Use the load config partial command to copy a section of a configuration file in XML. The configuration can be:
A saved configuration file from a Palo Alto Networks firewall or from Panorama A local configuration (for example, running-confg.xml or candidate-config.xml) An imported configuration file from a firewall or Panorama
To load a partial configuration, you must identify the configuration file you want to copy from and, if it is not local, import it onto the device (see Use Secure Copy to Import and Export Files for an example of how to import a saved configuration).
If you are managing more than two or three firewalls, consider using Panorama for central management and monitoring of your firewalls.
To specify what part of the configuration to load, you must find the xpath location, which specifies the XML node in the configuration file you are loading from and the node in the local candidate configuration you are loading to.
The format of the command is:
admin@PA-3060# load config partial from <filename> from-xpath <source-xpath> to-xpath <destination-xpath> mode [append|merge|replace]
Use the information in the following topics to determine the appropriate Xpath location formats and use them to load a configuration object from one configuration to another:
Xpath Location Formats Determined by Device Configuration
You specify the source and destination of the load partial command using xpath locations, which specify the XML node in the configuration you are copying from ( from-xpath ) and the XML node in the candidate configuration you are copying to ( to-xpath ). Determining the correct xpath is a critical part of using this command. The following table shows the format for the from-xpath and to-xpath on different types of devices. Notice that the from-xpath begins at devices or shared , whereas the to-xpath begins with /config .
Type of Device Configuration Xpath Formats
Multi-vsys Firewall from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys-ID']/<object>
to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys-ID']/<object>
Single-vsys Firewall from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/<object>
to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/<object>
Panorama Shared Object from-xpath shared/<object>
to-xpath /config/shared/<object>
Panorama Device Group Object from-xpath /devices/entry[@name='localhost.localdomain']/device-group/entry[@name='device-group-name']/ <object>
to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name=' device-group- name ']/<object>
Load a Partial Configuration into Another Configuration Using Xpath Values
Load a Partial Configuration
Find the xpath values to use to load the partial configuration. Log in to the web interface on the device and go to the following URL: https://<device-ip-address>/api Select Configuration Commands. Drill down until you find the configuration object you want to load from one configuration to another. For example, to find the application group xpath on a multi-vsys firewall, you would select Configuration Commands > devices > localhost.localdomain > vsys > <vsys-name> > application-group. After you drill down to the node you want to load, make note of the XPath that is displayed in the text box.
You can also find the xpath from the CLI debug mode (use the operational mode command debug mode on to enable this), and then enter the configuration mode show command that shows the object you are interested in copying. For example, to see the xpath for the application object configuration in vsys1, you would use enter the show vsys vsys1 application command. Look for the section of the output that begins with <request cmd="get" obj=" . This signals the beginning of the xpath. In the following example, the highlighted section is the xpath for the application objects in vsys1: admin@PA-3060# show vsys vsys1 application (container-tag: vsys container-tag: entry key-tag: name value: vsys1 container-tag: application) ((eol-matched: . #t) (eol-matched: . #t) (eol-matched: . #t) (xpath-prefix: . /config/devices/entry[@name='localhost.localdomain']) (context-inserted-at-end-p: . #f)) /usr/local/bin/pan_ms_client --config-mode=default --set-prefix='set vsys vsys1 ' --cookie=2588252477840140 <<'EOF' |/usr/bin/less -X -E -M <request cmd="get" obj= "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application" ></request> EOF After you find the xpath for the node you want to load, identify the appropriate from- and to- Xpath Location Formats Determined by Device Configuration to load the partial configuration.
Use the load config partial command to copy sections of the configuration you just imported. For example, you would use the following command to load the application filters you configured on fw1 from a saved configuration file, fw1-config.xml , you imported from fw1 (a single-vsys firewall) to vsys3 on fw2. Notice that even though fw1 does not have multiple virtual system support, the xpath still points to the vsys1 (the default vsys ID on single-vsys firewalls): admin@fw2# load config partial from fw1-config.xml from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application-filter to-xpath/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys3']/application-filter mode merge The quotation marks around the hostname and the vsys name (if applicable) must be neutral. The command will fail if there are opened or closed quotation marks.
Commit Configuration Changes.

Recommended For You