
export config through cli

L4 Transporter

Hey all,

Is there a way to export the (running) config through cli?

Output should be a config file we can IMPORT back into a new device.

- NOT using SCP (we have restrictions on this)

- NOT using the API (php/rest/browse.php/export::configuration) (we only have ssh access)

1) "show config running" or under configuration-mode "show" -> this will output the config, but it is not in XML format and thus cannot be imported

2) "set cli config-output-format xml" + under configuration-mode "show" -> this will output the config in XML format, but this is NOT importable in a PaloAlto. This is just an XML representation of the config, and not the config in XML format: there is a difference. (Why you would want the "XML representation of the config" is a mystery to me, since you cannot use it in any way.)

3) "set cli config-output-format set" + under configuration-mode "show" -> this will output the config in set commands. This CAN technically be used to "import" the config, but importing 1000+ lines of set commands is bound to fail somewhere down the line...

Any of you guys got any other solutions, or maybe just a nice script that will rewrite the output of "set cli config-output-format xml" + "show" into an importable config file?

Regards

9 REPLIES 9

L7 Applicator

Hello Mr.linus,

Is there any specific reason you want to export the configuration file from the CLI only? (It will be very easy to perform the same from the GUI.)

You can try the steps mentioned below.

1. > set cli pager off

2. > set cli config-output-format xml

3. Log the putty session to a txt file

4. Go to configuration mode

5. PAN# show 

6. Turn off logging for that session.

7. Edit that txt file and change the file extension to .xml.

Thanks

Not applicable

Is there an automated way to export the config through the GUI since it seems like CLI is out?  We need to backup many PA's but don't want to buy Panorama.

Thanks

Dear Hulk,

Sorry but that is not correct. (as explained in my initial question)

If you do a "show" in configuration mode with cli config-output-format set to xml you do NOT get an XML config file. Try it.

Not only does the output contain things like "<response status="success" code="19">", the order of the XML is also different, and thus it can NOT be imported again.

The output DOES contain all necessary information to rebuild a working config, but you need to do a lot of find and replace...

I agree the GUI would be far easier, but if that would be possible in my setup, I would not be asking this question 🙂

Any other suggestions?

Dear Jason,

You can use the API for this

1) go to https://XXX.XXX.XXX.XXX/esp/restapi.esp?type=keygen&user=XXX&password=XXX

-> this will generate an API key which you need to export the config (alternatively you can just log in to the PA and then go to the second URL)

2) go to https://XXX.XXX.XXX.XXX/esp/restapi.esp?key=XXX&type=export&category=configuration

Also check out "How to use the XML API to backup your firewall configuration".

Regards

L4 Transporter

Guess this is not possible then... I will send in a feature request

Panorama makes backups (in 6.0 anyway)

Automatic backups from Panorama are also available in 5.0 and 5.1 trains.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

True,

But we don't have a panorama in our setup 🙂

L7 Applicator

Besides exporting the configuration file to an SCP or a TFTP server through SSH (see "CLI Commands to Export/Import Configuration and Log Files"), there are two other options to extract a restorable version of the configuration file from the firewall. There is a 'dirty' way and a 'clean' way. The 'dirty' way can help you if you only have console access. The 'clean' way requires HTTPS access to a firewall's interface.

The 'dirty' way is to extract the configuration file in a stanza of set commands.

You can achieve this by going to the CLI and executing:

> set cli pager off

> set cli config-output-format set

> configure

Entering configuration mode

[edit]

# show

The 'clean' method is to leverage the API using cURL to get the xml file. As a side note, the "> set cli config-output-format xml" command won't help you, as it will result in displaying the configuration file in an xml format that is not restorable.

To use the API, you must begin by obtaining the API KEY, which will be used as your authentication token for API queries.

To obtain it with curl, execute:

curl -k "https://<IP_PAN>/api/?type=keygen&user=<your_user>&password=<your_password>"

This will result in obtaining a long string, which will be your API key.

You can then obtain your config with command:

curl -o config.xml -k "https://<IP_PAN>/esp/restapi.esp?type=config&action=show&key=<API-KEY>"

Where <API-KEY> is the key previously obtained and <IP_PAN> is the management IP of your firewall.

If you vi config.xml, you will see the XML is wrapped in a <response status="success"><result> and at the end of the file closes with its corresponding </result></response>.

You can clean your config.xml file with search and replace. If you used perl the commands will be:

To fix the header:

perl -i.bak -pe 's/<response status="success"><result>/<?xml version="1.0"?>\n/' config.xml

To fix the footer:

perl -i.bak -pe 's/<\/result><\/response>//' config.xml

Or you can alternatively concatenate the command as:

curl -o config.xml -k "https://<IP_PAN>/esp/restapi.esp?type=config&action=show&key=<API-KEY>" && perl -i.bak -pe 's/<response status="success"><result>/<?xml version="1.0"?>\n/' config.xml && perl -i.bak -pe 's/<\/result><\/response>//' config.xml

  • 18120 Views
  • 9 replies
  • 0 Likes
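
An added example, not part of the thread or of any Palo Alto tooling: a Python alternative to the perl search-and-replace in the last reply. It parses the API response, refuses anything whose status is not "success", and writes out only the element inside <result>. The sample responses are constructed, and it is an assumption here that <result> holds exactly one element (the configuration).

```python
import xml.etree.ElementTree as ET

# Constructed sample responses (not captured from a real firewall).
SAMPLE_OK = (
    b'<response status="success"><result>'
    b'<config version="6.0.0"><devices><entry name="localhost.localdomain">'
    b'<deviceconfig><system><hostname>fw-lab</hostname></system></deviceconfig>'
    b'</entry></devices></config>'
    b'</result></response>'
)
SAMPLE_ERR = (
    b'<response status="error"><result><msg>Invalid credentials.</msg>'
    b'</result></response>'
)


def unwrap_config(response: bytes) -> bytes:
    """Return the element inside <response><result> as a standalone XML document."""
    root = ET.fromstring(response)
    if root.tag != "response":
        raise ValueError(f"unexpected root element <{root.tag}>")
    # An error reply is well-formed XML too; a blind search-and-replace would
    # turn it into a "backup" file, so check the status before anything else.
    if root.get("status") != "success":
        raise ValueError(f"API call failed: status={root.get('status')!r}")
    result = root.find("result")
    children = list(result) if result is not None else []
    # Assumption: a successful export carries exactly one element in <result>.
    if len(children) != 1:
        raise ValueError(f"expected one element inside <result>, found {len(children)}")
    inner = children[0]
    inner.tail = None  # drop whitespace that followed the element in the wrapper
    # Serialise only the inner element, with an XML declaration on top.
    return ET.tostring(inner, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    import sys
    # Usage: python unwrap_config.py config.xml > restorable.xml
    with open(sys.argv[1], "rb") as fh:
        sys.stdout.buffer.write(unwrap_config(fh.read()))
```

The `-k` option in the curl commands above turns off certificate verification, so the key and the exported configuration travel over a connection whose peer is not authenticated; pointing curl at the firewall's certificate with `--cacert` avoids that.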