Level 9

Palo Alto FW config backups on NCM 7.1.1


I am running Palo Alto firewalls in our environment (PA-5060).  I am running an older version of NCM (7.1.1).

All of the templates I found on Thwack for any PaloAlto system seem to be for backing up the device configuration without the "Set" commands.

If you log into a Palo Alto and want to see all the rules you defined, it is my understanding you do the following:

Login to PA and do the following commands (">" and "#" are just showing if you are in config mode or not)

> set cli config-output-format set

> configure

Entering configuration mode

[edit]

# show

###RESPONSE WILL INCLUDE ALL THE SET COMMANDS####

I am new to the PAs and have not done much with NCM templates before, but this is proving to be more challenging than I would expect.  I have a support case open, but it seems like a lot of back and forth with little progress.

I think what is happening is NCM is looking to log into an SSH session and automate a request for config via the template variable named ${DownloadConfig}.  The problem is that unlike most appliances, you need to be in config mode to run this.  I've played some games with it to try and force it to run in config mode and then exit upon completion, but this has proved pointless.

From what I can gather, when NCM is pulling the information from the config request, it starts reading the response from device in sections and writes data to a buffer one line at a time removing any prompt that is in the response.  When it gets through the entire response, it should write it all to file.  Because I get out of config mode following the config retrieval, I have the exit command written following the show.  My variable then looks like this

configure${CRLF}show${CRLF}exit${CRLF}

I'm assuming that ${CRLF} is a  command to the shell that just sends the Keyboard Enter.

Regardless, when the config is downloaded, I get an error saying the config is being discarded or is too short.  My suspicion is that all the data collected to the buffer for the show command is overwritten when the exit command is run.  When exit is run, you get a one liner saying "Exiting configuration mode".  If this overwrites all the data you just put in the buffer, then the config would be too small and NCM rightfully objects to the commands.

I have been able to get this to work by playing with the template variable named RESET.  This variable allows you to set your term length to 0 or for PA, turn off your pager.  This is also where you have to run the command to change the format of output to set (set cli config-output-format set).  I added an extra part to this to bump you into config mode after setting the format for output.  By doing so, I am able to change my variable named DownloadConfig to be simply "show".

This works to capture the set commands as described, but I expect it will break anything else that NCM tries to read from the PA via SSH.  Specifically, anything that is received outside of config mode (for instance, show version, which on the PA is "show system info").

I have made a lot of assumptions when writing this up and I'm hoping that somebody out there has either run into this before or they can point out where my logic is flawed.

SolarWinds support does have an open case on this and I can post a follow up if a solution is met.

1 Solution
Level 9

According to SolarWinds Support, the version of NCM I am running is limited to how it can use the template to access the Palo Alto.  The support rep stated that this is a limitation to the logic NCM has at version 7.1.  Without upgrading to a later release (i.e. 7.4), there is no ability to go into configuration mode to gather information and then respond appropriately with the config backup.  The suggested work around was to change the variables named RESET and DownloadConfig to the following:

<Command Name="RESET" Value="set cli pager off${CRLF}set cli config-output-format set${CRLF}configure" />

<Command Name="DownloadConfig" Value="show "/>

The problem with using the above is that other commands that NCM can run will not work properly.  For instance, if you wanted to run a script, it may fail if anything within the script is run in a mode other than configuration mode.  Something as simple as the "show system information" command fails because the RESET causes you to start in configuration mode.

Seems like a big oversight, but I can't complain too much.  I am at least a year behind in updates.


0 Kudos
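
An added example (not part of the thread, and not SolarWinds or Palo Alto code): a Python check that pulls only the set-format lines out of a raw SSH transcript of the session described above and rejects a capture too short to be a backup. The transcript, the prompt pattern and the `MIN_SET_LINES` threshold are constructed assumptions.

```python
import re

# PAN-OS prompt: "user@host> " in operational mode, "user@host# " in configuration mode.
PROMPT = re.compile(r"^\S+@[^\s>#]+([>#])\s?(.*)$")
MIN_SET_LINES = 3  # hypothetical floor; pick one that fits your smallest real config

# Constructed session transcript (not captured from a real device).
SAMPLE = """\
admin@PA-5060> set cli pager off
admin@PA-5060> set cli config-output-format set
admin@PA-5060> configure
Entering configuration mode
[edit]
admin@PA-5060# show
set deviceconfig system hostname PA-5060
set network interface ethernet ethernet1/1 layer3 ip 192.0.2.1/24
set address web-srv ip-netmask 198.51.100.10/32
set rulebase security rules allow-web action allow
[edit]
admin@PA-5060# exit
Exiting configuration mode
admin@PA-5060>
"""

def extract_set_config(transcript):
    """Return the 'set' lines printed by `show` while in configuration mode."""
    config, capturing = [], False
    for raw in transcript.splitlines():
        line = raw.rstrip()
        prompt = PROMPT.match(line)
        if prompt:
            mode, command = prompt.groups()
            # Capture only the output of a bare `show` issued at the '#' prompt.
            # Echoed commands such as "set cli pager off" sit on prompt lines and are skipped.
            capturing = mode == "#" and command.strip() == "show"
        elif capturing and line.startswith("set "):
            config.append(line)
    return config

def validate_backup(transcript, min_lines=MIN_SET_LINES):
    """Reject captures that hold too few set commands to be a real backup."""
    config = extract_set_config(transcript)
    if len(config) < min_lines:
        raise ValueError(f"only {len(config)} set lines captured; backup looks truncated")
    return "\n".join(config) + "\n"

if __name__ == "__main__":
    print(validate_backup(SAMPLE), end="")
```
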
7 Replies
Level 12

I have updated an existing device template for Palo Alto 200 that does work successfully with show "set commands" in NCM here: Palo Alto_2050_200_250 - SET-1.3.6.1.4.1.25461.2.3.ConfigMgmt-Commands

0 Kudos

I hope that the upgrade resolves the issue. NCM 7.1.1 was released about three years ago.

Jiri

0 Kudos
Level 9

Well, after a bit of research on this, I found that my understanding of the CLI output format of set was a bit flawed.  Downloading the configuration from the Palo Alto via the standard commands of "show config running" or "show config candidate" within the non-config mode is a valid way of getting the same information that is in the method I described above, however, you do not get the same format.  The "set" method will give you commands you can cut and paste into the Palo Alto directly.  The "show config" method will give you the XML output of the configuration file.  The latter is a little less friendly if you want to copy paste into a CLI.

Regardless, the problem I have is still a problem.   I want to be able to get the "set" commands from a config backup.

On a side note, we are using Palo Alto Panorama on our FW deployments.  We can backup the config for Panorama as if it were another fw tied to NCM.  This allows us to capture anything pushed out via templates or policies.

0 Kudos

I know it may be a moot point, but have you thought about upgrading to NCM 7.4?  I have used Palo Altos in a previous position in SolarWinds and did not have too many issues with them.  Granted I was not using SolarWinds to do everything for me, but was able to automate some things.

0 Kudos

At some point I will upgrade NCM, but we have an FOE deployment that causes upgrades to be a 'not-so-friendly' process.  The more I read about FOE deployments, the more anxious I am becoming to get rid of it.  We have not had a lot of luck with the product and it seems to overcomplicate minor efforts like upgrading modules.  It is a shame that one of SolarWinds products can cause this level of grief.  We are multiple versions behind on all of our modules and the number 1 reason is a fear of how FOE will handle the upgrade.

Thanks for the suggestion though.

If you look at your config backups, are you seeing XML format or the SET commands?

0 Kudos

mbrison I do not have access to the Palo Altos any more.  Old job.... new job we used ASA....uuugggghhhhhh!

0 Kudos