Required role to do cli backups

What about using a tool like CatTools to capture the output of 'show config running' ? The readonly permissions lets the user run this command.

Hi Mike

From a RO account, there is the command "show config running" and the output is in xml format.

testadminro@Cantwell-PA-220> show config running

config {

preferences {
saved-log-query {
traffic {
h323 {
query "( addr.src in 172.17.13.13 ) and ( app neq dns ) and ( app neq dhcp ) and ( app neq ntp ) and ( receive_time geq '2019/01/14 16:59:32' )";
}
}
}
}
}
expedition {
permissions {
role-based {
superuser yes;
}
}
phash ********;
}
fred;
testadmin {
permissions {
role-based {
custom {

So, to summarize, there does not seem a good ability to load a config in "set" notation, but could export with 1000s of lines as XML.

Any other questions I can answer for you?

What are you saying here? Are you saying that if the config is exported as XML that there is no ability to restore it?

"So, to summarize, there does not seem a good ability to load a config in "set" notation, but could export with 1000s of lines as XML."

Hi @MikeSangray2019 

What I was suggesting is that config management is best done via the GUI vs from CLI.

You can properly create a customized role to allow export/import of config file, using WebUI.

But from CLI, you are very/extremely limited in permissions, hence very difficult, almost impossible, for config administration.

Hope this helps.

Do you know if the output of 'show config running' in an xml file can be used to restore the config?

Hi Mike.

I think I should clarify my comments, as I would not want to mislead information here.

The original request was that you wanted an admin-role from CLI that could do backups.

My interpretation was that you ONLY wanted the person to do backups and not have any other access.

That is not possible feasible to provide a RO account, with ability to export configs (or upload configs), whether that is a single line, or full config.

It is definitely possible to choose a CLI admin role of "device admin".  This will allow the user to do whatever they want from CLI, import/export, look at the config in "set" notation etc.  But it also comes with the ability to admin the entire firewall from CLI.

So, if you created a custom admin-role and remove all GUI privileges, then the person would not be able to log into the FW GUI to make changes.  On the flip side... by allowing them to be a device-admin from cli, allows them to manipulate the config to give them back permissions that were taken away from the GUI... well, see, that is not right either.

So, as an engineer, what to do.  My recommendation is create a GUI role (not from cli) that has access only to the Operations Tab... as such.

Everything (like EVERYTHING is disabled, so when a admin logs in.. only choice they have is the menu options under Operations.

Does this help you out a little more...  Don't restrict yourself to CLI only.  Learn what the UI can do, and allow UI access.

Much easier and you will keep your hair.  😛

The GUI was a limiting factor in this scenario, but thanks for the information. We're after an automated solution, so maybe Panorama or API.

With API and a small script works perfectly