Reddit user alphaxion has posted an excellent PowerShell script for backing up Palo Alto Networks firewalls that are not in Panorama
The original post can be found here.
# Define some base variables
$fwHost = "IP address here"
$apiKey = "API key here"
$ageLimit = (Get-Date).AddDays(-90)
# Configure cipher suite to avoid protocol downgrade
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true; } } "@
$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
# Bag the current running configuration
$configURI = "https://" + $fwHost + "/api/?type=export&category=configuration&key=" + $apiKey
$configExport = Invoke-WebRequest -Uri $configURI
# Generate time stamp
$timeStamp = Get-Date -UFormat "%Y%m%d-%H%M"
# Output file
$configExport.Content | Out-File -FilePath "C:\PaloBackups\config-$timeStamp.xml"
# Delete configs older than the defined number of days
Get-ChildItem -Path "C:\PaloBackups" -Exclude *.txt | Where-Object {$_.CreationTime -lt $ageLimit} | Remove-Item -Force