DotW: Displaying the Configuration in a Friendly Format
Resolution
Do you need a way to convert the XML configuration from a Palo Alto Networks device into a friendly format?
Community member Apadilla asks the question, and we've got the answer in our Discussion of the Week (DotW):
There are several operation commands that can make life a little easier, depending on how you'd like to read a configuration file. In the default configuration, requesting the configuration from the system results in the XML format used by the system to interpret its configuration.
> configure
Entering configuration mode
[edit]
# show
deviceconfig {
  system {
    ip-address 10.0.0.254;
    netmask 255.255.255.0;
    update-server updates.paloaltonetworks.com;
    update-schedule {
      threats {
        recurring {
          daily {
            at 05:00;
            action download-and-install;
            disable-new-content no;
          }
        }
      }
      ...
Depending on your needs, it may be easier or more convenient to have the configuration output in a different format than the default XML. This is why the config output can be changed into set commands or JSON (JavaScript Object Notation) style output.
> set cli config-output-format
  default   default
  json      json
  set       set
  xml       xml
Configuration output in the form of set commands allows you to easily collect the configuration in a format that lends itself to easy reconfiguration of a fresh device.
You can simply list all the set commands from the configuration of your already configured firewall and store them in a text file. Next, you make alterations where needed, like the device IP, connect to the new device via CLI, enter configuration mode, and paste the list of set commands directly onto the new device. After a successful commit, the new device's configuration will be identical to the original config donor:
> set cli config-output-format set
> configure
Entering configuration mode
[edit]
# show
set deviceconfig system ip-address 10.0.0.254
set deviceconfig system netmask 255.255.255.0
set deviceconfig system update-server updates.paloaltonetworks.com
set deviceconfig system update-schedule threats recurring daily at 05:00
set deviceconfig system update-schedule threats recurring daily action download-and-install
set deviceconfig system update-schedule threats recurring daily disable-new-content no
set deviceconfig system update-schedule anti-virus recurring hourly action download-and-install
set deviceconfig system update-schedule wildfire recurring every-15-mins action download-and-install
set deviceconfig system timezone US/Pacific
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes
set deviceconfig system hostname PA-200
set deviceconfig system default-gateway 10.0.0.1
set deviceconfig system dns-setting servers primary 4.2.2.2
set deviceconfig system panorama-server 10.0.0.253
...
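The "make alterations where needed" step can be scripted so that no donor-specific value is pasted onto the new device by accident. The following is an added example, not part of the original article or a Palo Alto Networks tool; the function names and the new device's values are assumptions, and the sample input is constructed from the listing above.

```python
# Constructed sample: set commands copied from the listing in this article.
DONOR = """\
set deviceconfig system ip-address 10.0.0.254
set deviceconfig system netmask 255.255.255.0
set deviceconfig system service disable-telnet yes
set deviceconfig system hostname PA-200
set deviceconfig system default-gateway 10.0.0.1
set deviceconfig system panorama-server 10.0.0.253
"""

# Hypothetical values for the new device, keyed by configuration path.
OVERRIDES = {
    "deviceconfig system ip-address": "10.0.1.254",
    "deviceconfig system hostname": "PA-200-B",
    "deviceconfig system default-gateway": "10.0.1.1",
}


def retarget(set_text, overrides):
    """Rewrite the value of each overridden path; return (lines, unmatched)."""
    seen = set()
    out = []
    for line in set_text.splitlines():
        body = line.strip()
        # Match on "set <path> " so a path never matches a longer sibling name.
        hit = next((p for p in overrides if body.startswith(f"set {p} ")), None)
        if hit is None:
            out.append(line)  # untouched: other settings, prompts, "..."
        else:
            seen.add(hit)
            out.append(f"set {hit} {overrides[hit]}")
    # Overrides never seen in the input would silently not be applied.
    return out, sorted(set(overrides) - seen)


def donor_leftovers(lines, donor_values):
    """Return lines that still carry a donor-specific value as a whole token."""
    return [l for l in lines if any(v in l.split() for v in donor_values)]


if __name__ == "__main__":
    new_lines, unmatched = retarget(DONOR, OVERRIDES)
    print("\n".join(new_lines))
    print("overrides not applied:", unmatched)
    print("donor values remaining:",
          donor_leftovers(new_lines, ["10.0.0.254", "PA-200", "10.0.0.1"]))
```

Review both reports before pasting: a non-empty "overrides not applied" list means the new device would keep a default or donor value for that path.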
Using JSON, or JavaScript Object Notation, gives you a format that is easy for humans to read and write and easy for machines to parse:
> set cli config-output-format json
> configure
Entering configuration mode
[edit]
# show
{
  "system": {
    "ip-address": "10.0.0.254",
    "netmask": "255.255.255.0",
    "update-server": "updates.paloaltonetworks.com",
    "update-schedule": {
      "threats": {
        "recurring": {
          "daily": {
            "at": "05:00",
            "action": "download-and-install",
            "disable-new-content": "no"}
        }
      },
      "anti-virus": {
        "recurring": {
          "hourly": {
            "action": "download-and-install"}
        }
Another useful command controls the pager function. When you collect lengthy configuration output from the CLI into a text file, the text will easily be longer than a single screen or page, and page breaks may be a nuisance. The pager can be disabled to prevent the output from being paused after each page of text. By default, paging is enabled to allow for easier reading.
To turn paging off:
> set cli pager off
To turn it back on again:
> set cli pager on
Lastly, if you'd simply like to view the current running configuration in a web browser, you can request the XML output through the API:
First, generate the API key:
https://<IP>/api/?type=keygen&user=<id>&password=<pwd>
Copy the value of the <key> element from the response and add it to the command below:
https://<IP>/api/?type=op&cmd=<show><config><running></running></config></show>&REST_API_TOKEN=<key>
The above command now outputs the XML file in your browser window, which may also make it easier to interpret than through the CLI.
To view the original discussion, please follow this link: Tools to convert the xml PA configuration to friendly format
All comments or suggestions are encouraged.
Thanks for reading!
Tom Piens