How To Backup of Config Files Periodically without Panorama

How To Backup of Config Files Periodically without Panorama

Created On 09/27/18 07:11 AM - Last Modified 06/08/23 01:49 AM


  • Any Firewall


How To Backup of Config Files Periodically From Palo Alto Networks firewalls:



The configuration file of any firewall is extremely important since it holds all the customizations made by the user. In the event of hardware failure, if the config files aren't backed up to an external location, the configs will have to be built up from scratch. So it's a good practice to back up and export the config files regularly, especially to external locations.


Panorama can do this automatically. But in case Panorama isn't managing the firewalls, this document can be very helpful to export and backup the config file to an external location for safekeeping.


Steps to Follow

  1. Access the firewall using XML API:
    • Setup the firewall for API access by generating API Key
    • Save the API key and then add that to HTTPs query in the next step
  2. Retrieve the running config file using an HTTPS GET:
    • To run HTTPS GET from command prompt, use CURL for windows. For Linux hosts, it might be built-in.
    • Then save the retrieved config to a file.
  3. Automate the log export process:
    • Add the commands from the above steps to batch file (or a script for Linux hosts).
    • Then run the batch file on a server which will be always-on.
    • Create a job in Windows Scheduler (or CRON job if Linux server) to call that batch file periodically.


1. Access the firewall using XML API:

For accessing the firewall using XML API, we need to generate the API key first. To generate, see the following:



The response for that should be in form of an XML with the API Key printed as below:

User-added image

Save the API key somewhere safe. It is like a password.


2. Retrieve the running config file using an HTTPS GET:

Since the Windows command line doesn't support HTTPS requests, we have to use CURL for Windows OS to do an HTTPS GET to fetch the running configuration.
Note: CURL for Windows can be downloaded from:



Download and extract CURL to a folder. If the CURL command should be accessible universally, then add the extract CURL folder to PATH under Environment variables.
The site shown below, explains how to add a folder to PATH in detail: 


Now for the HTTPS request to retrieve the running config from the firewall.

The URL below should print the config file if ran from a browser: 


To capture the Config XML to a file, we have to retrieve the HTTPS URL using CURL. The command is as below (this should be run from the server):

> curl -kG "https://<firewall-ip>/api/?type=export&category=configuration&key=<api_key>" > running-config.xml


The above command, when run from command line, will create a file named running-config.xml in the folder from which the command was run.

Note: If CURL's extracted path isn't added to the PATH, then it should be run from the folder where CURL was extracted.


3. Automate the log export process:

Now that we have the command to fetch the running config in XML format, we can create a batch file and then call that in Windows Scheduler. Scheduling it on a server which is always on would be a good idea.


Contents of the batch file:


cd curl\bin
curl -kG "https://<firewall-ip>/api/?type=export&category=configuration&key=<api_key>" > c:\running-config.xml
To Append Date to the Config File Name:

curl -kG "https://<firewall-ip>/api/?type=export&category=configuration&key=<api_key>" > c:\running-config_%date%.xml



  • This is assuming that CURL has been extracted to C drive's root.
  • And the config file will be saved to the C drive itself.
  • Change the <api_key> with the key obtained in the previous step.

Follow the instruction in the below URL to run the batch file periodically (like every night 1 AM.).  


  • Print
  • Copy Link

Choose Language