Automate PfSense Configuration Backup via curl

Introduction to PfSense Configuration Backup

Configuring backups is one of the critical parts of a healthy system environment. pfSense has multiple options to set up configuration backups. Since recent updates, pfSense has the option to configure the AutoConfigBackup service that is built into the software. This is a great and easy way to set up automated backups of your pfSense configuration. There is one caveat with the AutoConfigBackup service: the configuration is stored in the cloud. Although the configuration is stored encrypted, we have no guarantee that the backup is always ready to be restored, because we have no control over the storage location. Netgate has provided a couple of alternative ways to back up your pfSense configuration. In this blog post we will cover automating pfSense configuration backups to your own server/storage via the curl method.

Curl

Before we can automate the pfSense configuration backup, we need curl installed on the server that will run the bash script. curl is a command-line utility for transferring data. We will use it to download the backup configuration XML from your pfSense system to your desired location. The curl utility comes preinstalled on most modern Linux operating systems.

To install curl on the different Linux systems we can use the commands below:

Ubuntu/Debian

sudo apt -y install curl

RHEL / CentOS / Fedora / Alma Linux / Rocky Linux

sudo dnf install curl

Verify that curl is installed:

curl --version

Automating PfSense Configuration Backup

Netgate has provided basic steps to download the configuration backup XML from your pfSense in their documentation.

Firstly, we create the bash script and store it somewhere safe, for example the root home directory:

#First switch to the root user
sudo su -
#or
su -

#Then we create the directory for the script
mkdir /root/backups

#Create the bash script and edit it with nano
nano /root/backups/backup-pfsense.sh

#Copy in the following script
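#!/bin/bash
# Fill in these four values before the first run.
# This file holds the admin password in clear text: keep it readable by root only.
host_ip="pfsense-host-ip"
username="pfsense admin username"
password="pfsense admin password"
backup_location="location to store the backup"

# The cookie jar and the backup contain session and configuration secrets:
# create them readable by this user only
umask 077

# Remove leftovers from a previous run
rm -f "$backup_location/cookies.txt" "$backup_location/csrf.txt"

# Stop here if the backup directory does not exist
cd "$backup_location" || exit 1

# Note: -k disables TLS certificate verification. If the firewall presents a
# certificate from a CA you trust, drop -k (or pass your CA file with --cacert).

# Fetch the login page to get a session cookie and the first CSRF token
curl -L -k --cookie-jar "$backup_location/cookies.txt" \
     "https://$host_ip/" \
     | grep "name='__csrf_magic'" \
     | sed 's/.*value="\(.*\)".*/\1/' > "$backup_location/csrf.txt"

# Log in with the admin credentials and the CSRF token
curl -L -k --cookie "$backup_location/cookies.txt" --cookie-jar "$backup_location/cookies.txt" \
     --data-urlencode "login=Login" \
     --data-urlencode "usernamefld=$username" \
     --data-urlencode "passwordfld=$password" \
     --data-urlencode "__csrf_magic=$(cat "$backup_location/csrf.txt")" \
     "https://$host_ip/" > /dev/null

# Fetch the backup page to get a fresh CSRF token for the download request
curl -L -k --cookie "$backup_location/cookies.txt" --cookie-jar "$backup_location/cookies.txt" \
     "https://$host_ip/diag_backup.php" \
     | grep "name='__csrf_magic'" \
     | sed 's/.*value="\(.*\)".*/\1/' > "$backup_location/csrf.txt"

# Download the configuration (without RRD data) to a timestamped XML file
curl -L -k --cookie "$backup_location/cookies.txt" --cookie-jar "$backup_location/cookies.txt" \
     --data-urlencode "download=download" \
     --data-urlencode "donotbackuprrd=yes" \
     --data-urlencode "backupdata=yes" \
     --data-urlencode "__csrf_magic=$(head -n 1 "$backup_location/csrf.txt")" \
     "https://$host_ip/diag_backup.php" > "$backup_location/config-router-$(date +%Y%m%d%H%M%S).xml"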

Secondly, the script above needs the following information filled in:

host_ip="pfsense-host-ip"
username="pfsense admin username"
password="pfsense admin password"
backup_location="location to store the backup"

After filling in the above information, open the crontab via:

crontab -e

With the crontab open, paste in the following line to run the script daily at 08:00:

0 8 * * * /bin/bash /root/backups/backup-pfsense.sh
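
The script saves whatever diag_backup.php returns, so a failed login can leave an HTML page in the .xml file without cron reporting anything. The check below is an added example, not part of the original post or of Netgate's documentation; the function names are hypothetical, and it assumes an unencrypted export whose root element is <pfsense>:

```shell
#!/bin/bash
# Added example: validate a downloaded pfSense backup before trusting it.
# Assumption: an unencrypted config export has <pfsense> as its root element.

# Return 0 if "$1" looks like a complete pfSense config export.
# Non-zero return codes name the reason for rejection.
verify_pfsense_backup() {
    file=$1
    # 1: missing or empty file (curl failed or wrote nothing)
    [ -s "$file" ] || return 1
    # 2: an HTML page was saved, e.g. the login form after a failed login
    if head -n 5 "$file" | grep -qi -e '<html' -e '<!doctype html'; then
        return 2
    fi
    # 3: root element missing, or the document was cut off mid-transfer
    grep -q '<pfsense>' "$file" || return 3
    grep -q '</pfsense>' "$file" || return 3
    return 0
}

# Keep a verified backup readable by its owner only; set a failed one aside
# under a .rejected name so it is never mistaken for a restorable config.
accept_or_reject_backup() {
    file=$1
    if verify_pfsense_backup "$file"; then
        chmod 600 "$file"
        echo "OK: $file"
        return 0
    else
        rc=$?
        mv -- "$file" "$file.rejected" 2>/dev/null
        echo "REJECTED (reason $rc): $file" >&2
        return "$rc"
    fi
}
```

In the backup script, store the output filename in a variable and pass it to accept_or_reject_backup after the last curl command. This check only catches obviously bad downloads; it does not replace a restore test.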

Conclusion

To sum up, you should now have a daily generated configuration XML backup of your pfSense device in your desired location. Always make sure you test the restore procedure. You only have a working backup if you verify the restore.
