How to delete configurations through the CLI

How to delete configurations through the CLI

20355
Created On 01/03/19 03:50 AM - Last Updated 02/08/19 21:25 PM


Objective
Removing configurations through the CLI can be challenging due to the PANOS command hierarchy.
By default, the CLI shows the configuration in PAN-OS format
admin@Lab196-118-PA-VM1> configure
Entering configuration mode
[edit]
admin@Lab196-118-PA-VM1# show
deviceconfig {
  system {
    ip-address 10.46.196.118;
    netmask 255.255.255.192;
    hostname Lab196-118-PA-VM1;
    default-gateway 10.46.196.65;
    ssh {
      ciphers {
        mgmt {
          aes128-cbc;
        }
      }
    }
...


Environment
Platforms running PAN-OS

Procedure
  1. Change the configuration output from 'default' to 'set'
admin@Lab196-118-PA-VM1> set cli config-output-format set
 
  1. Examine the configuration. Identify which configuration needs to be deleted by going into configuration mode and running 'show'
admin@Lab196-118-PA-VM1> configure
Entering configuration mode
[edit]
admin@Lab196-118-PA-VM1# show
set deviceconfig system ip-address 10.46.196.118
set deviceconfig system netmask 255.255.255.192
set deviceconfig system hostname Lab196-118-PA-VM1
set deviceconfig system default-gateway 10.46.196.65
set deviceconfig system ssh ciphers mgmt aes128-cbc
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-icmp no
...
 
  1. In this example, we will be removing a security policy called "No-facebook-app"
set rulebase security rules No-facebook-app to L3-Untrust
set rulebase security rules No-facebook-app from L3-Trust
set rulebase security rules No-facebook-app source any
set rulebase security rules No-facebook-app destination any
set rulebase security rules No-facebook-app source-user any
set rulebase security rules No-facebook-app category any
set rulebase security rules No-facebook-app application facebook
set rulebase security rules No-facebook-app service any
set rulebase security rules No-facebook-app hip-profiles any
set rulebase security rules No-facebook-app action deny
set rulebase security rules No-facebook-app disabled yes
 
  1. Copy the configuration to a notepad and replace the word set with delete (recommend the find and replace feature in notepad)
delete rulebase security rules No-facebook-app to L3-Untrust
delete rulebase security rules No-facebook-app from L3-Trust
delete rulebase security rules No-facebook-app source any
delete rulebase security rules No-facebook-app destination any
delete rulebase security rules No-facebook-app source-user any
delete rulebase security rules No-facebook-app category any
delete rulebase security rules No-facebook-app application facebook
delete rulebase security rules No-facebook-app service any
delete rulebase security rules No-facebook-app hip-profiles any
delete rulebase security rules No-facebook-app action deny
delete rulebase security rules No-facebook-app disabled yes
 
  1. Run the delete command to remove the security rule
[edit]
admin@Lab196-118-PA-VM1# delete rulebase security rules No-facebook-app
Note: Running each command may not be necessary. In this example, running the base of the command will work. 
 
  1. Commit the configuration and confirm the security rule no longer exists
admin@Lab196-118-PA-VM1# commit 



Commit job 24795 is in progress. Use Ctrl+C to return to command prompt
......55%70%99%......100%
Configuration committed successfully

[edit]
admin@Lab196-118-PA-VM1# show | match No-facebook-app
[edit]
admin@Lab196-118-PA-VM1#


Additional Information
At step 5, if the commands being pasted in exceed longer than 20 lines, recommend switching to scripting mode. Scripting mode allows copying and pasting commands from a text file directly into the CLI without the commands being truncated 
admin@Lab196-118-PA-VM1> set cli scripting-mode on
In scripting-mode, you cannot use Tab to complete commands or use ? to get help on command syntax. When you are done pasting commands, switch back to regular mode
admin@Lab196-118-PA-VM1> set cli scripting-mode off

Additional resources for reference:
Viewing the configuration in set and XML format
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHoCAK

How to view, create and delete security policies on the CLI
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaCCAS

How to delete the interface configuration from the CLI
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClM5CAK

*Please also see the CLI Quick Start guide for more information


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmW0CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments