Using the AutoConfigBackup Service¶
Automatic Configuration Backup (AutoConfigBackup, ACB) is available as a core component of pfSense® software, no package required.
Functionality and Benefits¶
When a change is made to the configuration on a firewall, AutoConfigBackup automatically encrypts the contents with the passphrase entered in the AutoConfigBackup settings and then uploads the backup over HTTPS to Netgate servers. This gives instant, secure offsite backups of a firewall with no user intervention.
Only the most recent 100 encrypted configurations for each device are retained on Netgate servers.
Before the configuration is transmitted to Netgate servers, the firewall encrypts the backup using the AES-256-CBC algorithm and a password created by the firewall administrator on the Settings tab (Configuration). This password is only used locally by AutoConfigBackup and is not transmitted to remote servers.
When restoring a backup from the list of available remote backups, the contents are downloaded and then decrypted with the configured encryption password.
Keep a careful record of the encryption password!
If the password is lost, the backup contents cannot be recovered. The password is private and only known to the local firewall. Neither Netgate nor anyone else will be able to assist in reading the encrypted backups without the password.
To identify a specific firewall, an unique identifier is required to save or restore a backup configuration. ACB uses the SHA256 hash of the SSH public key on the firewall for this purpose.
The device key is located on the Services > Auto Configuration Backup menu item, under the Restore and Backup now tabs.
Keep a careful record of this Device Key!
If the Device Key of a firewall is lost, there is a chance it can be recovered. The Settings page allows the entry of a Hint which is stored in the data store alongside the encrypted backup entries. If the hint is distinct, the Netgate support team may be able to use it to recover the device key. Do not count on this though!
To adjust the settings navigate to Services > Auto Config Backup, Settings tab.
- Enable ACB
When checked, ACB is active and will make automatic configuration backups.
- Backup Frequency
Select when ACB will create backups
- On Every Configuration Change
When selected, ACB will perform a backup on every significant configuration change.
Some minor configuration changes are safely ignored if they do not impact functionality.
- On a Regular Schedule
Enables Schedule controls to perform timed backups instead of performing a backup on every change. This can be more efficient on systems with many frequent changes.
Controls the Hours of the day, Day of the month, Month of the year, and Day of the week on which backups are performed using the standard cron format.
This control is only visible when Backup Frequency is set to On a Regular Schedule.
- Encryption Password/Confirm
The password used by ACB to encrypt the backup, as described in Encryption Password.
An optional hint which will be stored as plain text metadata along with the encrypted configuration. This hint may allow Netgate TAC to locate the device key if it is lost.
- Manual Backups to Keep
50manual backups may be retained, which are not automatically overwritten by automatic backups. These manual backups still count against the
Testing Backup Functionality¶
Make a change to force a configuration backup, such as editing and saving a firewall or NAT rule.
Click Apply Changes
Navigate to Services > Auto Config Backup, Restore tab
Look for the new backup in the list
Manually Backing Up¶
Manual backups should be made before an upgrade or a series of significant changes, as it will store a backup specifically showing the reason, which then makes it easy to restore if necessary. Since each configuration change triggers a new backup, when a series of changes is made it can be difficult to know where the process started.
To force a manual backup of the configuration:
Navigate to Diagnostics > AutoConfigBackup
Click the Backup Now tab at the top
Enter a Revision Reason
Take a manual backup prior to upgrading to a new pfSense software release, and name the backup so the reason the backup was made is clear.
Restoring a Configuration¶
To restore a configuration:
Navigate to Diagnostics > AutoConfigBackup
Click the Restore tab at the top
Locate the desired backup in the list
Click to the right of the configuration row
The firewall will download the configuration specified from the AutoConfigBackup server, decrypt it with the Encryption Password, and restore it.
By default, the firewall will not initiate a reboot. Depending on the configuration items restored, a reboot may not be necessary. For example, firewall and NAT rules are automatically reloaded after restoring a configuration.
After restoring, a the GUI presents a prompt offering to reboot. If the restored configuration changes anything other than the NAT and firewall rules, choose Yes.
Bare Metal Restoration¶
If the disk in the firewall fails or if the SSH key changes due to a re-installation of pfSense software, the ACB service can restore a backup from the previous installation as long as the Device Key and the Encryption Password of the previous installation are both known.
Replace the failed disk
Install pfSense software on the new disk
Configure LAN and WAN
Navigate to Diagnostics > AutoConfigBackup, Settings tab
Set the Encryption Password to match the previous installation
Navigate to the Restore tab
Paste the old device key into the Device Key field
Click the Submit button
This temporarily allows ACB to display a list of backups for an alternate Device Key.
Click Reset to restore the native ID for this firewall.
Once the firewall has been rebooted, it will be running with the configuration backed up before the failure.
Checking the AutoConfigBackup Status¶
The status of an AutoConfigBackup run cay be checked by reviewing the list of backups shown on the Restore tab. This list is pulled from the AutoConfigBackup servers. If the backup is listed there, it was successfully created.
If a backup fails, an alert is logged, and it will be visible as a notice in the WebGUI.