When working with Cisco devices anyone knows that the output of a “show running-config” on one device can be used to completely configure a new device. On a Palo Alto Networks firewall, this is not that obvious. There are several commands that must be used to achieve the same.
However, I tested this procedure a few times and it did NOT work. :( So, the short version is: If you want to replace a Palo Alto firewall, move your configuration files (xml) through the GUI or tftp/scp. But do not use the mere CLI.
The most common way to save a Palo Alto config is via the GUI at Device -> Setup -> Operations -> Export xyz. And even on the CLI, the running-config can be transferred via scp or tftp, such as scp export configuration from running-config.xml to username@host:path . This configuration file can be loaded into a new device, again, via the GUI (Import) or the CLI ( scp import configuration from username@host:path ).
However, to save the complete configuration in the “set” format, the following CLI commands must be used. The first one is used to output the configuration in single “set” lines (instead of XML blocks), and the second one switches the output to not stop after a few lines on the terminal. To capture long lines without a “carriage return”, the terminal width should be adjusted to the maximum of 500. Then, the “configure” command enters the configuration mode, while the “show” command displays the whole running configuration.
> set cli config-output-format set
> set cli pager off
> set cli terminal width 500
To load the config into a new device, a few commands must be used before. At first, the terminal width should be adjusted again. Furthermore, the scripting-mode must be enabled in order to send a bulk of CLI commands without an error. The reason for that is, that several objects are referenced in the configuration before they are added to the device. E.g., the set commands for the “security rules” are before the set commands for the “application groups”. That is, an application group is used by a security rule before it is added to the config. :(
Finally, the whole bunch of set commands from above can be pasted into the CLI session.
> set cli terminal width 500
> set cli scripting-mode on
# set ...
Errors, Errors, Errors
I wanted to load a complete configuration from a firewall to another. (Both firewalls were of the same type, OS version (6.0.x) and license.) I used the console port on the device. But even with the aforementioned commands that should make this procedure possible, I got only errors, such as: “Invalid syntax.” or “Unknown command: …”.
Furthermore, the terminal session looked like a complete chaos:
Server error : -> from 'trustL3' is not an allowed keyword
-> from 'trustL3' is not a valid reference
ir-update firefox-update google-update java-upd
Server error : -> to 'untrustL3' is not an allowed keyword
-> to 'untrustL3' is not a valid reference
ate ms-update ]
set application-group test-shar
admin@PA-5050# ed-appgroup [ 2ch-posting 4shared ]
Only use the complete XML-based configuration files and not the set commands!
Featured image “Fail” by Phanatic is licensed under CC BY-NC 2.0.
16 thoughts on “Palo Alto: Save & Load Config through CLI”
A wise alternative is the use of Panorama :)
Of course, there are some more options. However, the basic question was “how to configure a PA if ONLY the serial connection is present”. E.g., after an RMA case, the PA is naked in the rack without any Ethernet connection, but only with the serial port to the console/terminal server.
Nice article. Several of such errors are cause could be due to the ‘app and threat’ version being different (although you may have the same PANOS and license on it).
I was looking for the CLI command to load a previous version of the config and bumped into this article.
load config version ?
405 2016/10/10 22:57:26
406 2016/10/10 23:03:32
407 2016/10/11 13:50:41
408 2016/10/13 10:53:49
409 2016/10/13 11:18:56
load config version 406
I use a cluster of PA-2050’s.
I want to hard reset the passive one and reload the configuration on it.
Will the configuration files remain on the firewall after the hard reset?
Uh, sorry, but I am not quite sure. To my mind, they should be deleted when you are doing a real factory reset. (Via “maint” mode.) You should definitely save them first. ;)
We just got a new PA-820 at my office and I’m learning the ropes and so far I really like the PA platform. I do wonder though, coming from a Cisco ASA, does PA have a “reload in” command? If I’m working remotely, I don’t want to accidentally lock myself out. Cisco’s “reload in” was a handy safeguard. Thanks!
yes, that would be a really great feature. Unfortunately I am not aware of such a command. ;(
Just need to know how to restore configuration via CLI from .conf file. Do share any KB articles if any is present showing exact configuration from scratch.
Any way to convert .txt format to .xml and upload it on the firewall as it sometime shows some issue when we try to upload it
we have made good experiences when using the save/export options in the GUI (Device -> Setup -> Operations) for saving the xml configurtion, and load/import vice versa. Since loading another configuration into the firewall does not make the changes active immediately (you must commit them), you can easily review them.
I don’t know what you mean with “.conf” or “.txt” since these are suffixes that you have given and that are not coming from the Palo.
If you want to use the CLI you must use SCP such as shown here: https://weberblog.net/cli-commands-for-troubleshooting-palo-alto-firewalls/ (at Export/Import Files). Loading configurations merely via CLI is really hard as depicted in this blogpost already…
Hope that helps?
Thanks for the excellent article. What could be the ideal format to be used for taking configs backup and restoration. Is it .tgz format o .xml one. And is there any difference between these two when restoring the configs.
I am always using the .xml ones, mostly through the GUI since it works perfectly. And you can edit the XMLs in a notepad before loading them back into the Palos. Works quite good.
I am not aware of the .tgz format when talking about config backups. Where have you found them?
Anyone has done a PA cluster hardware migration from PA 5020 to 5220 and is there a specific process I need to follow?