PAN-OS API Backup Firewall Configuration
Palo Alto Networks has a document on configuration export here.
Windows Batch File
:: This is a Windows Batch script that can be used to extract a backup of the configuration file from a Palo Alto Networks firewall.
:: For this script to work, you will need an API key for the firewall. Generate the API key with the following request:
:: https://FIREWALL_1_IP/api/?type=keygen&user=XML_USERNAME_HERE&password=XML_PASSWORD_HERE
@echo off
SET FW_KEY=API_KEY
:: Firewall IP or FQDN
SET FIREWALL_NAME=10.1.1.1
SET FILENAME=FW_1.xml
:: Set CURL URL (each ^ escapes the & that follows it so the batch parser keeps it in the value)
SET URL=https://%FIREWALL_NAME%/api/?type=export^&key=%FW_KEY%^&category=configuration
:: Set CURL Command
:: --insecure skips TLS certificate verification; drop it once the firewall presents a certificate this host trusts
SET CURL_COMMAND=curl --insecure -o %FILENAME% -g -s -X GET "%URL%"
ECHO Starting configuration export from %FIREWALL_NAME% ...
%CURL_COMMAND%
ECHO Finished configuration export from %FIREWALL_NAME%
PowerShell Scripting
The template I used for starting PowerShell scripting came from James Preston of ANSecurity (https://www.ansecurity.com).
His scripts can be found here.
Reddit user alphaxion has posted an excellent PowerShell script for backing up Palo Alto Networks firewalls that are not in Panorama.
The original post can be found here.
# Define some base variables
$fwHost = "IP address here"
$apiKey = "API key here"
$ageLimit = (Get-Date).AddDays(-90)
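# Force TLS 1.2 so the connection cannot be negotiated down to SSLv3 or early TLS
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
# Accept whatever certificate the firewall presents (for example a self-signed one).
# This turns off certificate validation for every request made in this session.
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy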
# Bag the current running configuration
$configURI = "https://" + $fwHost + "/api/?type=export&category=configuration&key=" + $apiKey
$configExport = Invoke-WebRequest -Uri $configURI
# Generate time stamp
$timeStamp = Get-Date -UFormat "%Y%m%d-%H%M"
# Output file
$configExport.Content | Out-File -FilePath "C:\PaloBackups\config-$timeStamp.xml"
# Delete configs older than the defined number of days
Get-ChildItem -Path "C:\PaloBackups" -Exclude *.txt | Where-Object {$_.CreationTime -lt $ageLimit} | Remove-Item -Force
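The script above saves whatever the firewall returns and then prunes by age, so a rejected API key would store an error response as a "backup" while the good copies age out. The following is an added example, not part of the original post or of James Preston's templates, that checks the export before saving or pruning. It assumes PAN-OS 9.0 or later (for the X-PAN-KEY header) and a firewall certificate the host already trusts; the names Test-PanConfigExport and $minKeep and the placeholder values are hypothetical.

```powershell
# Added example; placeholder values and the names Test-PanConfigExport and $minKeep are assumptions.
$ErrorActionPreference = 'Stop'
$fwHost    = "FIREWALL_IP_OR_FQDN"   # placeholder
$apiKey    = "API_KEY"               # placeholder
$backupDir = "C:\PaloBackups"
$ageLimit  = (Get-Date).AddDays(-90)
$minKeep   = 5                       # assumption: newest backups that are never pruned

function Test-PanConfigExport {
    # True only if the file is well-formed XML whose root element is <config>.
    # A rejected request comes back as <response status="error">, which is not a backup.
    param([string]$Path)
    $xml = New-Object System.Xml.XmlDocument
    $xml.XmlResolver = $null         # do not resolve external entities or DTDs
    try { $xml.Load($Path) } catch { return $false }
    return ($null -ne $xml.DocumentElement -and $xml.DocumentElement.Name -eq 'config')
}

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# Send the key in the X-PAN-KEY header so it does not appear in the request URL.
$uri     = "https://$fwHost/api/?type=export&category=configuration"
$tmpFile = Join-Path $backupDir "export.tmp"
Invoke-WebRequest -Uri $uri -Headers @{ 'X-PAN-KEY' = $apiKey } -UseBasicParsing -OutFile $tmpFile

if (-not (Test-PanConfigExport -Path $tmpFile)) {
    Remove-Item -LiteralPath $tmpFile -Force
    throw "Export from $fwHost is not a <config> document; nothing saved, nothing pruned."
}

$timeStamp = Get-Date -Format "yyyyMMdd-HHmm"
$outFile   = Join-Path $backupDir "config-$timeStamp.xml"
Move-Item -LiteralPath $tmpFile -Destination $outFile -Force
# Store a SHA-256 beside the backup so later truncation or modification can be detected.
(Get-FileHash -LiteralPath $outFile -Algorithm SHA256).Hash | Set-Content -Path "$outFile.sha256"

# Prune only after a verified export, and never touch the newest $minKeep backups.
Get-ChildItem -Path $backupDir -Filter "config-*.xml" |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Skip $minKeep |
    Where-Object { $_.LastWriteTime -lt $ageLimit } |
    ForEach-Object {
        Remove-Item -LiteralPath $_.FullName, "$($_.FullName).sha256" -Force -ErrorAction SilentlyContinue
    }
```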
