Palo Alto Networks Panorama provides you to export the scheduled backup. However, sometimes, it is required to configure an automatic backup from Palo Alto Firewall directly.
In this article, I will explain scheduling a backup job to export the running configuration & device state from Palo Alto Firewall. I am using a CentOS machine with curl, and crond packages. We will use the Palo Alto XML API connection to retrieve the required files.
Let’s start!
Step 1: Export the API Key from Palo Alto Networks Firewall
First of all, we need an API key to make the connection from the CentOS to the Palo Alto Networks Firewall. You can execute the below URL to get an API key on any of your favorite web browsers.
1 |
https://<paloalto-firewall-ip>/api/?type=keygen&user=<username>&password=<password> |
Tip: Please ensure you are having either superuser or XML API previlledges.
Replace the username and password, with your actual username and password. You will get an output similar to the below text.
1 2 3 4 5 |
<response status="success"> <result> <key>LUFRPT03MCs3bTJ0WHJSOWptRlNicllZaWM2UVFSb2c9VzFycHNvU2RXMzg3ZlI4TVJyQTZqM2MwZE16bFk5Y3hIZzB4ZkF4OTMyYjh6RHlBOG1yekRMd1RnTGZRTEVZaQ==</key> </result> </response> |
Copy the API key as mentioned below:
1 |
LUFRPT03MCs3bTJ0WHJSOWptRlNicllZaWM2UVFSb2c9VzFycHNvU2RXMzg3ZlI4TVJyQTZqM2MwZE16bFk5Y3hIZzB4ZkF4OTMyYjh6RHlBOG1yekRMd1RnTGZRTEVZaQ== |
Step 2: Retrieving the running configuration & device state of Palo Alto Networks Firewall using the curl utility
Now, we will use the curl command to retrieve the running configuration and device state from Palo Alto Networks Firewall. Create a directory for Palo Alto Networks backup. You can create a directory as per your requirements.
1 |
[root@IPTrainer ~]# mkdir /root/paloalto_backup/ |
Finally, execute the below command to retrieve the running configuration from the Firewall.
1 |
curl -k "https://xx.xx.xx.xx/api/?type=export&category=configuration&key=API-KEY" > /root/paloalto_backup/running-config-$(date +%s).xml |
Now, execute the below command to retrieve the device state from the Palo Alto Networks firewall.
1 |
curl -k "https://xx.xx.xx.xx/api/?type=export&category=device-state&key=API-KEY" > /root/paloalto_backup/device-state-$(date +%s).tgz |
Replace the xx.xx.xx.xx with your firewall IP Address and API-KEY with the API Key you have generated in step 1.
Both the above commands created the running-config.xml and device-state.tgz file in the /root/paloalto_backup/ directory.
1 2 3 4 |
[root@IPTrainer paloalto_backup]# ls -ltr total 8 -rw-r--r--. 1 root root 97 Oct 31 23:32 running-config-1667284321.xml -rw-r--r--. 1 root root 97 Oct 31 23:32 device-state-1667284322.tgz |
Till Now, we have retrieved the required configuration from the Palo Alto Networks Firewall. Now, we will create a simple shell script to call the above two curl commands.
Step 3: Create a Linux shell script for the Palo Alto Networks Firewall backup
In this step, we will just create a Linux shell script to execute both of the commands. We will simply use the touch command to create a file.
1 |
touch /root/paloalto-backup.sh |
After that, copy and modify the IP Address and API KEY in the below lines using the nano or vi editors.
1 |
nano /root/paloalto-backup.sh |
1 2 3 4 |
#!/bin/sh sync; curl -k "https://xx.xx.xx.xx/api/?type=export&category=configuration&key=API-KEY" > /root/paloalto_backup/running-config-$(date +%s).xml curl -k "https://xx.xx.xx.xx/api/?type=export&category=device-state&key=API-KEY" > /root/paloalto_backup/device-state-$(date +%s).tgz |
Now, we need to change the permission of this file to 755 using the below command:
1 |
chmod 755 /root/paloalto-backup.sh |
Finally, execute the shell script, we just created.
1 |
/root/paloalto-backup.sh |
This should create running-config.xml and device state file in the /root/paloalto_backup/ directory.
1 2 3 4 5 6 7 8 9 10 11 |
[root@IPTrainer paloalto_backup]# /root/paloalto-backup.sh % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 97 100 97 0 0 273 0 --:--:-- --:--:-- --:--:-- 274 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 97 100 97 0 0 267 0 --:--:-- --:--:-- --:--:-- 267 [root@MiWiFi-R4CM-srv paloalto_backup]# ls -ltr total 8 -rw-r--r--. 1 root root 97 Oct 31 23:33 running-config-1667284397.xml -rw-r--r--. 1 root root 97 Oct 31 23:33 device-state-1667284397.tgz |
Yeah! This has created the backup files. Now, we just need to create a corn job to automate the whole thing.
