Merging two Palos Config

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Merging two Palos Config

L0 Member

Hello everyone

I have two Palo PA-850s with software version 10.2.2 that are running in different locations. To merge all the services to one location, I must merge two Palos configurations from ACLs, NATs, and Interfaces to a single device (or the HA pair).

As far as I know, I can export the .xml config, edit it, and then import it to Palo, but does it merge with the old config or replace it?

 

Regards

John

3 REPLIES 3

Community Team Member

Hi @john.mayer ,

 

If you import a new config it will replace the current config on the device. In the past, I found Expedition to be very useful. You can import the preferred firewall config as the base config and the secondary firewall config as the source configuration file. You will be able to move/edit interfaces, NAT rules, security policies, and services/objects. For more info, check the Expedition section we have within LiveCommunity.

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Cyber Elite
Cyber Elite

Hello,

After you update the xml, remove the parts that you dont want to update. This way it will only update the parts you want to update.

 

Regards,

Cyber Elite
Cyber Elite

Hi @john.mayer ,

 

Another way you could do it is as follows:

 

  1. Import and load the 1st configuration (the one with the most config to keep) onto the NGFW.
  2. Import and do not load the 2nd configuration.
  3. Load config partial the sections you want to add to the candidate configuration.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/load-configurations/...
    1. Use mode merge.
    2. Find the XPath from the API browser.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api...
    3. The from file will be the XML of the 2nd config.

If the sections are not too big, copying the set commands on the CLI from one NGFW to another is quick also.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 2151 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!