Copying Configuration From One Firewall to Another

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Cyber Elite
Cyber Elite

#DiscussionBuzz.png

 

Discussion of the Week: Copying Configuration From One Firewall to Another

A question in our discussion forum that caught my eye the other day was about copying a piece of configuration and pasting it onto another device. It sounds easier than it is, but it's not very difficult if you know how!

 

 

The premise was this question:

dotw question.png

 

The answer came VERY quickly (29 minutes later):

dotw answer.png

You can read conversation here:  Any way to copy objects from one firewall pair to another?

And access the document here: Load a Partial Configuration

 

But let me break it down for you:

The configuration file is in XML format and each section of the configuration is located in it's own "xpath." This is sort of a directory structure where everything is kept nice and tidy for the system to interpret once you hit the commit button.

A snapshot of a part of my home firewall's config fileA snapshot of a part of my home firewall's config file

This also means that you can grab one of the sections, or nodes, and implant it into the appropriate location on a different firewall.

 

From the CLI, you can navigate the configuration and even get the proper xpath if you enable these commands:

admin@ReaperGate> set cli config-output-format xml
admin@ReaperGate> debug cli on

 

You need to set the config output format to XML as the default is JSON, and enabling the debug will show the xpath (don't forget to turn this off again after you got what you came for).

 

With these commands, set your config output. It will now look like this:

admin@ReaperGate> configure
()
((context-inserted-at-end-p: . #t))
Entering configuration mode
[edit]                                                                                                                                                    
admin@ReaperGate# show network interface
(container-tag: network container-tag: interface)
((eol-matched: . #t) (eol-matched: . #t) (xpath-prefix: . /config/devices/entry[@name='localhost.localdomain']) (context-inserted-at-end-p: . #f))
/usr/local/bin/pan_ms_client --config-mode=xml --set-prefix='set network ' --cookie=1793408030469599 <<'EOF'  |sed 2>/dev/null -e 's/devices localhost.localdomain//'  |/usr/bin/less -X -E -M
<request cmd="get" obj="/config/devices/entry[@name='localhost.localdomain']/network/interface"></request>
EOF

<response status="success" code="19">
  <result total-count="1" count="1">
    <interface>
      <ethernet>
        <entry name="ethernet1/1">
          <layer3>
            <ipv6>
              <neighbor-discovery>
                <router-advertisement>
                  <enable>no</enable>
                </router-advertisement>
              </neighbor-discovery>
            </ipv6>
            <ndp-proxy>
              <enabled>no</enabled>
            </ndp-proxy>
            <lldp>
              <enable>no</enable>
            </lldp>
            <dhcp-client/>
          </layer3>
        </entry>
      </ethernet>
    </interface>
  </result>
</response>

 

The orange bit following "obj" is the xpath for the dataplane interfaces node.

 

Now that I have an easy way to find the xpath and verify the config snippet, I'm about to extract. I can go ahead and collect the section I need. For example, I'd like to export my admin access security policy, so I can easily import it onto all my other firewalls. 

admin@ReaperGate# show rulebase security rules AdminAccess 
(container-tag: rulebase container-tag: security container-tag: rules container-tag: entry key-tag: name value: AdminAccess)
((eol-matched: . #t) (eol-matched: . #t) (xpath-prefix: . /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']) (context-inserted-at-end-p: . #f))
/usr/local/bin/pan_ms_client --config-mode=xml --set-prefix='set rulebase security rules ' --cookie=3511483105011606 <<'EOF'  |sed 2>/dev/null -e 's/devices localhost.localdomain//'  |/usr/bin/less -X -E -M
<request cmd="get" obj="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='AdminAccess']"></request>
EOF

<response status="success" code="19">
  <result total-count="1" count="1">
    <entry name="AdminAccess" uuid="8b9a89d6-5035-441a-b679-f85c3a87ac6d">
      <to>
        <member>trust</member>
      </to>
      <from>
        <member>HQvpn</member>
      </from>
      <source>
        <member>10.0.10.0/24</member>
      </source>
      <destination>
        <member>any</member>
      </destination>
      <source-user>
        <member>any</member>
      </source-user>
      <category>
        <member>any</member>
      </category>
      <application>
        <member>ssh</member>
      </application>
      <service>
        <member>application-default</member>
      </service>
      <hip-profiles>
        <member>any</member>
      </hip-profiles>
      <action>allow</action>
      <profile-setting>
        <group>
          <member>default</member>
        </group>
      </profile-setting>
    </entry>
  </result>
</response>
[edit]                           

 

Next, I can export a partial configuration, which I can import onto the target firewalls.

admin@ReaperGate# save config partial policy-and-objects excluded to polobj.xml
(container-tag: config container-tag: partial leaf-tag: policy-and-objects value: excluded pop-tag: leaf-tag: to value: polobj.xml pop-tag:)
((eol-matched: . #t) (context-inserted-at-end-p: . #f))


<request cmd="op" cookie="3511483105011606" uid="1000"><operations><save><config><partial><policy-and-objects>excluded</policy-and-objects></partial><to>polobj.xml</to></config></save></operations></request>


