Skip to main content

Prisma SD-WAN Config Utility

The Prisma SD-WAN config utility was built using the Prisma SD-WAN SDK to ease export and import of configuration from the Prisma SDD-WAN controller. IT organizations will find this utility can easily be leveraged in their existing Continuous Integration (CI) tools.

This utility can be used to:

  • Replace an ION at site by extracting configuration, replacing the 'serial_number' with the new ION (Note: The replacement device must be online and allocated to the account).
  • Check configurations into a repository (private GIT), and have a CI process system automatically configure site(s).
  • Use configs as a rollback tool after changes.
  • Delete most configurations by simply removing them from the file and/or setting to null.
  • Use configs as a template to deploy 1000s of sites. The cloudgenix_config utility can be downloaded and installed using the pip utility : pip install cloudgenix_config The cloudgenix_config utility has two sub-utilities that can be used for import and export of data:
  • pull_site
  • do_site

pull_site

The pull_site utility is used to extract data from the controller. This utility has the ability to pull data from a single site, a comma separated list of sites or all sites, by using the keyword ALL_SITES. The output form this extraction is stored in a YAML file. By default, this file is named config.yml, unless a specific name has been provided via the CLI attribute - - output

Note: As a best practice when using the ALL_SITES keyword, it is recommended to use the MULTI_OUTPUT option to store each site’s configuration in its own separate file.

Terminal:~ sdkuser$ pull_site -h
usage: pull_site [-h] --sites SITES [--leave-implicit-ids] [--strip-versions]
    [--force-parents] [--no-header] [--normalize]
    [--output OUTPUT | --multi-output MULTI_OUTPUT]
    [--controller CONTROLLER] [--email EMAIL]
    [--password PASSWORD] [--insecure] [--noregion] [--rest]
    [--debug DEBUG]
optional arguments:
  -h, --help    show this help message and exit

Config:
These options change how the configuration is generated.

--sites SITES, -S SITES
        Site name or id. More than one can be specified
separated by comma, or special string "ALL_SITES".
--leave-implicit-ids Preserve implicit IDs in objects ("id" values only,references to other objects will still be names.)
--strip-versions Output non-versioned configuration branches.
--force-parents Force export of parent interface configurations.
--no-header Skip export of Metadata header in config YAML.
--normalize Normalize the site name to filesystem friendly. Only
has effect with --multi-out.
--output OUTPUT Output file name (default './config.yml')
--multi-output MULTI_OUTPUT
    Enable per-site file output. Specify Directory to
place file(s).

API:
These options change how this program connects to the API.

--controller CONTROLLER, -C CONTROLLER
        Controller URI, ex.
        https://api.elcapitan.cloudgenix.com
Login:
   These options allow skipping of interactive login
   --email EMAIL, -E EMAIL
        Use this email as User Name instead of
cloudgenix_settings.py or prompting
--password PASSWORD, -PW PASSWORD
        Use this Password instead of cloudgenix_settings.py or prompting
--insecure, -I  Do not verify SSL certificate
--noregion, -NR Ignore Region-based redirection.
Debug:
  These options enable debugging output

  --rest, -R    Show REST requests
  --debug DEBUG, -D DEBUG
        API Debug info, levels 0-2
Terminal:~ sdkuser$

do_site

The do_site utility is used to export data to the controller. The YAML file obtained from the pull_site can be edited to make site level or global configuration changes. This edited YAML file is used as an input for the do_site utility.

Terminal:~ sdkuser$ do_site -h
usage: do_site [-h] [--timeout-offline TIMEOUT_OFFLINE]
    [--timeout-claim TIMEOUT_CLAIM]
    [--timeout-upgrade TIMEOUT_UPGRADE] [--wait-upgrade]
    [--timeout-state TIMEOUT_STATE]
    [--interval-timeout INTERVAL_TIMEOUT] [--force-update]
    [--site-safety-factor SITE_SAFETY_FACTOR] [--destroy]
    [--controller CONTROLLER] [--email EMAIL] [--password PASSWORD]
    [--insecure] [--noregion] [--verbose VERBOSE]
    [--sdkdebug SDKDEBUG]
    YAML CONFIG FILE
Create or Destroy site from YAML config file.
optional arguments:
  -h, --help        show this help message and exit
Config:
  These options change how the configuration is loaded.
  YAML CONFIG FILE  Path to .yml file containing site config
 --timeout-offline TIMEOUT_OFFLINE
            Default maximum time to wait to claim if an ION is offline.
--timeout-claim TIMEOUT_CLAIM
            Default maximum time to wait for an ION claim to complete
--timeout-upgrade TIMEOUT_UPGRADE
            Default maximum time to wait for.
--wait-upgrade      When upgrading, wait for upgrade to complete.
            Configuration changes for major element version changes require upgrade to finish.
--timeout-state TIMEOUT_STATE
            Default maximum time for an ION to change
state(assign, un-assign).
--interval-timeout INTERVAL_TIMEOUT
            Default timeout recheck interval for all timeouts (10-180 seconds).
--force-update      Force re-submission of configuration items to the API, even if the objects have not changed.
--site-safety-factor SITE_SAFETY_FACTOR
            Maximum number of sites that can be modified at once by this script. This is a safety switch to prevent the
script from inadvertently modifying a large number of
sites.
--destroy       DESTROY site and all connected items (WAN Interfaces,LAN Networks).
API:
These options change how this program connects to the API.
--controller CONTROLLER, -C CONTROLLER
            Controller URI, ex.
            https://api.elcapitan.cloudgenix.com
Login:
These options allow skipping of interactive login
--email EMAIL, -E EMAIL
            Use this email as User Name instead of
cloudgenix_settings.py or prompting
--password PASSWORD, -PW PASSWORD
            Use this Password instead of cloudgenix_settings.py or prompting
--insecure, -I      Do not verify SSL certificate
--noregion, -NR     Ignore Region-based redirection.
Debug:
These options enable debugging output
--verbose VERBOSE,  -V VERBOSE
            Verbosity of script output, levels 0-3
--sdkdebug SDKDEBUG, -D SDKDEBUG
            Enable SDK Debug output, levels 0-2
Terminal:~ sdkuser$

Prisma SD-WAN Config Usage

#Query Single Site
Terminal:~ sdkuser$ pull_site -S Chicago --output chi.yml

#Query Multiple Sites
Terminal:~ sdkuser$ pull_site -S Chicago,Boston,NYC --output chibosnyc.yml

#Query ALL Sites with output in one file
Terminal:~ sdkuser$ pull_site -S ALL_SITES --output allsites.yml

#Query ALL Sites with MULTI_OUTPUT option
Terminal:~ sdkuser$ pull_site -S ALL_SITES –multi-output /tmp/config/
#Upload Changes to Sites
Terminal:~ sdkuser$ do_site chi.yml

#Delete Sites and associated WAN Interfaces and LAN Networks
Terminal:~ sdkuser$ do_site chi.yml --destroy

Want to contribute? See something missing?

Visit our Contributing Guide or look for the "Edit this page" or "Report an Issue" button at the bottom of our docs pages

:::