How to Load Partial Configurations
Created On 09/25/18 19:38 PM - Last Modified 01/30/25 21:53 PM
Environment
Palo Alto Firewall.
PAN-OS 8.1 and below.
Loading partial configuration using XML API
Resolution
Details
Important: All uncommitted changes must be committed before performing load config to avoid losing uncommitted configuration.
PAN-OS allows loading part of a configuration file in three ways:
Merge node at dst in x.xml onto node at src in candidate config.
> configure
# load config partial from x.xml from-xpath <path-to-src> to-xpath <path-to-dst> mode merge
Replace node at src in candidate config with node at dst in x.xml.
> configure
# load config partial from x.xml from-xpath <path-to-src> to-xpath <path-to-dst> mode replace
Append node at dst in x.xml UNDER node at src in candidate config.
> configure
# load config partial from x.xml from-xpath <path-to-src> to-xpath <path-to-dst> mode append
Scenario 1:
Device A has security rules that need to be merged with the rules currently on Device B, which currently has no security rules.
Save and export config from Device A. Import the saved config file into Device B. In configuration mode, enter the following command:
> configure
# load config partial from test.xml from-xpath devices/entry/vsys/entry/rulebase/security mode merge to-xpath /config/devices/entry/vsys/entry/rulebase/security
# commit
# exit
Device B now has the same security rules as Device A.
Scenario 2:
Load the partial config for security policies from a firewall that only has one VSys to a firewall that has multiple VSys.
Export the config of the firewall that has the rules to be loaded. Import the config to the firewall that needs the rules to be loaded. To merge the security policies, run the following command from the CLI:
> configure
# load config partial from {File name e.g test.xml} mode merge from-xpath devices/entry/vsys/entry/rulebase/security to-xpath /config/devices/entry/vsys/entry[@name="vsys2"]/rulebase/security
# commit
# exit
In the above command, we are loading the security policies from the default VSys1 to VSys2.
Important: When loading security rules, make sure that the zones, objects, and so on from the firewall the configuration is being loaded from are already configured. Otherwise, the commit may fail or these references may show up as empty or none.
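The dependency caveat above can be checked before running the load. The following Python sketch is an added example, not part of the original article and not a Palo Alto Networks tool: it lists zones, address objects and services that the exported security rules reference but the target vsys (or shared) does not define. The function names and the sample XML are constructed for illustration; IP ranges, FQDNs and other rule fields such as applications and profiles are not checked.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Built-in rule values, and which object containers can define each rule field.
BUILTIN = {"any", "application-default", "service-http", "service-https"}
FIELDS = {"from": ["zone"], "to": ["zone"],
          "source": ["address", "address-group"], "destination": ["address", "address-group"],
          "service": ["service", "service-group"]}

def is_literal_ip(value):  # inline IP or subnet used directly in a rule
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def defined_names(dst, vsys, containers):  # names defined in the target vsys or in shared
    paths = [f"{base}/{c}/entry" for c in containers
             for base in (f"devices/entry/vsys/entry[@name='{vsys}']", "shared")]
    return {e.get("name") for p in paths for e in dst.findall(p)}

def missing_references(source_xml, target_xml, target_vsys,
                       from_xpath="devices/entry/vsys/entry/rulebase/security"):
    """Return (rule, field, value) for each reference the target cannot resolve."""
    src, dst = ET.fromstring(source_xml), ET.fromstring(target_xml)
    missing = []
    for rule in src.findall(f"{from_xpath}/rules/entry"):
        for field, containers in FIELDS.items():
            known = defined_names(dst, target_vsys, containers) | BUILTIN
            for member in rule.findall(f"{field}/member"):
                value = member.text
                literal = field in ("source", "destination") and is_literal_ip(value)
                if value not in known and not literal:
                    missing.append((rule.get("name"), field, value))
    return missing

# Constructed sample data: an export with two rules, and a target that has only vsys2.
SOURCE_XML = """<config><devices><entry><vsys><entry name="vsys1"><rulebase><security><rules>
<entry name="allow-web"><from><member>trust</member></from><to><member>dmz</member></to>
<destination><member>web-srv</member></destination></entry>
<entry name="allow-dns"><from><member>trust</member></from><to><member>untrust</member></to>
<source><member>10.0.0.0/24</member></source><service><member>svc-dns</member></service></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""
TARGET_XML = """<config><devices><entry><vsys><entry name="vsys2">
<zone><entry name="trust"/><entry name="dmz"/></zone><address><entry name="web-srv"/></address>
</entry></vsys></entry></devices></config>"""
if __name__ == "__main__":
    for rule, field, value in missing_references(SOURCE_XML, TARGET_XML, "vsys2"):
        print(f"rule {rule!r}: {field} -> {value!r} is not defined in vsys2")
```

An empty result means every zone, address and service the rules name exists on the target; anything listed should be created there before the load and commit.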
Additional Information
In PAN-OS 9.0 and above, the command format has changed slightly and the file name should be at the end of the command. Refer to Load a Partial Configuration.