Automated backup from Palo Alto Networks Firewall without Panorama

Palo Alto Networks Panorama provides you to export the scheduled backup. However, sometimes, it is required to configure an automatic backup from Palo Alto Firewall directly.


In this article, I will explain scheduling a backup job to export the running configuration & device state from Palo Alto Firewall. I am using a CentOS machine with curl, and crond packages. We will use the Palo Alto XML API connection to retrieve the required files.

Let’s start!

Step 1: Export the API Key from Palo Alto Networks Firewall

First of all, we need an API key to make the connection from the CentOS to the Palo Alto Networks Firewall. You can execute the below URL to get an API key on any of your favorite web browsers.

Tip: Please ensure you are having either superuser or XML API previlledges.

Replace the username and password, with your actual username and password. You will get an output similar to the below text.

Copy the API key as mentioned below:

Step 2: Retrieving the running configuration & device state of Palo Alto Networks Firewall using the curl utility

Now, we will use the curl command to retrieve the running configuration and device state from Palo Alto Networks Firewall. Create a directory for Palo Alto Networks backup. You can create a directory as per your requirements.

Finally, execute the below command to retrieve the running configuration from the Firewall.

Now, execute the below command to retrieve the device state from the Palo Alto Networks firewall.

Replace the xx.xx.xx.xx with your firewall IP Address and API-KEY with the API Key you have generated in step 1.

Both the above commands created the running-config.xml and device-state.tgz file in the /root/paloalto_backup/ directory.

Till Now, we have retrieved the required configuration from the Palo Alto Networks Firewall. Now, we will create a simple shell script to call the above two curl commands.

Step 3: Create a Linux shell script for the Palo Alto Networks Firewall backup

In this step, we will just create a Linux shell script to execute both of the commands. We will simply use the touch command to create a file.

After that, copy and modify the IP Address and API KEY in the below lines using the nano or vi editors.

Now, we need to change the permission of this file to 755 using the below command:

Finally, execute the shell script, we just created.

This should create running-config.xml and device state file in the /root/paloalto_backup/ directory.

Yeah! This has created the backup files. Now, we just need to create a corn job to automate the whole thing.

Step 4: Create a cron job to export the Palo Alto Networks Backup

Finally, here, we will create a cron job to execute this script at a defined time. Simply, edit the cron jobs using the below command:

The above command will open cron jobs in the popular vi editor. You just need to simply define the time on which you need to execute the script. Here are a few examples:

That’s it! We are done with the configuration. Below is the output from my lab CentOS device after all of the above configurations:

You will notice that both, running-config.xml and device-state.tgz comes with an additional file name before the extension, i.e., device-state-1667285102.tgz. It’s called Epoch Time, and it’s a UNIX-friendly time. You can get the human-readable time using the below command:

Related Articles


In this article, we have scheduled the automatic configuration backup from the Palo Alto Networks firewall. At first, we took a CentOS server with Cron and Curl packages. Then, we created the shell script to export the backup from the Palo Alto Firewall. Finally, we created a cron job to export the backup.

Hope you like this article. In case you like this article, request you to please share it on social media platforms! In case you get into error, just comment in the comment box!

Leave a Reply

Your email address will not be published. Required fields are marked *