How to Duplicate Device Groups on Panorama

Created On 09/25/18 19:36 PM - Last Modified 02/26/22 03:33 AM


Symptom


Device Groups (DG) in Panorama are used to build configurations that are shared among the managed firewalls. Policy and address object configurations are pushed to the managed firewalls that belong to a Device Group.

At times, the Panorama administrator may need to clone a device group for efficiency and make further edits to customize the device group for a new set of managed firewalls. This task can be performed from the CLI using the method described below.

This process requires an administrator account with ‘superuser’ privileges to run the command and issue a commit.



Environment


  • Any Panorama
  • PAN-OS 8.1, 9.0, 9.1
Note: For PAN-OS 10.0, refer to the command provided in the Additional Information section.


Resolution


The command load config partial <attributes> can be used to merge the XML elements from one XPath in a Panorama configuration into another XPath. Cloning a device group this way has two effects to plan for:
  1. The devices from the original device group will be moved to the new device group. For example, 36-AP-500 is being moved to DG_clone.
  2. The new device group's Parent Device Group will be Shared. If it needs the same parent as the original, go to GUI: Panorama > Device Groups > DG_clone and change the Parent Device Group to the correct DG.

Details:

First, the configuration must be imported into Panorama. The configuration can be imported from the web-interface or the CLI. The example below will use the predefined ‘running-config.xml’ file which stores the current running configuration on the Panorama server. Whenever a successful commit is completed in Panorama, the configuration is saved to the ‘running-config.xml’ file.

Following is the snapshot of the Device Group, DG_1, as seen from the web-interface:

 

The Device Group DG_1 already exists in the Panorama running-config.xml file. This is the Device Group that will be cloned/duplicated, and the new DG will be named DG_clone. Run the following command to create DG_clone as a clone of DG_1:

> configure
# load config partial from running-config.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG_1'] to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG_clone'] mode merge

Config loaded from running-config.xml

[edit]
#
# exit

 

The above command uses 'running-config.xml' as the source configuration and DG_clone for the name of the newly created clone configuration. Enter the appropriate configuration file if different from 'running-config.xml'. The mode used in the command must be specified as ‘merge’ (as seen in the above example).
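A pre-flight check that can be run offline against an exported copy of the configuration before issuing the command. This is an added example, not part of the original article or Palo Alto Networks code. The function name preflight, the sample XML, and the assumption that a device group lists its firewalls as devices/entry elements are illustrative.

```python
import xml.etree.ElementTree as ET

# Same path as the article's from-xpath, relative to the <config> root element.
DG_XPATH = "./devices/entry[@name='localhost.localdomain']/device-group"

# Constructed sample of an exported running-config.xml (not from a real Panorama).
SAMPLE = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <device-group>
        <entry name="DG_1">
          <devices><entry name="0000000000001"/></devices>
          <address><entry name="web-srv"><ip-netmask>192.0.2.10/32</ip-netmask></entry></address>
        </entry>
        <entry name="DG_other"/>
      </device-group>
    </entry>
  </devices>
</config>"""


def preflight(config_xml, source, target):
    """Report what to confirm before 'load config partial ... mode merge'."""
    root = ET.fromstring(config_xml)
    groups = root.find(DG_XPATH)
    if groups is None:
        raise ValueError("no device-group container in this configuration")
    by_name = {e.get("name"): e for e in groups.findall("entry")}
    if source not in by_name:
        raise ValueError(f"source device group {source!r} not found")
    src = by_name[source]
    return {
        # If the target already exists, mode merge merges into it
        # instead of creating a fresh clone.
        "target_exists": target in by_name,
        # Devices listed under the source; the article says these move to the clone.
        "devices_moved": [d.get("name") for d in src.findall("./devices/entry")],
        # Top-level sections of the source that the merge will copy.
        "sections": sorted(c.tag for c in src if c.tag != "devices"),
    }


if __name__ == "__main__":
    print(preflight(SAMPLE, "DG_1", "DG_clone"))
```
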

A new DG with the name, DG_clone, is created after the command above is performed. The following screenshot shows DG_clone in the list of Device Groups:

 



Additional Information


For PAN-OS 10.0, the argument order changes: from running-config.xml moves to the end of the command. See below.
admin@Panorama# load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='test_merge'] to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='test_merge_clone'] mode merge from running-config.xml

 

