06-24-2017 11:23 PM - edited 06-24-2017 11:26 PM
Hi
I wanted to move some pre-rules to post rules in my panorama config.
I wanted to try and do it with load partial.
But I am having issues generating the XML files.
I ssh to panorama
set cli config-output-format xml
configure
save config to 20170625-AlexWorking.xml
and then exit out of config
show config saved 20170625-AlexWorking.xml
doesn't show me XML.
So GUI, export to XML... looks good, scp back onto Panorama and it's been converted back.
So I want to do a load partial, but I can't seem to get an XML on there.
What am I missing?
This is the command I am trying to do
load config partial from 20170625-AlexWorking.xml from-xpath /config/devices/entry/device-group/entry/pre-rulebase to-xpath /config/devices/entry/device-group/entry/post-rulebase mode append
and I get back
Server error : Failed to compose effective config to load. input file doesn't have anything at devices/entry/device-group/entry/pre-rulebase
06-24-2017 11:41 PM
Okay, seems like it doesn't matter.
I had the wrong base.
Needed:
load config partial from 20170625-AlexWorking.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Yieldbroker']/pre-rulebase to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Yieldbroker']/post-rulebase mode append
Got this from
06-24-2017 11:47 PM
Hi @Alex_Samad
I would recommend that you use the Palo Alto Migration tool to connect to your firewalls via XML API. By doing so, you will be able to automatically pull your production firewall configuration straight into the Migration tool, and then transform the policies you want from pre-rules into post-rules.
Once it is done, you can then generate an XML API call, and send it straight to the devices via the migration tool. All you need to do after that is to login into the appliance and hit commit.
Here is the guide that shows the detailed process. PAN_MigrationTool_users guide.pdf
I hope this helps.
Twitter: @willguibr
06-25-2017 12:12 AM
I will give it a try. I downloaded the VM but thought it was a bit of overkill. Thought xpath would / should be able to do the move from pre to post.
I have instead used out to set and copied that config to a text file and changed the pre to post and re-ran the commands.
Alex
06-25-2017 12:37 AM
In the scenario I described you don't have to import the xml file into the migration tool. You only need to add the device to the device list, and then double click on it to pull the configuration in. 😉
06-25-2017 03:08 AM
Hi
Sorry, I think maybe I misunderstood.
I have already downloaded the migration tool - which seems to be a VM for VMware.
Personally I think this might be a bit of overkill - installing a VM to do migration.
Think I would rather learn to do it by hand, which is what I was trying to do by the load partial. But I ran into some sort of issue, not really sure what, but it seemed to want to add pre-base under post-base, instead of just adding the pre-base children to post-base.
But I found another workaround: I downloaded the XML config and then manually duplicated the sections I wanted and uploaded the modified XML.
Looks okay now. I have 2 copies of the rules and I can delete as needed.
Thanks
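
The manual workaround in the last post (duplicate the pre-rulebase rules into the post-rulebase of an exported config) can be scripted so the rule entries land under the matching `rules` node rather than as a nested `pre-rulebase`. This is an added example, not code from any poster or from Palo Alto Networks; the device-group name `DG-Example`, the rule names and the helper names are constructed, and it assumes the usual export layout of `pre-rulebase/<rulebase>/rules/entry`.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample of an exported Panorama config (not the poster's config).
SAMPLE = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="DG-Example">
  <pre-rulebase><security><rules>
    <entry name="allow-dns"><action>allow</action></entry>
    <entry name="block-telnet"><action>deny</action></entry>
  </rules></security></pre-rulebase>
  <post-rulebase><security><rules>
    <entry name="block-telnet"><action>deny</action></entry>
  </rules></security></post-rulebase>
</entry></device-group></entry></devices></config>"""

def child(parent, tag):
    """Return parent's <tag> child, creating it when absent (hypothetical helper)."""
    node = parent.find(tag)
    return ET.SubElement(parent, tag) if node is None else node

def copy_pre_to_post(root, device, group):
    """Copy pre-rulebase rules into post-rulebase; returns (copied, skipped).
    Rules whose name already exists in the target rules node are skipped."""
    dg = root.find(f"./devices/entry[@name='{device}']"
                   f"/device-group/entry[@name='{group}']")
    if dg is None:
        raise LookupError(f"device group {group!r} not found under {device!r}")
    pre = dg.find("pre-rulebase")
    copied, skipped = [], []
    if pre is None:
        return copied, skipped
    post = child(dg, "post-rulebase")
    for rulebase in pre:  # e.g. security, nat, decryption
        src = rulebase.find("rules")
        if src is None:
            continue
        dst = child(child(post, rulebase.tag), "rules")
        existing = {e.get("name") for e in dst.findall("entry")}
        for rule in src.findall("entry"):
            name = rule.get("name")
            if name in existing:
                skipped.append(name)  # avoid duplicate entry names in the target
            else:
                dst.append(copy.deepcopy(rule))
                copied.append(name)
    return copied, skipped

if __name__ == "__main__":
    print(copy_pre_to_post(ET.fromstring(SAMPLE), "localhost.localdomain", "DG-Example"))
```

The pre-rulebase entries are left in place, which matches the outcome described in the post: two copies of each rule, with the unwanted copy deleted after review.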