A question in our discussion forum that caught my eye the other day was about copying a piece of configuration and pasting it onto another device. It sounds easier than it is, but it's not very difficult if you know how!
The premise was this question:
The answer came VERY quickly (29 minutes later):
You can read the conversation here: Any way to copy objects from one firewall pair to another?
And access the document here: Load a Partial Configuration
But let me break it down for you:
The configuration file is in XML format and each section of the configuration is located in its own "xpath." This is sort of a directory structure where everything is kept nice and tidy for the system to interpret once you hit the commit button.
This also means that you can grab one of the sections, or nodes, and implant it into the appropriate location on a different firewall.
From the CLI, you can navigate the configuration and even get the proper xpath if you enable these commands:
admin@ReaperGate> set cli config-output-format xml
admin@ReaperGate> debug cli on
You need to set the config output format to XML as the default is JSON, and enabling the debug will show the xpath (don't forget to turn this off again after you've got what you came for).
With these commands set, your config output will now look like this:
admin@ReaperGate> configure
() ((context-inserted-at-end-p: . #t))
Entering configuration mode
[edit]
admin@ReaperGate# show network interface
(container-tag: network container-tag: interface) ((eol-matched: . #t) (eol-matched: . #t) (xpath-prefix: . /config/devices/entry[@name='localhost.localdomain']) (context-inserted-at-end-p: . #f))
/usr/local/bin/pan_ms_client --config-mode=xml --set-prefix='set network ' --cookie=1793408030469599 <<'EOF' |sed 2>/dev/null -e 's/devices localhost.localdomain//' |/usr/bin/less -X -E -M
<request cmd="get" obj="/config/devices/entry[@name='localhost.localdomain']/network/interface"></request>
EOF
<response status="success" code="19">
  <result total-count="1" count="1">
    <interface>
      <ethernet>
        <entry name="ethernet1/1">
          <layer3>
            <ipv6>
              <neighbor-discovery>
                <router-advertisement>
                  <enable>no</enable>
                </router-advertisement>
              </neighbor-discovery>
            </ipv6>
            <ndp-proxy>
              <enabled>no</enabled>
            </ndp-proxy>
            <lldp>
              <enable>no</enable>
            </lldp>
            <dhcp-client/>
          </layer3>
        </entry>
      </ethernet>
    </interface>
  </result>
</response>
The value following obj in the <request> line is the xpath for the dataplane interfaces node.
Now that I have an easy way to find the xpath and verify the config snippet I'm about to extract, I can go ahead and collect the section I need. For example, I'd like to export my admin access security policy, so I can easily import it onto all my other firewalls.
admin@ReaperGate# show rulebase security rules AdminAccess
(container-tag: rulebase container-tag: security container-tag: rules container-tag: entry key-tag: name value: AdminAccess) ((eol-matched: . #t) (eol-matched: . #t) (xpath-prefix: . /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']) (context-inserted-at-end-p: . #f))
/usr/local/bin/pan_ms_client --config-mode=xml --set-prefix='set rulebase security rules ' --cookie=3511483105011606 <<'EOF' |sed 2>/dev/null -e 's/devices localhost.localdomain//' |/usr/bin/less -X -E -M
<request cmd="get" obj="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='AdminAccess']"></request>
EOF
<response status="success" code="19">
  <result total-count="1" count="1">
    <entry name="AdminAccess" uuid="8b9a89d6-5035-441a-b679-f85c3a87ac6d">
      <to>
        <member>trust</member>
      </to>
      <from>
        <member>HQvpn</member>
      </from>
      <source>
        <member>10.0.10.0/24</member>
      </source>
      <destination>
        <member>any</member>
      </destination>
      <source-user>
        <member>any</member>
      </source-user>
      <category>
        <member>any</member>
      </category>
      <application>
        <member>ssh</member>
      </application>
      <service>
        <member>application-default</member>
      </service>
      <hip-profiles>
        <member>any</member>
      </hip-profiles>
      <action>allow</action>
      <profile-setting>
        <group>
          <member>default</member>
        </group>
      </profile-setting>
    </entry>
  </result>
</response>
[edit]
Next, I can export a partial configuration, which I can import onto the target firewalls.
admin@ReaperGate# save config partial policy-and-objects excluded to polobj.xml
(container-tag: config container-tag: partial leaf-tag: policy-and-objects value: excluded pop-tag: leaf-tag: to value: polobj.xml pop-tag:) ((eol-matched: . #t) (context-inserted-at-end-p: . #f))
<request cmd="op" cookie="3511483105011606" uid="1000"><operations><save><config><partial><policy-and-objects>excluded</policy-and-objects></partial><to>polobj.xml</to></config></save></operations></request>
2019-07-11 06:13:29 <response status="success"><result>Config saved to polobj.xml</result></response>
Config saved to polobj.xml
[edit]
The config file can be moved off and onto the firewall with tftp or scp export/import, or via Export/Import on the web interface under Device > Setup > Operations.
admin@ReaperGate> tftp export configuration from polobj.xml to 10.0.0.12
Copy the part of the configuration you want onto the new firewall.
admin@ReaperGate2# load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='AdminAccess'] to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='AdminAccess'] mode merge from polobj.xml
(container-tag: config container-tag: partial leaf-tag: from-xpath value: /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='AdminAccess'] leaf-tag: to-xpath value: /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='AdminAccess'] leaf-tag: mode value: merge leaf-tag: from value: polobj.xml pop-tag: pop-tag:) ((eol-matched: . #t) (context-inserted-at-end-p: . #f))
<request cmd="op" cookie="3511483105011606" uid="1000"><operations><load><config><partial><from-xpath>/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='AdminAccess']</from-xpath><to-xpath>/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='AdminAccess']</to-xpath><mode>merge</mode><from>polobj.xml</from></partial></config></load></operations></request>
2019-07-11 06:28:01 <response status="success"><result><msg><line>Config loaded from polobj.xml</line></msg></result></response>
Config loaded from polobj.xml
[edit]
admin@ReaperGate2#
Disable the CLI debug.
admin@ReaperGate2# run debug cli off
(leaf-tag: cli value: off) ((eol-matched: . #t) (cli-handler: . debug-cli-handler) (context-inserted-at-end-p: . #f))
[edit]
Verify the config was imported properly.
admin@ReaperGate2# show rulebase security
<response status="success" code="19">
  <result total-count="1" count="1">
    <security>
      <rules>
        <entry name="AdminAccess" admin="admin" dirtyId="7" time="2019/07/11 06:27:59" uuid="41823b0d-5b37-490b-9485-21af6d01ee69">
          <to>
            <member>trust</member>
          </to>
          <from>
            <member>HQvpn</member>
          </from>
          <source>
            <member>10.0.10.0/24</member>
          </source>
          <destination>
            <member>any</member>
          </destination>
          <source-user>
            <member>any</member>
          </source-user>
          <category>
            <member>any</member>
          </category>
          <application>
            <member>ssh</member>
          </application>
          <service>
            <member>application-default</member>
          </service>
          <hip-profiles>
            <member>any</member>
          </hip-profiles>
          <action>allow</action>
          <profile-setting>
            <group>
              <member>default</member>
            </group>
          </profile-setting>
        </entry>
      </rules>
    </security>
  </result>
</response>
[edit]
Commit the changes.
admin@ReaperGate2# commit
Commit job 9 is in progress. Use Ctrl+C to return to command prompt
....70%99%.....100%
Configuration committed successfully
[edit]
admin@ReaperGate2# run show running security-policy
"AdminAccess; index: 1" {
        from HQvpn;
        source 10.0.10.0/24;
        source-region none;
        to trust;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service 0:ssh/tcp/any/22;
        action allow;
        icmp-unreachable: no
        terminal yes;
}
Here are a few tips and caveats:
You can copy the entire security rulebase, rather than a single rule, by using the xpath of the parent node:
/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules
You can even copy all of the rulebases, including NAT and QoS, by going up one more level:
/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase
Use the CLI debug and the "show" command in config mode to double check the xpath and content of any section you want to copy.
The to-xpath does not have to match the from-xpath; for example, this loads the vsys1 rulebase into vsys2:
admin@ReaperGate2# load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/ to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys2']/rulebase mode merge
The mode controls what happens when the node already exists on the target:
Merge will try to merge two existing nodes when possible (i.e., if a rule with the same name already exists, merge will try to add the attributes into the existing rule).
Replace will replace any existing node in favor of the new node.
Append will try to add the node, but will fail if an identical node already exists.
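To make the xpath structure and the three load modes concrete, here is an added example that is not part of the original post or of PAN-OS itself. It builds two constructed config trees (a polobj.xml-style export carrying the AdminAccess rule, and a target firewall that already has a different rule of the same name), resolves PAN-OS absolute xpaths with Python's ElementTree, and applies the merge, replace and append behaviour described above to the target tree. The helper names (find_node, load_partial, missing_zones, rule_names), the sample XML and the "Outbound" rule are all assumptions for the demo; the merge semantics are modelled on the description in this post, not copied from the firewall's implementation.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample: a partial export from the source firewall (polobj.xml-style)
# carrying the AdminAccess rule shown earlier in the post.
SOURCE_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase><security><rules>
    <entry name="AdminAccess">
      <to><member>trust</member></to>
      <from><member>HQvpn</member></from>
      <source><member>10.0.10.0/24</member></source>
      <destination><member>any</member></destination>
      <application><member>ssh</member></application>
      <service><member>application-default</member></service>
      <action>allow</action>
    </entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

# Constructed sample: the target firewall. It already has a rule called AdminAccess
# with a different source, and it defines only the "trust" zone.
TARGET_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <zone><entry name="trust"/></zone>
  <rulebase><security><rules>
    <entry name="AdminAccess">
      <source><member>192.168.1.0/24</member></source>
      <description>old rule</description>
    </entry>
    <entry name="Outbound"><action>allow</action></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

RULES_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
               "/vsys/entry[@name='vsys1']/rulebase/security/rules")
RULE_XPATH = RULES_XPATH + "/entry[@name='AdminAccess']"


def find_node(root, xpath):
    """Resolve a PAN-OS absolute xpath against an ElementTree root element.

    ElementTree only takes relative paths (with [@attr='value'] predicates), and
    the root element is <config> itself, so the leading '/config/' is stripped.
    """
    if not xpath.startswith("/config/"):
        raise ValueError("expected an absolute xpath under /config")
    return root.find("./" + xpath[len("/config/"):])


def load_partial(src_root, dst_root, from_xpath, to_xpath, mode):
    """Apply the source node to the target tree the way the post describes the modes.

    merge   - node exists: fold the source's children into it (same-tag children
              are overwritten, new ones added); otherwise just add the node
    replace - drop any existing node and insert a copy of the source node
    append  - add the node, but fail if one with that name is already there
    """
    src = find_node(src_root, from_xpath)
    if src is None:
        raise LookupError("from-xpath not found in source: " + from_xpath)
    parent = find_node(dst_root, to_xpath.rsplit("/", 1)[0])
    if parent is None:
        raise LookupError("parent of to-xpath not found in target")
    new = copy.deepcopy(src)
    existing = find_node(dst_root, to_xpath)
    if existing is None:
        parent.append(new)
    elif mode == "merge":
        for child in new:
            old = existing.find(child.tag)
            if old is not None:
                existing.remove(old)
            existing.append(child)
    elif mode == "replace":
        parent.remove(existing)
        parent.append(new)
    elif mode == "append":
        raise ValueError("append failed, node already exists: " + to_xpath)
    else:
        raise ValueError("unknown mode: " + mode)
    return dst_root


def missing_zones(dst_root, rule_xpath):
    """Zones a loaded rule references that the target vsys does not define.

    The partial load itself does not validate references; the commit does, so
    checking this before committing avoids a failed commit on the target.
    """
    rule = find_node(dst_root, rule_xpath)
    vsys = find_node(dst_root, rule_xpath.split("/rulebase/")[0])
    defined = {z.get("name") for z in vsys.findall("./zone/entry")}
    wanted = {m.text for m in rule.findall("./from/member") + rule.findall("./to/member")}
    return sorted(wanted - defined - {"any"})


def rule_names(root, rules_xpath):
    """Rule names under a rules node, in rulebase order."""
    return [e.get("name") for e in find_node(root, rules_xpath).findall("./entry")]


if __name__ == "__main__":
    src = ET.fromstring(SOURCE_XML)
    for mode in ("merge", "replace", "append"):
        dst = ET.fromstring(TARGET_XML)
        try:
            load_partial(src, dst, RULE_XPATH, RULE_XPATH, mode)
            print(mode, rule_names(dst, RULES_XPATH), "missing zones:", missing_zones(dst, RULE_XPATH))
        except ValueError as err:
            print(mode, "->", err)
```

Running it shows the three outcomes side by side: merge keeps the target's old description but overwrites the source address, replace drops the old rule entirely (and moves it to the end of the rulebase, which matters for rule ordering), and append refuses because the name collides. In every case the copied rule references the HQvpn zone, which the target does not define, which is exactly the kind of thing the "verify the config was imported properly" step and the commit will surface.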
Hope this was helpful! Feel free to leave a comment below
Reaper out