Best way to save new config, so they can be loaded and committed later?

L2 Linker


Hello friends, 

 

I have a question about saving my firewall changes and then applying them at a later date. What I want to do is enter all my changes into a production firewall, but then not commit them. I want to save just my changes, i.e. a small configlet, and then at a later date "load" my changes and commit them (during out-of-production hours). I know this can be done, but I'm not sure what the best method is.

Should I use "load" configurations or "revert" configs?

I don't want to commit my changes into production by accident, so any advice would be appreciated on the best method.

 

Thanks.



All Replies
Cyber Elite

Hi @Jedi_D

 

You could configure all the things you want to change. Then you export the candidate configuration and revert to the running configuration. And then out of production hours you import the previously exported config and commit this one. This makes sure that no other admin accidentally commits your configuration. If there isn't another admin that can commit, you can simply configure everything, save it and commit the changes at the time you want.

L7 Applicator

In addition to the export, another option would be to save it as a Named Configuration Snapshot then hit the Revert to running configuration link. That saves it as a name that can be referenced later but doesn't touch the running/current configuration.

 

L2 Linker

That is very interesting, so thank you very much. I will try this out on a lab:

1) make changes to the candidate config

2) save "save named configuration snapshot"

3) revert the changes

4) then "load named configuration snapshot"

5) commit. 

 

But if someone makes changes between the time of me "saving the named config snapshot" and "loading named configuration snapshot", then their changes will be lost... that's my logic...

If that is the case, then maybe I can't use this technique...

Cyber Elite

@Jedi_D,

That's correct, the other admins' changes would be lost. Maybe a stupid question, but have you taken a look at the Locks feature? Any admin can take a 'lock' for either Config or Commit. The Commit lock simply locks other admins from actually committing changes without the other administrator removing the lock, or a superuser removing the lock on behalf of the user. The config lock isn't something I use that often, as it blocks other admins from making changes.

This ensures that other admins working on the system are aware that you are making changes, and if they have the superuser role and remove your lock it would essentially be them verifying that they've verified that your changes were complete and valid. This can be set automatically by the Device > Setup > Management > General Settings 'Automatically Acquire Commit Lock' option.

L4 Transporter

Do you know what changes you are looking to save?

 

What I would do in this situation is go to the command line, issue a "set cli config-output-format set", then from configuration mode, show the portion of the configuration you are looking to save. This will output set commands you can copy somewhere safe and paste back in at a later time. You may need to clean some commands out of the output, therefore you would need to know pretty well what changes had been made.

Maybe someone else knows how to get a diff of the candidate configuration and the running configuration in these set commands?

L2 Linker

Thanks, that's given me an idea...

 

How about doing the changes on the GUI, then doing a commit -> compare?

This will show the new config to be added. If I can get this new config in set format, then I could just copy it into the FW at a later date.

Problem is: how to get the new config in the "set" format.

L4 Transporter

Looks like we were replying at the same time.

 

I verified: once you change your output format using "set cli config-output-format set", issuing "show config diff" will give the differences in "set" format.

Cyber Elite

@JoeAndreini,

Show config diff is a CLI command; if @Jedi_D is looking to get the set commands in the GUI as stated, I'm not sure this is actually possible. It appears that if you are looking to get the set commands, you'll have to fall back to the CLI instead of the GUI.
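
Added example, not part of the original thread: a small Python model of the two approaches discussed above. It shows why loading a full named snapshot discards another admin's intervening change, while replaying only the set-format delta does not. The set lines are constructed sample data and all function names are hypothetical.

```python
# Constructed sample data: configs modeled as sets of set-format lines.
RUNNING = {
    "set address web-01 ip-netmask 10.0.0.10/32",
    "set address db-01 ip-netmask 10.0.0.20/32",
}
# My uncommitted candidate: db-01 re-addressed, app-01 added.
MY_CANDIDATE = {
    "set address web-01 ip-netmask 10.0.0.10/32",
    "set address db-01 ip-netmask 10.0.0.21/32",
    "set address app-01 ip-netmask 10.0.0.30/32",
}
# Another admin commits this while my change is parked.
OTHER_ADMIN = "set address vpn-gw ip-netmask 192.0.2.1/32"


def configlet(running, candidate):
    """Only the lines my change adds or removes (the 'diff')."""
    return {"add": candidate - running, "remove": running - candidate}


def load_snapshot(current, snapshot):
    """Loading a full snapshot replaces the candidate wholesale."""
    return set(snapshot)


def replay_configlet(current, delta):
    """Applying only the delta leaves unrelated lines untouched."""
    return (current - delta["remove"]) | delta["add"]


def stale_lines(current, delta):
    """Lines my delta expects to replace that are no longer present,
    i.e. someone else touched the same object in the meantime."""
    return delta["remove"] - current


def lost_changes(before, after, delta):
    """Lines that disappeared and were not part of my own change."""
    return (before - after) - delta["remove"]


def demo():
    delta = configlet(RUNNING, MY_CANDIDATE)
    later = RUNNING | {OTHER_ADMIN}  # running config at change time
    via_snapshot = load_snapshot(later, MY_CANDIDATE)
    via_delta = replay_configlet(later, delta)
    return (lost_changes(later, via_snapshot, delta),
            lost_changes(later, via_delta, delta),
            stale_lines(later, delta))
```

A non-empty `stale_lines` result means the parked change was built against a line that has since changed, so the delta should be reviewed before it is pasted back in.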
