on 03-14-2023 11:41 PM - edited on 03-14-2023 11:43 PM by emgarcia
This Nominated Discussion Article is based on the post "Merging Two Palo Configs" by @john.mayer and responded to by Cyber Elites @TomYoung, @OtakarKlier, and Community Moderator @JayGolf. Read on to see the discussion and solution!
Hello everyone
I have two Palo PA-850s with software version 10.2.2 that are running in different locations. To merge all the services to one location, I must merge the two Palos' configurations, from ACLs, NATs, and Interfaces, to a single device (or the HA pair).
As far as I know, I can export the .xml config, edit it, and then import it to Palo, but does it merge with the old config or replace it?
Regards
John
Solutions:
If you import a new config it will replace the current config on the device. In the past, I found Expedition to be very useful. You can import the preferred firewall config as the base config and the secondary firewall config as the source configuration file. You will be able to move/edit interfaces, NAT rules, security policies, and services/objects. For more info, check the Expedition section we have within LiveCommunity.
After you update the XML, remove the parts that you don't want to update. This way it will only update the parts you want to update.
Another way you could do it is as follows:
- Import and load the 1st configuration (the one with the most config to keep) onto the NGFW.
- Import and do not load the 2nd configuration.
- Use load config partial for the sections you want to add to the candidate configuration. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/load-configurations/...
- Use mode merge.
- Find the XPath from the API browser. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...
- The from file will be the XML of the 2nd config.
If the sections are not too big, copying the set commands on the CLI from one NGFW to another is also quick.
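
Before a partial load in merge mode, it helps to know which named entries exist in both exports, since a name that is defined differently on the two firewalls needs a decision before the commit. The following is an added example, not part of the original discussion or any Palo Alto tool: it compares one section of two exported XML files and lists new, identical, and conflicting entry names. The section path (address objects in vsys1) and the sample configs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed section: address objects in vsys1 (path relative to the <config> root).
SECTION = "./devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address"

# Constructed sample exports, trimmed to the one section; not real firewall configs.
WRAP = ("<config><devices><entry name='localhost.localdomain'><vsys>"
        "<entry name='vsys1'><address>{}</address></entry></vsys></entry></devices></config>")
FW1_XML = WRAP.format(
    "<entry name='web-srv'><ip-netmask>10.1.1.10/32</ip-netmask></entry>"
    "<entry name='dns-srv'><ip-netmask>10.1.1.53/32</ip-netmask></entry>")
FW2_XML = WRAP.format(
    "<entry name='web-srv'><ip-netmask>10.2.1.10/32</ip-netmask></entry>"
    "<entry name='dns-srv'>\n  <ip-netmask>10.1.1.53/32</ip-netmask>\n</entry>"
    "<entry name='mail-srv'><ip-netmask>10.2.1.25/32</ip-netmask></entry>")


def section_entries(xml_text, section=SECTION):
    """Return {entry name: canonical XML} for the named entries under `section`."""
    node = ET.fromstring(xml_text).find(section)
    found = {}
    for entry in (node.findall("entry") if node is not None else []):
        entry.tail = None  # whitespace after the element is not part of its definition
        raw = ET.tostring(entry, encoding="unicode")
        # C14N with strip_text makes the comparison ignore indentation and attribute order.
        found[entry.get("name")] = ET.canonicalize(raw, strip_text=True)
    return found


def premerge_report(base_xml, second_xml, section=SECTION):
    """Classify the second config's entries against the base config's entries."""
    base, second = section_entries(base_xml, section), section_entries(second_xml, section)
    shared = base.keys() & second.keys()
    return {
        "new": sorted(second.keys() - base.keys()),
        "identical": sorted(n for n in shared if base[n] == second[n]),
        "conflict": sorted(n for n in shared if base[n] != second[n]),
    }


if __name__ == "__main__":
    for kind, names in premerge_report(FW1_XML, FW2_XML).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Run it once per section you plan to load, changing the section path to match; entries reported as conflicts are the ones to rename or reconcile in the second file first.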