04-23-2018 12:42 PM
Hello friends,
I have a question about saving my firewall changes and then applying them at a later date. What I want to do is enter all my changes into a production firewall, but then not commit them. I want to save just my changes, i.e. a small configlet. And then at a later date, "load" my changes and commit them (during out of production hours). I know this can be done, but not sure what the best method is.
Should I use "load" configurations or "revert" configs?
I don't want to commit my changes into production by accident... so any advice would be appreciated on the best method.
Thanks.
04-23-2018 01:12 PM
Hi @Jedi_D
You could configure all the things you want to change. Then you export the candidate configuration and revert to running configuration. And then out of production hours you import the previously exported config and commit this one. This makes sure that no other admin accidentally commits your configuration. If there isn't another admin that can commit, you can simply configure everything, save it and commit the changes at the time you want.
04-23-2018 04:13 PM
In addition to the export, another option would be to save it as a Named Configuration Snapshot then hit the Revert to running configuration link. That saves it as a name that can be referenced later but doesn't touch the running/current configuration.
04-24-2018 05:09 AM
That is very interesting, so thank you very much. I will try this out on a lab:
1) make changes to the candidate config
2) save "save named configuration snapshot"
3) revert the changes
4) then "load named configuration snapshot"
5) commit.
But if someone makes changes between the time of me "saving the named config snapshot" and "loading named configuration snapshot", then their changes will be lost... that's my logic...
If that is the case, then maybe I can't use this technique....
04-24-2018 06:30 AM
That's correct, the other admins' changes would be lost. Maybe a stupid question but have you taken a look at the Locks feature? Any admin can take a 'lock' for either Config or Commit. The Commit lock simply locks other admins from actually committing changes without the other administrator removing the lock, or a superuser removing the lock on behalf of the user. The config lock isn't something I use that often, as it blocks other admins from making changes.
This ensures that other admins working on the system are aware that you are making changes, and if they have the superuser role and remove your lock it would essentially be them verifying that they've verified that your changes were complete and valid. This can be set automatically by the Device > Setup > Management > General Settings 'Automatically Acquire Commit Lock' option.
04-24-2018 06:36 AM
Do you know what changes you are looking to save?
What I would do in this situation is go to the command-line, issue a "set cli config-output-format set" then from configuration mode, show the portion of the configuration you are looking to save. This will output set commands you can copy somewhere safe and paste back in at a later time. You may need to clean some commands out of the output, therefore you would need to know pretty well what changes had been made.
Maybe someone else knows how to get a diff of the candidate configuration and the running configuration in these set commands?
04-24-2018 06:54 AM
Thanks, that's given me an idea...
How about doing the changes on the GUI, then doing a commit -> compare?
This will show the new config to be added. If I can get this new config in set format, then I could just copy it into the FW at a later date.
Problem is: how to get the new config in the "set" format.
04-24-2018 06:58 AM - edited 04-24-2018 06:58 AM
Looks like we were replying at the same time.
I verified, once you change your output format using "set cli config-output-format set", issuing "show config diff" will give the differences in "set" format.
04-24-2018 07:00 AM
Show config diff is a CLI command; if @Jedi_D is looking to get the set commands in the GUI as stated, I'm not sure this is actually possible. It appears that if you are looking to get the set commands you'll have to fall back to the CLI instead of the GUI.
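
Added example, not part of any post in this thread: a Python sketch of the two ideas discussed above, keeping only your own changes as a set-format configlet and checking whether another admin committed anything between the draft and the change window. It assumes you saved three set-format outputs as text (running config when drafting, your candidate, running config at the window); the function names are hypothetical and the sample config lines are constructed.

```python
# Added example (not from the thread): derive a set-format configlet and detect
# other admins' commits made since the draft. All config lines are constructed.

def set_lines(text):
    """Collect the 'set ...' lines from set-format configuration output."""
    return {l.strip() for l in text.splitlines() if l.strip().startswith("set ")}

def path_of(line):
    """Heuristic (assumption): the path is the line minus its final value token."""
    return line.rsplit(" ", 1)[0]

def plan_replay(baseline, draft, current):
    base, mine, now = set_lines(baseline), set_lines(draft), set_lines(current)
    configlet = sorted(mine - base)   # lines the draft adds or changes
    dropped = sorted(base - mine)     # lines the draft removes or overwrites
    drift = sorted(now ^ base)        # commits by others since the draft
    touched = {path_of(l) for l in configlet + dropped}
    conflicts = sorted(l for l in drift if path_of(l) in touched)
    return {
        "configlet": configlet,
        "dropped": dropped,
        "drift": drift,
        "conflicts": conflicts,
        # Loading the full snapshot is only lossless when nothing else changed.
        "snapshot_safe": not drift,
    }

BASELINE = """\
set address web-srv ip-netmask 10.0.0.5/32
set address db-srv ip-netmask 10.0.1.5/32
"""
DRAFT = """\
set address web-srv ip-netmask 10.0.0.10/32
set address db-srv ip-netmask 10.0.1.5/32
set address app-srv ip-netmask 10.0.2.5/32
"""
CURRENT = """\
set address web-srv ip-netmask 10.0.0.7/32
set address db-srv ip-netmask 10.0.1.5/32
set address mail-srv ip-netmask 10.0.3.5/32
"""

if __name__ == "__main__":
    for key, value in plan_replay(BASELINE, DRAFT, CURRENT).items():
        print(key, value)
```

With the constructed input, the snapshot is flagged as unsafe to load because of the mail-srv and web-srv commits, while the configlet can still be pasted once the web-srv conflict is reviewed.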