Palo Alto scheduled backups - without Panorama

Fri 08 January 2016

Recently we deployed a Palo Alto VM-200 firewall. It was a stand-alone deployment on a remote site. We were going to deploy a pair, but we didn't see how much value it added as the VM-series firewalls do support HA but not stateful HA.

As it was stand-alone, it wasn't managed by Panorama. And without Panorama management, it is seemingly not very straightforward to enable scheduled automated backups. This seems odd to me - in my paranoid world of engineering, I want things backing up somewhere regularly. Maybe it's just something to make you buy Panorama.

Anyway, there is a way to do it. We used a general purpose management Linux box, and set up a cron job to download the config using the XML API. Here are the details.

First, if you don't use the API already, you need to generate an API key. This is basically your "password" for using the API. Go to the following URL:

Obviously, swap in your own IP, username and password.

That should give you an XML response like this:

<response status="success">

Now you can get a full config backup via the API, by visiting the following URL:

This will dump out an XML configuration file.

So now that we have a means to get the config file, we just need to schedule it. To do that, we set up a cron job on a Linux server to run the following command:

curl -o /backups/`date +%Y%m%d`-my_firewall_backup.xml  -k -H "Accept: application/xml" -H "Content-Type: application/xml" -X GET ""

Set it to run whenever you like - I think we went for weekly as we don't change it very much.
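
A hardened form of the cron job above, as an added example that is not part of the original post: it verifies the firewall's certificate instead of using -k, keeps the API key out of the crontab and the process list, and refuses to keep a download that is not a complete config export. The host name, file paths and the "run" argument are assumptions, and the type=export / category=configuration request is the PAN-OS XML API's documented config export rather than a URL taken from this page.

```shell
#!/bin/sh
# Added example, not the post's own script. Host and file paths are hypothetical.
FW_HOST="${FW_HOST:-fw.example.internal}"      # placeholder firewall address
KEY_FILE="${KEY_FILE:-/etc/fw-backup/api.key}" # API key in a 0600 file, not in the crontab
CA_FILE="${CA_FILE:-/etc/fw-backup/fw-ca.pem}" # CA that signed the firewall cert (instead of -k)
BACKUP_DIR="${BACKUP_DIR:-/backups}"

# Succeed only if the file's root element is <config> and the document is complete.
# An API failure comes back as a <response ...> document, which curl -o would
# otherwise save under the backup's name.
is_config_export() {
    [ -s "$1" ] || return 1
    root=$(sed 's/<?xml[^>]*?>//' "$1" | grep -o '<[A-Za-z][A-Za-z0-9_-]*' | head -n 1)
    [ "$root" = "<config" ] || return 1
    grep -q '</config>' "$1"            # a truncated download has no closing tag
}

fetch_backup() {
    umask 077                           # the export contains password hashes and keys
    out="$BACKUP_DIR/$(date +%Y%m%d)-my_firewall_backup.xml"
    tmp=$(mktemp "$BACKUP_DIR/.fwbackup.XXXXXX") || return 1
    # The key goes to curl through a config on stdin, so it never shows up in
    # the process list or the crontab.
    printf 'data-urlencode = "key=%s"\n' "$(cat "$KEY_FILE")" |
        curl --silent --show-error --fail --cacert "$CA_FILE" --get \
             --data "type=export" --data "category=configuration" \
             --config - --output "$tmp" "https://$FW_HOST/api/" ||
        { rm -f "$tmp"; return 1; }
    if is_config_export "$tmp"; then
        mv "$tmp" "$out"                # rename only after validation
    else
        rm -f "$tmp"
        echo "backup rejected: response is not a complete config export" >&2
        return 1
    fi
}

# Run from cron as: /usr/local/bin/fw-backup.sh run   (hypothetical install path)
if [ "${1:-}" = "run" ]; then
    fetch_backup
fi
```

Calling a script from cron also sidesteps the crontab rule that an unescaped % in a command line is treated as a newline, which affects the inline date +%Y%m%d form.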
