====== PAN-OS API Backup Firewall Configuration ======
Palo Alto Networks has a document on configuration export [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm7yCAC|here]].
=====Windows Batch File=====
<code dos>
:: This is a Windows Batch script that can be used to extract a backup of the configuration file from a Palo Alto Networks firewall.
:: For this script to work, you will need an API key for the firewall. Generate the API key with the following request:
:: https://FIREWALL_1_IP/api/?type=keygen&user=XML_USERNAME_HERE&password=XML_PASSWORD_HERE
@echo off
SET FW_KEY=API_KEY
:: Firewall IP or FQDN
SET FIREWALL_NAME=10.1.1.1
SET FILENAME=FW_1.xml
:: Set CURL URL (quoting the whole assignment keeps the & characters literal)
SET "URL=https://%FIREWALL_NAME%/api/?type=export&key=%FW_KEY%&category=configuration"
:: Set CURL Command
:: --insecure skips TLS certificate verification; once the firewall presents a
:: certificate from a trusted CA, drop it or point curl at the CA with --cacert
SET CURL_COMMAND=curl --insecure -o %FILENAME% -g -s -X GET "%URL%"
ECHO Starting configuration export from %FIREWALL_NAME% ...
%CURL_COMMAND%
ECHO Finished configuration export from %FIREWALL_NAME%
</code>
=====PowerShell Scripting=====
The template I used for starting PowerShell scripting came from James Preston of ANSecurity (https://www.ansecurity.com).
His scripts can be found [[https://github.com/jamesfed/BackupPANNGFWConfig|here]].
Reddit user alphaxion has posted an excellent PowerShell script for backing up Palo Alto Networks firewalls that are not in Panorama.
The original post can be found [[https://www.reddit.com/r/paloaltonetworks/comments/ag7xoh/tips_and_tricks_for_nonpanorama_users/|here]].
<code powershell>
# Define some base variables
$fwHost = "IP address here"
$apiKey = "API key here"
$ageLimit = (Get-Date).AddDays(-90)
# Accept whatever certificate the firewall presents (typically self-signed).
# This turns off certificate validation for the whole PowerShell session.
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
# Restrict the connection to TLS 1.2 to avoid protocol downgrade
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
# Bag the current running configuration
$configURI = "https://" + $fwHost + "/api/?type=export&category=configuration&key=" + $apiKey
$configExport = Invoke-WebRequest -Uri $configURI
# Generate time stamp
$timeStamp = Get-Date -UFormat "%Y%m%d-%H%M"
# Output file
$configExport.Content | Out-File -FilePath "C:\PaloBackups\config-$timeStamp.xml"
# Delete configs older than the defined number of days
Get-ChildItem -Path "C:\PaloBackups" -Exclude *.txt | Where-Object {$_.CreationTime -lt $ageLimit} | Remove-Item -Force
</code>
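
The batch script runs curl with ''-s -o'' and never checks what came back, so an API error body or a truncated download would be saved as the backup file. The following check is an added example, not part of the original scripts: the function name ''Test-PanConfigBackup'', the temp directory and the sample XML are constructed, and it assumes an exported configuration has the root element ''<config>'' while API errors arrive as ''<response status="error">''.

```powershell
# Added example (not from the original scripts). Function name, paths and sample XML are constructed.
function Test-PanConfigBackup {
    param([Parameter(Mandatory)][string]$Path)
    $result = [ordered]@{ Path = $Path; Valid = $false; Reason = ''; Sha256 = $null }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.Reason = 'file missing'
        return [pscustomobject]$result
    }
    # Prohibit DTDs and external resolution so a tampered file cannot trigger entity expansion.
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $settings.XmlResolver = $null
    $settings.CloseInput = $true   # closing the reader also closes the file stream
    $doc = New-Object System.Xml.XmlDocument
    $reader = $null
    try {
        $stream = [System.IO.File]::OpenRead((Resolve-Path -LiteralPath $Path).ProviderPath)
        $reader = [System.Xml.XmlReader]::Create($stream, $settings)
        $doc.Load($reader)
    } catch {
        $result.Reason = "not well-formed XML: $($_.Exception.Message)"
        return [pscustomobject]$result
    } finally {
        if ($reader) { $reader.Close() }
    }
    $root = $doc.DocumentElement
    if ($root.Name -eq 'response') {
        # The API's reply envelope was saved in place of the configuration
        $result.Reason = "API response saved: status=$($root.GetAttribute('status')) code=$($root.GetAttribute('code'))"
    } elseif ($root.Name -ne 'config') {
        $result.Reason = "unexpected root element <$($root.Name)>"
    } else {
        $result.Valid = $true
        $result.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    return [pscustomobject]$result
}

# Constructed sample files: a plausible export, a saved API error, a truncated download
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'pan-backup-check'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'good.xml') -Value '<config version="0.0.0"><devices/></config>'
Set-Content -Path (Join-Path $dir 'error.xml') -Value '<response status="error" code="403"><result><msg>constructed</msg></result></response>'
Set-Content -Path (Join-Path $dir 'truncated.xml') -Value '<config version="0.0.0"><devices>'
Get-ChildItem -Path $dir -Filter *.xml |
    ForEach-Object { Test-PanConfigBackup -Path $_.FullName } |
    Format-List Path, Valid, Reason, Sha256
```

Running the check before the 90-day cleanup step keeps a run of failed exports from aging out the last good configuration unnoticed.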