Seeking sample PanOS XML file

We have made some progress on automating our PanOS firewall devices. I am working toward a system where the source of truth about the firewall is an XML file in a git repository. Each time we make a change, we make it as a pull request, then we load the entire XML file of the configuration into the devices.

I’m working in a test device with a minimal set of configuration. I exported the configuration, made some changes, and am trying to load the changed config back into the firewall device. I’ve tried loading the entire file with a panos_loadcfg task. I’ve tried using two tasks, one with panos_import and one with panos_loadcfg. I’ve tried using panos_op with a partial config file and an XML command.

The panos_import task succeeds, but the panos_loadcfg and panos_op tasks fail with the error "load -> config -> from is invalid" or "load -> config -> partial -> from is invalid". I’m not sure what this is telling me. Is the task not finding the file? (My repository has the XML files in the root directory and a playbook in a sub-directory called playbooks. The playbook refers to the files as ../filename.xml.) Or does it find the file but the XML is malformed in some way, and therefore invalid?

I’m sure I’m missing something simple. I’d like to compare my XML file with a valid example of PanOS configuration.

I’m looking for a working example of an XML file (with fake data - full config or partial config) and a task that successfully loads it. I’ve found some sample tasks, but none with matching sample XML files.

All help/pointers/ideas gratefully received!

Okay, I’m still not sure how to load a partial config file (if I specify the x-path, do I still include those fields in the XML?), but I did manage to get a working upload of a complete config file.

Here’s how I did it:

  • logged into the PanOS device
  • went to https://my-panos-device.org/api
  • selected Export and then configuration
  • clicked on the URL
  • copied the contents of the resulting XML file, which is formatted the way PanOS expects (no whitespace - I think indentation may have been the issue with my file before) into a file in my playbooks/ directory
  • made some changes to the XML so I could confirm that something had changed (this is in a TEST firewall, the rules aren’t being used at all)
  • updated my playbook to have three tasks: a panos_loadcfg one first, with ignore_errors: true set on it, then a panos_import task with register: result set on it, then another panos_loadcfg task using the registered variable.

The first loadcfg task failed, but the second one worked.
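
The three-task sequence described in the steps above, written out as an added example. It is not the poster's actual playbook. It assumes the paloaltonetworks.panos collection; the file name, the connection variables, the argument to the first panos_loadcfg task, and the use of `result.filename` as the registered value are assumptions, since the post does not show them.

```yaml
---
# Added example: file name, variable names and credentials are placeholders.
- name: Load a full PanOS configuration kept in the repository
  hosts: localhost
  connection: local
  gather_facts: false
  collections:
    - paloaltonetworks.panos
  vars:
    # Hypothetical file name; the post keeps the exported XML in playbooks/.
    config_file: "{{ playbook_dir }}/firewall-config.xml"
    provider:
      # Hypothetical variables, supplied from inventory or a vault.
      ip_address: "{{ panos_host }}"
      username: "{{ panos_user }}"
      password: "{{ panos_password }}"
  tasks:
    - name: First load attempt (the post reports this task failing)
      panos_loadcfg:
        provider: "{{ provider }}"
        # Assumption: the post does not say which value was passed here.
        file: "{{ config_file | basename }}"
      ignore_errors: true

    - name: Import the XML file onto the device
      panos_import:
        provider: "{{ provider }}"
        category: configuration
        file: "{{ config_file }}"
      register: result

    - name: Load the imported configuration using the registered variable
      panos_loadcfg:
        provider: "{{ provider }}"
        # Assumption: panos_import returns the on-device name as "filename".
        file: "{{ result.filename }}"
```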