Introduction to pfSense Configuration Backup
Configuring backups is one of the critical parts of a healthy system environment. pfSense has multiple options to set up configuration backups. Since recent updates, pfSense has the option to configure the AutoConfigBackup service that is built into the software. This is a great and easy way to set up automated backups of your pfSense configuration. There is one caveat with the AutoConfigBackup service: the configuration is stored in the cloud. Although the configuration is stored encrypted, we have no guarantee that the backup is always ready to be restored, because we have no control over the storage location. As an alternative, Netgate has provided a couple of other ways to back up your pfSense configuration. In this blog post we will cover automating pfSense configuration backups to your own server/storage via the curl method.
Curl
Before we can automate the pfSense configuration backup, we need to have curl installed on the server that will run the bash script. Curl is a command-line utility for transferring data. We will use it to download the backup configuration XML from your pfSense system to your desired location. The curl utility comes preinstalled on most modern Linux operating systems.
To install curl on the different Linux systems we can use the commands below:
Ubuntu/Debian
sudo apt -y install curl
RHEL / CentOS / Fedora / Alma Linux / Rocky Linux
sudo dnf install curl
Verify that curl is installed:
curl --version
Automating pfSense Configuration Backup
Netgate has provided basic steps to download the configuration backup XML from your pfSense in their documentation.
Firstly, we create the bash script and store it somewhere safe, for example the root home directory:
# First switch to the root user
sudo su -
# or
su -
# Then we create the directory for the script
mkdir /root/backups
# Create the bash script and edit it with nano
nano /root/backups/backup-pfsense.sh
# Copy in the following script
#!/bin/bash
# This file holds the pfSense admin password in plain text; keep it readable by root only.
# Fill in the four values below.
host_ip="<pfsense-host-ip>"
username="<pfsense admin username>"
password="<pfsense admin password>"
backup_location="<location to store the backup>"
# Remove the session files left by a previous run
rm -f "$backup_location/cookies.txt"
rm -f "$backup_location/csrf.txt"
cd "$backup_location" || exit 1
# Fetch the login page and save its CSRF token.
# -k turns off TLS certificate verification, -L follows redirects.
curl -L -k --cookie-jar "$backup_location/cookies.txt" \
"https://$host_ip/" \
| grep "name='__csrf_magic'" \
| sed 's/.*value="\(.*\)".*/\1/' > "$backup_location/csrf.txt"
# Log in with the token from the login page
curl -L -k --cookie "$backup_location/cookies.txt" --cookie-jar "$backup_location/cookies.txt" \
--data-urlencode "login=Login" \
--data-urlencode "usernamefld=$username" \
--data-urlencode "passwordfld=$password" \
--data-urlencode "__csrf_magic=$(head -n 1 "$backup_location/csrf.txt")" \
"https://$host_ip/" > /dev/null
# Load the backup page to get a fresh CSRF token for the logged-in session
curl -L -k --cookie "$backup_location/cookies.txt" --cookie-jar "$backup_location/cookies.txt" \
"https://$host_ip/diag_backup.php" \
| grep "name='__csrf_magic'" \
| sed 's/.*value="\(.*\)".*/\1/' > "$backup_location/csrf.txt"
# Download the configuration, without RRD data, to a timestamped file
curl -L -k --cookie "$backup_location/cookies.txt" --cookie-jar "$backup_location/cookies.txt" \
--data-urlencode "download=download" \
--data-urlencode "donotbackuprrd=yes" \
--data-urlencode "backupdata=yes" \
--data-urlencode "__csrf_magic=$(head -n 1 "$backup_location/csrf.txt")" \
"https://$host_ip/diag_backup.php" > "$backup_location/config-router-$(date +%Y%m%d%H%M%S).xml"
Secondly, the script above needs the following information filled in:
host_ip="<pfsense-host-ip>"
username="<pfsense admin username>"
password="<pfsense admin password>"
backup_location="<location to store the backup>"
After filling in the above information, open up the crontab via:
crontab -e
With the shell script edited, paste the following line into the crontab to run the script daily at 08:00:
0 8 * * * /bin/bash /root/backups/backup-pfsense.sh
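The script saves whatever diag_backup.php returns, so when the login fails the file named config-router-....xml will typically contain the HTML login page rather than a configuration. The check below is an added example, not part of the original post or of Netgate's documentation; the function names verify_pfsense_backup and finalize_backup are hypothetical, and it assumes the unencrypted backup that the script above requests.

```shell
#!/bin/bash
# Added example: check that a downloaded file really is a pfSense config.

# verify_pfsense_backup FILE
# Returns 0 for a complete, unencrypted config.xml; 1, 2 or 3 otherwise.
verify_pfsense_backup() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    # The HTML login page (returned after a failed login) does not start with <?xml
    head -n 1 "$1" | grep -q '^<?xml' \
        || { echo "not XML, login may have failed: $1" >&2; return 2; }
    # The root element must open and close; a cut-off download lacks the end tag
    grep -q '<pfsense>' "$1" && tail -n 3 "$1" | grep -q '</pfsense>' \
        || { echo "incomplete <pfsense> element: $1" >&2; return 3; }
}

# finalize_backup FILE
# Keeps a valid backup private; renames an invalid one so it is never restored.
finalize_backup() {
    if verify_pfsense_backup "$1"; then
        chmod 600 "$1"    # config.xml contains password hashes and private keys
    else
        [ -e "$1" ] && mv -- "$1" "$1.invalid"
        return 1
    fi
}

# Demo on constructed sample files (not real pfSense output)
demo() {
    demo_dir="$(mktemp -d)"
    printf '<?xml version="1.0"?>\n<pfsense>\n<version>0.0</version>\n</pfsense>\n' > "$demo_dir/good.xml"
    printf '<!DOCTYPE html>\n<html><input name="usernamefld"></html>\n' > "$demo_dir/login.xml"
    printf '<?xml version="1.0"?>\n<pfsense>\n<version>0.0</ver' > "$demo_dir/cut.xml"
    for name in good login cut; do
        if finalize_backup "$demo_dir/$name.xml" 2>/dev/null; then
            echo "$name.xml: kept"
        else
            echo "$name.xml: set aside as invalid"
        fi
    done
    rm -rf "$demo_dir"
}

# With a file argument check that file, otherwise run the demo
if [ "$#" -gt 0 ]; then finalize_backup "$1"; else demo; fi
```

Calling finalize_backup on the new file at the end of backup-pfsense.sh catches a failed login or a cut-off download on the day it happens. It checks the file format only and does not replace a restore test.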
Conclusion
To sum up, you should now have a daily generated configuration XML backup of your pfSense device in your desired location. Always make sure you test the restore procedure. You only have a working backup if you verify the restore.