In this article we will see how to configure automatic backups of pfSense with the AutoConfigBackup service.
How does it work?
AutoConfigBackup (ACB) is a service available as a core component of the pfSense software. No additional package is needed to use it.
When enabled, AutoConfigBackup extracts the firewall configuration, either as soon as a change is made or at regular intervals, encrypts it with a passphrase, and then sends it over HTTPS to the backup servers of Netgate (the company that develops pfSense).
It is also possible to make a manual backup with AutoConfigBackup.
The last 100 backups are kept on Netgate's servers, so it is possible to go back up to 100 revisions when restoring.
To ensure the confidentiality of the stored data, the firewall encrypts it with AES-256-CBC, using a key derived from a passphrase, and only then uploads the encrypted data to Netgate's servers.
The data stored on Netgate's servers is therefore unusable without this passphrase.
The passphrase is chosen by us.
The passphrase is a secret that is never uploaded to Netgate's servers.
It is important to record this passphrase somewhere safe, outside the firewall itself, as it will be needed for any restore.
If the passphrase is lost, there is no way to recover it, and the backups made by AutoConfigBackup cannot be restored.
Finally, to identify a firewall, AutoConfigBackup uses the SHA-256 hash of the firewall's SSH public key as a device key.
This device key must also be recorded: without it, the encrypted backups cannot be located and restored.
There are therefore two elements that we must record carefully:
- the passphrase
- the identifier (device key)
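As an added example (not pfSense's or Netgate's own code), the following shell script rehearses what the page describes: it derives an ACB-style device key from an SSH public key, encrypts a configuration with AES-256-CBC under a passphrase, and runs a restore drill proving that the passphrase you recorded really decrypts the file while a wrong one does not. It assumes openssl 1.1.1 or newer. The key-derivation parameters pfSense passes to openssl are not given on the page, so `-pbkdf2` with SHA-256 is an assumption and the output is not byte-compatible with a real ACB upload. The host key file name, and whether pfSense hashes the file bytes verbatim, are assumptions too; the authoritative device key is the one shown in the "Device key" field of the Restore tab, so compare against that.

```shell
#!/bin/sh
# Added example, not pfSense's own code: a local "record and verify" drill for
# the two elements ACB depends on (passphrase and device key).
# Assumptions not stated on the page:
#  - the KDF pfSense uses is unknown here, so this uses `openssl enc -pbkdf2`;
#    the ciphertext is NOT byte-compatible with a real ACB upload,
#  - the SSH public key file name and hashing the file bytes verbatim are
#    assumptions; the "Device key" shown in the Restore tab is authoritative.
set -u

# sha256_hex FILE: hex SHA-256 of a file; sed strips the "SHA256(file)= " or
# "SHA2-256(file)= " prefix so it works with OpenSSL 1.x, 3.x and LibreSSL.
sha256_hex() {
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
}

# device_key PUBKEY_FILE: ACB-style device key, the SHA-256 of the SSH public key.
device_key() {
    sha256_hex "$1"
}

# encrypt_config IN OUT PASSPHRASE: AES-256-CBC with a key derived from the passphrase.
encrypt_config() {
    openssl enc -e -aes-256-cbc -md sha256 -pbkdf2 -salt \
        -pass "pass:$3" -in "$1" -out "$2"
}

# decrypt_config IN OUT PASSPHRASE: exits non-zero with a wrong passphrase
# (the CBC padding check fails), which is what "unusable without the
# passphrase" means in practice.
decrypt_config() {
    openssl enc -d -aes-256-cbc -md sha256 -pbkdf2 \
        -pass "pass:$3" -in "$1" -out "$2" 2>/dev/null
}

# restore_drill ENC_FILE PASSPHRASE EXPECTED_SHA256: prove that the passphrase
# you recorded restores the config. Comparing the hash also catches the
# roughly 1-in-256 case where a wrong passphrase yields valid padding and garbage.
restore_drill() {
    tmp=$(mktemp) || return 1
    if decrypt_config "$1" "$tmp" "$2" && [ "$(sha256_hex "$tmp")" = "$3" ]; then
        rm -f "$tmp"
        echo ok
        return 0
    fi
    rm -f "$tmp"
    echo fail
    return 1
}

# Stand-alone run on constructed sample data: a fake host key and a minimal config.xml.
demo() {
    work=$(mktemp -d) || exit 1
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyNotARealHostKey root@pfSense\n' > "$work/host.pub"
    printf '<pfsense><system><hostname>fw1</hostname></system></pfsense>\n' > "$work/config.xml"
    pass='correct horse battery staple'   # constructed; record yours outside the firewall
    expected=$(sha256_hex "$work/config.xml")

    echo "device key to record: $(device_key "$work/host.pub")"
    encrypt_config "$work/config.xml" "$work/config.xml.enc" "$pass"
    echo "restore drill, recorded passphrase: $(restore_drill "$work/config.xml.enc" "$pass" "$expected")"
    echo "restore drill, wrong passphrase:    $(restore_drill "$work/config.xml.enc" 'typo' "$expected")"
    rm -rf "$work"
}

demo
```

Run the drill right after recording the passphrase and device key, and again whenever the SSH host key is regenerated or the passphrase is changed: both events silently invalidate what you wrote down, and discovering that during a real restore is too late.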
Let’s move on to the configuration of the AutoConfigBackup service.
Navigate to Services > Auto Config Backup, Settings tab:
The fields to be filled in are the following:
- Enable ACB: check this box to activate the AutoConfigBackup service
- Backup Frequency: two options are available: Automatically backup on every configuration change (a backup is made on every change) or Automatically backup on a regular schedule (timed backups of the configuration)
- Schedule: if we choose the regular schedule, we specify the hours and days of the backup, in cron format
- Encryption Password: our passphrase. Since the backed-up data is uploaded to third-party servers, this passphrase must be strong. If it is lost, the backups cannot be restored
- Hint/Identifier: an optional identifier, stored as plain-text metadata alongside the encrypted configuration. It is only useful if you have a support subscription with Netgate, and Netgate officially warns that it does not guarantee that backups can be recovered from this hint. Since this field is uploaded unencrypted, never put the passphrase itself, or any hint that gives it away, in it
- Manual backups to keep: the number of manual backups to retain. At most 50 of the 100 retained backups may be manual backups. We suggest setting it to 10, which we think is a good compromise
Example of a result with the “Automatically backup on every configuration change” option:
Example of a result with the “Automatically backup on a regular schedule” option:
Don’t forget to click on the “Save” button in order to save your configuration.
Voilà, the AutoConfigBackup service is configured!
To make sure the service works, make a configuration change (modify a firewall rule, for example), then go to Services > Auto Config Backup, Restore tab to view the automatic backups performed:
If we chose backups on a regular schedule rather than on every change, we have to wait for the scheduled backup to take place.
Manually Backing Up
A manual backup can be made at any time. For example, before and after an update or important changes.
To start a manual backup, simply go to Services > Auto Config Backup, Backup Now tab:
Just enter the revision reason. Then click on the “Backup” button.
Restoring a configuration
To restore a configuration, navigate to Services > Auto Config Backup, Restore tab:
We can change the "Device key" field in order to restore the configuration of another firewall; the correct passphrase of that firewall is also required.
For each backup, 3 actions can be performed:
- Restore: Restore this revision – restart is recommended after the restore
- Visualize: Show info – displays the config file in XML format
- Delete: Delete config – deletes the backup file
That’s it, your firewall is backed up regularly and you know how to restore from a backup made by AutoConfigBackup.
Limitations of AutoConfigBackup
The AutoConfigBackup service is very convenient because it is directly integrated into pfSense and it can be configured in a few clicks.
With ACB you will have regular backups and peace of mind in case of firewall failure.
However, keep in mind that the backups are uploaded to the servers of a third-party company. Even though the files are encrypted, the passphrase is the only thing protecting them, and the hint field is readable in plain text by that third party; this may not be acceptable in a sensitive network architecture.
You also depend on the availability and reliability of Netgate's servers: if they fail, you risk losing some or all of your backups.
For these reasons, if you decide to use AutoConfigBackup, we recommend combining it, at a minimum, with regular manual backups kept under your own control.
In a next article, we will present a solution to backup your pfSense configuration automatically and autonomously with a bash script: [pfSense] Making automatic backups with a script