Powershell backup script for PAN OS

PAN OS is the OS used by Palo Alto firewalls as well as Panorama, the script presented here is usable by both products from Palo Alto Networks.

Without Panorama you cannot do schedule backups easily, you need to invoke Palo Alto’s export configuration API to achieve this.

Palo Alto has a tutorial on how to do this with curl, but this can also be achieved using Powershell.

Powershell has commands that can directly work with REST API which is cool!

This post is intended to share with you the steps I used to build the script.

Ignore untrusted certificate
Reference: https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring

I copy and paste the script from this reference, credits go to the author.

A warning though do not use

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;

It works the first time, but subsequent API calling will fail.

Key retrieval API
Palo Alto requires you to have a user key in order to access its API, the API for calling retrieving the key is this:

Powershell has two ways to access the API one is to use Invoke-WebRequest the other is Invoke-RestMethod, the latter has methods to use POST, PUT and GET.

The first thing is I will test what is the output after I invoke the Powershell command:

Invoke-WebRequest -Uri ""

The output as below:

PS C:\WINDOWS\system32> D:\Scripting\PS\PA backup script\pabackup.ps1

StatusCode : 200
StatusDescription : OK
RawContent : HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: timeout=360, max=1996
Pragma: no-cache
Content-Length: 144
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Forms : {}
Headers : {[Connection, keep-alive], [Keep-Alive, timeout=360, max=1996], [Pragma, no-cache], [Content-Length, 144]…}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : mshtml.HTMLDocumentClass
RawContentLength : 144

Getting the API key
Powershell has very good support for extracting xml fields, here is how:
I store the output of the webrequest result to an xml type variable:
[xml]$result = Invoke-WebRequest -Uri ""

Test the output for $result.

Store this result into another variable $key: $key = $result.response.result.key

Test the result of $key:

Export config API
Within PAN OS there is an API explorer, by going to https://firewall/api.


From the explorer you will be able to navigate the API to call.

You will require the key previously obtained to export the configuration and output as an xml file using powershell.

For the sake of readability, you can include the date on when the configuration file was extracted by using Get-Date command.

The choose a directory you want to export the file to by using the Out-File command, for this I am copying to the user profile folder.

$date = Get-Date
Invoke-WebRequest -Uri "$($key)" | Out-File "$env:userprofile\config_$($date.ToString('ddMMyy')).xml"

The file as shown in my own profile:

The entire code

#Code reference: https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring
#below code ignores untrusted certificate
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

$date = Get-Date
[xml]$result = Invoke-WebRequest -Uri ""
$key = $result.response.result.key

Invoke-WebRequest -Uri "$($key)" | Out-File "$env:userprofile\config_$($date.ToString('ddMMyy')).xml"


3 thoughts on “Powershell backup script for PAN OS

  1. Thanks for this!

    I had a bit to add to it with my own testing however.

    This code doesn’t produce the XML content itself.

    For the content you need something like:

    $config = Invoke-WebRequest -Uri “https://$firewall/api/?type=export&category=configuration&key=$key”

    $config.Content | out-file “c:\whereever\config_$($date.ToString(‘ddMMyy’)).xml”

    This will produce the actual config data. Otherwise you only get the uri information like this:

    StatusCode : 200
    StatusDescription : OK
    Content : REDACTED
    RawContent : HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-store, no-cache, must-revalidate, p…
    Forms : {}
    Headers : {[Transfer-Encoding, chunked], [Connection, keep-alive], [Pragma, no-cache], [Access-Control-Allow-Origin, ]…}
    Images : {}
    InputFields : {}
    Links : {}
    ParsedHtml : mshtml.HTMLDocumentClass
    RawContentLength : 229325

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s