Fixing Palo Alto Firewall Support in RANCID Version 3.2

RANCID is a simple but useful utility for backing up configuration files from network devices.  I’ve worked with RANCID for many years and for the most part it tends to work well but occasionally I encounter problems when adding devices from new vendors.

I recently ran into an issue while attempting to add some Palo Alto firewalls into RANCID.  I added the devices to the router.db file (firewall01;paloalto;up) but RANCID failed to  retrieve the configs with the error messages

loadtype: device type paloalto
loadtype: found device type paloalto in /usr/local/rancid/etc/rancid.types.base
executing panlogin -t 90 -c"set cli scripting-mode on;set cli pager off;show system info;show config running" firewall01
firewall01: missed cmd(s): all commands
firewall01: End of run not found
firewall01: End of run not found

The strange thing was that when I manually ran the panlogin command it would successfully log into the device and show the running configuration.

panlogin -t 90 -c"set cli scripting-mode on;set cli pager off;show system info;show config running" firewall01

It turns out that this behavior is due to a bug in version 3.2 of RANCID.  This bug is particularly annoying since it completely breaks support for Palo Alto devices.

Fixing the issue manually

Fortunately this issue can be easily fixed by editing the file.  In my installation this file was located in /usr/local/rancid/lib/rancid/ but the exactly location may vary depending on your environment.

All you need to do is change the first line of from package ios; to package panos;

After making this change you should be able to manually run rancid to confirm the issue is fixed.

/usr/local/rancid/bin/rancid -t paloalto -d firewall01

If the command above complains that it can’t fine panlogin then make sure that the rancid bin directory is in your path.

panlogin: command not found

You can update the path for your current terminal session by using the export command.

export PATH=$PATH:/usr/local/rancid/bin/

Applying the unified patch

Alternatively you can apply the 3.2.p5 patch file which addresses this issue but the easiest method is to simply edit the file manually.

The patch file doesn’t apply very cleanly but essentially you would extract the patch file from the archive and place it in /usr/local/rancid/lib/rancid (or the directory your file is located in)

Run patch -p0 < rancid-3.2.p5

It will first try to locate the CHANGES file, you can point it toward /usr/local/rancid/share/rancid/CHANGES but it will probably still fail, either way the next step where it edits should complete successfully.

References to this issue:

Red Hat Bugzilla – Bug 1225977 RANCID bugs cause failures on JunOS and Palo Alto gear

Reddit discussion of the problem – RANCID with Palo Alto Networks?

Sam Kear

Sam graduated from the University of Missouri - Kansas City with a bachelors degree in Information Technology. Currently he works as a network analyst for an algorithmic trading firm. Sam enjoys the challenge of troubleshooting complex problems and is constantly experimenting with new technologies.

Leave a Reply

Your email address will not be published. Required fields are marked *