DotW: Displaying the Configuration in a Friendly Format

Created On 09/25/18 19:05 PM - Last Modified 06/13/23 16:38 PM


Resolution


Do you need a way to convert the XML configuration from a Palo Alto Networks device into a friendly format?

 

Community member Apadilla asks the question, and we've got the answer in our Discussion of the Week (DotW):

 


There are several operational commands that can make life a little easier, depending on how you'd like to read a configuration file. By default, requesting the configuration from the system returns it in the XML format the system uses to interpret its configuration.

 

> configure 
Entering configuration mode
[edit]                                                                                                                                                                 
# show 
deviceconfig {
  system {
    ip-address 10.0.0.254;
    netmask 255.255.255.0;
    update-server updates.paloaltonetworks.com;
    update-schedule {
      threats {
        recurring {
          daily {
            at 05:00;
            action download-and-install;
            disable-new-content no;
          }
        }
      }
...

 

Depending on your needs, it may be easier or more convenient to have the configuration output in a different format than the default XML. This is why the config output can be changed to set commands or JSON (JavaScript Object Notation) style output.

 

> set cli config-output-format 
  default   default 
  json      json 
  set       set 
  xml       xml 

 

Configuration output in the form of set commands allows you to collect the configuration in a format that lends itself to easy reconfiguration of a fresh device.

 

You can simply list all the set commands from the configuration of your already configured firewall and store them in a text file. Next, make alterations where needed, like the device IP, then connect to the new device via CLI, enter configuration mode, and paste the list of set commands directly onto the new device. After a successful commit, the new device's configuration will be identical to the original config donor:

 

> set cli config-output-format set
> configure 
Entering configuration mode
[edit]                                                                                                                                                                 
# show 
set deviceconfig system ip-address 10.0.0.254
set deviceconfig system netmask 255.255.255.0
set deviceconfig system update-server updates.paloaltonetworks.com
set deviceconfig system update-schedule threats recurring daily at 05:00
set deviceconfig system update-schedule threats recurring daily action download-and-install
set deviceconfig system update-schedule threats recurring daily disable-new-content no
set deviceconfig system update-schedule anti-virus recurring hourly action download-and-install
set deviceconfig system update-schedule wildfire recurring every-15-mins action download-and-install
set deviceconfig system timezone US/Pacific
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes
set deviceconfig system hostname PA-200
set deviceconfig system default-gateway 10.0.0.1
set deviceconfig system dns-setting servers primary 4.2.2.2
set deviceconfig system panorama-server 10.0.0.253
...
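The clean-up step described above, sketched in Python as an added example that is not part of the original article: it drops prompts from a captured session, replaces device-specific values, and lists lines that still reference the donor's old values. The function name, the new values and the `example-object` line are constructed for illustration.

```python
# Constructed capture of a CLI session like the one in this article. The
# "example-object" line is hypothetical and stands for any other reference
# to the donor's address.
CAPTURE = """\
> set cli config-output-format set
> configure
Entering configuration mode
[edit]
# show
set deviceconfig system ip-address 10.0.0.254
set deviceconfig system netmask 255.255.255.0
set deviceconfig system hostname PA-200
set deviceconfig system default-gateway 10.0.0.1
set deviceconfig system panorama-server 10.0.0.253
set example-object donor-ref 10.0.0.254
"""

def prepare_for_new_device(capture, overrides):
    """Return (set_lines, leftovers) for review before pasting.

    overrides maps a full leaf path ("deviceconfig system hostname") to its
    new value. A path that never matches raises KeyError, so a typo cannot
    silently leave the donor's value in place. leftovers are lines that
    still contain a replaced old value as a whole token.
    """
    pending, old_values, out = dict(overrides), [], []
    for raw in capture.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue  # prompts, "[edit]", banners and "..." are dropped
        for path in list(pending):
            prefix = f"set {path} "
            if line.startswith(prefix):
                old_values.append(line[len(prefix):])
                line = prefix + pending.pop(path)
                break
        out.append(line)
    if pending:
        raise KeyError(f"override paths not found: {sorted(pending)}")
    leftovers = [l for l in out if any(v in l.split() for v in old_values)]
    return out, leftovers

if __name__ == "__main__":
    lines, leftovers = prepare_for_new_device(CAPTURE, {
        "deviceconfig system ip-address": "10.0.0.200",
        "deviceconfig system hostname": "PA-200-B"})
    print("\n".join(lines))
    print("still referencing donor values:", leftovers)
```
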

 

Using JSON, or JavaScript Object Notation, gives you a format that is easy for humans to read and write and easy for machines to parse:

 

> set cli config-output-format json
> configure 
Entering configuration mode
[edit]                                                                                                                                                                 
# show 
{
"system":
{
"ip-address":
"10.0.0.254",
"netmask":
"255.255.255.0",
"update-server":
"updates.paloaltonetworks.com",
"update-schedule":
{
"threats":
{
"recurring":
{
"daily":
{
"at":
"05:00",
"action":
"download-and-install",
"disable-new-content":
"no"}
}
}
,
"anti-virus":
{
"recurring":
{
"hourly":
{
"action":
"download-and-install"}
}

 

Another useful command when processing lengthy configuration output from the CLI is control over the pager function. Output will easily be longer than a single screen or page, and page breaks may be a nuisance when collecting the configuration into a text file. The pager can be disabled so that the output is no longer paused after each page of text. By default, paging is enabled to allow for easier reading.

 

To turn paging off:
> set cli pager off
To turn it back on again:
> set cli pager on

 

Lastly, if you'd simply like to view the current running configuration in a web browser, you can request the XML output through the API:

 

First, generate the API key:

https://<IP>/api/?type=keygen&user=<id>&password=<pwd>

Copy the value of the <key> element from the response and add it to the command below:

https://<IP>/api/?type=op&cmd=<show><config><running></running></config></show>&key=<key>

The above command now outputs the XML file in your browser window, which may also make it easier to interpret than through the CLI.
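For XML saved from the API call above, a flattening pass gives a set-style view that is easy to grep and diff. This Python sketch is an added example, not Palo Alto Networks code; it approximates the set format (a named `entry` becomes its name, `member` lists become `[ a b ]`) and its output is meant for reading, not for pasting into a device. The sample XML is constructed, and its address group is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a running-config fragment; values come from
# this article, the address group is hypothetical.
SAMPLE_XML = """<config>
  <deviceconfig><system>
    <ip-address>10.0.0.254</ip-address>
    <hostname>PA-200</hostname>
    <service><disable-telnet>yes</disable-telnet></service>
    <dns-setting><servers><primary>4.2.2.2</primary></servers></dns-setting>
  </system></deviceconfig>
  <address-group><entry name="mgmt hosts"><static>
    <member>panorama</member><member>gateway</member>
  </static></entry></address-group>
</config>"""

def quote(token):
    """Quote tokens containing whitespace so each stays one CLI word."""
    return f'"{token}"' if any(c.isspace() for c in token) else token

def node_token(elem):
    """A named <entry> is a list item: its name stands in for the tag."""
    if elem.tag == "entry" and "name" in elem.attrib:
        return quote(elem.attrib["name"])
    return elem.tag

def flatten(elem, path):
    """Yield one set-style line per leaf below elem; path already names elem."""
    children = list(elem)
    head = " ".join(("set",) + path)
    if not children:  # leaf: path plus its text value
        text = (elem.text or "").strip()
        yield f"{head} {quote(text)}" if text else head
    elif all(c.tag == "member" for c in children):  # list of values
        values = [quote((c.text or "").strip()) for c in children]
        yield f"{head} [ {' '.join(values)} ]" if len(values) > 1 else f"{head} {values[0]}"
    else:
        for child in children:
            yield from flatten(child, path + (node_token(child),))

def xml_to_set_lines(xml_text):
    """Flatten every element under the document root into set-style lines."""
    root = ET.fromstring(xml_text)
    return [line for child in root for line in flatten(child, (node_token(child),))]

if __name__ == "__main__":
    print("\n".join(xml_to_set_lines(SAMPLE_XML)))
```

Both URLs above carry the password or the API key in the query string, so they are recorded in browser history and in any proxy or web-server logs along the path; treat the key as a credential and the saved XML as sensitive.
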

 

 

To view the original discussion, please follow this link: Tools to convert the xml PA configuration to friendly format

 

All comments or suggestions are encouraged.

 

Thanks for reading!

 

Tom Piens


