Load Partial Config: merge vs append


When loading a partial config you have 3 options: replace, merge, append. I can't find a description anywhere as to what exactly each of these does! Especially between merge and append. I did see this KB article, but it really doesn't explain the ramifications of each of these choices, and neither does the CLI Guide.

 

KB Article referenced:  https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Load-Partial-Configurations/ta-p/625...

 

I'm doing an AppID optimization project using the Migration Tool 3.3.15 which does not export via API to PANOS 8.  Well, it does, it just can't parse the security policies and commit.  So, I'm going to import the changes manually using load partial config.  All I have to do is remove unused objects, create 1 new service-group and update the security rulebase.

 

Before I do this on a client's appliance, I was trying to figure out what exactly each of these options does so I can make an intelligent (at least somewhat intelligent ;-)) decision.

 

Replace:  My guess is this replaces the entire xpath section you reference in the call.  For instance,

 load config partial from x.xml from-xpath devices/entry/vsys/entry/rulebase/security mode replace to-xpath /config/devices/entry/vsys/entry/rulebase/security

This would replace everything in the security stanza with whatever exists in x.xml.

 

Append:  This would put everything in the security stanza in the file x.xml at the end of the existing ruleset and not overwrite what's there.  If this is true, what would happen if you had an entry that had the same name?  Would it just update it or overwrite it? Generate an error?

 

Merge:  This is the one that I have no idea how it would operate at all.

 

I'm leaning toward replace since I've got policies that were updated from services to AppID, I've got new policies, and some have been rearranged.

 

Thanks in advance!
