08-08-2022 07:23 PM
Migration / Import of configuration only to a destination Vsys, a particular vsys.
Hello good afternoon, as always thank you very much for the support and collaboration as always. Please your your suggestions, advice and / or guidance, how is it possible to perform the import/load config, of a PA configuration, to be loaded only, but only in a vsys( vsys4 ) without touching anything of the rest of vsys of the firewall, just import and load that configuration to the vsys4 ?
Environment/Infra:
PA-5250 Physical Firewall - HA
Vsys1 ready and OK
Vsys2 ready and OK
Vsys3 ready and OK.
Vys4 created, without any configuration, but waiting for the configuration.
Thank you, I remain attentive, best regards
08-09-2022 07:27 PM
Look into the load config partial command and its various options. Assuming that you are familiar with xpath this is an easy option that doesn't require you to manually modify the configuration file or utilize the Expedition tool. Expedition is the only option that I'm aware of that would let you do this easy enough without required knowledge of XML and the actual configuration file.
08-10-2022 12:41 AM
Hi @Metgatz ,
I would agree with @BPry and tried to expand a little. I recently used the "load partial config" feature and must say it is fantastic!
There is some nice documentations explaining how to use the command:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbLCAS
There you can also find instructions how to get the correct xpath for each part of the configuration.
Now let note that "load partial config" can be used only if you have your configuration in XML format. From your post I assume you already have complete FW config in XML format.
I would assume that you want to migrate single firewall as new vsys to existing firewall. In that case I would suggest the following:
- Export running config from the firewall that will be migrated. And save it with different name from "running-config.xml"
- Import that file to the firewall with the VSYSs. Only import it, do not load it. You can do that via the GUI. FW will save this xml and list it under saved configs.
- Using the API browser (explained in the links above) get the xpath for the relevant config you want to import. Depending on what configuration you want to keep and what want to ignore you can use xpaths for specific config only - address, address-groups, security policy rules, etc. Or more generic like all network settings
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
