PowerShell backup script for PAN OS

Background
PAN OS is the OS used by Palo Alto firewalls as well as Panorama, so the script presented here is usable with both products from Palo Alto Networks.

Without Panorama you cannot schedule backups easily; you need to invoke Palo Alto’s export configuration API to achieve this.

Palo Alto has a tutorial on how to do this with curl, but this can also be achieved using PowerShell.

PowerShell has commands that can work directly with REST APIs, which is cool!

This post is intended to share with you the steps I used to build the script.

Ignore untrusted certificate
Reference: https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring

I copied and pasted the script from this reference; credit goes to its author.

A warning, though: do not use

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;

It works the first time, but subsequent API calls will fail.

Key retrieval API
Reference: https://www.geekynick.co.uk/palo-alto-scheduled-backups-without-panorama/
Palo Alto requires you to have a user key in order to access its API. The API call for retrieving the key is this:
https://firewall/api/?type=keygen&user=username&password=password

PowerShell has two ways to access the API: one is Invoke-WebRequest, the other is Invoke-RestMethod. The latter has methods to use POST, PUT and GET.

First, I will test what the output looks like when I invoke the PowerShell command:

Invoke-WebRequest -Uri "https://192.168.1.12/api/?type=keygen&user=admin&password=admin"

The output is shown below:

PS C:\WINDOWS\system32> D:\Scripting\PS\PA backup script\pabackup.ps1

StatusCode : 200
StatusDescription : OK
Content : LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNER
UQT09
RawContent : HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: timeout=360, max=1996
Pragma: no-cache
Content-Length: 144
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Conten…
Forms : {}
Headers : {[Connection, keep-alive], [Keep-Alive, timeout=360, max=1996], [Pragma, no-cache], [Content-Length, 144]…}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : mshtml.HTMLDocumentClass
RawContentLength : 144

Getting the API key
PowerShell has very good support for extracting XML fields. Here is how:
I store the result of the web request in an xml type variable:
[xml]$result = Invoke-WebRequest -Uri "https://192.168.1.12/api/?type=keygen&user=admin&password=admin"

Test the output for $result.

Store this result in another variable, $key:

$key = $result.response.result.key

Test the result of $key:

Export config API
PAN OS includes an API explorer, which you can reach by going to https://firewall/api.


From the explorer you will be able to navigate to the API you want to call.

You will need the key obtained previously to export the configuration and save it as an XML file using PowerShell.

For the sake of readability, you can include the date on which the configuration file was extracted by using the Get-Date command.

Then choose the directory you want to export the file to by using the Out-File command; for this I am copying to the user profile folder.


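$date = Get-Date
# .Content is the response body (the XML); piping the response object itself would save its formatted property listing instead
(Invoke-WebRequest -Uri "https://192.168.1.12/api/?type=export&category=configuration&key=$($key)").Content | Out-File "$env:userprofile\config_$($date.ToString('ddMMyy')).xml"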

The file as shown in my own profile:

The entire code

# Code reference: https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring
# The code below makes this PowerShell session accept any server certificate, including untrusted ones
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

$date = Get-Date

# Request an API key and read it from the XML response
[xml]$result = Invoke-WebRequest -Uri "https://192.168.1.12/api/?type=keygen&user=admin&password=admin"
$key = $result.response.result.key

# Export the configuration; .Content is the response body (the XML), saved with the date in the file name
(Invoke-WebRequest -Uri "https://192.168.1.12/api/?type=export&category=configuration&key=$($key)").Content | Out-File "$env:userprofile\config_$($date.ToString('ddMMyy')).xml"
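
A variant of the full script, added here as an example and not part of the original post: it pins the firewall's certificate by SHA-256 fingerprint instead of accepting every certificate, sends the credentials and the key in the POST body rather than the URL, and checks the saved file. The fingerprint value and the credential file pan_backup_cred.xml are placeholders, and it assumes Windows PowerShell 5.1, a fingerprint obtained out of band, and a PAN OS version that accepts POST for keygen and export.

```powershell
# Added example, not the post's code. Written for Windows PowerShell 5.1.
# Assumptions: $PinnedSha256 and pan_backup_cred.xml are placeholders; the firewall accepts POST.
Add-Type @'
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
public static class PinnedCert {
    private static string pin;
    // Accept a chain Windows already trusts, or exactly the pinned certificate.
    private static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors) {
        if (errors == SslPolicyErrors.None) return true;
        if (cert == null) return false;
        using (SHA256 sha = SHA256.Create()) {
            string seen = BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
            return string.Equals(seen, pin, StringComparison.OrdinalIgnoreCase);
        }
    }
    public static void Enable(string sha256Hex) {
        pin = sha256Hex.Replace(":", "").Replace(" ", "");
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
'@
$Firewall     = '192.168.1.12'   # address used in the post
$PinnedSha256 = '<SHA-256 fingerprint of the firewall certificate>'   # placeholder
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[PinnedCert]::Enable($PinnedSha256)

# Created once with: Get-Credential | Export-Clixml "$env:userprofile\pan_backup_cred.xml"
# The password in that file is DPAPI-encrypted for the user and machine that created it.
$cred  = Import-Clixml "$env:userprofile\pan_backup_cred.xml"
$login = @{ user = $cred.UserName; password = $cred.GetNetworkCredential().Password }

# Credentials travel in the POST body, so they do not appear in the URL.
[xml]$result = (Invoke-WebRequest -UseBasicParsing -Method Post -Uri "https://$Firewall/api/?type=keygen" -Body $login).Content
if ($result.response.status -ne 'success') { throw 'keygen did not return a key' }
$key = $result.response.result.key

$outFile = Join-Path $env:userprofile ("config_{0}.xml" -f (Get-Date).ToString('ddMMyy'))
Invoke-WebRequest -UseBasicParsing -Method Post -Uri "https://$Firewall/api/?type=export&category=configuration" `
    -Body @{ key = $key } -OutFile $outFile

# An API error comes back as a <response> document; do not keep it as a backup.
if (([xml](Get-Content $outFile -Raw)).DocumentElement.Name -eq 'response') {
    Remove-Item $outFile
    throw 'export failed: the firewall returned an API error, not a configuration'
}
```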


One Response to PowerShell backup script for PAN OS

  1. cyruslab says:

    Use the Windows Task schedule to run the script with fixed schedule date.
