Loading partial configuration snapshot

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Loading partial configuration snapshot

L0 Member

Hello,

I am new to Palo Alto and its API, and I am a bit lost: I need to load a named configuration snapshot, which may be uploaded from a third party, without changing the

/config/shared/local-user-database-user-database entry.

 

I am currently downloading the snapshot, editing it and re-uploading it in a very messy fashion:

 

From the documentation I only found how to get the current configuration with /api/?type=config&action=show&key=<key>, but can't find any way to get a named saved configuration via normal API call.

 

I can download the named snapshot with /php/device/config.export.php?name=<config name> but it requires mimicking a web admin login, is there any way to do so normally via API?

 


I also tried to use <partial> (which, in the documentation, is used with <commit> and some other commands) but I can't get it to work with <load>, for instance with:

 

/api/?&type=op&cmd=<load><config><regenerate-rule-uuid-all>no</regenerate-rule-uuid-all><from>config_name</from><partial><local-user-database>excluded</local-user-database></partial></config></load>&key=key

But I get

<response status="error" code="17"><msg><line><![CDATA[ load -> config -> partial -> local-user-database unexpected here]]></line><line><![CDATA[ load -> config -> partial is invalid]]></line></msg></response>


Is my syntax wrong or <partial> can't be used with <load> at all?

2 REPLIES 2

L4 Transporter

@LucaVitali I think the your approach is slightly wrong. You can load any part of the configuration (e.g. address objects), but you can't directly load the whole configuration file, but exclude some conifg items. 

I am not sure why exactly you need to do that, but one way to automate it could be to take the current config of the "/config/shared/local-user-database-user-database" then load the old configuration snapshot file and have a second API call to load the most up to date content of "/config/shared/local-user-database-user-database". 

@batd2 Thanks for your reply!

 

I was hoping to keep the local-user-database unchanged during the whole operation because if some of the defined users are doing something, when I switch to a configuration without them, then add them back, I might cause some interruptions I guess? As the configuration change does not seem disruptive per se (no reboot and stuff) this seems avoidable, although I may be misunderstanding how it all works so it may be a pointless effort.

 

Nonetheless I realised I still need to download the unselected configuration snapshots (to show some of the data to the end-user), I know can get the list of available named configs with:

 

/api/?type=op&action=complete&xpath=/operations/show/config/saved&key=<key>

but can't figure out how to get them with an api call (can only get them via /php/device/config.export.php?name=  with the PHPSESSION cookie, like palo alto web interface does, but that's not ideal)

  • 3319 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!