Any way to copy objects and object groups from one firewall pair to another?
Excellent question!!! Yes, this can be done.
I would like you to read/understand this link:
Essentially, from one FW that has the objects/groups, you will save that config off to a named config (say... partial.xml)
Next, import the partial.xml file onto the other FW, but do NOT commit; just get it onto the HDD
Next, from CLI the command is going to be
load config partial from <filename> from-xpath <source-xpath> to-xpath <destination-xpath> mode [append|merge|replace]
I am not aware of how to get ALL objects from a single config merged into a new config.
This is but a very small snippet of what can be done with the xml file.
load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address mode merge
load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group mode merge
The above will move ONLY the address objects and then Address Group objects into the config.
If you have service objects/groups, that is a similar pattern, but the path is located differently.
Enjoy! And welcome to advanced FW configuration/administration!
The Expedition tool can easily do this through a merge function, you could do it manually through the XML file directly, or if you need them to match on an on-going basis and don't have access to Panorama you could template the XML file via Jinja2 and recreate the function via Python.
There was an issue on a subset of PAN-OS images that 'from' was the command termination point and needed to be done at the end of the command, similar to profile-setting when creating a security rulebase entry. Try moving that to the end of your command, as order doesn't really matter once the command is issued.
I would have used CLI for this. Refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHNCA0.
If the data is in a VSYS you just need to amend the lines in Notepad to add or change the VSYS - again relatively painless.
I have used this for a number of ongoing migrations where I do not have full access to the back.
@SteveCantwell For some reason it is giving me an error. Can you please help me with putting in the right command? Say my firewall hostname is fw-a and the domain name is abc.com. I'm putting in @name='fw-a.abc.com'. Please correct me if I'm wrong.
@a.jones Thanks Jones. Yes, I did try this, but for some address groups that have 300 address objects in them, it's very tedious to copy the whole output and paste it in one line. But this was very helpful for address and service objects.
If you have over 300 objects you are trying to merge in, I would really recommend doing this simply in the XML file. I could help with that if needed, but it would be far faster to just do it manually if you can't get the merge function to work correctly.
Ah... I see what you are saying... Let me clarify.
You would not change the entry to match your FW domain
Keep it just as /config/devices/entry[@name='localhost.localdomain']
using localhost.localdomain. (Don't put in FW-A.abc.)
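As an added example (not code from any of the posters above), here is a Python script that does in the XML file what the `load config partial ... from-xpath ... to-xpath ... mode merge` commands in the accepted answer do on the box, which is also the "just do it in the XML" route suggested for the 300-object groups. It uses only the standard library, works on the same vsys1 xpaths as the CLI example, keeps the device entry as localhost.localdomain regardless of the firewall's hostname (the mistake corrected just above), creates the address-group node on the destination if it has none yet, and copies address objects before address groups so the group members exist. The two config snippets are constructed samples, and the exact conflict handling for the three modes (replace empties the target node; merge lets the source object overwrite a same-name object; append keeps the destination object) is this script's reading of the CLI modes, not a statement of PAN-OS behaviour, so confirm on a lab box before relying on it.

```python
"""Merge PAN-OS address/address-group objects from an exported config XML
into another config XML, mirroring `load config partial ... mode <mode>`.
Added example; mode semantics are an assumption, see comments."""
import copy
import xml.etree.ElementTree as ET

# The device entry in the XML is always localhost.localdomain, never the
# firewall's real hostname/domain.
VSYS1 = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"

# Constructed sample: partial.xml saved from the firewall that owns the objects
SOURCE_XML = """<config version="10.1.0">
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <address>
      <entry name="web-1"><ip-netmask>10.0.1.10/32</ip-netmask></entry>
      <entry name="db-1"><ip-netmask>10.0.2.20/32</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="servers"><static><member>web-1</member><member>db-1</member></static></entry>
    </address-group>
  </entry></vsys></entry></devices>
</config>"""

# Constructed sample: the destination firewall, which already has a different
# web-1 and no address-group node at all
DEST_XML = """<config version="10.1.0">
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <address>
      <entry name="web-1"><ip-netmask>192.168.1.10/32</ip-netmask></entry>
      <entry name="jump-1"><ip-netmask>192.168.9.9/32</ip-netmask></entry>
    </address>
  </entry></vsys></entry></devices>
</config>"""


def resolve(root, xpath):
    """Resolve an absolute PAN-OS xpath (/config/...) against a parsed tree.
    ElementTree rejects absolute paths, so the root tag is stripped first."""
    head, _, rest = xpath.lstrip("/").partition("/")
    if head != root.tag:
        raise ValueError(f"xpath does not start at /{root.tag}")
    return root.find("./" + rest) if rest else root


def ensure_node(root, xpath):
    """Return the node at xpath, creating the final element under its parent
    when it is missing (e.g. a firewall with no address-group yet)."""
    node = resolve(root, xpath)
    if node is not None:
        return node
    parent_path, _, leaf = xpath.rpartition("/")
    parent = resolve(root, parent_path)
    if parent is None or "[" in leaf:
        raise ValueError(f"cannot create {xpath}: parent missing or predicate leaf")
    return ET.SubElement(parent, leaf)


def load_config_partial(src_root, dst_root, from_xpath, to_xpath, mode="merge"):
    """Copy the <entry> children under from_xpath into to_xpath.
    Mode handling is this script's assumption about the CLI modes:
      replace - destination node is emptied, then filled from the source
      merge   - source entries are added; a same-name destination entry is overwritten
      append  - source entries are added; a same-name destination entry is kept
    Returns the entry names now present under to_xpath, in document order."""
    src = resolve(src_root, from_xpath)
    if src is None:
        raise ValueError(f"from-xpath not found: {from_xpath}")
    dst = ensure_node(dst_root, to_xpath)
    if mode == "replace":
        for child in list(dst):
            dst.remove(child)
    elif mode not in ("merge", "append"):
        raise ValueError(f"unknown mode {mode}")
    existing = {e.get("name"): e for e in dst.findall("entry")}
    for entry in src.findall("entry"):
        name = entry.get("name")
        if name in existing:
            if mode == "append":
                continue  # keep the destination's object
            dst.remove(existing[name])
        dst.append(copy.deepcopy(entry))
    return [e.get("name") for e in dst.findall("entry")]


def merge_objects(src_xml, dst_xml, mode="merge"):
    """Address objects first, then address groups (groups reference the objects).
    Returns (address names, address-group names, merged destination XML)."""
    src_root = ET.fromstring(src_xml)
    dst_root = ET.fromstring(dst_xml)
    addrs = load_config_partial(src_root, dst_root, VSYS1 + "/address", VSYS1 + "/address", mode)
    groups = load_config_partial(src_root, dst_root, VSYS1 + "/address-group", VSYS1 + "/address-group", mode)
    return addrs, groups, ET.tostring(dst_root, encoding="unicode")


def ip_of(xml_text, name):
    """Which definition of an address object survived the merge (None if absent)."""
    root = ET.fromstring(xml_text)
    node = root.find(f"./devices/entry/vsys/entry/address/entry[@name='{name}']/ip-netmask")
    return None if node is None else node.text


if __name__ == "__main__":
    addrs, groups, merged = merge_objects(SOURCE_XML, DEST_XML, "merge")
    print("address:", addrs)
    print("address-group:", groups)
    print(merged)
```

Write the merged text out and import it onto the destination firewall as a named config; for service objects and service groups the same function works with the `/service` and `/service-group` xpaths under the same vsys entry, and for a multi-vsys box only the `entry[@name='vsys1']` predicate changes.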