Palo FW backup for configuration and device state

sdave
Posts: 3
Joined: Tue Nov 14, 2023 3:04 pm

Tue Nov 14, 2023 8:35 pm

Hello,

Two quick questions on Palo FW backups:

1. Is there a target date for XML file format support for the Palo config backups? I saw in a previous post that it was planned but at that time there wasn't an ETA.

2. Does Unimus have an option to back up the Palo FW device state files in addition to configurations?

https://knowledgebase.paloaltonetworks. ... 000ClJ9CAK


Thanks,
Tomas
Posts: 1220
Joined: Sat Jun 25, 2016 12:33 pm

Tue Nov 21, 2023 2:12 am

Hi, a few questions regarding your questions:
sdave wrote:
Tue Nov 14, 2023 8:35 pm

1. Is there a target date for XML file format support for the Palo config backups? I saw in a previous post that it was planned but at that time there wasn't an ETA.
We have had requests to get PA backups in the XML format a few times. We, however, struggle to understand why this is wanted. The XML exports on the PA CLI are actually different than the exports from their GUI, and can't be used to restore through the GUI (no idea why PA does it like this).

So for GUI-based restore, the XMLs from the CLI are not useful. And for Unimus purposes (diffs, change management, and CLI restore), the "set" commands are much more useful. Both for visualizing changes (diffs) over time, for CLI-based restore, and for things like Config Search.
sdave wrote:
Tue Nov 14, 2023 8:35 pm

2. Does Unimus have an option to back up the Palo FW device state files in addition to configurations?
As far as I am aware, the device state file is binary, and therefore can't be output to the CLI. It can only be retrieved by file transfer protocols, so we can't retrieve it using SSH.

You could definitely get it to Unimus though; we describe setups like that in this article: https://blog.unimus.net/backing-up-the-unbackupable/

In general, both of the things you ask for can be accomplished using a scheduled Config Push in Unimus, and the "push-to-unimus" script in the article above.