set/commit

Like Juniper devices, the PAs let you enter changes, save them, and check that they will work, all without those changes taking effect. Then, when you're ready, you commit the changes and the system uses them as part of its running config.

Entering commands:

Use the following commands to enter changes to the current configuration.

configure:

To make any changes, you first need to enter configuration mode.

    admin@PA-500> configure
    Entering configuration mode
    [edit]
    admin@PA-500#

edit:

Rather than entering every set command and running every show statement from the root, you can move into the config tree and make changes or view the configuration from that point, without affecting the other sections of the config.

Batch file import: scripting-mode

If you want to paste a lot of set commands all at once, you can use the "scripting mode" option, which lets you paste many lines into the console without a lot of write-back from the terminal. This also removes syntax checking, tab-completion help and help via the "?" key, so when you are done, you might want to change back to the other method.

    admin@PA-500> set cli scripting-mode on
    admin@PA-500> configure
    Entering configuration mode
    [edit]
    admin@PA-500# # blablabla
    admin@PA-500# quit
    Exiting configuration mode
    admin@PA-500> set cli scripting-mode off
    admin@PA-500>

Checking change before submitting:

Before committing a change, you can validate it to ensure that there are no issues.

    admin@PA-500# validate full
    Validate job enqueued with jobid 2
    2
    [edit]
    admin@PA-500# exit
    Exiting configuration mode
    admin@PA-500> show jobs id 2

    Enqueued             ID  Type      Status  Result  Completed
    --------------------------------------------------------------------------
    2015/10/20 08:22:08  2   Validate  FIN     FAIL    08:22:13
    Warnings:
    Details:Validation Error:
     zone -> trust -> network -> virtual-wire 'ethernet1/2' is not a valid reference
     zone -> trust -> network -> virtual-wire is invalid
     zone -> trust -> network is invalid

Saving / Viewing changes:

check

The check command (in configuration mode) shows whether there are pending changes.

    admin@PA-500# check pending-changes
    no
    [edit]
    admin@PA-500#

commit:

As in JunOS, you commit your changes all at once (rather than one line at a time as you enter them).

Viewing Configs:

Show config: C-like format:

You can view the configs in a JSON/C style.

    admin@PA-500> set cli config-output-format default
    admin@PA-500> configure
    admin@PA-500# show
    deviceconfig {
      system {
        ip-address 192.168.1.1;
        netmask 255.255.255.0;
        update-server updates.paloaltonetworks.com;
        update-schedule {
          threats {
            recurring {
              weekly {
                day-of-week wednesday;
                at 01:02;
                action download-only;
              }
            }
          }
        }
        timezone US/Pacific;
        service {
          disable-telnet yes;
          disable-http yes;

Show config: set format:

You can view the configs in the set format, which is the way you would generally input them.

    admin@PA-500> set cli config-output-format set
    admin@PA-500> configure
    admin@PA-500# show
    set deviceconfig system ip-address 192.168.1.1
    set deviceconfig system netmask 255.255.255.0
    set deviceconfig system update-server updates.paloaltonetworks.com
    set deviceconfig system update-schedule threats recurring weekly day-of-week wednesday
    set deviceconfig system update-schedule threats recurring weekly at 01:02
    set deviceconfig system update-schedule threats recurring weekly action download-only
    set deviceconfig system timezone US/Pacific
    set deviceconfig system service disable-telnet yes
    set deviceconfig system service disable-http yes
    set deviceconfig system hostname PA-500
    set deviceconfig setting config rematch yes
    set deviceconfig setting management hostname-type-in-syslog FQDN
    set network interface ethernet ethernet1/1 virtual-wire
    set network interface ethernet ethernet1/2 virtual-wire
    set network interface loopback units
    set network interface vlan units
    set network interface tunnel units
    set network vlan

Show config: xml format:

You can also view the configs in XML format.

    admin@PA-500> set cli config-output-format xml
    admin@PA-500> configure
    <response status="success" code="19">
      <result total-count="1" count="1">
        <deviceconfig>
          <system>
            <ip-address>192.168.1.1</ip-address>
            <netmask>255.255.255.0</netmask>
            <update-server>updates.paloaltonetworks.com</update-server>
            <update-schedule>
              <threats>
                <recurring>
                  <weekly>
                    <day-of-week>wednesday</day-of-week>
                    <at>01:02</at>
                    <action>download-only</action>
                  </weekly>
                </recurring>
              </threats>
            </update-schedule>
            <timezone>US/Pacific</timezone>
            <service>

Show diff between candidate and running configs:

You can view the difference between the config changes that have been entered and the running config with the diff argument.

    admin@PA-500> show config diff
           disable-telnet yes;
           disable-http yes;
         }
    +    hostname PA-500;
       }
       setting {
         config {
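
The C-like and set views under "Viewing Configs" describe the same tree, so a saved C-like backup can be flattened to set lines offline and compared against a list of settings you expect to be present. This is an added example, not code from the original page or from Palo Alto Networks; it assumes every leaf ends in ";" as in the output shown, and `to_set_commands`, `missing_from`, `SAMPLE` and `BASELINE` are names chosen for this example.

```python
import re

# Tokens: a quoted string, one structural character ({ } ;), or a bare word.
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')

def to_set_commands(text):
    """Flatten brace-style config text into a list of 'set ...' lines."""
    path, depth, pending, out = [], [], [], []
    for tok in TOKEN.findall(text):
        if tok == "{":        # words since the last delimiter name the new node
            depth.append(len(pending))
            path.extend(pending)
            pending = []
        elif tok == ";":      # leaf: current path plus key and value
            out.append(" ".join(["set", *path, *pending]))
            pending = []
        elif tok == "}":      # leave the node opened by the matching "{"
            if not depth:
                raise ValueError("unbalanced '}'")
            path = path[:len(path) - depth.pop()]
            pending = []
        else:
            pending.append(tok)
    if depth:
        raise ValueError("unclosed '{'")
    return out

def missing_from(baseline, text):
    """Return the baseline set lines that the given config does not contain."""
    have = set(to_set_commands(text))
    return [line for line in baseline if line not in have]

# Constructed sample: values taken from the page's output, closing braces added.
SAMPLE = """deviceconfig { system {
    ip-address 192.168.1.1;
    update-schedule { threats { recurring { weekly {
        day-of-week wednesday; at 01:02; } } } }
    service { disable-telnet yes; disable-http yes; }
} }"""

# Constructed baseline for the comparison, built from set lines shown on the page.
BASELINE = [
    "set deviceconfig system service disable-telnet yes",
    "set deviceconfig system service disable-http yes",
    "set deviceconfig setting management hostname-type-in-syslog FQDN",
]

if __name__ == "__main__":
    print(*to_set_commands(SAMPLE), missing_from(BASELINE, SAMPLE), sep="\n")
```

Running the same comparison on a backup taken before and after a commit shows which expected lines a change dropped.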