pfSense® Backup

Local Copy - Config History

pfSense® automatically makes an internal backup upon each configuration change. This is useful for reverting to prior configurations after changes that have proven detrimental. These backups can be seen and restored from the WebGUI on Diagnostics -> Backup & Restore -> Config History.

pfSense Backup Configuration History

As these configuration backups are on the system itself and not kept externally, they are of no use when a change has made the system inaccessible, or for disaster recovery. You can instead back up your configuration to Netgate servers or to your own servers. The choice is yours.

Remote Copy to Netgate Servers

There is a free service from Netgate called AutoConfigBackup which automatically encrypts and saves files to Netgate servers with no user intervention. This service can be enabled from the WebGUI on Services -> Auto Config Backup. You can read more about it here.

Remote Copy to Your Own Servers

Our team has developed a script to save the Config History (automatically created by pfSense®) onto your own server. The script also takes a copy of the running pfSense® configuration. When this script runs as a scheduled job, it creates a remote configuration repository from which your pfSense® server or appliance can be rebuilt in case of hardware failure. This method delivers, in fact, an effective and complete disaster recovery solution for your pfSense®.

Method 1 - Pull

Pre-requisite:

  • Enable Secure Shell Server on System -> Advanced -> Admin Access -> Enable Secure Shell
  • SSH Key-Based Authentication

Linux shell script to pull the pfSense® config history and current config

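#!/bin/bash
set -euo pipefail  # Abort on the first failed copy so lastrun only marks complete runs

if [ $# -ne 3 ]; then
    echo "Usage: $0 <customer-id> <pfsense-ip> <instance>" >&2
    exit 1
fi

CID=$1   # Customer ID
IP=$2    # IP of pfSense
INST=$3  # Instance
DEST="/pfsense_backups/${CID}/${INST}"

# config.xml holds password hashes and private keys: create the destination directory owner-only
umask 077
mkdir -p "${DEST}"

# Copy Config History
scp -p "admin@${IP}:/cf/conf/backup/*" "${DEST}/"

# Copy Current Configuration
scp -p "admin@${IP}:/cf/conf/config.xml" "${DEST}/"

# Update timestamp to see when the script last ran
touch "${DEST}/lastrun"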
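
The lastrun marker is only useful if something reads it. The check below is an added example, not part of the original script: it flags a stale marker, a truncated config.xml and a backup directory readable by other users. It assumes GNU stat on the Linux backup server; the function name check_backup and the 26-hour default are hypothetical choices.

```bash
#!/bin/bash
# Added example (not from the original page): health check for one pulled
# backup directory. check_backup and the 26h default are hypothetical.
# Usage: check_backup /pfsense_backups/<CID>/<INST> [max_age_hours]

check_backup() {
    local dir=$1 max_age_h=${2:-26} rc=0 now mtime age perms
    now=$(date +%s)

    # 1. lastrun is touched at the end of each pull: stale means pulls stopped.
    if [ ! -f "$dir/lastrun" ]; then
        echo "FAIL: $dir/lastrun missing"; rc=1
    else
        mtime=$(stat -c %Y "$dir/lastrun")        # GNU stat: mtime as epoch
        age=$(( (now - mtime) / 3600 ))
        if [ "$age" -ge "$max_age_h" ]; then
            echo "FAIL: last pull ${age}h ago (limit ${max_age_h}h)"; rc=1
        fi
    fi

    # 2. A truncated copy cannot be restored: require the closing root tag.
    if [ ! -s "$dir/config.xml" ]; then
        echo "FAIL: config.xml missing or empty"; rc=1
    elif ! tail -c 200 "$dir/config.xml" | grep -q '</pfsense>'; then
        echo "FAIL: config.xml lacks closing </pfsense> (truncated?)"; rc=1
    fi

    # 3. config.xml holds password hashes and private keys: owner-only access.
    perms=$(stat -c %a "$dir")
    case "$perms" in
        *00) ;;
        *) echo "FAIL: $dir has mode $perms, expected 700"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# Run after the pull job, passing the backup directory as the first argument.
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -ge 1 ]; then
    check_backup "$@"
fi
```

A non-zero exit status can be wired into cron mail or an existing monitoring check so that a silently failing pull is noticed before the backups are needed.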

Method 2 - Push

Pre-requisite:

  • Install Cron utility on System -> Package Manager -> Available Packages -> Cron
  • SSH Key-Based Authentication

Navigate to Services -> Cron and create two cron jobs to copy the current configuration and the config history.

pfsense config cron

Utilities

Our team has also developed a simple utility to display, on your own server, which configuration changes have triggered an automatic backup in pfSense® and which file each one has generated. This is particularly useful when a bad change has made your system inaccessible and you want to look through the configuration files that you have pulled to your own server, in order to find and restore the configuration that was running just before the bad change.

Perl script to list the Config History .xml files on your server and the configuration change that triggered the creation of each one in pfSense®

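#!/usr/bin/perl
use warnings;
use strict;
use POSIX qw( strftime );

my ($customer, $instance) = @ARGV;
die "Usage: $0 <customer> <instance>\n" unless defined $instance;
my $filename = "/pfsense_backups/$customer/$instance/backup.cache";

# backup.cache is a PHP-serialized array keyed by backup timestamp
open(my $fh, '<', $filename) or die "Cannot open $filename: $!\n";
my $line = <$fh>;
close($fh);

# Match any entry count, not only exactly 30 entries
die "Unexpected format in $filename\n"
	unless defined($line) && $line =~ /^a:\d+:\{(.*)\}$/;
my $data = $1;
# Tag each 10-digit epoch key so the entries can be split apart
$data =~ s/i:(\d{10})/ts:$1/g;
my @fields = split(/ts:/, $data);

foreach (@fields) {
	# Split on the serialized type and length markers, e.g. ;s:7:
	my @val = split(/;\w+:\d+:/, $_);
	# Skip the empty leading field and incomplete entries
	next unless defined($val[0]) && defined($val[4]);
	print "File config-$val[0].xml -> ";
	print strftime('%Y-%m-%d %H:%M:%S', gmtime($val[0]));
	print " Version: " . substr($val[4], 1, -1);
	print " - " . substr($val[2], 1, -1);
	print "\n";
}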

Output example:

pfSense Display Configuration Change backup

Please note, this backup script is based upon the “Alternate Remote Backup Techniques” published by Netgate here. Copying the historical configuration changes is not listed by Netgate as an official way to access the configuration history, so watch out in case Netgate changes the directory where historical configurations are kept.

Also, be wary of the risk implications of using SSH Key-Based Authentication. Ensure the remote server is well protected and the user running the script is isolated and has little to no privileges on the server.

If you wish to hire us to implement this DR solution, to keep it current and secure, please contact us here.
