How To Backup of Config Files Periodically From Palo Alto Networks firewalls:
The configuration file of any firewall is extremely important since it holds all the customizations made by the user. In the event of hardware failure, if the config files aren't backed up to an external location, the configs will have to be built up from scratch. So it's a good practice to back up and export the config files regularly, especially to external locations.
Panorama can do this automatically. But in case Panorama isn't managing the firewalls, this document can be very helpful to export and backup the config file to an external location for safekeeping.
Steps to Follow
Access the firewall using XML API:
Setup the firewall for API access by generating API Key
Save the API key and then add that to HTTPs query in the next step
Retrieve the running config file using an HTTPS GET:
To run HTTPS GET from command prompt, use CURL for windows. For Linux hosts, it might be built-in.
Then save the retrieved config to a file.
Automate the log export process:
Add the commands from the above steps to batch file (or a script for Linux hosts).
Then run the batch file on a server which will be always-on.
Create a job in Windows Scheduler (or CRON job if Linux server) to call that batch file periodically.
1. Access the firewall using XML API:
For accessing the firewall using XML API, we need to generate the API key first. To generate, see the following:
Download and extract CURL to a folder. If the CURL command should be accessible universally, then add the extract CURL folder to PATH under Environment variables. The site shown below, explains how to add a folder to PATH in detail:
The above command, when run from command line, will create a file named running-config.xml in the folder from which the command was run.
Note: If CURL's extracted path isn't added to the PATH, then it should be run from the folder where CURL was extracted.
3. Automate the log export process:
Now that we have the command to fetch the running config in XML format, we can create a batch file and then call that in Windows Scheduler. Scheduling it on a server which is always on would be a good idea.
Contents of the batch file:
curl -kG "https://<firewall-ip>/api/?type=export&category=configuration&key=<api_key>" > c:\running-config.xml
To Append Date to the Config File Name:
curl -kG "https://<firewall-ip>/api/?type=export&category=configuration&key=<api_key>" > c:\running-config_%date%.xml
This is assuming that CURL has been extracted to C drive's root.
And the config file will be saved to the C drive itself.
Change the <api_key> with the key obtained in the previous step.
Follow the instruction in the below URL to run the batch file periodically (like every night 1 AM.).