Learn how to back up your Palo Alto configuration with PowerShell (or another scripting language).
Backing up your firewall configuration is a crucial step for disaster recovery. Your Palo Alto saves its configuration regularly, but those files are still stored on the appliance itself. Keeping a copy on another system lets your organization recover quickly from the loss of your Palo Alto hardware.
This tutorial shows how to back up your config with PowerShell, but it works with any other scripting language too. All you have to do is replace the last command with the equivalent command from your environment (like curl on Linux systems).
Step 1: Create backup user
The first step is to create a backup user.
Open your administrative interface and log on. Go to Device and then Administrators. Click Add to add another user.
Name it backup, or something matching your naming conventions, give it a strong password and assign the type Device administrator (read-only), as this user will not change anything on the device.
Step 2: Generate API key
Open a web browser and open the following URL:
https://<Palo Alto IP or hostname>/api/?type=keygen&user=<backup user>&password=<password of the backup user>
This creates an API key for that user:
Copy it.
Step 3: Test download command
To download the configuration file, you need a command that fetches a file from a web resource. I will use the Invoke-WebRequest cmdlet, as the config files should not be too large for this rather slow command.
The example will download the config from your Palo Alto appliance using the API key from step 2 and store it in the file c:\backup\PaloAltoConfig.xml:
Invoke-WebRequest -Uri "https://MyPaloAlto/api/?type=export&category=configuration&key=ABCDEFGHIJKLMOPQRSTUVWXYZABCDEFGHIJKLMOPQRSTUVWXYZABCDEFGHIJKLMOPQRSTUVWXYZABCDEFGHIJKLMOPQRSTUVWXYZABCDEFGHIJKLMOPQRSTUVWXYZABCDEFG" -OutFile "c:\backup\PaloAltoConfig.xml"
If you are using another language or another OS, just find the equivalent command for downloading files from URLs, such as curl.
Step 4: Enhance and schedule
The last step is to put that test command into a proper script and schedule it. Define a folder where your script (e.g. c:\scripts) and your backup files (e.g. d:\backup) will be stored.
I want my configuration to be saved daily with the current date in the file name. So my script looks like:
# Date stamp used in the file name, e.g. 2024-01-31
$Date = Get-Date -format "yyyy-MM-dd"
# Export the running configuration with the API key from step 2 and store it under today's date
Invoke-WebRequest -Uri "https://MyPaloAlto/api/?type=export&category=configuration&key=ABCDEFGHIJKLMOPQRSTUVWXYZABCDEFGHIJKLMOPQRSTUVWXYZABCDEFGHIJKLMOPQRSTUVWXYZABCDEFGHIJKLMOPQRSTUVWXYZABCDEFGHIJKLMOPQRSTUVWXYZABCDEFG" -OutFile "c:\backup\$Date.xml"
Save this script to d:\scripts\Backup-PaloAlto-Config.ps1.
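The script above hard-codes the API key, which grants everything the backup user may do, and a failed export still leaves an XML error document in the backup folder that looks like a backup at a glance. The following is an added example, not the article's own script: it reads the key from a separate NTFS-protected file (assumed path C:\scripts\paloalto.key), sends it in the X-PAN-KEY request header instead of the URL so it does not end up in proxy logs, verifies that the downloaded document really is a <config> export, and prunes backups older than 30 days. The firewall address https://MyPaloAlto and the folder D:\backup are assumptions.

```powershell
# Added example: hardened variant of the daily backup script.
# Assumptions: key file C:\scripts\paloalto.key (one line, ACL restricted to the
# task account), firewall https://MyPaloAlto, backups in D:\backup, 30 days kept.
$Firewall  = "https://MyPaloAlto"
$KeyFile   = "C:\scripts\paloalto.key"
$BackupDir = "D:\backup"
$KeepDays  = 30

# Keep the key out of the script so the script can be shared and the key rotated separately.
$ApiKey = (Get-Content -Path $KeyFile -Raw).Trim()

$Date    = Get-Date -Format "yyyy-MM-dd"
$OutFile = Join-Path $BackupDir "PaloAltoConfig-$Date.xml"

# Same export call as in the article, but the key travels in the X-PAN-KEY header
# rather than in the query string.
$Uri = "$Firewall/api/?type=export&category=configuration"
try {
    Invoke-WebRequest -Uri $Uri -Headers @{ "X-PAN-KEY" = $ApiKey } -OutFile $OutFile -ErrorAction Stop
} catch {
    Write-Error "Download failed: $($_.Exception.Message)"
    exit 1
}

# A rejected request returns a small <response status="error"> document, not a config.
# Only accept the file as a backup if its root element is <config>.
[xml]$Doc = Get-Content -Path $OutFile -Raw
if ($Doc.DocumentElement.Name -ne "config") {
    $Snippet = $Doc.OuterXml.Substring(0, [Math]::Min(200, $Doc.OuterXml.Length))
    Write-Error "Unexpected response (not a config export): $Snippet"
    Remove-Item -Path $OutFile
    exit 1
}

# Retention: remove backups older than $KeepDays so the folder does not grow forever.
Get-ChildItem -Path $BackupDir -Filter "PaloAltoConfig-*.xml" |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item

Write-Output "Saved $OutFile ($((Get-Item $OutFile).Length) bytes)"
```

The exported XML contains password hashes and other secrets of the firewall, so the backup folder needs the same access restrictions as the key file.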
Now add this script to a scheduled task:
Name it so the purpose of your script is clear. I use the name Backup Palo Alto Config. Use a user name with appropriate permissions to access the network and permissions to store files.
The trigger can be daily or any interval you like to use.
As action use Start a program. The program is powershell.exe. For arguments, start by bypassing the execution policy (if you do not sign your scripts) with -ExecutionPolicy Bypass, followed by your script path.
Save your task and try running it. You should find a new XML file with the current date in your backup location.