Using the AutoConfigBackup Package

pfSense Gold Subscription users have access to the Automatic Configuration Backup Service via the AutoConfigBackup package. The most up to date information on AutoConfigBackup can be found on the pfSense documentation page for the AutoConfigBackup package.

Functionality and Benefits

When a firewall configuration change is made, it is automatically encrypted with the passphrase entered in the package configuration and uploaded over HTTPS to the AutoConfigBackup servers. Only encrypted configurations are retained on the AutoConfigBackup servers. This gives instant, secure off-site backup of firewall configuration files with no user intervention once the package is configured.

pfSense Version Compatibility

The AutoConfigBackup package works with all supported versions of pfSense, and many older versions as well.

Installation and Configuration

To install the package:

  • Navigate to System > Package Manager, Available Packages tab
  • Locate AutoConfigBackup in the list
  • Click Install at the end of the AutoConfigBackup entry
  • Click Confirm to confirm the installation

The firewall will then download and install the package. Once installed, the package may be found in the menu under Diagnostics > AutoConfigBackup

Setting the hostname

Make sure to configure a unique hostname and domain on System > General Setup. The configuration entries in AutoConfigBackup are stored by FQDN (Fully Qualified Domain Name, i.e. hostname + domain), so each firewall being backed up must have a unique FQDN, otherwise the system cannot differentiate between multiple installations.

Configuring AutoConfigBackup

The package is configured under Diagnostics > AutoConfigBackup. On the Settings tab, fill in the settings as follows:

Subscription Username:
 The username for the pfSense Gold Subscription account
Subscription Password/Confirm:
 The password for the pfSense Gold Subscription account
Encryption Password/Confirm:
 An arbitrary passphrase used to encrypt the configuration before uploading. This should be a long, complex password to ensure the security of the configuration. The AutoConfigBackup servers only hold encrypted copies, which are useless without this Encryption Password

Warning

It is important that the Encryption Password be remembered or stored securely outside of the firewall. Without the Encryption Password, the configuration file cannot be recovered and the Encryption Password is not stored on the server outside of the configuration file.

Testing Backup Functionality

Make a change to force a configuration backup, such as editing and saving a firewall or NAT rule, then click Apply Changes. Visit Diagnostics > AutoConfigBackup, Restore tab, which will list available backups along with the page that made the change (where available).

Manually Backing Up

Manual backups should be made before an upgrade or a series of significant changes, as it will store a backup specifically showing the reason, which then makes it easy to restore if necessary. Since each configuration change triggers a new backup, when a series of changes is made it can be difficult to know where the process started.

To force a manual backup of the configuration:

  • Navigate to Diagnostics > AutoConfigBackup
  • Click the Backup Now tab at the top
  • Enter a Backup Reason
  • Click Backup

Restoring a Configuration

To restore a configuration:

  • Navigate to Diagnostics > AutoConfigBackup
  • Click the Restore tab at the top
  • Locate the desired backup in the list
  • Click fa-undo to the right of the configuration row

The firewall will download the configuration specified from the AutoConfigBackup server, decrypt it with the Encryption Password, and restore it.

By default, the package will not initiate a reboot. Depending on the configuration items restored, a reboot may not be necessary. For example, firewall and NAT rules are automatically reloaded after restoring a configuration. After restoring, the user is prompted if they want to reboot. If the restored configuration changes anything other than NAT and firewall rules, choose Yes and allow the firewall to reboot.

Bare Metal Restoration

If the disk in the firewall fails, as of now the following procedure is required to recover on a new installation.

  • Replace the failed disk
  • Install pfSense on the new disk
  • Configure LAN and WAN, and assign the hostname and domain exactly the same as previously configured
  • Install the AutoConfigBackup package
  • Configure the AutoConfigBackup package as described above, using the same portal account and the same Encryption Password used previously.
  • Visit the Restore tab
  • Choose the configuration to restore
  • When prompted to reboot after the restoration, do so

Once the firewall has been rebooted, it will be running with the configuration backed up before the failure.

Checking the AutoConfigBackup Status

The status of an AutoConfigBackup run cay be checked by reviewing the list of backups shown on the Restore tab. This list is pulled from the AutoConfigBackup servers. If the backup is listed there, it was successfully created.

If a backup fails, an alert is logged, and it will be visible as a notice in the WebGUI.