Important

Netgate is offering COVID-19 aid for pfSense software users, learn more.

Using the AutoConfigBackup Service

Automatic Configuration Backup (AutoConfigBackup, ACB) is available as a core component of pfSense software, no package required.

Functionality and Benefits

When a change is made to the configuration on a firewall, AutoConfigBackup automatically encrypts the contents with the passphrase entered in the AutoConfigBackup settings and then uploads the backup over HTTPS to Netgate servers. This gives instant, secure offsite backups of a firewall with no user intervention.

Only the most recent 100 encrypted configurations for each device are retained on Netgate servers.

../_images/acb-service.jpg

Encryption Password

Before the configuration is transmitted to Netgate servers, the firewall encrypts the backup using the AES-256-CBC algorithm and a password that is created by the firewall administrator. This password never leaves the firewall and is never shared.

When restoring a backup from the list of available remote backups, the contents are downloaded and then decrypted with the configured encryption password.

Warning

Keep a careful record of the encryption password!

If the password is lost, the backup contents cannot be recovered. The password is private and only known to the local firewall. Neither Netgate nor anyone else will be able to assist in reading the encrypted backups without the password.

Device Key

To identify a specific firewall, an unique identifier is required to save or restore a backup configuration. ACB uses an SHA256 hash of the SSH public key on the firewall for this purpose.

The device key is located on the Services > Auto Configuration Backup menu item, under the Restore and Backup now tabs.

Warning

Keep a careful record of this Device Key!

If the Device Key of a firewall is lost, there is a chance it can be recovered. The Settings page allows the entry of a Hint which is stored in the data store alongside the encrypted backup entries. If the hint is distinct, the Netgate support team may be able to use it to recover the device key. Do not count on this though!

Configuration

To adjust the settings navigate to Services > Auto Config Backup, Settings tab.

Configuring AutoConfigBackup

Enable ACB

When checked, ACB is active and will make automatic configuration backups.

Backup Frequency

Select when ACB will create backups

On Every Configuration Change

When selected, a backup will be performed on every significant configuration change.

Note

Some minor configuration changes are safely ignored if they do not impact functionality.

On a Regular Schedule

Enables Schedule controls to perform timed backups instead of performing a backup on every change. This can be more efficient on systems with many frequent changes.

Schedule

Controls the Hours of the day, Day of the month, Month of the year, and Day of the week on which backups are performed using the standard cron format.

Note

This control is only visible when Backup Frequency is set to On a Regular Schedule.

Encryption Password/Confirm

The password used by ACB to encrypt the backup, as described in Encryption Password.

Hint/Identifier

An optional hint which will be stored as plain text metadata along with the encrypted configuration. This hint may allow Netgate TAC to locate the device key if it is lost.

Manual Backups to Keep

Up to 50 manual backups may be retained, which are not automatically overwritten by automatic backups. These manual backups still count against the 100 backup limit.

Testing Backup Functionality

  • Make a change to force a configuration backup, such as editing and saving a firewall or NAT rule.

  • Click Apply Changes

  • Navigate to Services > Auto Config Backup, Restore tab

  • Look for the new backup in the list

Manually Backing Up

Manual backups should be made before an upgrade or a series of significant changes, as it will store a backup specifically showing the reason, which then makes it easy to restore if necessary. Since each configuration change triggers a new backup, when a series of changes is made it can be difficult to know where the process started.

To force a manual backup of the configuration:

  • Navigate to Diagnostics > AutoConfigBackup

  • Click the Backup Now tab at the top

  • Enter a Revision Reason

  • Click Backup

Tip

Take a manual backup prior to upgrading to a new pfSense software release, and name the backup so the reason the backup was made is clear.

Restoring a Configuration

To restore a configuration:

  • Navigate to Diagnostics > AutoConfigBackup

  • Click the Restore tab at the top

  • Locate the desired backup in the list

  • Click fa-undo to the right of the configuration row

The firewall will download the configuration specified from the AutoConfigBackup server, decrypt it with the Encryption Password, and restore it.

By default, the firewall will not initiate a reboot. Depending on the configuration items restored, a reboot may not be necessary. For example, firewall and NAT rules are automatically reloaded after restoring a configuration.

After restoring, a the GUI presents a prompt offering to reboot. If the restored configuration changes anything other than the NAT and firewall rules, choose Yes.

Bare Metal Restoration

If the disk in the firewall fails or if the SSH key changes due to a re-installation of pfSense software, the ACB service can restore a backup from the previous installation as long as the Device Key and the Encryption Password of the previous installation are both known.

  • Replace the failed disk

  • Install pfSense on the new disk

  • Configure LAN and WAN

  • Navigate to Diagnostics > AutoConfigBackup, Settings tab

  • Set the Encryption Password to match the previous installation

  • Navigate to the Restore tab

  • Paste the old device key into the Device Key field

  • Click the Submit button

This temporarily allows ACB to display a list of backups for an alternate Device Key.

Click fa-refresh Reset to restore the native ID for this firewall.

Once the firewall has been rebooted, it will be running with the configuration backed up before the failure.

Checking the AutoConfigBackup Status

The status of an AutoConfigBackup run cay be checked by reviewing the list of backups shown on the Restore tab. This list is pulled from the AutoConfigBackup servers. If the backup is listed there, it was successfully created.

If a backup fails, an alert is logged, and it will be visible as a notice in the WebGUI.