How to delete configurations through the CLI
Created On 01/03/19 03:50 AM - Last Modified 02/08/19 21:25 PM
Objective
Removing configurations through the CLI can be challenging because of the PAN-OS command hierarchy.
By default, the CLI shows the configuration in PAN-OS format:
admin@Lab196-118-PA-VM1> configure
Entering configuration mode
[edit]
admin@Lab196-118-PA-VM1# show
deviceconfig {
  system {
    ip-address 10.46.196.118;
    netmask 255.255.255.192;
    hostname Lab196-118-PA-VM1;
    default-gateway 10.46.196.65;
    ssh {
      ciphers {
        mgmt {
          aes128-cbc;
        }
      }
    }
    ...
Environment
Platforms running PAN-OS
Procedure
- Change the configuration output from 'default' to 'set'
admin@Lab196-118-PA-VM1> set cli config-output-format set
- Examine the configuration. Identify which configuration needs to be deleted by going into configuration mode and running 'show'
admin@Lab196-118-PA-VM1> configure
Entering configuration mode
[edit]
admin@Lab196-118-PA-VM1# show
set deviceconfig system ip-address 10.46.196.118
set deviceconfig system netmask 255.255.255.192
set deviceconfig system hostname Lab196-118-PA-VM1
set deviceconfig system default-gateway 10.46.196.65
set deviceconfig system ssh ciphers mgmt aes128-cbc
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-icmp no
...
- In this example, we will be removing a security policy called "No-facebook-app"
set rulebase security rules No-facebook-app to L3-Untrust
set rulebase security rules No-facebook-app from L3-Trust
set rulebase security rules No-facebook-app source any
set rulebase security rules No-facebook-app destination any
set rulebase security rules No-facebook-app source-user any
set rulebase security rules No-facebook-app category any
set rulebase security rules No-facebook-app application facebook
set rulebase security rules No-facebook-app service any
set rulebase security rules No-facebook-app hip-profiles any
set rulebase security rules No-facebook-app action deny
set rulebase security rules No-facebook-app disabled yes
- Copy the configuration into Notepad and replace the word 'set' with 'delete' (the find and replace feature in Notepad is recommended)
delete rulebase security rules No-facebook-app to L3-Untrust
delete rulebase security rules No-facebook-app from L3-Trust
delete rulebase security rules No-facebook-app source any
delete rulebase security rules No-facebook-app destination any
delete rulebase security rules No-facebook-app source-user any
delete rulebase security rules No-facebook-app category any
delete rulebase security rules No-facebook-app application facebook
delete rulebase security rules No-facebook-app service any
delete rulebase security rules No-facebook-app hip-profiles any
delete rulebase security rules No-facebook-app action deny
delete rulebase security rules No-facebook-app disabled yes
- Run the delete command to remove the security rule
[edit]
admin@Lab196-118-PA-VM1# delete rulebase security rules No-facebook-app
Note: Running each command may not be necessary. In this example, running the base of the command will work.
- Commit the configuration and confirm the security rule no longer exists
admin@Lab196-118-PA-VM1# commit
Commit job 24795 is in progress. Use Ctrl+C to return to command prompt
......55%70%99%......100%
Configuration committed successfully
[edit]
admin@Lab196-118-PA-VM1# show | match No-facebook-app
[edit]
admin@Lab196-118-PA-VM1#
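The find-and-replace step above can also be scripted. The following is an added example, not part of the original article: it turns saved set-format output into delete commands for one object, matching the object name as an exact token so that a similarly named rule is not swept up by a substring match. The function names, the No-facebook-app-v2 rule and the sample input are constructed for illustration, and object names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes object names
# contain no spaces, so each name is a single whitespace-separated token.

# Constructed sample of set-format output. The No-facebook-app lines follow
# the article; the No-facebook-app-v2 rule is made up for illustration.
sample_config() {
cat <<'EOF'
set deviceconfig system hostname Lab196-118-PA-VM1
set rulebase security rules No-facebook-app application facebook
set rulebase security rules No-facebook-app action deny
set rulebase security rules No-facebook-app disabled yes
set rulebase security rules No-facebook-app-v2 application facebook
set rulebase security rules No-facebook-app-v2 action deny
EOF
}

# set_to_delete "<path>" "<name>": read set-format config on stdin and print
# one delete command per line that belongs to exactly that object.
set_to_delete() {
    awk -v path="$1" -v name="$2" '
    BEGIN { n = split(path, p, " ") }
    $1 == "set" {
        for (i = 1; i <= n; i++) if ($(i + 1) != p[i]) next
        if ($(n + 2) != name) next          # exact token, not a substring
        sub(/^[ \t]*set[ \t]+/, "delete ")  # only the leading keyword
        print
    }'
}

# base_delete "<path>" "<name>": print the single base-level delete command,
# but only if the object actually appears in the input.
base_delete() {
    if [ -n "$(set_to_delete "$1" "$2")" ]; then
        printf 'delete %s %s\n' "$1" "$2"
    fi
}

sample_config | set_to_delete "rulebase security rules" "No-facebook-app"
sample_config | base_delete "rulebase security rules" "No-facebook-app"
```

Review the generated lines before pasting them into configuration mode, since a delete only takes effect on the running firewall after the commit.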
Additional Information
At step 5, if the commands being pasted in exceed 20 lines, switching to scripting mode is recommended. Scripting mode allows copying and pasting commands from a text file directly into the CLI without the commands being truncated.
admin@Lab196-118-PA-VM1> set cli scripting-mode on
In scripting mode, you cannot use Tab to complete commands or use ? to get help on command syntax. When you are done pasting commands, switch back to regular mode.
admin@Lab196-118-PA-VM1> set cli scripting-mode off
Additional resources for reference:
Viewing the configuration in set and XML format
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHoCAK
How to view, create and delete security policies on the CLI
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaCCAS
How to delete the interface configuration from the CLI
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClM5CAK
*Please also see the CLI Quick Start guide for more information