PAN OS - Backing up through XML API #440
It shouldn't be very hard to add Essentially to get this working, we'd add If we need to do per model ones, and same model must support
This isn't a novel request, we've added Also as I don't have any PanOS devices, maybe @rixxxx wants to chime in too.
What is the status here?
bump -- would also like this feature. As FTBZ mentioned, the PanOS method is a single URL containing an API key which returns the whole config as xml. Details can be found here: https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Backup-of-Config-Files-Periodically-wiithout-Panorama/ta-p/77312 Thanks for oxidized! :)
(There's somewhat good news buried halfway through this. Keep reading!) This probably isn't the best place to document this, but I can't find a really good spot, so, here we go. On my PA7050 (PANOS v9.1.6) XML output can theoretically also be accomplished by first sending "set cli config-output-format xml", at which point "show config running" is supposed to give you a dump of the XML config file. Unfortunately, this appears to simply not work for "show config running" which continues to emit JSON-format config.
I'd be happy to report the fact that In any case, this approach is also suboptimal because the userid used must have global configuration rights in order to enter "configure" mode in the root (non-vsys) context, and that's really bad practice. The good news is that there is a command that DOES affect the output of With that enabled:
I do not know what version of PANOS introduced Lastly, while my output looks sane, there's this in the 10.0 release notes:
so... ???? I think it's probably worth putting into PANOS-specific notes, at the very least, and possibly adding a config flag that toggles it on if desired. It's much more difficult for humans to read than the JSON or SET-style output, so some people may prefer the default json formatting.
Cool find! That's definitely some impressively creative abuse of the functionality PanOS offers. :-) Ultimately though, my (biased) opinion is that just backing up through the HTTPS API is probably a better, more sustainable method long term, as per PR #2360 that I put in just a few days ago. (That said, if you had posted this a week ago I probably wouldn't have bothered with my other solution.)
Oh, you're right about that - the API is a cleaner way to do it, for sure, esp. long term, given that CLIs make notoriously unstable APIs. There's a reason Ansible, e.g., is pushing the API route hard. However, there are various people (including me, in some spots) who can't do the HTTP APIs for one reason or another, so I think it's still worth documenting. There's documentation on how a user can extend the standard functionality, for example, on IOS; I think something similar would be appropriate. But... perl, no problem, python, maybe, ruby? forget it. I can do the text, but not code.
There is a PR #2360
@athompson-merlin (or anyone else finding this) below is a CLI based approach for pulling an XML config from PAN-OS using the workaround you found.

```ruby
require 'nokogiri'

# Oxidized model that asks PAN-OS for its running config as XML over SSH
# instead of the default JSON/set-style output.
class PanOSXML < Oxidized::Model
  # Operational-mode prompt, e.g. "admin@fw-lab>"
  prompt /^[\w.@:()-]+>\s?$/

  cmd 'show config running' do |cfg|
    # Drop the command echo and the trailing prompt, parse the remainder as
    # XML and keep only the <config> subtree of the API-style response.
    "<?xml version=\"1.0\"?>\n" +
      Nokogiri::XML(
        cfg.split("\n")[2..-2].join("\n")
      ).at('/response/result/config').to_xml(indent: 2)
  end

  cfg :ssh do
    post_login 'set cli pager off'
    # Switch operational-command output (show config running) to XML.
    post_login 'set cli op-command-xml-output on'
    pre_logout 'quit'
  end
end
```
I would love to try this!
No go, I'm consistently getting

```
Apr 05 17:23:57 oxidized.merlinoffice.local oxidized[1745319]: node {:name=>"XXXX", :model=>"panosxml", :username=>"XXXX", :password=>"XXXX", :vars=>{:enable=>nil, :ssh_kex=>nil, :ssh_host_key=>nil, :ssh_hmac=>nil, :ssh_encryption=>nil}} raised Oxidized::ModelNotFound with message 'panosxml not found for node 99.99.99.99'
```

for a router.db entry of: I've tried putting panosxml.rb in both /etc/oxidized/modules/ and in /usr/local/share/gems/gems/oxidized-0.28.0/lib/oxidized/model/ (just to see if it would work at all). Clearly I've missed something trivial but vital in enabling new models...
Ah, the problem is my Ruby is too old for nokogiri. And now begins the quest to fully reinstall Oxidized using a slightly newer Ruby, yay.
It needs to go in
I've found that panosxml.rb works on some of my devices but not others.
which... I'm guessing means there was a prior, uncaught XML parsing error??? The XML output does NOT work correctly from the CLI in v9.1.3 - that's the PA bug I discussed above, AFAICT - so I tried this slightly modified model that does it from

```ruby
require 'nokogiri'

# Variant of the PanOSXML model that reads the config from configuration
# mode ("configure" then "show") rather than from operational mode.
class PanOSXMLcfg < Oxidized::Model
  # Match both the operational (>) and configuration (#) prompts.
  prompt /^[\w.@:()-]+[#>]\s?$/

  cmd 'show' do |cfg|
    # Drop the command echo and the trailing prompt, parse the remainder as
    # XML and keep only the <config> subtree of the API-style response.
    "<?xml version=\"1.0\"?>\n" +
      Nokogiri::XML(
        cfg.split("\n")[2..-2].join("\n")
      ).at('/response/result/config').to_xml(indent: 2)
  end

  cfg :ssh do
    post_login 'set cli pager off'
    post_login 'set cli op-command-xml-output on'
    # Also switch configuration-mode output to XML, then enter configure mode
    # (which needs global configuration rights in the root context).
    post_login 'set cli config-output-format xml'
    post_login 'configure'
    pre_logout 'exit'
    pre_logout 'quit'
  end
end
```

...but with the exact same result. I've confirmed that the XML generated is well-formed, but I don't know enough about ruby to further diagnose why "to_xml" works on other targets but fails with a bizarre (to me) error on this one. Any suggestions?
FWIW,
The error occurs when calling to_xml. The only place that's done is here:
It's complaining because you can't call to_xml on nil. That suggests that What that's trying to do is to try to dig out the configuration which is merely part of the larger XML API response. For example:
So, whatever's happening, it's likely that the layout of the XML response is somehow different and no longer like the example skeleton below. To get further, you'd have to take a closer look at the structure of the XML being captured. |
Ah, found the problem. The Panorama deployment of PAN-OS v10 lacks the

```xml
<response>
  <result>
    <device-group>
      ...
    </device-group>
  </result>
</response>
<response>
  <result>
    <deviceconfig>
```

etc... it's a completely different XML structure than what PAN-OS on a firewall produces. I'll see if I can hack together a working model that accepts Panorama output.
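As an added example (not code from this thread or from Oxidized) of the failure mode worked out in the last few comments: `.at('/response/result/config')` returns nil whenever the `<config>` wrapper is absent, and calling `to_xml` on that nil is the error reported above. The helper below uses Ruby's standard-library REXML instead of the Nokogiri gem so it runs without extra gems, slices off the CLI framing exactly as the models do (`split("\n")[2..-2]`), serialises the firewall layout, and, as an assumption based on the Panorama skeleton above, wraps the sections found directly under `<result>` in a `<config>` element; any other layout raises a descriptive error instead of a nil dereference. The sample CLI outputs, hostnames and prompts are constructed.

```ruby
require 'rexml/document'
require 'rexml/formatters/pretty'

# Constructed sample of `show config running` on a firewall with
# `set cli op-command-xml-output on`: command echo, blank line, XML body,
# then the prompt. The first two and the last line are what the models
# discard with cfg.split("\n")[2..-2].
FIREWALL_OUTPUT = <<~OUT
  show config running

  <response status="success"><result><config version="9.1.0"><devices><entry name="localhost.localdomain"><deviceconfig><system><hostname>fw-lab</hostname></system></deviceconfig></entry></devices></config></result></response>
  admin@fw-lab>
OUT

# Constructed Panorama-style sample (assumed layout, after the skeleton in the
# thread): no <config> wrapper, sections sit directly under <result>.
PANORAMA_OUTPUT = <<~OUT
  show config running

  <response status="success"><result><device-group><entry name="branches"/></device-group><deviceconfig><system><hostname>panorama-lab</hostname></system></deviceconfig></result></response>
  admin@panorama-lab>
OUT

# Same slicing the Oxidized models use: drop the echoed command, the blank
# line after it, and the trailing prompt.
def strip_cli_framing(cli_output)
  cli_output.split("\n")[2..-2].join("\n")
end

# Pretty-print one element with an XML declaration, like the models'
# "<?xml version=\"1.0\"?>\n" + to_xml(indent: 2).
def serialise(element)
  out = +"<?xml version=\"1.0\"?>\n"
  formatter = REXML::Formatters::Pretty.new(2)
  formatter.compact = true
  formatter.write(element, out)
  out
end

# Returns [:firewall | :panorama, xml_string]. Raises REXML::ParseException on
# malformed XML and ArgumentError when no configuration can be located, so a
# caller sees what went wrong instead of "undefined method to_xml for nil".
def extract_config(cli_output)
  doc = REXML::Document.new(strip_cli_framing(cli_output))

  # Firewall layout: the whole running config lives under /response/result/config.
  config = REXML::XPath.first(doc, '/response/result/config')
  return [:firewall, serialise(config)] if config

  # Assumed Panorama layout: wrap whatever sections sit under <result>.
  result = REXML::XPath.first(doc, '/response/result')
  if result && result.has_elements?
    wrapper = REXML::Element.new('config')
    result.elements.each { |section| wrapper.add_element(section.deep_clone) }
    return [:panorama, serialise(wrapper)]
  end

  raise ArgumentError, 'no configuration element found under /response/result'
end

if __FILE__ == $PROGRAM_NAME
  [FIREWALL_OUTPUT, PANORAMA_OUTPUT].each do |sample|
    kind, xml = extract_config(sample)
    puts "== #{kind} =="
    puts xml
  end
end
```

Dropping the two functions into a model in place of the bare `.at(...).to_xml` call is one way to make the "works on some devices, not others" case report which layout it saw rather than crashing, and the explicit ArgumentError is what you would want surfaced in the Oxidized log when a new PAN-OS release changes the response structure again.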
Will this be included in oxidized? Would this method be preferred over the included logic for PANOS?
PAN OS comes with an excellent API that allows extraction of the configuration in XML format. The XML format is the only good way to back up a PAN OS device. The panos.rb is good to know when a device was modified, but can't be used to restore a device from scratch.
It would be great to add a generic device type that allows a backup from a URL and not standard ssh/telnet. The only needed variable in the case of PAN OS is the URL to download. The security is provided by a key gen that needs to be included in the URL.