Johannes Weber – Weberblog.net

Palo Alto: Save & Load Config through CLI

[Image: Palo Alto Save-Load Config 2]

Anyone who works with Cisco devices knows that the output of “show running-config” on one device can be used to completely configure a new device. On a Palo Alto Networks firewall this is not that obvious: several commands must be used to achieve the same.

However, I tested this procedure a few times and it did NOT work. :( So, the short version is: if you want to replace a Palo Alto firewall, move your configuration files (XML) through the GUI or via tftp/scp. But do not use the mere CLI.

The most common way to save a Palo Alto config is via the GUI at Device -> Setup -> Operations -> Export xyz. Even on the CLI, the running-config can be transferred via scp or tftp, such as “scp export configuration from running-config.xml to username@host:path”. This configuration file can be loaded into a new device, again via the GUI (Import) or the CLI (“scp import configuration from username@host:path”).

Save

However, to save the complete configuration in the “set” format, the following CLI commands must be used. The first one outputs the configuration as single “set” lines (instead of XML blocks), and the second one switches off the pager so that the output does not stop after a screenful of lines. Then, the “configure” command enters the configuration mode, while the “show” command displays the whole running configuration.

> set cli config-output-format set
> set cli pager off
> configure
# show


And Load

To load the config into a new device, a few commands must be issued beforehand. First, the terminal width should be increased so that long lines are captured without a “carriage return” on the terminal. Furthermore, scripting mode must be enabled in order to send a bulk of CLI commands without errors. The reason is that several objects are referenced in the configuration before they are added to the device, e.g. the set commands for the “security rules” come before the set commands for the “application groups”. That is, an application group is used by a security rule before it is added to the config. :(

Finally, the whole bunch of set commands from above can be pasted into the CLI session.

> set cli terminal width 500
> set cli scripting-mode on
> configure
# set ...
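The reference-before-definition problem described above can be checked before anything is pasted into the CLI. The following Python script is an added example and is not part of the original post nor code from Palo Alto Networks. It assumes PAN-OS 6.x style “set” lines (the sample dump below is constructed for this example and mirrors the errors shown later in the post) and uses an object-class priority that I chose for the reordering, not a documented PAN-OS order. It flags every security-rule line that references a zone, address, service or application group which is only defined further down in the dump, and it re-sorts the dump so that object definitions come before the rulebase.

```python
#!/usr/bin/env python3
"""Pre-flight lint and reorder for a Palo Alto 'set'-format config dump.

Assumed syntax (PAN-OS 6.x style, constructed for this example):
  set zone <name> network layer3 [ <iface> ... ]
  set application-group <name> [ <app> ... ]
  set rulebase security rules <rule> from|to <zone>
  set rulebase security rules <rule> application [ <app-or-group> ... ]
Limitation: names containing spaces (quoted in real dumps) are not handled.
"""
import re
import sys

# Assumed definition order: objects first, rulebase last. Unknown classes get 8.
PRIORITY = {
    "deviceconfig": 0, "network": 1, "zone": 2, "address": 3,
    "address-group": 4, "service": 5, "service-group": 6,
    "application-group": 7, "rulebase": 9,
}
OBJECT_KINDS = ("zone", "address", "address-group", "service",
                "service-group", "application-group")
# Which rule field references which object kind.
FIELD_KIND = {"from": "zone", "to": "zone", "application": "application-group",
              "source": "address", "destination": "address", "service": "service"}
_BRACKET = re.compile(r"\[\s*(.*?)\s*\]")

# Constructed sample dump: rules appear before the objects they reference.
SAMPLE = """\
set rulebase security rules allow-updates from trustL3
set rulebase security rules allow-updates to untrustL3
set rulebase security rules allow-updates application [ test-shared-appgroup web-browsing ]
set application-group test-shared-appgroup [ 2ch-posting 4shared ]
set zone trustL3 network layer3 [ ethernet1/1 ]
set zone untrustL3 network layer3 [ ethernet1/2 ]
""".splitlines()


def category(line):
    """Second token of a 'set' line, e.g. 'zone' or 'rulebase'."""
    tokens = line.split()
    return tokens[1] if len(tokens) >= 2 and tokens[0] == "set" else None


def definition(line):
    """(kind, name) defined by this line, or None if it defines no object."""
    t = line.split()
    if len(t) >= 3 and t[0] == "set" and t[1] in OBJECT_KINDS:
        return (t[1], t[2])
    return None


def references(line):
    """Yield (kind, name) pairs referenced by a security-rule line."""
    t = line.split()
    if len(t) < 7 or t[:4] != ["set", "rulebase", "security", "rules"]:
        return
    kind = FIELD_KIND.get(t[5])
    if kind is None:
        return
    rest = " ".join(t[6:])
    m = _BRACKET.search(rest)
    names = m.group(1).split() if m else [rest]
    for name in names:
        yield (kind, name)


def forward_references(lines):
    """Return (ref_line, kind, name, def_line) for each use that precedes its
    definition. Names never defined in the dump (built-in apps, 'any', IP
    literals) are not reported, so only real ordering problems show up."""
    defined_at = {}
    for i, line in enumerate(lines):
        d = definition(line)
        if d is not None and d not in defined_at:
            defined_at[d] = i
    problems = []
    for i, line in enumerate(lines):
        for ref in references(line):
            j = defined_at.get(ref)
            if j is not None and j > i:
                problems.append((i + 1, ref[0], ref[1], j + 1))
    return problems


def reorder(lines):
    """Stable sort by object-class priority so definitions precede the rulebase."""
    keyed = [(PRIORITY.get(category(l), 8), i, l)
             for i, l in enumerate(lines) if l.strip()]
    keyed.sort()
    return [l for _, _, l in keyed]


if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE
    for ref_line, kind, name, def_line in forward_references(lines):
        print(f"line {ref_line}: {kind} '{name}' used before its definition on line {def_line}")
    print("--- reordered ---")
    print("\n".join(reorder(lines)))
```

Run it without arguments to lint the constructed sample, or pass the file that holds the output of “show” in set format. The reordered dump is only a safer starting point: it does not change the fact that the author's CLI paste still failed, so the XML export remains the dependable path.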


Errors, Errors, Errors

I wanted to load a complete configuration from one firewall to another. (Both firewalls were of the same type, OS version (6.0.x), and license.) I used the console port on the device. But even with the aforementioned commands that should make this procedure possible, I got only errors, such as “Invalid syntax.” or “Unknown command: …”.

Furthermore, the terminal session looked like complete chaos:

admin@PA-5050# 
Server error :  -> from 'trustL3' is not an allowed keyword
 -> from 'trustL3' is not a valid reference
ir-update firefox-update google-update java-upd[edit]                                                                                                                                                                           
admin@PA-5050# 
Server error :  -> to 'untrustL3' is not an allowed keyword
 -> to 'untrustL3' is not a valid reference
ate ms-update ]
set application-group test-shar[edit]                                                                                                                                                                           
admin@PA-5050# ed-appgroup [ 2ch-posting 4shared ]
set appli
[edit]


Conclusion

Only use the complete XML-based configuration files and not the set commands!
