06-25-2019 10:25 AM
Any way to copy objects and object groups from one firewall pair to another?
06-25-2019 10:54 AM - edited 06-25-2019 01:34 PM
Excellent question!!! Yes this can be done.
I would like you to read/understand this link:
Essentially, from one FW that has the objects/groups, you will save that config off to a named config (say... partial.xml)
Next, import the partial.xml file onto the other FW, but do NOT commit; just get it onto the HDD
Next, from CLI the command is going to be
load config partial from <filename> from-xpath <source-xpath> to-xpath <destination-xpath> mode [append|merge|replace]
I am not aware of how to get ALL objects from a single config merged into a new config.
This is but a very small snippet of what can be done with the xml file.
Address
load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address mode merge
Address Group
load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group mode merge
The above will move ONLY the address objects and then Address Group objects into the config.
If you have service objects/groups, that is a similar pattern, but the path is located differently.
Enjoy! And welcome to advanced FW configuration/administration!
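As an added illustration of the merge step described above (not code from the thread or from Palo Alto Networks), this Python script does offline what `mode merge` does on the firewall for the address and address-group sections: it takes two exported config XML files, adds the entries the target lacks, skips identical ones, flags same-name entries with different content as conflicts rather than overwriting them, and then checks that every static group member resolves to an existing object, since a dangling member would fail at commit time. The sample XML is constructed, and the vsys1 / localhost.localdomain path is taken from the commands in the post.

```python
import xml.etree.ElementTree as ET

# Per the thread the path keeps 'localhost.localdomain' regardless of the firewall's hostname.
VSYS = "./devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"
# Constructed sample exports (not real firewall configs): source holds the objects to copy.
SOURCE_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<address><entry name="web-1"><ip-netmask>10.0.1.10/32</ip-netmask></entry>
<entry name="web-2"><ip-netmask>10.0.1.11/32</ip-netmask></entry></address>
<address-group><entry name="web-servers"><static><member>web-1</member><member>web-2</member>
</static></entry></address-group></entry></vsys></entry></devices></config>"""
TARGET_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<address><entry name="web-1"><ip-netmask>10.0.1.10/32</ip-netmask></entry>
<entry name="db-1"><ip-netmask>10.0.2.10/32</ip-netmask></entry></address>
<address-group/></entry></vsys></entry></devices></config>"""

def _canon(e):
    """Whitespace-insensitive structural form of an element, for comparing entries."""
    return (e.tag, sorted(e.attrib.items()), (e.text or "").strip(), [_canon(c) for c in e])

def merge_section(src_root, dst_root, section):
    """Merge one vsys section from src into dst like 'mode merge': new names are added,
    identical entries skipped, and a same-name entry with different content is a conflict."""
    src, dst = src_root.find(f"{VSYS}/{section}"), dst_root.find(f"{VSYS}/{section}")
    if src is None or dst is None:
        raise ValueError(f"section '{section}' missing in source or target")
    existing = {e.get("name"): e for e in dst.findall("entry")}
    added, conflicts = [], []
    for entry in src.findall("entry"):
        name = entry.get("name")
        if name not in existing:
            dst.append(entry)
            added.append(name)
        elif _canon(existing[name]) != _canon(entry):
            conflicts.append(name)
    return added, conflicts

def dangling_members(root):
    """Static group members naming no address object or group (a commit would reject these)."""
    known = {e.get("name") for e in root.findall(f"{VSYS}/address/entry")}
    known |= {e.get("name") for e in root.findall(f"{VSYS}/address-group/entry")}
    refs = {m.text for m in root.findall(f"{VSYS}/address-group/entry/static/member")}
    return sorted(refs - known)

def merge_objects(source_xml, target_xml):
    """Merge address, then address-group (the order the post uses); return report + XML."""
    src, dst = ET.fromstring(source_xml), ET.fromstring(target_xml)
    report = {s: merge_section(src, dst, s) for s in ("address", "address-group")}
    report["dangling"] = dangling_members(dst)
    return report, ET.tostring(dst, encoding="unicode")
```

Run it against the two real exports before issuing `load config partial`: an empty conflict and dangling list means the merge on the firewall will not silently change an existing object or fail at commit.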
06-25-2019 10:54 AM
The Expedition tool can easily do this through a merge function, you could do it manually through the XML file directly, or if you need them to match on an on-going basis and don't have access to Panorama you could template the XML file via Jinja2 and recreate the function via Python.
06-26-2019 06:08 AM
Thank you so much for the responses. I tried doing the partial config thing but my firewall says invalid syntax. It won't recognize the command after from(unknown). I am in config mode.
06-26-2019 11:33 AM
There was an issue on a subset of PAN-OS images that 'from' was the command termination point and needed to be done at the end of the command, similar to profile-setting when creating a security rulebase entry. Try moving that to the end of your command, as order doesn't really matter once the command is issued.
06-27-2019 12:10 AM
I would have used CLI for this. Refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHNCA0.
If the data is in a VSYS you just need to amend the lines in Notepad to add or change the VSYS - again relatively painless.
I have used this for a number of ongoing migrations where I do not have full access to the back.
Regards
Adrian
06-27-2019 06:10 AM
@S.Cantwell For some reason it is giving me an error. Can you please help me putting in the right command? Say my firewall hostname is fw-a and domain name is abc.com. I'm putting in @name='fw-a.abc.com'. Please correct me if I'm wrong.
thanks.
06-27-2019 06:11 AM
@a.jones Thanks Jones. Yes I did try this, but for some address groups which have 300 address objects in them, it's very tedious to copy the whole output and paste it in one line. But this was very helpful for address and service objects.
06-27-2019 06:15 AM
If you have over 300 objects you are trying to merge in, I would really recommend doing this simply in the XML file. I could help with that if needed, but it would be far faster to just do it manually if you can't get the merge function to work correctly.
06-27-2019 10:00 AM
Ah... I see what you are saying... Let me clarify.
You would not change the entry to match your FW domain
Keep it just as /config/devices/entry[@name='localhost.localdomain']
using localhost.localdomain. (don't put in FW-A.abc)
07-05-2019 06:54 AM
@S.Cantwell I copied pretty much everything but security policies. I am trying /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/security-plocy but it says incorrect syntax.
Am I missing any syntax here for security policies?
thanks.