How To Backup of Config Files Periodically From Palo Alto Networks firewalls:

Re: API Rest: Generate an API key linked to a specific user So you can assign a custom role to a user, and that will limit what they have access to. But if you're always getting the same API key back, then there is either a problem with your script (maybe using a static variable or something instead of what you specify) or a huge problem with your firewall / PAN-OS. How To Backup of Config Files Periodically From Palo Alto Networks firewalls. Setup the firewall for API access by generating API Key. For accessing the firewall using XML API, we need to generate the API key first. To generate, see the following.


The configuration file of any firewall is extremely important since it holds all the customizations made by the user. In the event of hardware failure, if the config files aren't backed up to an external location, the configs will have to be built up from scratch. So it's a good practice to back up and export the config files regularly especially to external locations.

Panorama can do this automatically. But in case Panorama isn't managing the firewalls, this document can be very helpful to export and backup the config file to an external location for safe keeping.


The Controller monitors the health of Palo Alto Network software by using the VM-series API and performs switch over based on the API return status. The Controller dynamically programs Palo Alto Network route tables for any new propagated new routes discovered both from new Spoke VPCs and new on-premise routes. If you are using your Palo Alto Networks firewall as a trusted root CA, you can generate a web server certificate for MineMeld to replace the self-signed one. Start Inside WebGUI Steps: Go to your Palo Alto Network Firewall or Panorama WebGUI Device Certificate Management Certificate At the.

  1. Access the firewall using XML API:
    • Setup the firewall for API access by generating API Key
    • Save the API key and then add that to HTTPs query in the next step
  2. Retrieve the running config file using a HTTPS GET:
    • To run HTTPS GET from command prompt, use CURL for windows. For Linux hosts, it might be built-in.
    • Then save the retrieved config to a file.
  3. Automate the log export process:
    • Add the commands from the above steps to batch file (or a script for Linux hosts).
    • Then run the batch file on a server which will be always-on.
    • Create a job in Windows Scheduler (or CRON job if Linux server) to call that batch file periodically.

Access the firewall using XML API:

For accessing the firewall using XML API, we need to generate the API key first. To generate, see the following:

The response for that should be in form of an XML with the API Key printed as below:

Save the API key somehwere safe. It is like a password.

Palo Alto Firewall Generate Api Key

Retrieve the running config file using a HTTPS GET:

Since windows command line doesn't support HTTPS requests, we have to use CURL for windows to do a HTTPS GET to fetch the running configuration.

Note: CURL for Windows can be downloaded from:


Download and extract CURL to a folder. If CURL command should be accessible universally, then add the extract CURL folder to PATH under Environment variables.

The site shown below, explains how to add a folder to PATH in detail:

Now for the HTTPS request to retrieve the running config from the firewall.

The URL below, should print the config file if ran from a browser:

To capture the Config XML to a file, we have to retrieve the HTTPS URL using CURL. The command is as below (this should be run from the server):

The above command, when run from command line, will create a file named running-config.xml in the folder from which the command was run.

Note: If CURL's extracted path isn't added to the PATH, then it should be run from the folder where CURL was extracted.

Automate the log export process:

Now that we have the command to fetch the running config in XML format, we can create a batch file and then call that in Windows Scheduler. Scheduling it on a server which is always on would be a good idea.

Contents of the batch file:


  • This is assuming that CURL has been extracted to C drive's root.
  • And the config file will be saved to the C drive itself.
  • Change the <api_key> with the key obtained in the previous step.

Follow the instruction in the below URL to run the batch file periodically (like everynight 1 A,M.).

In the week's Discussion of the Week (DotW), we'll take a look at a question from user 'aguley' about FQDN.

Even though it's not possible to use a wildcard inside an FQDN object, I'll highlight two possible workarounds.

When an FQDN object is committed to the system, the management plane sends out periodic DNS queries to populate this object with IP addresses mapped from the DNS reply. These mapped IP addresses are then be pushed down to the dataplane, where they're used inside the object in the security policy. On the dataplane, this object includes only the IP addresses it receives from the management plane, but no domain information. Each FQDN object on the dataplane is limited to a maximum of 10 IP addresses. No actual URL lookups are performed, which is why a wildcard cannot be used.

If the requirement is to allow web browsing to all possible subdomains of a certain domain, a Security Policy based on a custom URL category in the destination could be useful to fill the gap between an FQDN Object and a URL Filtering Security Profile.

The first step is to create a custom URL category that includes the desired wildcard domains:

Next, a Security Policy where the custom URL category is used in the service/URL category tab.

Note: A URL filtering license or URL Filtering Security Profile is not required for this to work.

This allows outbound web browsing to all subdomains of the domain while all other connections can be blocked.

A slightly more complex workaround that allows for more versatility is to use Dynamic Address Groups and Tags that can be updated by an API call. In this scenario, the DNS resolution must be performed by an external script, but the number of addresses allowed in a Dynamic Address Group is far greater than in an FQDN Object.

First, you'll need to generate an API key:

Where hostname is the firewall IP or hostname, username and password are your username and password.

The output will look somewhat like this:


Next, create a Tag to represent the IP address pool:

Then create a new Dynamic Address Group and add the Tag as Match Criteria:

Finally, create a security policy using the DAG.

This DAG can now be populated with IP addresses from an external script. IPs can be added with a register operation or removed with an unregister operation.

Palo Alto Xml Api

This example was prepared to register 2 new IP addresses to the wildcard1 Tag:

The file can be pushed out with either wget or curl--the example uses wget:

To verify the IP addresses were added, click the more... link in the GUI Address Groups:

Or use the CLI command:

You can also verify the IP addresses are now in use in the Security Policy:

Generate Api Key Palo Alto

To view the original discussion, please follow this link: FQDN policy

All comments or suggestions are encouraged.

Thanks for reading!

Tom Piens

Palo Alto Api Documentation

For additional information:

Generate Api Key Palo Alto Firewall

More information about Dynamic Address Groups:

Coments are closed
Scroll to top