2019-07-11 06:13:29
<response status="success"><result>Config saved to polobj.xml</result></response>

Config saved to polobj.xml
[edit]                                                                              

 

The config file can be exported off and on the firewall through tftp and scp export, or via the export/import on the web interface: Device > Setup > Operations.

admin@ReaperGate> tftp export configuration from polobj.xml to 10.0.0.12

 

Copy the part of the configuration you want onto the new firewall.

admin@ReaperGate2# load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='AdminAccess'] to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='AdminAccess'] mode merge from polobj.xml 
(container-tag: config container-tag: partial leaf-tag: from-xpath value: /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='AdminAccess'] leaf-tag: to-xpath value: /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='AdminAccess'] leaf-tag: mode value: merge leaf-tag: from value: polobj.xml pop-tag: pop-tag:)
((eol-matched: . #t) (context-inserted-at-end-p: . #f))


<request cmd="op" cookie="3511483105011606" uid="1000"><operations><load><config><partial><from-xpath>/config/devices/entry[@name=&apos;localhost.localdomain&apos;]/vsys/entry[@name=&apos;vsys1&apos;]/rulebase/security/rules/entry[@name=&apos;AdminAccess&apos;]</from-xpath><to-xpath>/config/devices/entry[@name=&apos;localhost.localdomain&apos;]/vsys/entry[@name=&apos;vsys1&apos;]/rulebase/security/rules/entry[@name=&apos;AdminAccess&apos;]</to-xpath><mode>merge</mode><from>polobj.xml</from></partial></config></load></operations></request>


2019-07-11 06:28:01
<response status="success"><result><msg><line>Config loaded from polobj.xml</line></msg></result></response>

Config loaded from polobj.xml

[edit]                                                                                                                                                                                                                               
admin@ReaperGate2# 

 

Disable the CLI debug.

admin@ReaperGate2# run debug cli off
(leaf-tag: cli value: off)
((eol-matched: . #t) (cli-handler: . debug-cli-handler) (context-inserted-at-end-p: . #f))
[edit] 


Verify the config was imported properly.

admin@ReaperGate2# show rulebase security 
<response status="success" code="19">
  <result total-count="1" count="1">
    <security>
      <rules>
        <entry name="AdminAccess" admin="admin" dirtyId="7" time="2019/07/11 06:27:59" uuid="41823b0d-5b37-490b-9485-21af6d01ee69">
          <to>
            <member>trust</member>
          </to>
          <from>
            <member>HQvpn</member>
          </from>
          <source>
            <member>10.0.10.0/24</member>
          </source>
          <destination>
            <member>any</member>
          </destination>
          <source-user>
            <member>any</member>
          </source-user>
          <category>
            <member>any</member>
          </category>
          <application>
            <member>ssh</member>
          </application>
          <service>
            <member>application-default</member>
          </service>
          <hip-profiles>
            <member>any</member>
          </hip-profiles>
          <action>allow</action>
          <profile-setting>
            <group>
              <member>default</member>
            </group>
          </profile-setting>
        </entry>
      </rules>
    </security>
  </result>
</response>
[edit]                                               

 

Commit the changes.                          

admin@ReaperGate2# commit 
Commit job 9 is in progress. Use Ctrl+C to return to command prompt
....70%99%.....100%
Configuration committed successfully

[edit]                                                                                                                                                                                                                               
admin@ReaperGate2# run show running security-policy

"AdminAccess; index: 1" {
        from HQvpn;
        source 10.0.10.0/24;
        source-region none;
        to trust;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service 0:ssh/tcp/any/22;
        action allow;
        icmp-unreachable: no
        terminal yes;
}

 

Here are a few tips and caveats:

  • I copied over only one single security rule, but you can copy the entire rulebase by using the "container" xpath.
/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules

 

You can even copy all of the rulebases, including NAT and QoS by dropping down another level.

/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase

 

Use the CLI debug and the "show" command in config mode to double check the xpath and content of any section you want to copy.

 

  • You may have noticed there's a vsys mentioned. It's also possible to copy configuration from one vsys to another within the same system, simply by changing the destination vsys. 
admin@ReaperGate2# load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/ to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys2']/rulebase mode merge 
  • The load command has 3 modes: append, merge, and replace.

Merge will try to merge two existing nodes when possible (i.e., if a rule with the same name already exists, Merge will try to add the attributes into the existing rule).

Replace will replace any existing node in favor of the new node

Append will try to add the node, but will fail if an identical node already exists

 

 

Hope this was helpful! Feel free to leave a comment below

 

Reaper out

2 Comments
L4 Transporter

@reaper This is really good guide and showed me something I did not know before.

Can you please elaborate more on what exactly "save config partial" does. How it differs from "save config" and what does the "exclude" option does? I could not find any documentation for it. 

Cyber Elite
Cyber Elite

hi @batd2 

the excluded is which part of the config you don't want to save (making the save partial)

if you save config partial with no exclusion, you just save the config

  • 11485 Views
  • 2 comments
  • 4 Likes
Register or Sign-in
Labels