[rancid] Palo Alto (Panorama) configuration

annie lee lsy.annie at gmail.com
Wed Jul 10 23:23:20 UTC 2019


Hi John,

Thanks for your reply, and apologies for the typo on the paloalto type.
(1.1.1.1;paloalto;up)
Below is the sample config for one of the firewalls (removed all the IP
addresses).
Basically there are heaps more configs (routing, policy, NAT, virtual
router, etc.) I can see from the Panorama.
Not sure if it's similar to the F5 tweak where we need to add the partition
to grab the full configs.

Rgds

On Thu, Jul 11, 2019 at 7:42 AM john heasley <heas at shrubbery.net> wrote:

> Wed, Jul 10, 2019 at 11:53:42AM +1000, annie lee:
> > Hi All,
> >
> > Another question, just added a new PaloAlto to rancid (3.9) but not much
> > configuration is being backed up (not even interface addresses).
> > Does anything need to be changed/added to back up the entire configuration?
> >
> > 1.1.1.1;palo-alto;up
>
> Please use the built-in type for PAN: paloalto.  If that is still lacking,
> please be more specific about what commands are missing.  It collects
>
> show system info;show chassis inventory;show config running
>
-------------- next part --------------
!RANCID-CONTENT-TYPE: paloalto
!
#
#hostname: palo-fw01
#ip-address: 1.1.1.1
#public-ip-address: unknown
#netmask: 255.255.255.0
#default-gateway: 1.1.1.254
#ip-assignment: static
#ipv6-address: unknown
#ipv6-link-local-address: 
#ipv6-default-gateway: 
#mac-address: 
#family: 3000
#model: PA-3055
#serial: 
#cloud-mode: non-cloud
#sw-version: 8.1.6
#global-protect-client-package-version: 5.0.1
#url-db: paloaltonetworks
#global-protect-clientless-vpn-version: 0
#global-protect-clientless-vpn-release-date: 
#logdb-version: 8.1.8
#platform-family: 3000
#vpn-disable-mode: off
#multi-vsys: off
#operational-mode: normal
#
#
#

config {
  mgt-config {
    users;
  }
  shared {
    application;
    application-group;
    service;
    service-group;
    botnet {
      configuration {
        http {
          dynamic-dns {
            enabled yes;
            threshold 5;
          }
          malware-sites {
            enabled yes;
            threshold 5;
          }
          recent-domains {
            enabled yes;
            threshold 5;
          }
          ip-domains {
            enabled yes;
            threshold 10;
          }
          executables-from-unknown-sites {
            enabled yes;
            threshold 5;
          }
        }
        other-applications {
          irc yes;
        }
        unknown-applications {
          unknown-tcp {
            destinations-per-hour 10;
            sessions-per-hour 10;
            session-length {
              maximum-bytes 100;
              minimum-bytes 50;
            }
          }
          unknown-udp {
            destinations-per-hour 10;
            sessions-per-hour 10;
            session-length {
              maximum-bytes 100;
              minimum-bytes 50;
            }
          }
        }
      }
      report {
        topn 100;
        scheduled yes;
      }
    }
    authentication-profile;
    local-user-database {
      user;
    }
    server-profile {
      ldap;
    }
    authentication-sequence;
    content-preview {
      application-type {
        technology;
        category;
      }
      application;
    }
  }
  devices {
    localhost.localdomain {
      network {
        interface {
          ethernet;
          loopback {
            units;
          }
          vlan {
            units;
          }
          tunnel {
            units;
          }
        }
        vlan;
        virtual-wire;
        profiles {
          monitor-profile {
            default {
              interval 3;
              threshold 5;
              action wait-recover;
            }
          }
        }
        ike {
          crypto-profiles {
            ike-crypto-profiles {
              Suite-B-GCM-256 {
                encryption aes-256-cbc;
                hash sha384;
                dh-group group20;
                lifetime {
                  hours 8;
                }
              }
            }
            ipsec-crypto-profiles {
              Suite-B-GCM-128 {
                esp {
                  encryption aes-128-gcm;
                  authentication none;
                }
                dh-group group19;
                lifetime {
                  hours 1;
                }
              }
              Suite-B-GCM-256 {
                esp {
                  encryption aes-256-gcm;
                  authentication none;
                }
                dh-group group20;
                lifetime {
                  hours 1;
                }
              }
            }
            global-protect-app-crypto-profiles {
              default {
                encryption aes-128-cbc;
                authentication sha1;
              }
            }
          }
          gateway;
        }
        qos {
          profile {
            default {
              class {
                class1 {
                  priority real-time;
                }
                class2 {
                  priority high;
                }
                class3 {
                  priority high;
                }
                class4 {
                  priority medium;
                }
                class5 {
                  priority medium;
                }
                class6 {
                  priority low;
                }
                class7 {
                  priority low;
                }
                class8 {
                  priority low;
                }
              }
            }
          }
        }
        virtual-router {
          default {
            protocol {
              bgp {
                enable no;
                dampening-profile {
                  default {
                    cutoff 1.25;
                    reuse 0.5;
                    max-hold-time 900;
                    decay-half-life-reachable 300;
                    decay-half-life-unreachable 900;
                    enable yes;
                  }
                }
              }
            }
          }
        }
        tunnel {
          ipsec;
          global-protect-gateway;
          global-protect-site-to-site;
        }
      }
      deviceconfig {
        system {
          ip-address 172.1.0.9;
          netmask 255.255.255.0;
          update-server updates.paloaltonetworks.com;
          service {
            disable-telnet yes;
            disable-http yes;
          }
          default-gateway 172.1.0.1;
          panorama-server pan.fw.int;
          hostname m1-edge-pa01;
        }
        setting {
          config {
            rematch yes;
          }
          management {
            hostname-type-in-syslog FQDN;
          }
        }
        high-availability {
          interface {
            ha1 {
              ip-address 192.168.0.7;
              netmask 255.255.255.252;
              link-speed auto;
              link-duplex auto;
            }
            ha2 {
              link-speed auto;
              link-duplex auto;
            }
            ha1-backup {
              port ethernet1/11;
              ip-address 192.168.0.3;
              netmask 255.255.255.252;
            }
            ha2-backup {
              port ethernet1/12;
              ip-address 192.168.1.3;
              netmask 255.255.255.252;
            }
          }
          group {
            group-id 5;
            description palo-fw;
            peer-ip 1.1.1.88;
            monitoring {
              path-monitoring {
                enabled no;
              }
              link-monitoring {
                enabled no;
              }
            }
            configuration-synchronization {
              enabled yes;
            }
            mode {
              active-passive {
                passive-link-state auto;
              }
            }
            peer-ip-backup 1.1.1.8;
            election-option {
              heartbeat-backup yes;
              timers {
                recommended;
              }
            }
          }
          enabled yes;
        }
      }
      vsys {
        vsys1 {
          application;
          application-group;
          zone {
            trust {
              network {
                virtual-wire;
              }
            }
            untrust {
              network {
                virtual-wire;
              }
            }
          }
          service;
          service-group;
          schedule;
          rulebase {
            security {
              rules;
            }
          }
          group-mapping;
          import {
            network {
              interface;
            }
          }
          global-protect {
            global-protect-portal;
          }
        }
      }
    }
  }
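A post-collection sanity check, added here as an example and not part of rancid or of the original post: it parses the brace-style PAN-OS config that rancid saves and reports required sections that are absent or present only as a valueless stub (the `ethernet;` and `rules;` lines in the attachment are what an incomplete backup looks like). The required paths and the sample text are constructed assumptions, not taken from a real device.

```python
# Constructed sample shaped like the attached rancid output: 'rules;' is a
# valueless stub and no 'network' block was captured at all.
SAMPLE = """config {
  devices {
    localhost.localdomain {
      vsys {
        vsys1 {
          rulebase {
            security {
              rules;
            }
          }
        }
      }
    }
  }
}
"""
DEV = "config/devices/localhost.localdomain"
REQUIRED = [DEV + "/network/interface/ethernet",        # assumed must-have paths
            DEV + "/vsys/vsys1/rulebase/security/rules",
            DEV + "/vsys/vsys1"]

def parse_panos(text):
    """'k v;' -> value, 'k;' -> None (stub), 'k {' -> child dict; '#'/'!' lines skipped."""
    root = {}; stack = [root]
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#!": continue
        if line == "}": stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line.endswith(";"):
            key, _, value = line[:-1].strip().partition(" ")
            stack[-1][key] = value.strip() or None
    return root

def section_status(node, path):
    """'ok' for a value or non-empty branch, 'empty' for a stub, else 'absent'."""
    for part in path.split("/"):
        if not isinstance(node, dict) or part not in node:
            return "absent"
        node = node[part]
    return "empty" if node is None or node == {} else "ok"

def incomplete_sections(text, required=REQUIRED):
    # Map every required path that was not fully captured to the reason.
    tree = parse_panos(text)
    return {p: section_status(tree, p) for p in required
            if section_status(tree, p) != "ok"}
```

Run it over each saved config after a collection; a non-empty result means the backup job finished but did not capture everything you rely on.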

