How to Load Partial Configurations

How to Load Partial Configurations

67578
Created On 09/25/18 19:38 PM - Last Modified 03/31/21 21:31 PM


Environment


  • Palo Alto Firewall.
  • PAN-OS 8.1 and below.
  • Loading partial configuration using XML API

Resolution


Details

PAN-OS allows loading part of a configuration file in three ways:

  1. Merge node at dst in x.xml onto node at src in candidate config. 
    > configure
# load config partial from x.xml from-xpath <path-to-src> to-xpath <path-to-dst> mode merge
  2. Replace node at src in candidate config with node at dst in x.xml. 
    > configure
# load config partial from x.xml from-xpath <path-to-src> to-xpath <path-to-dst> mode replace
  3. Append node at dst in x.xml UNDER node at src in candidate config. 
    > configure
# load config partial from x.xml from-xpath <path-to-src> to-xpath <path-to-dst> mode append

Scenario 1:

Device A has security rules that need to be merged with the rules currently on Device B, which currently has no security rules.

  1. Save and export config from Device A.
  2. Import the saved config file into Device B.
  3. In configuration mode, enter the following command: 
    > configure
# load config partial from test.xml from-xpath devices/entry/vsys/entry/rulebase/security 
  mode merge to-xpath /config/devices/entry/vsys/entry/rulebase/security
# commit
# exit
  4. Device B now has the same security rules as Device A.

Scenario 2:

Load the partial config for security policies from a firewall that only has one VSys to a firewall that has multiple VSys.

  1. Export the config of the firewall that has the rules to be loaded.
  2. Import the config to the firewall that needs the rules to be loaded.
  3. To merge the security policies, run the following command from the CLI: 
    > configure
# load config partial from {File name e.g test.xml} mode merge from-xpath devices/entry/vsys/entry/
  rulebase/security to-xpath /config/devices/entry/vsys/entry[@name="vsys2"]/rulebase/security
# commit
# exit
  4. In the above command, we are loading the security policies from the default VSys1 to VSys2.

Important: When loading security rules, make sure that you have already configured zones, objects, and so on from the firewall where the configuration is being loaded from. Else commit may fail or this reference may show up as empty or none.

 

 

 

Additional Information


In PAN-OS 9.0 and above, the format is a little bit changed and the file name should be at the end of the command. Refer to Load a Partial Configuration
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbLCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language