
Re: Backup of Palo Alto Networks firewalls

 
RPapaux
Valued Contributor

Backup of Palo Alto Networks firewalls

Hello,

I'm struggling to build an IMC Backup adapter for Palo Alto Networks firewalls (PAN-3220 & PAN-220 with PAN-OS 9.x). I have tried to build it with both CLI and TFTP, but without success.

If someone in the community has ever tried to perform this exercise, I would be glad to receive any guidance or suggestion.

Thanks

Ray

 

4 REPLIES 4
jguse
HPE Pro

Re: Backup of Palo Alto Networks firewalls

Hello,

Which existing adapter scripts are you basing your Palo Alto adapter on? I would suggest checking out the existing adapter for F5 Networks, as they should be fairly similar in terms of backing up a file (.gzip) instead of a plaintext configuration.

When you test your adapter on your devices, you should make sure that imccfgbakdm process is set to DEBUG (via System Configuration > Log Configuration page). After the backup fails, you would hopefully be able to see details about why it failed in the respective logfile, under iMC\server\conf\log\imccfgbakdm<current-date>.txt. If iMC was able to log in and then failed at some point, it will generally provide you with the CLI output up until the failure happened, so you have some hint as to what went wrong.

As for guidance on how to build adapters, I guess you are already aware of the section on Customizing iMC in the Administrator Guide. There is also a very helpful third-party doc called "HP iMC 7 customization" that you can find online which may help.

If you are getting some particular error with the backup, you could post it here, and perhaps we can help you out if it's something we've seen before.

Best regards,
Justin

Working @ HPE
RPapaux
Valued Contributor

Re: Backup of Palo Alto Networks firewalls

Thanks for the advice and sorry for the delay ...

It seems the problem was related to the parser, and it took me a while trying to understand how this works.

Nevertheless, I have rebuilt the adapter from scratch and now it seems to work fine, despite ERRORs in the log (see extract below):

<------------------------------------------------------------------------------------------------------------------------------------------

2021-04-07 14:04:09.046 [WARNING (32)] [THREAD(11364)] [CComponentAdapter::checkAccessTypeMatchTransferProtocol()] transfer protocol does not match access type,iTransferProtocol=3,iAccessType=3

2021-04-07 14:04:09.046 [WARNING (32)] [THREAD(11364)] [CComponentAdapter::isDevSupportServiceAction()] transfer protocol does not match access type,ServiceName = ConfigBackup,commandName=Custom,iTransferProtocol=3,iAccessType=3

2021-04-07 14:04:09.046 [DEBUG (0)] [THREAD(11364)] [CScriptProcessor::exec()] Don't support method: custom + snmp, DevID: 399, ServiceName: ConfigBackup, ActionName: backup_running_config, TransferProtocol: 3

2021-04-07 14:04:09.048 [WARNING (2023)] [THREAD(11364)] [CScriptTool::getDevAdapterNameFromDB()] reader no data, sql: select vendor_name,adapter_name,error_code from tbl_dev_adapter where component_name = 'Custom' and dev_id = 399 and adapter_type = 0

2021-04-07 14:04:09.049 [INFO (0)] [THREAD(11364)] [CComponentAdapter::parseVendorAdapter()] Begin to parse ...

2021-04-07 14:04:09.049 [ERROR (21)] [THREAD(11364)] [CComponentAdapter::parserVendorAdapterProcess] get Doc Node error, file: C:\Program Files\iMC\server\bin\..\..\server\conf\adapters\Custom\Palo Alto Networks\adapter-index.xml

2021-04-07 14:04:09.049 [INFO (0)] [THREAD(11364)] [CComponentAdapter::parseVendorAdapter()] Finished to parse!

2021-04-07 14:04:09.049 [WARNING (21)] [THREAD(11364)] [CComponentAdapter::discoverDeviceAdapter()] fail to call parserVendorAdapterIndex()

2021-04-07 14:04:09.049 [ERROR (18)] [THREAD(11364)] [CComponentAdapter::getDevAdapterName()] fail to call discoverDeviceAdapter()

2021-04-07 14:04:09.049 [ERROR (18)] [THREAD(11364)] [CComponentAdapter::isDevSupportServiceAction()] fail to call getDevAdapterName().DevID=399,ServiceName = ConfigBackup

2021-04-07 14:04:09.049 [DEBUG (0)] [THREAD(11364)] [CAdapterMgr::isDevSupportServiceAction] Fail to call isDevSupportServiceAction().Adapter name = N/A,Service name = ConfigBackup,Action name = backup_running_config,AccessType = 2,iTransferProtocol = 3

2021-04-07 14:04:09.049 [DEBUG (0)] [THREAD(11364)] [CScriptProcessor::exec()] Don't support method: custom + cli, DevID: 399, ServiceName: ConfigBackup, ActionName: backup_running_config, TransferProtocol: 3

2021-04-07 14:04:09.050 [WARNING (32)] [THREAD(11364)] [CComponentAdapter::checkAccessTypeMatchTransferProtocol()] transfer protocol does not match access type,iTransferProtocol=3,iAccessType=3

2021-04-07 14:04:09.050 [WARNING (32)] [THREAD(11364)] [CComponentAdapter::isDevSupportServiceAction()] transfer protocol does not match access type,ServiceName = ConfigBackup,commandName=ICC,iTransferProtocol=3,iAccessType=3

2021-04-07 14:04:09.050 [DEBUG (0)] [THREAD(11364)] [CScriptProcessor::exec()] Don't support method: SNMP, DevID: 399, ServiceName: ConfigBackup, ActionName: backup_running_config, TransferProtocol: 3

2021-04-07 14:04:09.051 [INFO (0)] [THREAD(11364)] [CComponentAdapter::isDevSupportServiceAction] dev_id: 399, adapter_name: PANOS

2021-04-07 14:04:09.051 [INFO (0)] [THREAD(11364)] [CScriptProcessor::exec()] Begin to execute by cli.

2021-04-07 14:04:09.051 [INFO (0)] [THREAD(11364)] [CScriptProcessor::exec()] Case_no: 5124_3293068603, service_name: ConfigBackup, action_name: backup_running_config, input_vars: DevName=srvpifw201peb?_?TFTPFile=C:/Program Files/iMC/server/tmp/running_3293068602.cfg?_?TFTPServer=10.10.99.52?_?UnitList=?_?VpnName=

2021-04-07 14:04:09.054 [INFO (0)] [THREAD(11364)] [CScriptProcessor::exec()] Success to spawn process, pid: 15156

2021-04-07 14:04:13.864 [DEBUG (0)] [THREAD(8628)] [CCfgFileMgrMainTaskMgr::createTask] cmd_code = 1062

2021-04-07 14:04:15.188 [DEBUG (0)] [THREAD(15216)] [CCfgFileMgrMainTaskMgr::createTask] cmd_code = 1062

2021-04-07 14:04:20.557 [INFO (0)] [THREAD(11364)] [CScriptProcessor::exec()] Success to execute process, pid: 15156

2021-04-07 14:04:20.557 [INFO (0)] [THREAD(11364)] [CScriptProcessor::exec()] Check result file: C:\Program Files\iMC\server\bin\..\..\server/tmp/scripttool_5124_3293068603.cfg

2021-04-07 14:04:21.622 [INFO (0)] [THREAD(11364)] [CScriptProcessor::processLog] File :C:\Program Files\iMC\server\bin\..\..\server\conf\log\imcscripttool_ICC_10.1.253.201.2021-04-07.txt is deleted

----------------------------------------------------------------------------------------------------------------------------------------->

It looks like the system is looking for a ... adapter\Custom ... directory that I do not have.

Is there something wrong with my setup, or can I just ignore these errors?

Regards

Ray

jguse
HPE Pro

Re: Backup of Palo Alto Networks firewalls

Hello Ray,

Sorry for the delayed response here as well. I think you could generally ignore such errors - though you may need to delete and re-add your Palo Alto device to iMC after making changes to adapter-index.xml SysOIDs for Palo Alto. I've seen some issue where iMC does not automatically re-detect the adapter to use when such changes are made.

Looking through that log extract, it seems the backup process does start with the CLI method - Begin to run by cli. - so I wonder if there may be more relevant errors further along in the log? If the iMC backup fails at some point after logging in to the device, it will generally provide the CLI output up to the point where it failed/timed out in the log. Do you see anything like this?

Best regards,
Justin

Working @ HPE
RPapaux
Valued Contributor

Re: Backup of Palo Alto Networks firewalls

Thanks for your reply.

 

As I said currently it works fine, but it took me a while to make it work.

I had to rebuild the adapter, delete and re-insert the device.

The original adapter version from IMC did not work with my version of FW (PAN-OS 9.x), and that's the reason why I'm using a new adapter with CLI exclusively.

Concerning the errors I posted, I have already seen those with a number of working adapters.

As it is always nasty to have useless errors, especially when you troubleshoot something and are not aware of a correct behavior, I was just asking if there is a clean way to remove them.

So as it seems not possible, we will just continue to live with them.

Thanks

Ray
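
Added example, not part of any post in this thread and not HPE tooling: a Python triage of an imccfgbakdm debug extract that separates the WARNING/ERROR lines logged while iMC tries access methods from anything logged after the backup script starts. Treating entries logged before "Begin to execute by" as probing noise is an assumption drawn from the extract above; `triage` and `SAMPLE` are hypothetical names.

```python
import re

# Line layout seen in the extract: timestamp [LEVEL (code)] [THREAD(id)] [function] message
LINE = re.compile(r"^(\S+ \S+) \[(\w+) \((\d+)\)\] \[THREAD\((\d+)\)\] \[([^\]]+)\] (.*)$")

# Sample input: lines abridged from the log extract posted in this thread.
SAMPLE = r"""
2021-04-07 14:04:09.046 [DEBUG (0)] [THREAD(11364)] [CScriptProcessor::exec()] Don't support method: custom + snmp, DevID: 399, ServiceName: ConfigBackup, ActionName: backup_running_config, TransferProtocol: 3
2021-04-07 14:04:09.049 [ERROR (21)] [THREAD(11364)] [CComponentAdapter::parserVendorAdapterProcess] get Doc Node error, file: C:\Program Files\iMC\server\bin\..\..\server\conf\adapters\Custom\Palo Alto Networks\adapter-index.xml
2021-04-07 14:04:09.049 [ERROR (18)] [THREAD(11364)] [CComponentAdapter::getDevAdapterName()] fail to call discoverDeviceAdapter()
2021-04-07 14:04:09.049 [DEBUG (0)] [THREAD(11364)] [CScriptProcessor::exec()] Don't support method: custom + cli, DevID: 399, ServiceName: ConfigBackup, ActionName: backup_running_config, TransferProtocol: 3
2021-04-07 14:04:09.050 [WARNING (32)] [THREAD(11364)] [CComponentAdapter::checkAccessTypeMatchTransferProtocol()] transfer protocol does not match access type,iTransferProtocol=3,iAccessType=3
2021-04-07 14:04:09.050 [DEBUG (0)] [THREAD(11364)] [CScriptProcessor::exec()] Don't support method: SNMP, DevID: 399, ServiceName: ConfigBackup, ActionName: backup_running_config, TransferProtocol: 3
2021-04-07 14:04:09.051 [INFO (0)] [THREAD(11364)] [CComponentAdapter::isDevSupportServiceAction] dev_id: 399, adapter_name: PANOS
2021-04-07 14:04:09.051 [INFO (0)] [THREAD(11364)] [CScriptProcessor::exec()] Begin to execute by cli.
2021-04-07 14:04:09.054 [INFO (0)] [THREAD(11364)] [CScriptProcessor::exec()] Success to spawn process, pid: 15156
2021-04-07 14:04:20.557 [INFO (0)] [THREAD(11364)] [CScriptProcessor::exec()] Success to execute process, pid: 15156
"""

def triage(text):
    """Split one backup attempt into method-probing noise and post-start findings."""
    out = {"rejected": [], "method": None, "adapter": None, "spawned": None,
           "finished": False, "probe_noise": [], "actionable": []}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or text that is not a log record
        _, level, code, _, func, msg = m.groups()
        if (r := re.match(r"Don't support method: ([^,]+),", msg)):
            out["rejected"].append(r.group(1))       # method tried and skipped
        elif (r := re.search(r"adapter_name: (\S+)", msg)):
            out["adapter"] = r.group(1)              # adapter finally selected
        elif (r := re.match(r"Begin to execute by (\w+)\.", msg)):
            out["method"] = r.group(1)               # backup script starts here
        elif (r := re.match(r"Success to spawn process, pid: (\d+)", msg)):
            out["spawned"] = r.group(1)
        elif (r := re.match(r"Success to execute process, pid: (\d+)", msg)):
            out["finished"] = r.group(1) == out["spawned"]
        if level in ("ERROR", "WARNING"):
            # Assumption: anything before the script starts is selection noise.
            bucket = "actionable" if out["method"] else "probe_noise"
            out[bucket].append((level, int(code), func))
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

An empty `actionable` list together with `finished` set to true matches what the thread concludes about this extract: the ERROR lines belong to method selection, and the CLI backup itself completed.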