Step 4: Create a cron job to export the Palo Alto Networks Backup
Finally, here, we will create a cron job to execute this script at a defined time. Simply, edit the cron jobs using the below command:
1 |
cronjob -e |
The above command will open cron jobs in the popular vi editor. You just need to simply define the time on which you need to execute the script. Here are a few examples:
1 2 3 4 5 6 |
# At every minute * * * * * /root/paloalto-backup.sh # At every 5 minutes */5 * * * * /root/paloalto-backup.sh # At 01:00 daily 0 1 * * * /root/paloalto-backup.sh |
That’s it! We are done with the configuration. Below is the output from my lab CentOS device after all of the above configurations:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
[root@IPTrainer paloalto_backup]# ls -ltr total 96 -rw-r--r--. 1 root root 97 Oct 31 23:33 running-config-1667284397.xml -rw-r--r--. 1 root root 97 Oct 31 23:33 device-state-1667284397.tgz -rw-r--r--. 1 root root 97 Oct 31 23:34 running-config-1667284442.xml -rw-r--r--. 1 root root 97 Oct 31 23:34 device-state-1667284442.tgz -rw-r--r--. 1 root root 97 Oct 31 23:35 running-config-1667284502.xml -rw-r--r--. 1 root root 97 Oct 31 23:35 device-state-1667284502.tgz -rw-r--r--. 1 root root 97 Oct 31 23:36 running-config-1667284561.xml -rw-r--r--. 1 root root 97 Oct 31 23:36 device-state-1667284562.tgz -rw-r--r--. 1 root root 97 Oct 31 23:37 running-config-1667284621.xml -rw-r--r--. 1 root root 97 Oct 31 23:37 device-state-1667284622.tgz -rw-r--r--. 1 root root 97 Oct 31 23:38 running-config-1667284681.xml -rw-r--r--. 1 root root 97 Oct 31 23:38 device-state-1667284682.tgz -rw-r--r--. 1 root root 97 Oct 31 23:39 running-config-1667284741.xml -rw-r--r--. 1 root root 97 Oct 31 23:39 device-state-1667284742.tgz -rw-r--r--. 1 root root 97 Oct 31 23:40 running-config-1667284801.xml -rw-r--r--. 1 root root 97 Oct 31 23:40 device-state-1667284802.tgz -rw-r--r--. 1 root root 97 Oct 31 23:41 running-config-1667284861.xml -rw-r--r--. 1 root root 97 Oct 31 23:41 device-state-1667284862.tgz -rw-r--r--. 1 root root 97 Oct 31 23:42 running-config-1667284921.xml -rw-r--r--. 1 root root 97 Oct 31 23:42 device-state-1667284921.tgz -rw-r--r--. 1 root root 97 Oct 31 23:43 running-config-1667284981.xml -rw-r--r--. 1 root root 97 Oct 31 23:43 device-state-1667284982.tgz -rw-r--r--. 1 root root 97 Oct 31 23:45 running-config-1667285102.xml -rw-r--r--. 1 root root 97 Oct 31 23:45 device-state-1667285102.tgz |
You will notice that both, running-config.xml and device-state.tgz comes with an additional file name before the extension, i.e., device-state-1667285102.tgz. It’s called Epoch Time, and it’s a UNIX-friendly time. You can get the human-readable time using the below command:
1 2 |
[root@IPTrainer paloalto_backup]# date -s @1667285102 Mon Oct 31 23:45:02 PDT 2022 |
Related Articles
- How to add Palo Alto Networks Firewall into Panorama
- How to configure High Availability in Palo Alto Networks Firewall
- How to install Apache Web Server on CentOS 7
Summary
In this article, we have scheduled the automatic configuration backup from the Palo Alto Networks firewall. At first, we took a CentOS server with Cron and Curl packages. Then, we created the shell script to export the backup from the Palo Alto Firewall. Finally, we created a cron job to export the backup.
Hope you like this article. In case you like this article, request you to please share it on social media platforms! In case you get into error, just comment in the comment box!
Support our work:
If you appreciate what we do and would like to contribute to our efforts, we kindly ask you to consider buying us a coffee. Your small donation can go a long way in helping us cover the costs of hosting, maintenance, and further development.
Please consider buying us a coffee ( or 2 ) as a token of appreciation.
We are always thankful for your never-ending support.