Using Netsight to backup Palo Alto firewalls configuration

  • Question
  • Updated 3 years ago
  • Answered
Has anyone used Netsight to set up the automatic backup of Palo Alto firewall configuration files? If so, would you be willing to provide setup instructions?

Thanks

Ben Parker


Posted 3 years ago


Thomas, Frank, Employee

Official Response
Hi,
We use Inventory Manager to back up PA firewalls here in corporate.

This is the script we use; copy and paste this into a text file. Take these script files, save them in a text file, and place them in the following path (if using Linux-based Netsight):
/NetSight/appdata/InventoryMgr/properties/devicefiles.



-- This script shows how the pre-script and post-script sections of the DeviceFamilyDefinition file can be used.
-- This is only an example and not intended for use beyond that.
--
name="Palo Alto"
desc="Palo Alto SCP Script"
separator=UNIX_FILE_SEPARATOR
--
-----BEGIN PRE-SCRIPT "Configuration Upload"-----
Create /root/firmware/images/
-----END PRE-SCRIPT-----
-----BEGIN SCRIPT "Configuration Upload"-----
scp export configuration from running-config.xml to root@IpAddressOfServer:/root/configs/tmp
@receive 30
%SCP_PSWD%
@receive 60
exit
-----END SCRIPT-----
-----BEGIN SUCCESS "Configuration Upload"-----
100%
-----END SUCCESS-----
-----BEGIN POST-SCRIPT "Configuration Upload"-----
copy /root/configs/tmp/running-config.xml %ABSOLUTE_TARGET_FILE_PATH%
-----END POST-SCRIPT-----


At remote sites where we do not have a management cable in the P.A. box, we use this script.

name="Palo Alto SCP Remote Site"
desc="Palo Alto SCP Script for Rmt Site no management"
separator=UNIX_FILE_SEPARATOR
--
-----BEGIN PRE-SCRIPT "Configuration Upload"-----
Create /root/firmware/images/
-----END PRE-SCRIPT-----
-----BEGIN SCRIPT "Configuration Upload"-----
scp export configuration source-ip %DEVICEIP% to root@IpAddressOfServer:/root/configs/tmp from running-config.xml
@receive 30
%SCP_PSWD%
@receive 60
exit
-----END SCRIPT-----
-----BEGIN SUCCESS "Configuration Upload"-----
100%
-----END SUCCESS-----
-----BEGIN POST-SCRIPT "Configuration Upload"-----
copy /root/configs/tmp/running-config.xml %ABSOLUTE_TARGET_FILE_PATH%
-----END POST-SCRIPT-----


Configure Device to use SCP as a backup


Then Select Applicable script


Unfortunately, the P.A. backup command doesn't give a way to name the output file. So each P.A. box will need its own archive, and the archives should be separated by 5 minutes or so, so as not to overwrite the filenames. You can view the config file in Inventory Manager or OneView after the backup.


Hope this helps you. If any of it was unclear please let me know and I can elaborate a bit more.
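
An added example, not part of the original answer or of the NetSight scripts: because every firewall exports to the same staging name, a wrapper on the server can refuse to file a leftover or foreign running-config.xml. The function name, the return codes and the assumed export layout (a `<config ...>` root element and a `<hostname>` element) are assumptions of this sketch.

```shell
#!/bin/sh
# Hypothetical helper (added example): archive a staged PAN-OS export under
# a per-device, timestamped name only if it is fresh and from the expected box.
#
# archive_pa_config STAGED EXPECTED_HOSTNAME DEST_DIR [MAX_AGE_MIN]
# Prints the archived path on success. Return codes:
#   2 missing/empty, 3 stale, 4 not a PAN-OS config, 5 hostname mismatch
archive_pa_config() {
    staged=$1; expect=$2; dest=$3; max_age=${4:-5}

    [ -s "$staged" ] || { echo "missing or empty: $staged" >&2; return 2; }

    # A file older than the archive spacing is left over from an earlier run,
    # possibly from a different firewall.
    if [ -z "$(find "$staged" -mmin "-$max_age" 2>/dev/null)" ]; then
        echo "stale export: $staged" >&2; return 3
    fi

    # Assumption: the export has <config ...> as its root element.
    head -n 5 "$staged" | grep -q '<config[ >]' || {
        echo "not a PAN-OS config: $staged" >&2; return 4; }

    # Assumption: the device name is the first <hostname> element.
    found=$(sed -n 's:.*<hostname>\([^<]*\)</hostname>.*:\1:p' "$staged" | head -n 1)
    [ "$found" = "$expect" ] || {
        echo "hostname mismatch: got '$found', want '$expect'" >&2; return 5; }

    # Firewall configs hold password hashes and keys: keep them owner-only.
    ( umask 077; mkdir -p "$dest" ) || return 1
    out="$dest/${expect}_$(date +%Y%m%dT%H%M%S).xml"
    mv "$staged" "$out" || return 1
    chmod 600 "$out"
    printf '%s\n' "$out"
}
```

Moving the staged file instead of copying it leaves nothing behind for the next device's run to pick up by mistake.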