How to Backup and Restore Configurations in pfSense 2.0
I always like to back up the configuration of my pfSense system before I do any major changes to the system. If I ever run into a problem I can always reinstall pfSense from the CD and restore the backup file. This makes the process of recovering from a problem much faster and a lot less of a hassle than the alternative of rebuilding everything from scratch.
Even when I'm not planning a major change such as an upgrade I like to make an occasional backup of the configuration. I tend to make many small tweaks to my pfSense systems over time and I don't always remember everything that I have done.
I've also had instances in the past where the hard drive in my router randomly decided to stop working and I was forced to restore from backups, so it's a good idea to always be prepared.
Performing a Manual Backup
To perform a backup of the system configuration, click on Backup/Restore in the Diagnostics menu. Make sure the backup area is set to "ALL", then click on download configuration. This will download an XML file which contains all of the configuration settings stored within pfSense.
- Do not backup package information - I usually leave this box unchecked so I can restore the settings for the packages that are installed. If you need to migrate a configuration to another system without the same packages you might need to use this option.
- Encrypt this configuration file - It is always a good idea to enable encryption on the config file. Passwords are stored in plain text within the XML file so be careful! If you enable this setting you will have to set a password for the file.
- Do not backup RRD data - This setting is enabled by default and most users will want to keep it turned on so the backup files remain small in size. If you do want to back up the data for the graphs within pfSense, disable this setting.
If you manage several pfSense firewalls you might want to consider using the automatic config backup package. To take advantage of this package you must be a pfSense premium portal subscriber.
Once you install the package you will need to enter your support portal username and password. To access the package settings click on AutoConfigBackup in the diagnostics menu.
After you configure the package it will monitor the system for changes. Any time the pfSense configuration is changed a backup of the configuration will be encrypted and transferred to an off-site backup server.
Remote Backups Via SSH
If you don't have a support portal account you can still set up automatic backups.
Every time a change in pfSense is made a backup of the config file is stored in /cf/conf/backup.
You could create a script to run as a cron job on the pfSense system to push the files in this directory to a remote server or network attached storage device.
Alternatively, you could run a script on a remote system which downloads the files in the config directory using SSH/SCP.
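The remote pull approach described above could look like the following script, run from cron on the backup host. It is an added example, not part of the original article: the host name, user, key path and destination directory are assumptions, and it treats the pulled files as sensitive because the XML config stores passwords in plain text.

```shell
#!/bin/sh
# Added example: pull pfSense config backups over SSH to a backup host.
# Host, user, key path and destination are assumptions, not from the article.
PFSENSE_HOST="${PFSENSE_HOST:-pfsense.example.lan}"
PFSENSE_USER="${PFSENSE_USER:-admin}"
SSH_KEY="${SSH_KEY:-$HOME/.ssh/pfsense_backup}"
DEST_DIR="${DEST_DIR:-$HOME/pfsense-backups}"
REMOTE_DIR="/cf/conf/backup"    # backup directory named in the article

# Copy the remote XML backups into directory $1 (needs network access).
fetch_backups() {
    scp -q -p -i "$SSH_KEY" -o BatchMode=yes \
        "$PFSENSE_USER@$PFSENSE_HOST:$REMOTE_DIR/*.xml" "$1"/
}

# The XML holds passwords in plain text: owner-only access to the store.
secure_store() {
    chmod 700 "$1" && find "$1" -type f -exec chmod 600 {} +
}

# Succeed only if $1 is non-empty and ends with the closing root element,
# which a truncated transfer would be missing.
verify_backup() {
    [ -s "$1" ] && tail -n 5 "$1" | grep -q '</pfsense>'
}

# Rename incomplete files in $1 to *.partial; print how many were renamed.
check_store() {
    bad=0
    for f in "$1"/*.xml; do
        [ -e "$f" ] || continue
        if ! verify_backup "$f"; then
            mv -- "$f" "$f.partial"
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

main() {
    umask 077                      # new files are created owner-only
    mkdir -p "$DEST_DIR"
    fetch_backups "$DEST_DIR" || { echo "fetch failed" >&2; return 1; }
    secure_store "$DEST_DIR"
    [ "$(check_store "$DEST_DIR")" -eq 0 ] || { echo "incomplete backups found" >&2; return 1; }
}

# Run only when asked, e.g. from cron: sh pull-pfsense-backups.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Use a dedicated SSH key for this job and keep the destination directory on a disk that is itself access-controlled, since anyone who can read these files can read the firewall's stored passwords.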
Performing a Restore
Config files can be restored from the same page you create the backups on. You have the option of selecting a specific area of the config to restore, or "ALL" for a full restoration.
Choosing an individual area is useful in situations where a firewall or NAT rule has been deleted but the rest of the system is still fine.
After the config file is restored pfSense will reboot automatically.
I highly recommend setting up a system for automatically backing up your config files. When backups are automated you don't have to worry about remembering to do them.
Make sure to store your config files in a different physical location than the router or firewall you are backing up. In the event of a fire or flood the backup will be useless if it was destroyed along with the system being backed up.
Dropbox offers 2GB of offsite storage for free, making it a perfect location for storing config files.
© 2011 Sam Kear