
Feature Request - Automatic Configuration Backup


L4 Transporter

Hi all,

Please add a feature to allow automatic and scheduled (daily, weekly, monthly) configuration backups to be made to a local HD or a remote FTP/TFTP/SCP server.

Kind regards

Roland

21 REPLIES

L5 Sessionator

In 4.0 you will have the ability to do a configuration export from Panorama. The feature is a daily export based on a 24-hour entry using FTP. The archive is a TGZ of all managed devices' configs in XML format plus the Panorama config.

In general, feature requests should be made through your local Sales Engineer who will lobby for their implementation.     

I would like to see this feature on a box level not in panorama. Not all customers have panorama and panorama is not free...

Customers compare features with PAN and what they have right now and automatic backups are missing in PAN.

In that case, you do have the option to use the XML API - with an off box scheduler to get the configuration

Thanks

James

I have been reading about this possibility, but that's too complicated compared to what the competition offers...

Roland

Automatic backups are RELEVANT, not optional, especially in an MSP, where there are hundreds of different technologies.

This is the first question a prospect asks me when I go to explain PAN strengths.

The XML API cannot always be the solution for every simple and fundamental task that competitors offer as a basic feature.

I hope you consider this as a feature that could be introduced in next (minor) release.

Thanks.

That is correct - configuration backups are indeed important. Hence the offer of another alternative in the meantime :)

Please contact your local Palo Alto Networks sales team in order to file the feature request.

Many Thanks for your continued feedback

James

I have forwarded the feature request to the local SE. So far no reply... I hope it's not diverted to /dev/null... or can I track the feature requests somewhere?

Roland

Your SE can and will track this and all feature requests and be able to lobby for those most frequently requested by customers.

The REST API is actually pretty simple to implement for getting a copy of the configuration.

#!/bin/sh
#
# Get a copy of the PAN firewall configuration using the REST API.
# This works with curl, but not wget. Create the contents of the key
# file by going to
#   https://${HOST1}/esp/restapi.esp?type=keygen&user=${USER}&password=${PW}
# and using administrator credentials for USER and PW (password).
# The key file just needs the key, not the entire XML output of keygen.
#
HOST1=pafw1.example.com
HOST2=pafw2.example.com
KEY=$(cat pafw.key)
DATE=$(date +%Y%m%d)
#
URL1="https://${HOST1}/esp/restapi.esp?type=config&action=show&key=${KEY}"
URL2="https://${HOST2}/esp/restapi.esp?type=config&action=show&key=${KEY}"
# Print the hosts only: the full URLs contain the API key.
echo "Fetching configuration from ${HOST1} and ${HOST2}"
#
# --insecure skips TLS certificate verification.
curl --output "${HOST1}.${DATE}.xml" --insecure "$URL1"
curl --output "${HOST2}.${DATE}.xml" --insecure "$URL2"
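
The script above keeps whatever curl receives, including an API error document or a download that was cut short. The following is an added example, not part of the original post or any vendor tooling: a hypothetical `store_backup` helper that checks the file before filing it, stores it with owner-only permissions and prunes old copies. It assumes a successful reply is one XML document that opens with `<response status="success">` and ends with `</response>`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: a successful reply is one
# XML document that opens with <response status="success"> and ends with
# </response>.

# store_backup SRC DIR HOST KEEP
# Validate the downloaded file SRC, store it as DIR/HOST.YYYYMMDD.xml readable
# only by its owner, then delete all but the newest KEEP backups of HOST.
store_backup() {
    src=$1; dir=$2; host=$3; keep=$4

    # An empty file, an HTML login page or an API error is not a backup.
    [ -s "$src" ] || { echo "$host: empty download" >&2; return 1; }
    head -c 512 "$src" | grep -q '<response[^>]*status="success"' || {
        echo "$host: API did not report success" >&2; return 1; }
    # A transfer cut off part-way lacks the closing root tag.
    tail -c 64 "$src" | grep -q '</response>' || {
        echo "$host: download looks truncated" >&2; return 1; }

    dest="$dir/$host.$(date +%Y%m%d).xml"
    tmp="$dest.part"
    # The export describes the whole rule base and can include credential
    # hashes: create it 0600 from the start, then rename it into place so a
    # reader never sees a partial file.
    ( umask 077 && mkdir -p "$dir" && rm -f "$tmp" && cat "$src" > "$tmp" ) \
        || return 1
    mv -f "$tmp" "$dest" || return 1

    # File names sort by date; drop everything after the newest KEEP.
    d='[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
    ls -1 "$dir/$host".$d.xml 2>/dev/null | sort -r |
        tail -n +"$((keep + 1))" |
        while IFS= read -r old; do rm -f "$old"; done
    printf '%s\n' "$dest"
}
```

A rejected download returns before the pruning step, so a run of failed fetches never deletes the last good backups.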

Hi,

I have Panorama 4.0.1 and the Palo Alto devices are on the Pan OS 3.1.4.

Is it still possible to get the PA device backups using Panorama daily config backup schedule option?

I am trying to configure it but I don't see any backups happening. Neither can I see any activity in the system logs for the scheduled backup.

Will this feature be implemented in PAN directly instead of Panorama? I think it would be great to have a feature like this; many customers ask for this indeed.

We would like to have this on shell, not panorama.

On others we do it with ssh and authorized_keys (e.g. F5, Juniper, ...)

L3 Networker

Agree that a scheduler on-box would be nice. However, ssh-key auth is available from 4.1. This means that you can automate backups by adding a cron job on an external box. Simple enough.

Have you had any success with the ssh-key method? We're attempting to do this, but when issuing commands from the remote box, it appears the remote shell is not receiving the command. If logging in using regular ssh, it works. Does PA's ssh daemon prevent remote execution? Or am I missing something that can be configured to accomplish this?
