Palo Alto: Save & Load Config through CLI

When working with Cisco devices anyone knows that the output of a “show running-config” on one device can be used to completely configure a new device. On a Palo Alto Networks firewall, this is not that obvious. There are several commands that must be used to achieve the same.

However, I tested this procedure a few times and it did NOT work. 🙁 So, the short version is: If you want to replace a Palo Alto firewall, move your configuration files (xml) through the GUI or tftp/scp. But do not use the mere CLI.

The most common way to save a Palo Alto config is via the GUI at Device -> Setup -> Operations ->  Export xyz. And even on the CLI, the running-config can be transferred via scp or tftp, such as scp export configuration from running-config.xml to username@host:path . This configuration file can be loaded into a new device, again, via the GUI (Import) or the CLI ( scp import configuration from username@host:path ).

Save

However, to save the complete configuration in the “set” format, the following CLI commands must be used. The first one is used to output the configuration in single “set” lines (instead of XML blocks), and the second one switches the output to not stop after a few lines on the terminal. To capture long lines without a “carriage return”, the terminal width should be adjusted to the maximum of 500. Then, the “configure” command enters the configuration mode, while the “show” command displays the whole running configuration.

 

And Load

To load the config into a new device, a few commands must be used before. At first, the terminal width should be adjusted again. Furthermore, the scripting-mode must be enabled in order to send a bulk of CLI commands without an error. The reason for that is, that several objects are referenced in the configuration before they are added to the device. E.g., the set commands for the “security rules” are before the set commands for the “application groups”. That is, an application group is used by a security rule before it is added to the config. 🙁

Finally, the whole bunch of set commands from above can be pasted into the CLI session.

 

Errors, Errors, Errors

I wanted to load a complete configuration from a firewall to another. (Both firewalls were of the same type, OS version (6.0.x) and license.) I used the console port on the device. But even with the aforementioned commands that should make this procedure possible, I got only errors, such as: “Invalid syntax.” or “Unknown command: …”.

Furthermore, the terminal session looked like a complete chaos:

 

Conclusion

Only use the complete XML-based configuration files and not the set commands!

6 thoughts on “Palo Alto: Save & Load Config through CLI

    1. Of course, there are some more options. However, the basic question was “how to configure a PA if ONLY the serial connection is present”. E.g., after an RMA case, the PA is naked in the rack without any Ethernet connection, but only with the serial port to the console/terminal server.

  1. Nice article. Several of such errors are cause could be due to the ‘app and threat’ version being different (although you may have the same PANOS and license on it).

  2. I was looking for the CLI command to load a previous version of the config and bumped into this article.

    configure
    load config version ?
    405 2016/10/10 22:57:26
    406 2016/10/10 23:03:32
    407 2016/10/11 13:50:41
    408 2016/10/13 10:53:49
    409 2016/10/13 11:18:56

    load config version 406
    commit

Leave a Reply

Your email address will not be published. Required fields are marked *