Palo Alto has put out a helpful article on this topic, but I wanted to add a few additional details. This is necessary when you don’t have Panorama or some other 3rd party tool that doesn’t already have an integrated solution for pulling backup configs from the firewall.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm7yCAC
As the article above mentions, the first step is to generate the API key using this format in a browser. Record and maintain this API key once generated.
https://<firewall-ip>/api/?type=keygen&user=<username>&password=<password>
Next, if you are using a Windows machine, download Curl here: https://curl.se/windows/
I extracted this then took the contents and put it in a folder named “Curl” in the C:\ directory. Next, I created a folder for the backup configs named “FirewallBackups” also in the C:\ directory.
Next, I created the following Batch script below. Replace 192.168.1.1 with the firewall management IP and the actual API key. Also, you can change the directory where the backups are stored as well as the filename.
cd c:\Curl\bin\
curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=API-KEY-HERE" > c:\FirewallBackups\PaloAltoFilename-01_Backup%DATE:~10,4%_%DATE:~4,2%_%DATE:~7,2%_%TIME:~0,2%_%TIME:~3,2%.xml
In this script, it is switching to the directory where the Curl executable is. You can also follow instructions to add Curl to the system path so it runs without having to switch to that specific directory. At the end of the filename, this script will automatically insert the timestamp to differentiate file names and prevent the file from being overwritten each time the backup runs. The formatting around this is necessary because the timestamp by default has the “:” symbol in it which isn’t supported in the Windows filename so it replaces that with “_” instead.
Finally, you can schedule this Batch script to run on a schedule basis using the Windows Scheduler or a third party tool.