
Firewall AutoBackup

This document provides instructions on how to automatically back up the configuration file of a Palo Alto firewall. It describes how to:
1. Access the firewall using its XML API by generating an API key.
2. Retrieve the running configuration file using an HTTPS GET request with CURL, saving it to a file.
3. Automate the process by creating a batch file to run the CURL command periodically, scheduling it to run using the Windows Task Scheduler.

Uploaded by Mubashir Farooq

PaloAlto Automated Configuration Backup Document
Table of Contents
Overview
Access the firewall using XML API:
Retrieve the running config file using a HTTPS GET:
Automate the log export process:
Run a batch file at a specific time in Windows 8 and 10
Run a batch file at a specific time in Windows Vista and 7

This document can be very helpful to export and backup the config file to an external
location for safe keeping.

Overview

1. Access the firewall using XML API:
   • Set up the firewall for API access by generating an API key.
   • Save the API key, then add it to the HTTPS query in the next step.
2. Retrieve the running config file using a HTTPS GET:
   • To run an HTTPS GET from the command prompt, use CURL for Windows. For Linux hosts, it might be built-in.
   • Then save the retrieved config to a file.
3. Automate the log export process:
   • Add the commands from the above steps to a batch file (or a script for Linux hosts).
   • Then run the batch file on a server which will be always-on.
   • Create a job in Windows Scheduler (or a CRON job on a Linux server) to call that batch file periodically.

Access the firewall using XML API:

To access the firewall using the XML API, we need to generate the API key first. To generate it, request the following URL:

https://<firewall-ip>/api/?type=keygen&user=<username>&password=<password>

The response should be an XML document with the API key printed as below:

Save the API key somewhere safe. It is like a password.

Retrieve the running config file using a HTTPS GET:

Since the Windows command line does not support HTTPS requests, we have to use CURL for Windows to do an HTTPS GET to fetch the running configuration.

Note: CURL for Windows can be downloaded from:

https://curl.haxx.se/download.html

(OR)

http://winampplugins.co.uk/curl/

Download and extract CURL to a folder. If the CURL command should be accessible from any folder, add the extracted CURL folder to PATH under Environment variables.

The page below explains how to add a folder to PATH in detail:

https://java.com/en/download/help/path.xml

Now for the HTTPS request to retrieve the running config from the firewall.

The URL below should print the config file when opened in a browser:

https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>

To capture the config XML to a file, we have to retrieve the HTTPS URL using CURL. The command is as below (this should be run from the server):

> curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>" > running-config.xml

The above command, when run from the command line, will create a file named running-config.xml in the folder from which the command was run.

Note: If CURL's extracted path isn't added to the PATH, then the command should be run from the folder where CURL was extracted.

Automate the log export process:

Now that we have the command to fetch the running config in XML format, we can
create a batch file and then call that in Windows Scheduler. Scheduling it on a server
which is always on would be a good idea.

Contents of the batch file:

cd\
cd curl\bin
curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>" > c:\running-config.xml

To Append Date to the Config File Name:

curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>" > c:\running-config_%date%.xml

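Note:

• This is assuming that CURL has been extracted to the C drive's root.
• The config file will be saved to the C drive itself.
• Replace <api_key> with the key obtained in the previous step.
• %date% expands to the regional short-date format of the account running the task. If that format contains / or spaces, the file name will be wrong or the redirect will fail, so check the format on the server first.

Follow the instructions below to run the batch file periodically (for example, every night at 1 A.M.).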

Often, batch files are created to perform specific tasks, such as cleaning up a directory,
copying certain files, etc. You may need to run a batch file at a specific time or at a
certain time every day. Below is additional information about how to do this.

Run a batch file at a specific time in Windows 8 and 10

1. Click Start
2. Type Task and then click Task Scheduler

Once the Task Scheduler is open, you can create a custom task by clicking Create
Basic Task, opening a wizard that walks you through the process. Select the program to
execute, how often to run it, and when.

Run a batch file at a specific time in Windows Vista and 7

Starting with Windows Vista, Microsoft has included the Task Scheduler, a software
program designed to run any program, including batch files, at any time or any schedule
you desire. To run Task Scheduler, follow the steps below.

1. Click Start
2. Type Task and then click Task Scheduler

or

1. Click Start
2. Click All Programs
3. Click Accessories > System Tools > Task Scheduler

Once the Task Scheduler is open, you can create a custom task by clicking Create
Basic Task, opening a wizard that walks you through the process. Select the program to
execute, how often to run it, and when.
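
For the Linux host and CRON variant mentioned in the overview, the script below is an added example, not part of the original document. It makes the same export request, but verifies the firewall's certificate instead of using -k, reads the API key from a protected curl config file, and keeps the download only if it is a configuration rather than an API error document, which a plain redirect would save as if it were a backup. The paths, variable names and function names are hypothetical, and the check assumes a successful export has a <config> root element.

```shell
#!/bin/sh
# Added example, not from the original document. FW, CA, KEYCFG, DEST and the
# function names are hypothetical; adjust them to the host running the job.
FW="${FW:-192.168.1.1}"                         # firewall address used on the page
CA="${CA:-/etc/pan-backup/firewall-ca.pem}"     # certificate to trust instead of -k
KEYCFG="${KEYCFG:-/etc/pan-backup/key.curlrc}"  # chmod 600; holds one line:
                                                #   data-urlencode = "key=<api_key>"
DEST="${DEST:-/var/backups/pan}"

# True only if FILE is non-empty and its first element is <config>.
# Assumption: a successful export has a <config> root, while an API error
# (bad key, missing permission) arrives as a <response ...> document.
is_config_export() {
    [ -s "$1" ] || return 1
    root=$(grep -o '<[A-Za-z][A-Za-z0-9_.-]*' "$1" | head -n 1)
    [ "$root" = "<config" ]
}

# Same request as the page's curl command, but with TLS verification on and
# the key read from KEYCFG so it is not in the script or the process list.
fetch_config() {    # $1 = output file
    curl --fail --silent --show-error --max-time 60 \
         --cacert "$CA" --config "$KEYCFG" --get \
         --data-urlencode "type=export" \
         --data-urlencode "category=configuration" \
         --output "$1" "https://$FW/api/"
}

# Fetch to a temp file, keep it only if it validates, print the final path.
backup_once() {
    umask 077       # backup is readable by the job's user only
    mkdir -p "$DEST" || return 1
    tmp=$(mktemp "$DEST/.fetch.XXXXXX") || return 1
    if fetch_config "$tmp" && is_config_export "$tmp"; then
        out="$DEST/running-config_$(date +%Y%m%d-%H%M%S).xml"
        mv "$tmp" "$out" && echo "$out"
    else
        rm -f "$tmp"
        echo "backup failed: transfer error or non-config response" >&2
        return 1
    fi
}

# Cron entry (constructed): 0 1 * * * /usr/local/bin/pan-backup.sh run
if [ "${1:-}" = "run" ]; then backup_once; fi
```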
