[rancid] Palo Alto (Panorama) configuration

annie lee lsy.annie at gmail.com
Fri Jul 12 22:35:25 UTC 2019


Hi Chris,

I've made similar changes on v3.9 but am not getting the new 'merged' config
based on yours.
Below is the panw code I added:

panw;script;rancid -t paloalto
panw;login;panlogin
panw;module;panos
panw;inloop;panos::inloop
panw;command;panos::ShowInfo;show system info
panw;command;panos::ShowInventory;show chassis inventory
panw;command;panos::ShowConfig;show config merged

Unfortunately it still didn't capture the Panorama configs.

On Sat, Jul 13, 2019 at 3:58 AM Gauthier, Chris <cgauthier at comscore.com>
wrote:

> So, if you look at my posting below, I made a rather dumb copy/paste error
> in my ‘panw’ definition.  The first line should read:
>
>
>
> panw;script;rancid -t paloalto
>
>
>
> not:
>
> panw;script;rancid -t paloalto
>
>
>
>
>
> Thanks to Heasley for pointing that out!  I would have not seen that for a
> while.  Having changed the line as shown above, the ‘show config merged’
> now works great on Panorama-managed and non-managed PA devices.
>
>
>
> --Chris
> Chris​  Gauthier  Senior Network Engineer  |  Comscore
> t +1 *(503) 331-2704* <(503)%20331-2704>  |
> *cgauthier at comscore.com* <cgauthier at comscore.com>
> *comscore.com* <http://www.comscore.com/>
> ​​​This e-mail (including any attachments) may contain information that is
> private, confidential, or protected by attorney-client or other privilege.
> If you received this e-mail in error, please delete it from your system and
> notify sender.
>
> *From: *Rancid-discuss <rancid-discuss-bounces at shrubbery.net> on behalf
> of "Gauthier, Chris" <cgauthier at comscore.com>
> *Date: *Friday, July 12, 2019 at 9:24 AM
> *To: *annie lee <lsy.annie at gmail.com>
> *Cc: *"rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
> *Subject: *Re: [rancid] Palo Alto (Panorama) configuration
>
>
>
> I’m getting some interesting results in my testing.
>
>
>
> Rancid Version:  3.7
>
>
>
> I have a pair of PA-5050’s managed by Panorama that have been only getting
> the ‘show config running’ output (the limited output).  I made a new device
> type in etc/rancid.types.conf:
>
>
>
> panw;script;rancid -t paloalto
> panw;login;panlogin
> panw;module;panos
> panw;inloop;panos::inloop
> panw;command;rancid::RunCommand;set cli scripting-mode on
> panw;command;rancid::RunCommand;set cli pager off
> panw;command;panos::ShowInfo;show system info
> panw;command;panos::ShowConfig;show config merged
>
>
>
> This works well for my test unit (PA-220, unmanaged), but I am having
> problems with the PA-5050’s.
>
>
>
> For reference:  Here is the device type of “paloalto” in
> etc/rancid.types.base:
>
> paloalto;script;rancid -t paloalto
> paloalto;login;panlogin
> paloalto;module;panos
> paloalto;inloop;panos::inloop
> paloalto;command;rancid::RunCommand;set cli scripting-mode on
> paloalto;command;rancid::RunCommand;set cli pager off
> paloalto;command;panos::ShowInfo;show system info
> paloalto;command;panos::ShowConfig;show config running
>
>
>
> With the PA-5050’s, started with the following lines in router.db:
>
> pa-1.example.com;paloalto;up;PA-5050 ha pair
> pa-2.example.com;paloalto;up;PA-5050 ha pair
>
>
>
> They’ve been getting the limited output because of the show config running
> command and that they’re managed by Panorama.  I altered the router.db file
> to:
>
> pa-1.example.com;panw;up;PA-5050 ha pair
> pa-2.example.com;panw;up;PA-5050 ha pair
>
>
>
> I got the email that said the original devices were deleted and the new
> devices were added.
>
>
>
> - pa-1.example.com;paloalto;up;PA-5050
>
> - pa-2.example.com;panw;paloalto;up;PA-5050
>
> + pa-1.example.com;panw;up;PA-5050
>
> + pa-2.example.com;panw;panw;up;PA-5050
>
>
>
> I checked the config files after running rancid again a couple times and
> the config was unchanged.  The output captured doesn’t seem to have
> changed.  Next, I troubleshot it by doing ‘NOPIPE=yes rancid -d -t panw
> pa-1.example.com’ and reviewing the output.  It captured everything
> cleanly, as far as I can tell.  No errors.  It’s like the diff is not
> catching the difference in output?
>
>
>
> What might I try next?
>
>
>
> --Chris
>
>
>
>
>
>
> *From: *annie lee <lsy.annie at gmail.com>
> *Date: *Thursday, July 11, 2019 at 4:00 PM
> *To: *"Gauthier, Chris" <cgauthier at comscore.com>
> *Cc: *john heasley <heas at shrubbery.net>, "Anderson, Charles R" <
> cra at wpi.edu>, "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net
> >
> *Subject: *Re: [rancid] Palo Alto (Panorama) configuration
>
>
>
> Hi Chris,
>
>
>
> That's very kind of you to spend time doing that and thanks for that.
>
>
>
> Rgds
>
>
>
> On Fri, Jul 12, 2019 at 8:51 AM Gauthier, Chris <cgauthier at comscore.com>
> wrote:
>
> I’m working through that right now.
>
>
>
>
> *From: *annie lee <lsy.annie at gmail.com>
> *Date: *Thursday, July 11, 2019 at 2:43 PM
> *To: *"Gauthier, Chris" <cgauthier at comscore.com>
> *Cc: *john heasley <heas at shrubbery.net>, "Anderson, Charles R" <
> cra at wpi.edu>, "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net
> >
> *Subject: *Re: [rancid] Palo Alto (Panorama) configuration
>
>
>
> That's good to know on the new cli (show config merged will grab everything
> from the firewall and panorama).
>
> How do we add the cli and diff to rancid ??
>
>
>
> On Fri, Jul 12, 2019 at 4:20 AM Gauthier, Chris <cgauthier at comscore.com>
> wrote:
>
> Just validated the ‘show config merged’ command works with any PA
> firewall, managed by Panorama or not.
>
>
>
>
> *From: *Rancid-discuss <rancid-discuss-bounces at shrubbery.net> on behalf
> of "Gauthier, Chris" <cgauthier at comscore.com>
> *Date: *Thursday, July 11, 2019 at 11:16 AM
> *To: *john heasley <heas at shrubbery.net>, "Anderson, Charles R" <
> cra at wpi.edu>
> *Cc: *"rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
> *Subject: *Re: [rancid] Palo Alto (Panorama) configuration
>
>
>
> Yes, the command "show config merged" gives the locally-managed config
> output AND the configuration that is pushed out by Panorama. I'll make a
> custom device type and see how this works in my environment. If it works,
> I'll post the results here. I will also test with a non-Panorama-managed
> system.
>
> --Chris
>
>
> -----Original Message-----
> From: Rancid-discuss <rancid-discuss-bounces at shrubbery.net> on behalf of
> john heasley <heas at shrubbery.net>
> Date: Thursday, July 11, 2019 at 8:17 AM
> To: "Anderson, Charles R" <cra at wpi.edu>
> Cc: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
> Subject: Re: [rancid] Palo Alto (Panorama) configuration
>
> Thu, Jul 11, 2019 at 02:37:51PM +0000, Anderson, Charles R:
> > You can use "show config merged" to see the local device's config merged
> with the templates from Panorama.
>
> Does this work with "non-managed" (better term?) configs? And, was this
> command introduced recently?
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
>
>
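
An added example, not part of the thread and not rancid's own code: a small check that reports, for every `up` entry in router.db, which config command it ends up running, so a firewall that is still being backed up with `show config running` stands out. It assumes that the `-t` argument on a type's `script` line selects the type whose `command` lines are executed; the `panwx` type, the `pa-3` entry and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not rancid code. Assumption: the -t argument on a type's
# "script" line names the type whose "command" lines are actually run.

# effective_cmds TYPES_FILE ROUTER_DB
# Prints one line per "up" device: host;router.db type;effective type;config command
effective_cmds() {
    awk -F';' '
        NR == FNR {                      # first file: type definitions
            if ($0 ~ /^[ \t]*(#|$)/) next
            if ($2 == "script") {        # remember the type passed with -t
                n = split($3, w, /[ \t]+/)
                for (i = 1; i < n; i++)
                    if (w[i] == "-t") tflag[$1] = w[i + 1]
            }
            if ($2 == "command" && $3 ~ /::ShowConfig$/) cfg[$1] = $4
            next
        }
        /^[ \t]*(#|$)/ { next }          # second file: router.db
        $3 == "up" {                     # only "up" devices are collected
            eff = ($2 in tflag) ? tflag[$2] : "UNDEFINED"
            cmd = (eff in cfg) ? cfg[eff] : "NONE"
            print $1 ";" $2 ";" eff ";" cmd
        }
    ' "$1" "$2"
}

# Constructed sample input: the paloalto and panw lines are reduced from the
# definitions quoted in the thread; panwx and pa-3 are hypothetical.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/types" <<'EOF'
paloalto;script;rancid -t paloalto
paloalto;command;panos::ShowConfig;show config running
panw;script;rancid -t paloalto
panw;command;panos::ShowConfig;show config merged
panwx;script;rancid -t panwx
panwx;command;panos::ShowConfig;show config merged
EOF
    cat > "$d/router.db" <<'EOF'
pa-1.example.com;panw;up;PA-5050 ha pair
pa-2.example.com;panwx;up;PA-5050 ha pair
pa-3.example.com;paloalto;down;constructed entry
EOF
    effective_cmds "$d/types" "$d/router.db"
    rm -rf "$d"
}
demo
```

Run it against the concatenation of etc/rancid.types.base and etc/rancid.types.conf and a group's router.db; any line where the second and third fields differ is a device whose type definition is not the one being executed.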