Palo Alto Networks Knowledgebase: How to Load Partial Configurations

Created On 02/08/19 00:03 AM - Last Updated 02/08/19 00:03 AM
Content Release Deployment
Resolution

Details

PAN-OS allows loading part of a configuration file in three ways:

  1. Merge node at dst in x.xml onto node at src in candidate config.
    > configure
    # load config partial from x.xml from-xpath <path-to-src> to-xpath <path-to-dst> mode merge

  2. Replace node at src in candidate config with node at dst in x.xml.
    > configure
    # load config partial from x.xml from-xpath <path-to-src> to-xpath <path-to-dst> mode replace

  3. Append node at dst in x.xml UNDER node at src in candidate config.
    > configure
    # load config partial from x.xml from-xpath <path-to-src> to-xpath <path-to-dst> mode append

 

Scenario 1:

Device A has security rules that need to be merged with the rules currently on Device B, which currently has no security rules.

  1. Save and export config from Device A.
  2. Import the saved config file into Device B.
  3. In configuration mode, enter the following command:
    # load config partial from test.xml from-xpath devices/entry/vsys/entry/rulebase/security mode merge to-xpath /config/devices/entry/vsys/entry/rulebase/security
  4. Device B now has the same security rules as Device A.

 

Scenario 2:

Load the partial config for security policies from a firewall that only has one VSys to a firewall which has multiple VSys.

  1. Export the config of the firewall that has the rules to be loaded.
  2. Import the config to the firewall that needs the rules to be loaded.
  3. To merge the security policies, run the following command from the CLI:
    # load config partial from {file name, e.g. test.xml} mode merge from-xpath devices/entry/vsys/entry/rulebase/security to-xpath /config/devices/entry/vsys/entry[@name="vsys2"]/rulebase/security
  4. The above command loads the security policies from the default VSys1 into VSys2.

 

When loading security rules, make sure that the zones, objects, and so on used by those rules on the firewall the configuration is being loaded from are already configured on the firewall receiving the rules. Otherwise, they will show up as empty or none.
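The check below is an added example, not part of the original article or of any Palo Alto Networks tooling: it compares an exported source config with the destination config and lists, per security rule, the zones and address objects the destination lacks, so the gap is found before the partial load rather than after. Both XML documents are constructed samples, the function names are hypothetical, and the element layout (zone, address, address-group, rulebase/security/rules under each vsys entry) is an assumption about the exported config tree.

```python
import ipaddress
import xml.etree.ElementTree as ET

VSYS = "devices/entry/vsys/entry"  # same relative path as the article's from-xpath

# Constructed sample: config exported from the source firewall (Device A).
SOURCE_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
 <zone><entry name="trust"/><entry name="untrust"/><entry name="dmz"/></zone>
 <address><entry name="web-srv"><ip-netmask>10.0.5.10/32</ip-netmask></entry></address>
 <rulebase><security><rules>
  <entry name="allow-web"><from><member>untrust</member></from><to><member>dmz</member></to>
   <source><member>any</member></source><destination><member>web-srv</member></destination></entry>
  <entry name="allow-out"><from><member>trust</member></from><to><member>untrust</member></to>
   <source><member>10.0.0.0/8</member></source><destination><member>any</member></destination></entry>
 </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

# Constructed sample: destination firewall (Device B) with no dmz zone and no objects.
DEST_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
 <zone><entry name="trust"/><entry name="untrust"/></zone>
</entry></vsys></entry></devices></config>"""

def names(root, kind):
    """Names of the zone / address / address-group entries defined under the vsys."""
    return {e.get("name") for e in root.findall(f"{VSYS}/{kind}/entry")}

def is_literal(value):
    """True for 'any' or an inline IP/subnet (IP ranges are not handled here)."""
    try:
        return value == "any" or ipaddress.ip_network(value, strict=False) is not None
    except ValueError:
        return False

def missing_dependencies(source_xml, dest_xml):
    """Map each source rule to the zones/address objects the destination lacks."""
    src, dst = ET.fromstring(source_xml), ET.fromstring(dest_xml)
    zones = names(dst, "zone")
    objects = names(dst, "address") | names(dst, "address-group")
    report = {}
    for rule in src.findall(f"{VSYS}/rulebase/security/rules/entry"):
        gaps = [f"zone:{m.text}" for tag in ("from", "to")
                for m in rule.findall(f"{tag}/member")
                if m.text != "any" and m.text not in zones]
        gaps += [f"address:{m.text}" for tag in ("source", "destination")
                 for m in rule.findall(f"{tag}/member")
                 if not is_literal(m.text) and m.text not in objects]
        if gaps:
            report[rule.get("name")] = sorted(gaps)
    return report
```

For the sample pair, the report names rule allow-web as depending on zone dmz and address object web-srv, both of which would need to exist on Device B before the merge.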

 

owner: panagent


