How to Load Partial Configurations

Created On 09/25/18 19:38 PM - Last Modified 05/28/25 09:40 AM


Environment


  • Palo Alto Firewall.
  • PAN-OS 9.0 and above.
  • Loading partial configuration using XML API


Resolution


Details

  • To retrieve the required XPATHs for a firewall:

    • Log in to the Web UI.

    • Navigate to: https://<FW-IP>/api

    • Scroll down to Configuration Commands and expand the relevant section:
      devices > [deviceconfig | network | platform | vsys]

    • Copy the appropriate XPATH and use it as the from-xpath or to-xpath as needed.


  • PAN-OS allows loading part of a configuration file in three ways:

Important: All uncommitted changes must be committed before performing load config to avoid losing uncommitted configuration.

  1. Merge the node at src in x.xml onto the node at dst in the candidate config.
    > configure
    # load config partial mode merge from-xpath <path-to-src> to-xpath <path-to-dst> from x.xml
  2. Replace the node at dst in the candidate config with the node at src in x.xml.
    > configure
    # load config partial mode replace from-xpath <path-to-src> to-xpath <path-to-dst> from x.xml
  3. Append the node at src in x.xml UNDER the node at dst in the candidate config.
    > configure
    # load config partial mode append from-xpath <path-to-src> to-xpath <path-to-dst> from x.xml

Scenario 1:

Device A has security rules that need to be merged with the rules currently on Device B, which currently has no security rules.

  1. Save and export config from Device A.
  2. Import the saved config file into Device B.
  3. In configuration mode, enter the following command:
    > configure
    # load config partial mode merge from-xpath devices/entry/vsys/entry/rulebase/security to-xpath /config/devices/entry/vsys/entry/rulebase/security from test.xml
    # commit
    # exit
    
  4. Device B now has the same security rules as Device A.

Scenario 2:

Load the partial config for security policies from a firewall that only has one VSys to a firewall that has multiple VSys.

  1. Export the config of the firewall that has the rules to be loaded.
  2. Import the config to the firewall that needs the rules to be loaded.
  3. To merge the security policies, run the following command from the CLI:
    > configure
    # load config partial mode merge from-xpath devices/entry/vsys/entry/rulebase/security to-xpath /config/devices/entry/vsys/entry[@name="vsys2"]/rulebase/security from {File name e.g test.xml}
    # commit
    # exit
    
  4. In the above command, we are loading the security policies from the default VSys1 to VSys2.

Important: When loading security rules, make sure that the zones, objects, and so on from the firewall the configuration is being loaded from are already configured. Otherwise the commit may fail, or these references may show up as empty or none.
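
A pre-load check for the note above, added here as an example and not part of the original article or of Palo Alto Networks' tooling: it compares the exported source configuration with the destination's configuration and lists, per security rule, the zones and address objects that the destination VSys lacks. Assumptions: only zones, address objects and address groups defined inside the VSys are checked (not shared objects, services or profiles), the function and variable names are hypothetical, and the sample XML is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

VSYS = "devices/entry/vsys/entry[@name='{}']"  # relative to the <config> root

def _names(vsys, tag):
    """Names of the entries configured under <tag> in a vsys element."""
    return {e.get("name") for e in vsys.findall(tag + "/entry")}

def _is_literal(value):
    """'any' or a literal IP/subnet needs no object (IP ranges are not handled)."""
    try:
        return value == "any" or ipaddress.ip_network(value, strict=False) is not None
    except ValueError:
        return False

def missing_references(src_xml, dst_xml, src_vsys="vsys1", dst_vsys="vsys1"):
    """Map rule name -> zones/address objects that the destination vsys lacks."""
    src = ET.fromstring(src_xml).find(VSYS.format(src_vsys))
    dst = ET.fromstring(dst_xml).find(VSYS.format(dst_vsys))
    if src is None or dst is None:
        raise ValueError("vsys not found in one of the configs")
    zones = _names(dst, "zone")
    addrs = _names(dst, "address") | _names(dst, "address-group")
    report = {}
    for rule in src.findall("rulebase/security/rules/entry"):
        missing = set()
        for tag, known in (("from", zones), ("to", zones), ("source", addrs), ("destination", addrs)):
            for member in rule.findall(tag + "/member"):
                name = (member.text or "").strip()
                if name not in known and not _is_literal(name):
                    missing.add(f"{tag}:{name}")
        if missing:
            report[rule.get("name")] = sorted(missing)
    return report

# Constructed sample configs, trimmed to the nodes this check reads.
WRAP = "<config><devices><entry name='localhost.localdomain'><vsys>{}</vsys></entry></devices></config>"
SRC = WRAP.format("<entry name='vsys1'><rulebase><security><rules>"
    "<entry name='allow-web'><from><member>trust</member></from><to><member>dmz</member></to>"
    "<source><member>any</member></source><destination><member>web-srv</member></destination></entry>"
    "<entry name='allow-dns'><from><member>trust</member></from><to><member>untrust</member></to>"
    "<source><member>10.1.0.0/16</member></source><destination><member>any</member></destination></entry>"
    "</rules></security></rulebase></entry>")
DST = WRAP.format("<entry name='vsys1'/><entry name='vsys2'><zone><entry name='trust'/>"
                  "<entry name='untrust'/></zone></entry>")

if __name__ == "__main__":
    print(missing_references(SRC, DST, dst_vsys="vsys2"))
```

An empty result means every zone and address reference in the source rules resolves in the destination VSys; anything listed should be created on the destination before running the load and commit.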




Additional Information


In PAN-OS 8.1 and below, the command format is a bit different, and the file name should be at the beginning of the command.

For example:

    # load config partial from x.xml from-xpath <path-to-src> to-xpath <path-to-dst> mode [replace|merge|append]

Also refer to:

  • Load a Partial Configuration
  • XPATH location formats
  • YouTube - Palo Alto Firewall Load Config Partial - Example


