Load config partial: Panorama - PaloAltoNetworks/iron-skillet GitHub Wiki
Using load config partial
The configuration file uses the xml format. Therefore each configuration element sits in the xml tree and is referenced by its xpath.
Using this concept, a template configuration file can be imported into Panorama or the firewall with only the referenced elements merged into the existing configuration. This is more modular than loading a full configuration file that replaces the existing configuration.
The syntax used for loading the templates is:
load config partial from {{filename}} from-xpath {{xpath}} to-xpath {{xpath}} mode merge
where {{filename}} is the xml file loaded into the device and {{xpath}} denotes what part of the configuration is being merged from the day one file to the candidate configuration.
Edit the configuration xml file
Load config partial will merge the configuration elements. However, there are parts of the configuration such as the management configuration interface that will be specific to each device.
The template uses {{ text }} markers in the config file to denote values that MUST be changed. During a commit, the device will show an error with the {{ text }} values in the error message.
It is recommended that the configuration elements containing {{ text }} markers be modified to match the desired device settings, or removed from the configuration file, before importing.
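A pre-import check for the recommendation above, as an added example that is not part of the iron-skillet project: it parses the config file, reports the xpath of every remaining {{ text }} marker, and lists which of this page's load config partial from-xpaths would carry one into the candidate configuration. The sample XML, its element values, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MARKER = re.compile(r"\{\{[^{}]+\}\}")  # an unresolved {{ text }} marker
DEV = "/config/devices/entry[@name='localhost.localdomain']"
# from-xpaths of the load config partial commands on this page, in load order
FROM_XPATHS = [DEV + "/deviceconfig/system", DEV + "/deviceconfig/setting",
               "/config/panorama/log-settings", DEV + "/template",
               DEV + "/device-group", "/config/shared",
               DEV + "/log-collector-group"]

# Constructed sample, NOT the real day one file; elements and values are illustrative.
SAMPLE = """<config><devices><entry name="localhost.localdomain">
  <deviceconfig><system>
    <hostname>{{ hostname }}</hostname>
    <timezone>UTC</timezone>
  </system></deviceconfig>
  <template><entry name="{{ template_name }}"/></template>
</entry></devices><shared><tag/></shared></config>"""

def find_markers(xml_text):
    """Return (xpath, marker) pairs for markers in element text and attributes."""
    hits = []
    def walk(elem, parent):
        name = elem.get("name")
        here = f"{parent}/{elem.tag}" + (f"[@name='{name}']" if name else "")
        hits.extend((here, m) for m in MARKER.findall(elem.text or ""))
        for attr, value in elem.attrib.items():
            hits.extend((f"{here}/@{attr}", m) for m in MARKER.findall(value))
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return hits

def blocked_loads(hits):
    """from-xpaths whose subtree still holds a marker, in load order."""
    return [x for x in FROM_XPATHS
            if any(p == x or p.startswith(x + "/") for p, _ in hits)]

if __name__ == "__main__":
    found = find_markers(SAMPLE)  # replace SAMPLE with the file's contents
    for xpath, marker in found:
        print(f"{marker:24} {xpath}")
    for xpath in blocked_loads(found):
        print("edit before loading:", xpath)
```

An empty result from find_markers means no marker is left to trigger the commit error described above.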
Import the Day One configuration: GUI
- Log into Panorama and click on the Device tab
- Select Setup in the left nav bar
- Click on the Operations tab
NOTE: You can perform a Save named configuration snapshot as backup prior to loading the new configuration
- Then Import named configuration snapshot choosing the day one config xml file
Load the configuration elements: CLI
- Log into the Panorama command line interface
- Enter configure to go into configuration mode
- Paste in each of the load config partial commands, in order
- Once complete use the GUI to verify the configuration elements have been loaded then commit
Load config partial commands
Cut-and-paste from the table below into the Panorama command line while in configuration mode.
You can paste multiple items. The system will pause during each load config partial, return a status message, then move to the next load. When complete, ensure the final load is entered and a status message received.
Command line items |
---|
load config partial from panorama_day_one_1.0.0.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/deviceconfig/system to-xpath /config/devices/entry[@name='localhost.localdomain']/deviceconfig/system mode merge |
load config partial from panorama_day_one_1.0.0.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/deviceconfig/setting to-xpath /config/devices/entry[@name='localhost.localdomain']/deviceconfig/setting mode merge |
load config partial from panorama_day_one_1.0.0.xml from-xpath /config/panorama/log-settings to-xpath /config/panorama/log-settings mode merge |
load config partial from panorama_day_one_1.0.0.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/template to-xpath /config/devices/entry[@name='localhost.localdomain']/template mode merge |
load config partial from panorama_day_one_1.0.0.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group mode merge |
load config partial from panorama_day_one_1.0.0.xml from-xpath /config/shared to-xpath /config/shared mode merge |
load config partial from panorama_day_one_1.0.0.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/log-collector-group to-xpath /config/devices/entry[@name='localhost.localdomain']/log-collector-group mode merge |
Configuration Elements Load Order Explained
Each xpath in the load config partial gives an indication of each element loaded. Below is a simple explanation of the configuration elements with key items in the xml load.
This uses an aggregate template loading module with multiple configuration elements contained under the template, device-group, and shared parts of the xml tree. The hierarchical nature of Panorama simplifies the configuration loading.
xpath suffix | description |
---|---|
panorama system | panorama specific dynamic updates, dns and ntp server settings |
panorama settings | enable reporting on groups and sharing of unused objects |
panorama log settings | syslog/email profiles and system, configuration logging |
template | test template configuration with device settings and zone profile |
device-group | reports, report groups, and email scheduler |
shared | profile object, rules, and other device-group 'top of tree' items |
log collector | settings for Panorama when used as a log collector |
Specific details about each configuration element in the template are found in the docs folder.