from one firewall pair to another?

BPry — Thu, 27 Jun 2019 13:15:52 GMT

@SThatipelly,

If you have over 300 objects you are trying to merge in, I would really recommend doing this simply in the XML file. I could help with that if neeeded, but it would be far faster to just do it manually if you can't get the merge function to work correctly.

Re: Any way to copy objects from one firewall pair to another?

S.Cantwell — Thu, 27 Jun 2019 17:00:18 GMT

Ah... I see what you are saying... Let me clarify.

You would not change the entry to match your FW domain

Keep it just as /config/devices/entry[@name='localhost.localdomain']

using localhost.localdomain. (dont put in FW-A.abc)

Re: Any way to copy objects from one firewall pair to another?

SThatipelly — Thu, 27 Jun 2019 17:07:19 GMT

worked like gem. Thank you so much @S.Cantwell @BPry @a.jones

you are awesome.

Re: Any way to copy objects from one firewall pair to another?

SThatipelly — Fri, 05 Jul 2019 13:54:16 GMT

@S.Cantwell I copied pretty much everything but security policies. I am trying /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/security-plocy but it says incorrect syntax.

am I missing any syntax here for security policies?

thanks.