Panorama: config output on CLI

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Panorama: config output on CLI

L3 Networker

Hi,

I would like to backup and restore a panorama like I can with the firewall, on the firewall i set "set cli op-command-xml-output on" and get the config via the console, then bootstrap the firewall to restore the config...
now i am wondering how I can do the same with panorama...

it seems that i can neither set operational output to xml, nor restore a config via bootstrap... is that so?

is there any way i could automate backing up a panorama and restoring it?

11 REPLIES 11

Cyber Elite
Cyber Elite

panorama actually has a backup feature that allows you to automate ftp backups of its config, that way you only need to import the config file to be up and running again

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

yes but that doesnt work for me...

I need a solution via console or rather without network connectivity.

This is not for a production system, its for a lab software

 

For the firewall I save the output from the console in a file and automate the bootstrapping so you can easily backup/restore configs in seconds, works well so far actually (I tried to do it with saving and restoring the set commands but trying to automate the login is a pain for several reasons, 1.) password after 9.0.4 cannot be admin/admin anymore 2.) console keeps telling you incorrect login and there is no consistent way of telling when thats true or if the authentication daemon still needs time to start

L7 Applicator

@CLIq 

Please refer to this KB article.. it may be able to show you.. 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgWCAS

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Thanks @jdelio but that doesnt help me unfortunately, seems more like its not possible although i dont understand why panorama does not have the same command to output the config in xml format...

Cyber Elite
Cyber Elite

@CLIqhow about

reaper@pano> set cli config-output-format xml
reaper@pano> set cli pager off
reaper@pano> configure 
Entering configuration mode
[edit]                                                                                                                                                                                                             
reaper@pano# show
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper yes, that does not seem to show the complete configuration and cannot be used to restore panorama with a file.

anyways it seems that panorama does not support something like bootstrapping...

so basically I guess I am asking what the best way would be to automate backup and restore of panorama...

i was thinking about using set commands but then there is the problem of not being able to detect when you are able to login... if I script it and it keeps saying invalid credentials... i cant differentiate that from actually not being able to login...

has anyone even ever tried that and will the "show" with set commands actually restore the complete panorama configuration if entered on a "fresh" panorama?

@CLIq the automated daily ftp backup gets you an easy to use set of xml config that doesnt require any scripting. Once you fi d yourself in a situation where you need to recover from zero, grab the last config backup zip file, unpack, import and you're ready to go

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper Thanks but like I mentioned above, I need to do this without GUI and without network connections.

I can script it and I have access to the hypervisor and console of the Panorama.

so far the only option I see is to use the export as set commands (although i am not sure if a "show" will give you the complete panorama config as it does not if its in xml format) and then restore it the same way by entering those set commands... unfortunately the login prompt is **bleep**... so difficult to login with a script as you cannot know when the authdaemon is started.

any comments anyone? better idea? confirm any part of my hypothesis?

@CLIq  you dont  need the gui for this at all 🙂

The ftp export is a config you can put in, import can be achieved through scp or sftp

 

You may wanna reach out to your sales guys to submit a feature request 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper i dont need the gui but a network connection for this

Thanks, I wanted to see if there was any possibility as I doubt the feature request will be taken into consideration as this is not meant for production... anyways, will try.

Thanks

 as a further response...

seems the panorama has not been designed for such a use-case as without a valid license you cannot even enter most of the configuration...

was hoping that the licensing could be taken care of manually after the "automatic config restore"

  • 8140 Views
  • 11 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!