I have Panorama 4.0.1 and the Palo Alto devices are on the Pan OS 3.1.4.
Is it still possible to get the PA device backups using Panorama daily config backup schedule option?
I am trying to configure it but I don't see any backups happening. Neither can I see any activity in the system logs for the scheduled backup.
Agree that a scheduler on-box would be nice. However, ssh-key auth is available from 4.1. This means that you can automate backups by adding a cron job on an external box. Simple enough.
Have you had any success with the ssh-key method? We're attempting to do this, but when issuing commands from the remote box, it does not appear that the remote shell is receiving the command. If logging in using regular ssh, it works. Does PA's ssh daemon prevent remote execution? Or am I missing something that can be configured to accomplish this?
Hi, any update here and suggestion?
Where is the running-config.xml path in PANOS?
I use scp on a Linux server, but it fails:
scp abc@paloaltofirewall:/opt/pancfg/mgmt/device-state /home/paloalto_cfg_backup
I tried it but it still seems not to work; here is the result:
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/cpcnet/.ssh/identity
debug1: Trying private key: /home/cpcnet/.ssh/id_rsa
debug1: Offering public key: /home/cpcnet/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending command: scp -v -f /opt/pancfg/mgmt/factory/running-config.xml
It hangs after "debug1: Sending command: scp -v -f /opt/pancfg/mgmt/factory/running-config.xml"
If you install panxapi (part of the PAN-perl package, PAN-perl-20121110.tar.gz) you can do a backup of the configuration this way:
(From 'man panxapi')
Generate an API key.
$ panxapi -l admin:admin -h 172.29.9.122 -k
API key: "0RgWc42Oi0vDx2WRUIUM6A=="
Create a .panrc file with the API key.
$ echo 'hostname=172.29.9.122' >.panrc
$ echo 'api_key=0RgWc42Oi0vDx2WRUIUM6A==' >>.panrc
Retrieve the active configuration and write it to a file.
$ panxapi -srx >fw-backup.xml
Of course this can then be put into a crontab job which automatically does a backup every day.
If you put it into a script you can also script it to put timestamps on the backup files.
This should also work (if you don't want to use .panrc): panxapi -l admin:password -h 172.29.9.122 -srx > fw-backup.xml
Thanks for your suggestion, I will try it today.
By the way, my PAN is 5.0. Where can I download the version you suggested (PAN-perl-20121110.tar.gz)? I can only download an older version.
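Added example (not from the thread or from the PAN-perl package): a cron-ready wrapper around the `panxapi -srx` backup described above that timestamps each file, refuses to run if `.panrc` is accessible to other users, and keeps the backups owner-only. `PANRC_DIR`, the file naming, the `--run` switch and the assumption that panxapi reads `.panrc` from the current directory are assumptions made for this example.

```sh
#!/bin/sh
# Added example: daily PAN-OS config backup through panxapi, for use from cron.
# Assumptions (not from the thread): PANRC_DIR is a hypothetical directory that
# holds the .panrc created as shown above, and panxapi reads .panrc from the
# current directory.
PANRC_DIR="${PANRC_DIR:-$HOME/pan-backup}"

# Succeeds only if the file exists and group/other have no access to it.
panrc_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# backup_fw DEST_DIR
# Writes DEST_DIR/fw-backup-YYYYmmdd-HHMMSS.xml and prints its path.
# Returns non-zero and leaves no partial file behind on failure.
backup_fw() {
    dest="$1"
    if ! panrc_is_private "$PANRC_DIR/.panrc"; then
        echo "refusing: $PANRC_DIR/.panrc is missing or not owner-only" >&2
        return 2
    fi
    umask 077    # the config holds credential hashes: owner-only files
    mkdir -p "$dest" || return 1
    out="$dest/fw-backup-$(date +%Y%m%d-%H%M%S).xml"
    tmp="$out.part"
    # Assumption: a good export is non-empty and has a <config> root element.
    if (cd "$PANRC_DIR" && panxapi -srx) >"$tmp" \
        && [ -s "$tmp" ] && grep -q '<config' "$tmp"; then
        mv "$tmp" "$out" && echo "$out"
    else
        rm -f "$tmp"
        echo "backup failed: panxapi error or output is not a config" >&2
        return 1
    fi
}

# Cron entry point (constructed paths), for example:
#   30 2 * * * /usr/local/bin/pan-backup.sh --run /var/backups/pan
if [ "${1:-}" = "--run" ]; then
    backup_fw "${2:?destination directory required}"
fi
```

Keeping the API key in an owner-only `.panrc` avoids putting `-l admin:password` in a crontab line, where the password would show up in the process list and in the crontab itself.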