Any way to copy objects from one firewall pair to another?

L4 Transporter

Any way to copy objects and object groups from one firewall pair to another?

L4 Transporter

Re: Any way to copy objects from one firewall pair to another?

Excellent question! Yes, this can be done.

I would like you to read/understand this link:

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-cli-quick-start/use-the-cli/load-configurations/...

Essentially, from one FW that has the objects/groups, you will save that config off to a named config (say... partial.xml).

Next, import the partial.xml file onto the other FW, but do NOT commit; just get it onto the HDD.

Next, from CLI the command is going to be

load config partial from <filename> from-xpath <source-xpath> to-xpath <destination-xpath> mode [append|merge|replace]

I am not aware of how to get ALL objects from a single config merged into a new config.

This is but a very small snippet of what can be done with the xml file.

Address

load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address mode merge


Address Group

load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group mode merge


The above will move ONLY the address objects and then Address Group objects into the config.

If you have service objects/groups, that is a similar pattern, but the path is located differently.

Enjoy! And welcome to advanced FW configuration/administration!

L7 Applicator

Re: Any way to copy objects from one firewall pair to another?

@SThatipelly,

The Expedition tool can easily do this through a merge function, you could do it manually through the XML file directly, or if you need them to match on an on-going basis and don't have access to Panorama you could template the XML file via Jinja2 and recreate the function via Python. 
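One way to do the XML-side merge that both the load config partial commands above and this reply describe, as an added example that is not code from the thread or from Palo Alto Networks: it copies address and address-group entries between two constructed config fragments at the same vsys1 xpath, implements the append/merge/replace modes, and flags group members that name no address object. The sample configs and all function names are assumptions.

```python
# Added example (not the thread's or Palo Alto's code): merge address / address-group entries
# from a source PAN-OS config export into a target config at the vsys1 xpath used in the
# "load config partial" commands above. Both configs are constructed sample fragments.
import copy
import xml.etree.ElementTree as ET

VSYS_XPATH = "./devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"
SOURCE_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<address><entry name="web-1"><ip-netmask>10.0.1.10/32</ip-netmask></entry>
<entry name="web-2"><ip-netmask>10.0.1.11/32</ip-netmask></entry></address>
<address-group><entry name="web-servers"><static><member>web-1</member>
<member>web-2</member></static></entry></address-group>
</entry></vsys></entry></devices></config>"""
TARGET_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<address><entry name="web-1"><ip-netmask>192.168.1.10/32</ip-netmask></entry>
<entry name="db-1"><ip-netmask>10.0.2.10/32</ip-netmask></entry></address>
<address-group/>
</entry></vsys></entry></devices></config>"""

def merge_section(src, dst, section, mode="merge"):
    """Copy <section> entries from source vsys1 into target vsys1. merge: source wins on a
    name clash; append: the target's entry is kept; replace: target section is wiped first."""
    src_sec = src.find(f"{VSYS_XPATH}/{section}")
    if src_sec is None:                      # source has nothing for this section
        return
    dst_vsys = dst.find(VSYS_XPATH)
    dst_sec = dst_vsys.find(section)
    if dst_sec is None:                      # target has no such section yet
        dst_sec = ET.SubElement(dst_vsys, section)
    if mode == "replace":
        del dst_sec[:]
    existing = {e.get("name"): e for e in dst_sec.findall("entry")}
    for entry in src_sec.findall("entry"):
        old = existing.get(entry.get("name"))
        if old is not None and mode == "append":
            continue
        if old is not None:
            dst_sec.remove(old)
        dst_sec.append(copy.deepcopy(entry))

def merge_objects(src_xml, dst_xml, sections=("address", "address-group"), mode="merge"):
    src, dst = ET.fromstring(src_xml), ET.fromstring(dst_xml)
    for section in sections:
        merge_section(src, dst, section, mode)
    return dst

def object_names(root, section):
    return [e.get("name") for e in root.findall(f"{VSYS_XPATH}/{section}/entry")]

def dangling_members(root):
    """Static group members naming no address object in the target: check before committing."""
    names = set(object_names(root, "address"))
    return sorted(m.text for m in root.findall(f"{VSYS_XPATH}/address-group/entry/static/member") if m.text not in names)
```

Write the merged tree out with ET.ElementTree(merged).write("partial.xml") and import that file; the dangling_members check is what catches a group imported without the address objects its members refer to.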

L4 Transporter

Re: Any way to copy objects from one firewall pair to another?

@SteveCantwell & @BPry 

Thank you so much for the responses. I tried doing the partial config thing but my firewall says invalid syntax. It won't recognize the command after from (unknown). I am in config mode.

L7 Applicator

Re: Any way to copy objects from one firewall pair to another?

@SThatipelly,

There was an issue on a subset of PAN-OS images that 'from' was the command termination point and needed to be done at the end of the command, similar to profile-setting when creating a security rulebase entry. Try moving that to the end of your command, as order doesn't really matter once the command is issued. 

L2 Linker

Re: Any way to copy objects from one firewall pair to another?

I would have used CLI for this. Refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHNCA0.


If the data is in a VSYS you just need to amend the lines in Notepad to add or change the VSYS - again relatively painless.

I have used this for a number of ongoing migrations where I do not have full access to the back.

Regards

Adrian

L4 Transporter

Re: Any way to copy objects from one firewall pair to another?

@SteveCantwell For some reason it is giving me an error. Can you please help me putting in the right command? Say my firewall hostname is fw-a and domain name is abc.com. I'm putting in @name='fw-a.abc.com'. Please correct me if I'm wrong.

Thanks.

L4 Transporter

Re: Any way to copy objects from one firewall pair to another?

@a.jones Thanks Jones. Yes I did try this, but for some address groups which have 300 address objects in them, it's very tedious to copy the whole output and paste it in one line. But this was very helpful for address and service objects.

L7 Applicator

Re: Any way to copy objects from one firewall pair to another?

@SThatipelly,

If you have over 300 objects you are trying to merge in, I would really recommend doing this simply in the XML file. I could help with that if needed, but it would be far faster to just do it manually if you can't get the merge function to work correctly.

L4 Transporter

Re: Any way to copy objects from one firewall pair to another?

Ah... I see what you are saying... Let me clarify.

You would not change the entry to match your FW domain.

Keep it just as /config/devices/entry[@name='localhost.localdomain'], using localhost.localdomain (don't put in FW-A.abc).
