Using the AutoConfigBackup Package¶
The most up to date information on AutoConfigBackup can be found on the pfSense® documentation page for the AutoConfigBackup package.
Functionality and Benefits¶
When a firewall configuration change is made, it is automatically encrypted with the passphrase entered in the package configuration and uploaded over HTTPS to the AutoConfigBackup servers. Only encrypted configurations are retained on the AutoConfigBackup servers. This gives instant, secure off-site backup of firewall configuration files with no user intervention once the package is configured.
pfSense Version Compatibility¶
The AutoConfigBackup package works with all supported versions of pfSense, and many older versions as well.
Installation and Configuration¶
To install the package:
Navigate to System > Package Manager, Available Packages tab
Locate AutoConfigBackup in the list
Click Install at the end of the AutoConfigBackup entry
Click Confirm to confirm the installation
The firewall will then download and install the package. Once installed, the package may be found in the menu under Diagnostics > AutoConfigBackup
Setting the hostname¶
Make sure to configure a unique hostname and domain on System > General Setup. The configuration entries in AutoConfigBackup are stored by FQDN (Fully Qualified Domain Name, i.e. hostname + domain), so each firewall being backed up must have a unique FQDN, otherwise the system cannot differentiate between multiple installations.
The package is configured under Diagnostics > AutoConfigBackup. On the Settings tab, fill in the settings as follows:
- Subscription Username
The username for the pfSense Gold Subscription account
- Subscription Password/Confirm
The password for the pfSense Gold Subscription account
- Encryption Password/Confirm
An arbitrary passphrase used to encrypt the configuration before uploading. This should be a long, complex password to ensure the security of the configuration. The AutoConfigBackup servers only hold encrypted copies, which are useless without this Encryption Password
It is important that the Encryption Password be remembered or stored securely outside of the firewall. Without the Encryption Password, the configuration file cannot be recovered and the Encryption Password is not stored on the server outside of the configuration file.
Testing Backup Functionality¶
Make a change to force a configuration backup, such as editing and saving a firewall or NAT rule, then click Apply Changes. Visit Diagnostics > AutoConfigBackup, Restore tab, which will list available backups along with the page that made the change (where available).
Manually Backing Up¶
Manual backups should be made before an upgrade or a series of significant changes, as it will store a backup specifically showing the reason, which then makes it easy to restore if necessary. Since each configuration change triggers a new backup, when a series of changes is made it can be difficult to know where the process started.
To force a manual backup of the configuration:
Navigate to Diagnostics > AutoConfigBackup
Click the Backup Now tab at the top
Enter a Backup Reason
Restoring a Configuration¶
To restore a configuration:
Navigate to Diagnostics > AutoConfigBackup
Click the Restore tab at the top
Locate the desired backup in the list
Click to the right of the configuration row
The firewall will download the configuration specified from the AutoConfigBackup server, decrypt it with the Encryption Password, and restore it.
By default, the package will not initiate a reboot. Depending on the configuration items restored, a reboot may not be necessary. For example, firewall and NAT rules are automatically reloaded after restoring a configuration. After restoring, the user is prompted if they want to reboot. If the restored configuration changes anything other than NAT and firewall rules, choose Yes and allow the firewall to reboot.
Bare Metal Restoration¶
If the disk in the firewall fails, as of now the following procedure is required to recover on a new installation.
Replace the failed disk
Install pfSense on the new disk
Configure LAN and WAN, and assign the hostname and domain exactly the same as previously configured
Install the AutoConfigBackup package
Configure the AutoConfigBackup package as described above, using the same portal account and the same Encryption Password used previously.
Visit the Restore tab
Choose the configuration to restore
When prompted to reboot after the restoration, do so
Once the firewall has been rebooted, it will be running with the configuration backed up before the failure.
Checking the AutoConfigBackup Status¶
The status of an AutoConfigBackup run cay be checked by reviewing the list of backups shown on the Restore tab. This list is pulled from the AutoConfigBackup servers. If the backup is listed there, it was successfully created.
If a backup fails, an alert is logged, and it will be visible as a notice in the WebGUI.