02 Oct pfSense® Backup

Posted at 14:01h in pfSense by Mario

pfSense® Backup

Local Copy - Config History

pfSense® automatically makes an internal backup upon each configuration change. This is useful for reverting to prior configurations after changes that have proven detrimental. These backups can be seen and restored from the WebGUI on Diagnostics -> Backup & Restore -> Config History.

These backups reside on the system itself and not externally. This is not ideal for scenarios where a change renders the system inaccessible or for disaster recovery purposes. Hence, you have the option to backup your configuration either on Netgate servers or your own. The choice is entirely yours.

Remote Copy to Netgate Servers

Netgate provides a free service named AutoConfigBackup. This utility automatically encrypts and saves configurations to Netgate servers without manual intervention. To utilise this, simply go to the WebGUI and choose Services -> Auto Config Backup. More information about this feature is available here.

While this service is quite advantageous, we’ve occasionally encountered challenges. Specifically, it necessitates an active internet connection and the retrieval of both the encryption password and the unique identifier for the firewall for the restore process to complete.

Remote Copy to Your Own Servers

Our team has crafted a script that archives the Config History (automatically generated by pfSense®) to your designated server. Additionally, this script captures a snapshot of the active pfSense® configuration. When executed as a scheduled task, it establishes a remote configuration repository. This repository becomes a valuable resource, enabling the restoration of your pfSense® server or appliance in the event of hardware malfunctions. Essentially, this approach provides a comprehensive disaster recovery solution for your pfSense® system.

Method 1 - Pull

Pre-requisite:

Enable Secure Shell Server on System -> Advanced -> Admin Access -> Enable Secure Shell
SSH Key-Based Authentication

Linux shell script to pull the pfsense® config history and current config

#!/bin/bash

CID=$1   # Customer ID
IP=$2    # IP of pfSense
INST=$3  # Instance

# Copy Config History
scp -p admin@${IP}:/cf/conf/backup/* /pfsense_backups/${CID}/${INST}/ 

# Copy Current Configuration
scp -p admin@${IP}:/cf/conf/config.xml /pfsense_backups/${CID}/${INST}/ 

# Update timestamp to see when the script last run
touch /pfsense_backups/${CID}/${INST}/lastrun

Method 2 - Push

Pre-requisite:

Install Cron utility on System -> Package Manager -> Available Packages -> Cron
SSH Key-Based Authentication

Navigate to Services -> Cron

and create two cron jobs to copy the current configuration and the config history.

Utilities

Additionally, our team has created a user-friendly tool that display, on your server, the specific configuration changes that prompted an automatic backup in pfSense® and the resulting files generated. This becomes particularly beneficial when an erroneous change made your system inaccessible. This help you identify and reinstate the configuration that was operational right before the undesired alteration.

Perl script to list the History Config .xml files on your server and the configuration change that triggered its creation in pfSense®

#!/usr/bin/perl
use warnings;
use strict;
use POSIX qw( strftime );

my ($customer, $instance) = @ARGV;
my $filename = "/pfsense_backups/$customer/$instance/backup.cache";
my @fields = ();

open(FH, '<', $filename) or die $!;
	<FH> =~ /^a:30:\{(.*)\}$/;
	my $data = $1;
	$data =~ s/i:(\d{10})/ts:$1/g;
	@fields = split(/ts:/, $data);
close(FH);

foreach (@fields) {
	my @val = split(/;\w+:\d+:/, $_);
	if ( defined($val[0])) { 
		print "File config-$val[0].xml -> ";
		print strftime('%Y-%m-%d %H:%M:%S', gmtime($val[0]));
		print " Version: " . substr $val[4], 1, -1;
		print " - " . substr $val[2], 1, -1;
		print "\n";
	};
}

Output example:

pfSense Display Configuration Change backup

Please note, this backup script is based upon the “Alternate Remote Backup Techniques” published by Netgate here. The copy of historical configuration change is not listed by Netgate as an officially way to access the configuration history so watch out in case Netgate change the directory where historical configurations are kept.

Also, be wary of the risks implications of using SSH Key-Based Authentication. Ensure the remote server is well protected and the user running the script is isolated and has little to no privileges on the server.

If you wish to hire us to implement this DR solution, to keep it current and secure, please contact us here.

Get help with your pfSense® backup or project