Palo Alto Config Set Commands

By default Palo Alto Networks firewalls export their configuration as an XML file which is great however, I’m more used to set commands such as the ones commonly used in switches. Fortunately, there’s a way to have the best of both worlds.

In this post, I’ll show you step-by-step how to output the Palo Alto running config to set commands and show a way to export it.

The Process

• Connect to the firewall with SSH (I’ll be using PuTTY)
• Run the following command to change the command output from XML to set commands set cli config-output-format set

• Enter the configuration mode by running the following command configure

• Now when you run the show command it will show you the set command versions of the configuration.

Exporting

I wasn’t able to find a way to easily export the running config of PAN-OS in the set format without using paid tools like Kiwi CatTools however, I did find a workaround by using PuTYY logging.

• Configure your PuTTY session for logging

If you aren’t sure how to configure your session for logging my post Log PuTTY Output has all the details.

• Connect to the firewall with SSH
• Enter the following command to tell the firewall not to pause on each page of the output set cli pager off

• Now when you run the show command it will spit out the whole running config with no pauses.

A few things to note with the set command export, it isn’t perfect you can’t just paste the output of the set commands to configure a firewall the same way. For example, the output will list security rules with objects before it lists the set commands to create the objects.

It is a good starting point and I find it easier to read and parse. I’ve used this exact method to format my set commands for several Palo Alto firewall deployments. I still use this method for large changes.

If you want to read more about changing the configuration output here is the Palo Alto Networks official documentation about it.