I am running Palo Alto firewalls in our environment (PA-5060). I am running an older version of NCM (7.1.1).
All of the templates I found on Thwack for any Palo Alto system seem to be for backing up the device configuration without the "Set" commands.
If you log into a Palo Alto and want to see all the rules you defined, it is my understanding you do the following:
Log in to the PA and run the following commands (">" and "#" are just showing if you are in config mode or not):
> set cli config-output-format set
> configure
Entering configuration mode
[edit]
#show
###RESPONSE WILL INCLUDE ALL THE SET COMMANDS####
I am new to the PAs and have not done much with NCM templates before, but this is proving to be more challenging than I would expect. I have a support case open, but it seems like a lot of back and forth with little progress.
I think what is happening is NCM is looking to log into an SSH session and automate a request for config via the template variable named ${DownloadConfig}. The problem is that unlike most appliances, you need to be in config mode to run this. I've played some games with it to try and force it to run in config mode and then exit upon completion, but this has proved pointless.
From what I can gather, when NCM is pulling the information from the config request, it starts reading the response from the device in sections and writes data to a buffer one line at a time, removing any prompt that is in the response. When it gets through the entire response, it should write it all to file. Because I get out of config mode following the config retrieval, I have the exit command written following the show. My variable then looks like this:
configure${CRLF}show${CRLF}exit${CRLF}
I'm assuming that ${CRLF} is a command to the shell that just sends the Keyboard Enter.
Regardless, when the config is downloaded, I get an error saying the config is being discarded or is too short. My suspicion is that all the data collected to the buffer for the show command is overwritten when the exit command is run. When exit is run, you get a one-liner saying "Exiting configuration mode". If this overwrites all the data you just put in the buffer, then the config would be too small and NCM rightfully objects to the commands.
I have been able to get this to work by playing with the template variable named RESET. This variable allows you to set your term length to 0 or, for PA, turn off your pager. This is also where you have to run the command to change the format of output to set (set cli config-output-format set). I added an extra part to this to bump you into config mode after setting the format for output. By doing so, I am able to change my variable named DownloadConfig to be simply "show".
This works to capture the set commands as described, but I expect it will break anything else that NCM tries to read from the PA via SSH. Specifically, anything that is received outside of config mode (for instance, show version, which on the PA is "show system info").
I have made a lot of assumptions when writing this up and I'm hoping that somebody out there has either run into this before or they can point out where my logic is flawed.
SolarWinds support does have an open case on this and I can post a follow-up if a solution is met.
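
An added example, not part of the original post and not SolarWinds or Palo Alto code: a check to run on a captured SSH transcript of the session above, confirming that the backup holds complete set-format output rather than a truncated or wrong-format capture. The prompt shapes (`user@host>` and `user@host#`), the sample transcript and the function name `extract_set_config` are assumptions made for illustration.

```python
import re

# Assumed prompt shapes: "user@host> " (operational) and "user@host# " (config mode).
PROMPT = re.compile(r"^\S+@\S+?([>#])\s?")
BANNERS = {"[edit]", "Entering configuration mode", "Exiting configuration mode"}

# Constructed transcript of the session described in the post, not real device output.
SAMPLE = """\
admin@PA-5060> set cli config-output-format set
admin@PA-5060> configure
Entering configuration mode
[edit]
admin@PA-5060# show
set deviceconfig system hostname PA-5060
set rulebase security rules allow-dns from trust
set rulebase security rules allow-dns to untrust
set rulebase security rules allow-dns action allow
[edit]
admin@PA-5060# exit
Exiting configuration mode
admin@PA-5060>
"""

def extract_set_config(transcript, min_lines=1):
    """Return the lines printed between a config-mode 'show' and the next prompt."""
    config, capturing, finished = [], False, False
    for raw in transcript.splitlines():
        line = raw.rstrip()
        m = PROMPT.match(line)
        if m:
            if capturing:  # the prompt coming back marks the end of the show output
                capturing, finished = False, True
            elif m.group(1) == "#" and line[m.end():].strip() == "show":
                capturing = True
            continue
        if capturing and line and line not in BANNERS:
            config.append(line)
    if not finished:
        raise ValueError("no complete config-mode 'show' output found (missing or truncated)")
    bad = [l for l in config if not l.startswith("set ")]
    if bad:
        raise ValueError(f"non-set line in output (format not applied?): {bad[0]!r}")
    if len(config) < min_lines:
        raise ValueError(f"only {len(config)} config lines captured")
    return config

if __name__ == "__main__":
    print("\n".join(extract_set_config(SAMPLE)))
```

Raising `min_lines` to a value close to the size of the last known-good backup turns this into a simple guard against silently storing a near-empty configuration.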