Any way to copy objects from one firewall pair to another?

L4 Transporter

Any way to copy objects and object groups from one firewall pair to another?

Accepted Solutions

Cyber Elite

Excellent question!!!   Yes this can be done.

I would like you to read/understand this link:

 

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-cli-quick-start/use-the-cli/load-configurations/...

 

Essentially, from one FW that has the objects/groups, you will save that config off to a named config (say... partial.xml)

 

Next, import the partial.xml file onto the other FW, but do NOT commit; just get it onto the HDD

 

Next, from CLI the command is going to be

load config partial from <filename> from-xpath <source-xpath> to-xpath <destination-xpath> mode [append|merge|replace]

I am not aware of how to get ALL objects from a single config merged into a new config.

This is but a very small snippet of what can be done with the xml file.

 

Address

load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address mode merge

 

Address Group

load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group mode merge

 

The above will move ONLY the address objects and then Address Group objects into the config.

If you have service objects/groups, that is a similar pattern, but the path is located differently.

 

Enjoy!  And welcome to advanced FW configuration/administration!

 

Help the community: Like helpful comments and mark solutions
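An added example, not from this thread and not Palo Alto Networks code: a Python script that emulates the address / address-group merge described above on constructed sample configs, so you can see which entries would be overwritten and catch address-group members that name no address object before anything is loaded onto the second firewall. The merge semantics used here (a same-name entry is taken from the source) are my assumption, not a statement of PAN-OS behaviour.

```python
"""Offline emulation of 'load config partial ... mode merge' for address objects.
Constructed sample configs; assumed merge semantics (source entry wins on name clash)."""
import xml.etree.ElementTree as ET

# xpath of vsys1 relative to <config>, as used in the thread (no hostname substitution)
VSYS_XPATH = "./devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"

# Constructed source config: the firewall that already has the objects.
SOURCE_XML = """<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
   <entry name="web-1"><ip-netmask>10.0.1.10/32</ip-netmask></entry>
   <entry name="web-2"><ip-netmask>10.0.1.11/32</ip-netmask></entry>
  </address>
  <address-group>
   <entry name="web-servers"><static>
    <member>web-1</member><member>web-2</member><member>db-1</member>
   </static></entry>
  </address-group>
 </entry></vsys></entry></devices>
</config>"""

# Constructed destination config: already has web-1, but with a different address.
DEST_XML = """<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
   <entry name="web-1"><ip-netmask>192.0.2.10/32</ip-netmask></entry>
  </address>
 </entry></vsys></entry></devices>
</config>"""

def merge_node(src_root, dst_root, node):
    """Merge one subtree (e.g. 'address') from src into dst by entry name.
    Same-name entries are replaced by the source copy; others are added."""
    src = src_root.find(f"{VSYS_XPATH}/{node}")
    vsys = dst_root.find(VSYS_XPATH)
    dst = vsys.find(node)
    if dst is None:                       # destination has no such subtree yet
        dst = ET.SubElement(vsys, node)
    existing = {e.get("name"): e for e in dst.findall("entry")}
    for entry in src.findall("entry"):
        if entry.get("name") in existing:
            dst.remove(existing[entry.get("name")])
        dst.append(entry)
    return sorted(e.get("name") for e in dst.findall("entry"))

def dangling_members(root):
    """Group members with no address object of that name: a merge that leaves
    these behind would fail validation at commit, so flag them up front."""
    names = {e.get("name") for e in root.findall(f"{VSYS_XPATH}/address/entry")}
    groups = root.findall(f"{VSYS_XPATH}/address-group/entry")
    return sorted(m.text for g in groups for m in g.findall("static/member")
                  if m.text not in names)

def copy_objects(source_xml, dest_xml):
    """Addresses first, then the groups that reference them, as in the thread."""
    src, dst = ET.fromstring(source_xml), ET.fromstring(dest_xml)
    addresses = merge_node(src, dst, "address")
    groups = merge_node(src, dst, "address-group")
    return addresses, groups, dangling_members(dst), ET.tostring(dst, encoding="unicode")
```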


11 REPLIES

Cyber Elite

@SThatipelly,

The Expedition tool can easily do this through a merge function, you could do it manually through the XML file directly, or if you need them to match on an on-going basis and don't have access to Panorama you could template the XML file via Jinja2 and recreate the function via Python. 

@SCantwell_IM & @BPry 

Thank you so much for the responses. I tried doing the partial config thing but my firewall says invalid syntax. It won't recognize the command after from (unknown). I am in config mode.

@SThatipelly,

There was an issue on a subset of PAN-OS images that 'from' was the command termination point and needed to be done at the end of the command, similar to profile-setting when creating a security rulebase entry. Try moving that to the end of your command, as order doesn't really matter once the command is issued. 

I would have used CLI for this. Refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHNCA0.

 

If the data is in a VSYS you just need to amend the lines in Notepad to add or change the VSYS - again relatively painless.

 

I have used this for a number of ongoing migrations where I do not have full access to the back.

 

Regards

 

Adrian

@SCantwell_IM For some reason it is giving me an error. Can you please help me by putting in the right command? Say my firewall hostname is fw-a and domain name is abc.com. I'm putting in @name='fw-a.abc.com'. Please correct me if I'm wrong.

thanks.

@a.jones Thanks Jones. Yes I did try this, but for some address groups which have 300 address objects in them, it's very tedious to copy the whole output and paste it in one line. But this was very helpful for address and service objects.

@SThatipelly,

If you have over 300 objects you are trying to merge in, I would really recommend doing this simply in the XML file. I could help with that if needed, but it would be far faster to just do it manually if you can't get the merge function to work correctly.

Ah... I see what you are saying... Let me clarify.

 

You would not change the entry to match your FW domain.

Keep it just as /config/devices/entry[@name='localhost.localdomain']

using localhost.localdomain. (Don't put in FW-A.abc.)

 

 

Help the community: Like helpful comments and mark solutions

Worked like a gem. Thank you so much @SCantwell_IM @BPry @a.jones

You are awesome.

@SCantwell_IM I copied pretty much everything but security policies. I am trying /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/security-plocy but it says incorrect syntax. 

Am I missing any syntax here for security policies?

thanks.
