How to Duplicate Device Groups on Panorama

Created On 09/25/18 19:36 PM - Last Modified 06/16/25 21:26 PM


Symptom


Device Groups (DG) in Panorama are used to build configurations that are shared among the managed firewalls. Policy and address object configurations are pushed to the managed firewalls within Device Groups.

At times, the Panorama administrator may need to clone a device group for efficiency and make further edits to customize the device group for a new set of managed firewalls. This task can be performed from the CLI using the method described below.

This process requires an administrator account with ‘superuser’ privileges to run the command and issue a commit.



Environment


  • Any Panorama
  • PAN-OS 8.1, 9.0, 9.1
Note: For PAN-OS 10.0, refer to the command provided in the Additional Information section.


Resolution


The command load config partial <attributes> can be used to merge the XML elements from a certain XPath in a Panorama configuration. Note the following when cloning a device group this way:
  1. The devices from the original device group will be moved to the new device group. For example, 36-AP-500 is being moved to DG_clone.
  2. The new device group's Parent Device Group will be Shared. If it needs to have the same parent as the original, go to Panorama > Device Groups > DG_clone in the GUI and change the Parent Device Group to the correct DG.

Details:

First, the configuration must be imported into Panorama. The configuration can be imported from the web-interface or the CLI. The example below will use the predefined ‘running-config.xml’ file which stores the current running configuration on the Panorama server. Whenever a successful commit is completed in Panorama, the configuration is saved to the ‘running-config.xml’ file.

Following is the snapshot of the Device Group, DG_1, as seen from the web-interface:

 

The Device Group DG_1 already exists in the Panorama running-config.xml file. This is the Device Group that will be cloned/duplicated, and the new DG will be named DG_clone. Run the following command to create DG_clone as a clone of DG_1:

> configure
# load config partial from running-config.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG_1'] to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG_clone'] mode merge

Config loaded from running-config.xml

[edit]
#
# exit

 

The above command uses 'running-config.xml' as the source configuration and DG_clone for the name of the newly created clone configuration. Enter the appropriate configuration file if different from 'running-config.xml'. The mode used in the command must be specified as ‘merge’ (as seen in the above example).

A new DG with the name, DG_clone, is created after the command above is performed. The following screenshot shows DG_clone in the list of Device Groups:

 



Additional Information


For PAN-OS 10.0, the command is slightly different: the source file argument (from running-config.xml) moves to the end of the command. See below.

admin@Panorama# load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='test_merge'] to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='test_merge_clone'] mode merge from running-config.xml

If you encounter the error message below, it is expected. It occurs because the device group was cloned and the devices were moved to a different group, which triggers this message. To resolve this issue, ensure the associated devices are correctly linked by editing the newly cloned device group and removing the devices.

Config loaded from running-config.xml
device-group -> D-LAB-FW-DG-CLONE -> devices -> 0119010xxxx -> vsys -> vsys1 'vsys1' is invalid. Failed to add device/vsys to device group
device-group -> D-LAB-FW-DG-CLONE -> devices -> 0119010xxxx -> vsys -> vsys1 vsys1  is invalid. Discarding
device-group -> D-LAB-FW-DG-CLONE -> devices -> 0119010yyyy -> vsys -> vsys1 'vsys1' is invalid. Failed to add device/vsys to device group
device-group -> D-LAB-FW-DG-CLONE -> devices -> 0119010yyyy -> vsys -> vsys1 vsys1  is invalid. Discarding
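
The following pre-check is an added example, not part of the original article or of any Palo Alto Networks tooling. Run against an exported copy of the configuration, it lists the device entries the clone will carry over from the source device group and reports whether the target name already exists, in which case the merge would land on an existing group rather than create a new one. The function name preflight_clone and the sample XML are constructed for illustration; the element layout is assumed from the XPaths and error output shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample following the XPaths used in this article; not a real export.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <device-group>
        <entry name="DG_1">
          <devices>
            <entry name="0000000000001"><vsys><entry name="vsys1"/></vsys></entry>
            <entry name="0000000000002"/>
          </devices>
        </entry>
        <entry name="DG_2"/>
      </device-group>
    </entry>
  </devices>
</config>"""

# Relative to the <config> root element (assumed layout, see lead-in).
DG_BASE = "devices/entry[@name='localhost.localdomain']/device-group"


def preflight_clone(config_xml, source_dg, target_dg):
    """Report what cloning source_dg to target_dg with 'mode merge' would touch."""
    root = ET.fromstring(config_xml)
    groups = root.find(DG_BASE)
    if groups is None:
        raise ValueError("no device-group container in this configuration")
    # Look names up in a dict instead of formatting them into an XPath
    # predicate, so quotes in a group name cannot alter the query.
    by_name = {e.get("name"): e for e in groups.findall("entry")}
    if source_dg not in by_name:
        raise ValueError(f"source device group {source_dg!r} not found")
    # These device/vsys entries are copied with the clone; they are what gets
    # moved to the new group (or rejected as invalid, as in the output above).
    members = []
    for dev in by_name[source_dg].findall("devices/entry"):
        vsys = [v.get("name") for v in dev.findall("vsys/entry")]
        members.append((dev.get("name"), vsys))
    return {"target_exists": target_dg in by_name,
            "devices_copied_with_clone": members}


if __name__ == "__main__":
    print(preflight_clone(SAMPLE_CONFIG, "DG_1", "DG_clone"))
```
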


 


