Automated backup from Palo Alto Networks Firewall without Panorama

Palo Alto Networks Panorama can export configuration backups on a schedule. Sometimes, however, you need to configure an automatic backup directly from the Palo Alto Firewall.

In this article, I will explain how to schedule a backup job that exports the running configuration & device state from the Palo Alto Firewall. I am using a CentOS machine with the curl and crond packages. We will use the Palo Alto XML API to retrieve the required files. Let’s start!

Step 1: Export the API Key from Palo Alto Networks Firewall

First, we need an API key to make the connection from the CentOS machine to the Palo Alto Networks Firewall. Open the URL below in any web browser to get an API key.

https://<paloalto-firewall-ip>/api/?type=keygen&user=<username>&password=<password>

Tip: Make sure your account has either superuser or XML API privileges.

Replace <username> and <password> with your actual username and password. You will get output similar to the text below.

<response status="success">
<result>
<key>LUFRPT03MCs3bTJ0WHJSOWptRlNicllZaWM2UVFSb2c9VzFycHNvU2RXMzg3ZlI4TVJyQTZqM2MwZE16bFk5Y3hIZzB4ZkF4OTMyYjh6RHlBOG1yekRMd1RnTGZRTEVZaQ==</key>
</result>
</response>

Copy the API key, i.e., the contents of the <key> element:

LUFRPT03MCs3bTJ0WHJSOWptRlNicllZaWM2UVFSb2c9VzFycHNvU2RXMzg3ZlI4TVJyQTZqM2MwZE16bFk5Y3hIZzB4ZkF4OTMyYjh6RHlBOG1yekRMd1RnTGZRTEVZaQ==

Step 2: Retrieving the running configuration & device state of Palo Alto Networks Firewall using the curl utility

Now, we will use the curl command to retrieve the running configuration and device state from Palo Alto Networks Firewall. Create a directory for Palo Alto Networks backup. You can create a directory as per your requirements.

[root@firewallbuddy ~]# mkdir /root/paloalto_backup/

Finally, execute the below command to retrieve the running configuration from the Firewall.

curl -k "https://xx.xx.xx.xx/api/?type=export&category=configuration&key=API-KEY" > /root/paloalto_backup/running-config-$(date +%s).xml

Now, execute the below command to retrieve the device state from the Palo Alto Networks firewall.

curl -k "https://xx.xx.xx.xx/api/?type=export&category=device-state&key=API-KEY" > /root/paloalto_backup/device-state-$(date +%s).tgz

Replace the xx.xx.xx.xx with your firewall IP Address and API-KEY with the API Key you have generated in step 1.

The above commands created the running-config-<timestamp>.xml and device-state-<timestamp>.tgz files in the /root/paloalto_backup/ directory.

[root@firewallbuddy paloalto_backup]# ls -ltr
total 8
-rw-r--r--. 1 root root 97 Oct 31 23:32 running-config-1667284321.xml
-rw-r--r--. 1 root root 97 Oct 31 23:32 device-state-1667284322.tgz

We have retrieved the required configuration from the Palo Alto Networks Firewall. Let’s create a simple shell script to call the above two curl commands.

Step 3: Create a Linux shell script for the Palo Alto Networks Firewall backup

In this step, we will create a Linux shell script to execute both commands. We will use the touch command to create a file.

touch /root/paloalto-backup.sh

After that, copy and modify the IP Address and API KEY in the below lines using the nano or vi editors.

nano /root/paloalto-backup.sh

#!/bin/sh
# Flush pending disk writes before taking the backup
sync;
# Export the running configuration (-k skips TLS certificate verification)
curl -k "https://xx.xx.xx.xx/api/?type=export&category=configuration&key=API-KEY" > /root/paloalto_backup/running-config-$(date +%s).xml
# Export the device state
curl -k "https://xx.xx.xx.xx/api/?type=export&category=device-state&key=API-KEY" > /root/paloalto_backup/device-state-$(date +%s).tgz

Now, we need to change the permission of this file to 755 using the below command:

chmod 755 /root/paloalto-backup.sh

Finally, execute the shell script we just created.

/root/paloalto-backup.sh

This should generate running-config.xml and device state files in the /root/paloalto_backup/ directory.

[root@firewallbuddy paloalto_backup]# /root/paloalto-backup.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    97  100    97    0     0    273      0 --:--:-- --:--:-- --:--:--   274
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    97  100    97    0     0    267      0 --:--:-- --:--:-- --:--:--   267
[root@firewallbuddy paloalto_backup]# ls -ltr
total 8
-rw-r--r--. 1 root root 97 Oct 31 23:33 running-config-1667284397.xml
-rw-r--r--. 1 root root 97 Oct 31 23:33 device-state-1667284397.tgz

Yeah! This has created the backup files. Now, we will create a cron job to automate the whole thing.

Step 4: Create a cron job to export the Palo Alto Networks Backup

Finally, we will create a cron job to execute this script at a defined time. Edit the cron jobs using the below command:

crontab -e

The above command will open cron jobs in the vi editor. Now, define the different times to execute the script. Here are a few examples:

# At every minute
* * * * * /root/paloalto-backup.sh
# At every 5 minutes
*/5 * * * * /root/paloalto-backup.sh
# At 01:00 daily
0 1 * * * /root/paloalto-backup.sh

That’s it! We are done with the configuration. Below is the output from my lab CentOS device after all of the above configurations:

[root@firewallbuddy paloalto_backup]# ls -ltr
total 96
-rw-r--r--. 1 root root 97 Oct 31 23:33 running-config-1667284397.xml
-rw-r--r--. 1 root root 97 Oct 31 23:33 device-state-1667284397.tgz
-rw-r--r--. 1 root root 97 Oct 31 23:34 running-config-1667284442.xml
-rw-r--r--. 1 root root 97 Oct 31 23:34 device-state-1667284442.tgz
-rw-r--r--. 1 root root 97 Oct 31 23:35 running-config-1667284502.xml
-rw-r--r--. 1 root root 97 Oct 31 23:35 device-state-1667284502.tgz
-rw-r--r--. 1 root root 97 Oct 31 23:36 running-config-1667284561.xml
-rw-r--r--. 1 root root 97 Oct 31 23:36 device-state-1667284562.tgz
-rw-r--r--. 1 root root 97 Oct 31 23:37 running-config-1667284621.xml
-rw-r--r--. 1 root root 97 Oct 31 23:37 device-state-1667284622.tgz
-rw-r--r--. 1 root root 97 Oct 31 23:38 running-config-1667284681.xml
-rw-r--r--. 1 root root 97 Oct 31 23:38 device-state-1667284682.tgz
-rw-r--r--. 1 root root 97 Oct 31 23:39 running-config-1667284741.xml
-rw-r--r--. 1 root root 97 Oct 31 23:39 device-state-1667284742.tgz
-rw-r--r--. 1 root root 97 Oct 31 23:40 running-config-1667284801.xml
-rw-r--r--. 1 root root 97 Oct 31 23:40 device-state-1667284802.tgz
-rw-r--r--. 1 root root 97 Oct 31 23:41 running-config-1667284861.xml
-rw-r--r--. 1 root root 97 Oct 31 23:41 device-state-1667284862.tgz
-rw-r--r--. 1 root root 97 Oct 31 23:42 running-config-1667284921.xml
-rw-r--r--. 1 root root 97 Oct 31 23:42 device-state-1667284921.tgz
-rw-r--r--. 1 root root 97 Oct 31 23:43 running-config-1667284981.xml
-rw-r--r--. 1 root root 97 Oct 31 23:43 device-state-1667284982.tgz
-rw-r--r--. 1 root root 97 Oct 31 23:45 running-config-1667285102.xml
-rw-r--r--. 1 root root 97 Oct 31 23:45 device-state-1667285102.tgz

You will notice that the running-config and device-state file names carry an additional number before the extension, e.g., device-state-1667285102.tgz. This is the epoch time (seconds since January 1, 1970 UTC), a UNIX-friendly timestamp produced by date +%s. You can get the human-readable time using the below command:

[root@firewallbuddy paloalto_backup]# date -d @1667285102
Mon Oct 31 23:45:02 PDT 2022
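
A hardened variant of the backup script from Steps 3 and 4, added here as an example and not the article's own script: it verifies the firewall certificate instead of using -k, passes the API key in the X-PAN-KEY header through curl's stdin config rather than in the URL, creates files with mode 0600, and keeps a file only if it really is a configuration export or a gzip archive, so an XML API error response is never stored as a backup. PAN_HOST, PAN_CA, PAN_KEY_FILE, the function names and the --run argument are assumptions, as is a PAN-OS release that accepts the X-PAN-KEY header.

```shell
#!/bin/sh
# Added example, not the article's script. PAN_HOST, PAN_CA, PAN_KEY_FILE and
# the function names are assumptions made for this illustration.
umask 077                                   # backups are created mode 0600
PAN_HOST=${PAN_HOST:-xx.xx.xx.xx}
PAN_CA=${PAN_CA:-/root/paloalto_ca.pem}      # CA that signed the firewall cert
PAN_KEY_FILE=${PAN_KEY_FILE:-/root/.paloalto_api_key}   # chmod 600, key only
BACKUP_DIR=${BACKUP_DIR:-/root/paloalto_backup}

# True only if the root element is <config>; an API error is <response ...>.
is_config_export() {
    head -c 512 "$1" | tr -d '\r\n' |
        sed 's/^[[:space:]]*<?xml[^>]*?>[[:space:]]*//' |
        grep -q '^<config[ >]'
}

# True only if the file starts with the gzip magic bytes 1f 8b.
is_gzip() {
    [ "$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')" = "1f8b" ]
}

# fetch_export <category> <extension> <validator>
fetch_export() {
    out="$BACKUP_DIR/$1-$(date +%s).$2"
    tmp="$out.partial"
    key=$(cat "$PAN_KEY_FILE") || return 1
    # The key goes to curl on stdin as a config line, so it is neither in the
    # URL nor in the process arguments. No -k: the certificate is verified.
    if printf 'header = "X-PAN-KEY: %s"\n' "$key" |
        curl --config - --silent --show-error --fail --cacert "$PAN_CA" \
             -o "$tmp" "https://$PAN_HOST/api/?type=export&category=$1" &&
        "$3" "$tmp"; then
        mv "$tmp" "$out"
    else
        echo "export of $1 failed validation; response discarded" >&2
        rm -f "$tmp"
        return 1
    fi
}

run_backup() {
    fetch_export configuration xml is_config_export &&
        fetch_export device-state tgz is_gzip
}

# The cron entry calls this file with --run (assumed convention).
if [ "${1:-}" = "--run" ]; then run_backup; fi
```

Because run_backup returns non-zero when either export fails validation, the cron job's exit status and stderr can be used to alert on a missed backup.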

Summary

In this article, we have scheduled the automatic configuration backup from the Palo Alto Networks firewall. At first, we took a CentOS server with Cron and Curl packages. Then, we created the shell script to export the backup from the Palo Alto Firewall. Finally, we created a cron job to export the backup.

I hope you like this article. In case you like this article, I request you to please share it on social media platforms! In case you get an error, comment in the comment box!
