Feature Request - Automatic Configuration Backup

L0 Member

Hi,

I have Panorama 4.0.1 and the Palo Alto devices are on the Pan OS 3.1.4.

Is it still possible to get the PA device backups using Panorama daily config backup schedule option?

I am trying to configure it but I don't see any backups happening. Neither can I see any activity in the system logs for the scheduled backup.

L1 Bithead

Will this feature be implemented in PAN directly instead of Panorama? I think it would be great to have a feature like this; many customers ask for this indeed.

Not applicable

We would like to have this on the shell, not Panorama.

On others we do it with ssh and authorized_keys (e.g. F5, Juniper, ...).

L3 Networker

Agree that a scheduler on-box would be nice. However, ssh-key auth is available from 4.1. This means that you can automate backups by adding a cron job on an external box. Simple enough.

L0 Member

Have you had any success with the ssh-key method? We're attempting to do this, but when issuing commands from the remote box, it appears the remote shell is not receiving the command. If logging in using regular ssh, it works. Does PA's ssh daemon prevent remote execution? Or am I missing something that can be configured to accomplish this?

L1 Bithead

Hi, any update here or suggestion?

Where is the running-config.xml path in PAN-OS?

I use scp on a Linux server, but it fails:

scp abc@paloaltofirewall:/opt/pancfg/mgmt/device-state /home/paloalto_cfg_backup

L5 Sessionator

Here is the path for the running config:

/opt/pancfg/mgmt/factory/running-config.xml

L1 Bithead

Tried it but it still seems not to be working; here is the result:

    ................
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/cpcnet/.ssh/identity
    debug1: Trying private key: /home/cpcnet/.ssh/id_rsa
    debug1: Offering public key: /home/cpcnet/.ssh/id_dsa
    debug1: Server accepts key: pkalg ssh-dss blen 434
    debug1: read PEM private key done: type DSA
    debug1: Authentication succeeded (publickey).
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    debug1: Sending command: scp -v -f /opt/pancfg/mgmt/factory/running-config.xml

It hangs after "debug1: Sending command: scp -v -f /opt/pancfg/mgmt/factory/running-config.xml"

Any idea?

L4 Transporter

Hello,

If you install panxapi (part of the PAN-perl package, PAN-perl-20121110.tar.gz) you can do a backup of the configuration this way:

(From 'man panxapi')

       Generate an API key.

          $ panxapi -l admin:admin -h 172.29.9.122 -k
          keygen: success
          API key: "0RgWc42Oi0vDx2WRUIUM6A=="

       Create a .panrc file with the API key.

          $ echo 'hostname=172.29.9.122' >.panrc
          $ echo 'api_key=0RgWc42Oi0vDx2WRUIUM6A==' >>.panrc

       Retrieve the active configuration and write it to a file.

          $ panxapi -srx >fw-backup.xml
          show: success

Of course this can then be put into a crontab job which automatically does a backup every day.

If you put it into a script you can also script it to put timestamps on the backup files.

This should also work (if you don't want to use .panrc): panxapi -l admin:password -h 172.29.9.122 -srx > fw-backup.xml

/Jo Christian
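
Added example, not part of the original thread or of PAN-perl: one way to wrap the `panxapi -srx` step from the post above for cron, with timestamped file names, owner-only permissions, a fail-closed check on the fetched output, and pruning of old backups. `BACKUP_DIR`, `KEEP`, `FETCH_CMD` and `pan_backup` are names invented here, and the check assumes the retrieved configuration contains a line beginning with `<`.

```shell
#!/bin/sh
# Added example, not part of PAN-perl: daily config backup wrapper for cron.
# Assumes panxapi is on PATH and reads hostname/api_key from .panrc as in the
# post above. BACKUP_DIR, KEEP and FETCH_CMD are names invented for this sketch.
BACKUP_DIR="${BACKUP_DIR:-$HOME/pan-backups}"
KEEP="${KEEP:-30}"                       # how many backups to retain
FETCH_CMD="${FETCH_CMD:-panxapi -srx}"   # command from the post; override to test

pan_backup() (
    # Subshell body: the umask change and any exit stay local to this call.
    umask 077    # the config carries password hashes and other secrets
    mkdir -p "$BACKUP_DIR" || exit 1
    tmp=$(mktemp "$BACKUP_DIR/.fw-backup.XXXXXX") || exit 1
    out="$BACKUP_DIR/fw-backup-$(date -u +%Y%m%dT%H%M%SZ).xml"

    # Fail closed: an error, empty output, or output with no XML-looking line
    # must not leave behind a file that passes for a good backup.
    if ! $FETCH_CMD >"$tmp" || [ ! -s "$tmp" ] ||
       ! grep -q '^[[:space:]]*<' "$tmp"; then
        rm -f "$tmp"
        echo "pan_backup: fetch failed or returned no XML" >&2
        exit 1
    fi
    mv "$tmp" "$out" || exit 1   # rename within one directory: no partial files

    # UTC timestamps sort chronologically, so everything after the newest
    # $KEEP names is old enough to delete.
    ls -1 "$BACKUP_DIR"/fw-backup-*.xml | sort -r | tail -n +"$((KEEP + 1))" |
        while IFS= read -r old; do rm -f -- "$old"; done
    echo "$out"
)

# Run only when asked, e.g. from crontab:  15 2 * * * /path/to/this-script run
if [ "${1:-}" = "run" ]; then pan_backup >/dev/null; fi
```

Keeping the API key in a `.panrc` readable only by the backup user avoids putting `admin:password` on the command line, where it is visible in the process list and shell history.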
Not applicable

Hi Christian,

Thanks for your suggestion, I will try it today.

By the way, my PAN is 5.0; where can I download the version you suggested (PAN-perl-20121110.tar.gz)? I can only download an older version.

Thanks,

Paul
