Introduction to PfSense Configuration Backup
Configuring backups is one of the critical parts of a healthy system environment. PfSense has multiple options to setup configuration backups. Since recent updates pfSense has the option to configure the AutoConfigBackup Service that is build in the software. This is a great and easy way to setup automated backups of your pfSense configuration. There is one caveat with this automated AutoConfigBackup Service. The configuration is stored in the cloud. Altough the configuration is stored encrypted we have no garantuee that the backup is always ready to be restored because we have no control over the storage location. As an alternative Netgate has provided a couple of alternative ways to backup your pfSense configuration. In this blog post we will cover the configuration of automating pfSense configuration backups to your own server/storage via the curl method.
Before we can automate the PfSense Configuration Backup we need to have the curl application installed on the server that will be running the bash script. Curl is the utility for command lines to transfer data. We will use this to download the backup configuration XML from your pfSense system to your desired location. The curl utility comes pre installed to most modern Linux operating systems.
To install curl on the different Linux systems we can use the commands below:
sudo apt -y install curl
RHEL / CentOS / Fedora / Alma Linux / Rocky Linux
sudo dnf install curl
Verify that curl is installed:
Automating PfSense Configuration Backup
Netgate has provided basic steps to download the configuration backup XML from your pfSense in their documentation.
Firstly we create the bash script and store it somewhere safe for example the root home directory:
#First switch to the root user sudo su - or su - #Then we create the directory for the script mkdir /root/backups #Create the bash script and edit it with nano nano /root/backups/backup-pfsense.sh #Copy in the following script #!/bin/bash host_ip=$pfsense-host-ip username="$pfsense admin username" password="$pfsense admin password" backup_location=$location to store the backup rm -rf $backup_location/cookies.txt rm -rf $backup_location/csrf.txt cd $backup_location curl -L -k --cookie-jar $backup_location/cookies.txt \ https://$host_ip/ \ | grep "name='__csrf_magic'" \ | sed 's/.*value="\(.*\)".*/\1/' > $backup_location/csrf.txt curl -L -k --cookie $backup_location/cookies.txt --cookie-jar $backup_location/cookies.txt \ --data-urlencode "login=Login" \ --data-urlencode "usernamefld=$username" \ --data-urlencode "passwordfld=$password" \ --data-urlencode "__csrf_magic=$(cat csrf.txt)" \ https://$host_ip/ > /dev/null curl -L -k --cookie $backup_location/cookies.txt --cookie-jar $backup_location/cookies.txt \ https://$host_ip/diag_backup.php \ | grep "name='__csrf_magic'" \ | sed 's/.*value="\(.*\)".*/\1/' > $backup_location/csrf.txt curl -L -k --cookie $backup_location/cookies.txt --cookie-jar $backup_location/cookies.txt \ --data-urlencode "download=download" \ --data-urlencode "donotbackuprrd=yes" \ --data-urlencode "backupdata=yes" \ --data-urlencode "__csrf_magic=$(head -n 1 csrf.txt)" \ https://$host_ip/diag_backup.php > $backup_location/config-router-`date +%Y%m%d%H%M%S`.xml
Secondly the script above needs to following information filled in:
username="$pfsense admin username"
password="$pfsense admin password"
backup_location=$location to store the backup
After filling in the above information open up the crontab via:
After editing the shell script we need to paste in the following line to automate the execution of the script daily on 08:00:
0 8 * * * /bin/bash /root/backups/backup-pfsense.sh
To sum up you should now have a daily generated configuration XML backup of your pfSense device in you desired location. Always make sure you test the restore procedure. You only have a workiny backup if you verify the restore.