Tom here from Lawrence Systems, and I did a video the other day discussing the backup and restore, and it's essentially the disaster recovery model for recovering a pfSense system and restoring the XML, and just how easy that is to do. Everything is stored in that config.xml file. And then of course, the next question is how do you automate the backup of it? Because I had mentioned in that video that anytime I make a change to my firewall, the firewall at the office, firewalls that we manage for clients, we always are sure to make a backup; it's just part of our process and procedure of maintaining firewalls. And someone says, well, why don't you script it to have it do it all the time?

There's actually a facility within pfSense that we're going to talk about today that allows you to have automated backups. And we'll talk about, you know, how that system works, how you can recover from it, and how you can accidentally forget something and mess it all up. It's actually something easy to do, but anything easy to do can also be a little bit easy to screw up. So I want to make sure that if you decide to do this, that you understand how it works. So you aren't backing up and then potentially losing the things you do. So we're going to cover the details of how that works.

Before we get into those details, if you'd like to learn more about me and my company, head over to LawrenceSystems.com. If you'd like to hire us for a short project, there's a Hire Us button right at the top. If you'd like to support this channel a little bit, there's affiliate links down below to get you deals and discounts for products and services we talk about on this channel.

Now the first place I want to start is using the Auto Configuration Backup service. This is a free service from Netgate. This is something they include with both pfSense CE and pfSense Plus. It's really simple to do. It's really easy.
They have it documented in case you're curious about how it works, but one of the things they have in here that's really highlighted, and we're going to go over, is making sure you understand where that backup is, how it's encrypted, and how to recover it. And that's what they cover in here, but we're actually just going to cover it functionally in this demo.

So we're going to go here to our cleanly loaded pfSense system, and we're going to go to Services, Auto Config Backup. What I want to show you, and you'll notice that I can click the backup, but I can't click the restore page because it keeps bringing me back to here. This is that device ID key. And this over here is where we set the password. This service will not work without a password. This is one of the things that they have documented in here, in case you're wondering, is pfSense able to see my configuration files: they are encrypted prior to leaving pfSense. End of story. That's where it stops. So they cannot recover this file for you. They cannot view this file. This file is protected by the strength of the encryption password you use.

We're going to use a really weak password though, just for demonstration purposes, but you can use a weak password. I highly recommend using a good one, but you also have to remember what this password is, to be part of your pfSense setup process. When you're doing this, go here and enable automatic config, create a password, and we'll just use "password". We'll put it in again. Password. And is "password" really strong? In here, manual backups to keep: it may be useful to specify how many manual backups are retained on the server so automatic backups do not overwrite them. A maximum of 50 retained for manual backups, out of the 100 backups total permitted. So they give you a pretty good amount of storage. They offer 100 of them here. Now, backup here, under backup frequency, I'm leaving this at default.
This is where I've seen a lot of people suggest just automating backups, and we'll talk later about other ways to automate this. But the problem is if you're backing up all the time, you're just kind of wasting cycles. Not that it's a huge chore to back this up, but it really only matters to back up on change. This is the manual backup process that we follow. As I said, whenever we're changing something, we make sure we make a backup. So I leave this on configuration change, because if you're not changing configuration on your firewall from day to day, or from hour to hour, why have it back up hour to hour? It doesn't make too much sense to me, but maybe someone has a use case, and leave the comments down below.

We're going to go ahead and hit, keeping 10 manual backups, hit save. And now we can go to backup now. We'll say YouTube. I should spell YouTube right. "YouTube demo" is harder to type when you're on the camera. YouTube demo, there we go. And there's our key. And then we're just going to do this manual backup.

So let's make a configuration change real quick. And we can even do something simple, like just go to the dashboard. And maybe we want to list the services on the dashboard. So service status. Alright, now that's down here, drag it up here, because it looks cooler if it's at the top, hit the little save button. Now we've made a couple configuration changes. So now we can go back over here, those are going to be queued. Go to the service. It's got a queuing system in the background that kind of kicks this process off to do these backups. And now we can see that there's a few automatic backups here. So admin access setting saved, auto config backup saved, installed this tool to run in the background. And because we made these other changes, if we waited a second, those are queued, we'll probably see these changes show up as well. Right, it only took maybe about another 30, 40 seconds for these to show up, I just jumped ahead real quick.
And now you can see there's that widget configuration has been updated, widget configuration has been updated. This is really the same as your backup and restore over here, and your config history. So on change, it has these different config histories that you can revert to. And in here, it's backing those same changes up.

Now, the question really is what happens when you want to do a restore. That's where things get a little bit, not complicated, but something you need to understand how this works. You need this device key, and you need the password you use. And because I used the word "password" as the password, if you were to try to get this config right here, if you were to screenshot this and grab it and use "password", you can get it. But let's actually go and change the password to something more complicated. Password 123, and hit save. And I want to show you what happens now, because we've made a configuration change to the system. We've changed it to password 123. But the backups for this key will keep showing. So after a few moments, it's going to back these up again. And then I can go through and submit this key and see things from it.

But here's where it gets interesting. Let's go ahead and look at one of these backups. And we're going to look at the backup and we don't have the right key. This is why the encryption is so important and why Netgate can't see this. So if we try to look at this configuration, and we click the thing, it's taking a second to think and download this. The following errors were detected: could not decrypt config.xml. So as I said, it's encrypted when it leaves here. And that's done prior to it sending to Netgate, and it's stored encrypted on Netgate's side. And if you don't have the matching password, so even if someone were to get this device ID key, which is derived from your public SSH key, they would not be able to get the data from it without your password.
And of course, if your password is "password" and someone just wants to guess passwords, well, "password" seems like a pretty easy guess. So the combination of not letting this be public information. And of course, just trying to guess SSH keys and figuring out how they derive this, it's a pretty long set of characters. So it's not like I can just increment this. Matter of fact, we can show you: if we increment it by one, do we find someone else's? Are we going to get lucky here? This is, you know, well, nope, no backups with that one right there. So incrementing it by one didn't do any good. Now, if I went and put the password back in from the previous password I had, I can restore those, but actually new backups have been encrypted with this password here. So now the new backups will be stored and be able to be restored because I have the right password here.

Now let's talk about the scenario though, where you completely lose the system and have to reload it, and how would you recover from that? And like I said, it's just a matter of putting the password in and having that key. And let me show you how to force it to regenerate a key. So our current key ends in AA10. So we'll go ahead and we're just going to copy that, paste it somewhere for safekeeping. And we're going to go to the command line on this particular pfSense system. And what we want to do here is we're just going to remove the SSH keys. And if we do an rm ssh_host*, we want to just get rid of all the SSH keys. Then we go back over to our pfSense system, we're just going to restart the SSH service. If you delete the keys and restart SSH, there's a job that goes in the background that runs and goes, hey, look, I'm missing keys. And it tells it to regenerate those keys. And here you go: pfSense has completed creating your SSH keys. Great. Actually, we'll mark these as read. And if we go back over to Services, Auto Config Backup, we see we have a completely new device key.
So now it's going to start backing up under this device key, and the password's the same. But you know, if we were to fresh load a system, this is also what would happen. So how do you restore those settings that you had in your previous system? Because if you have a catastrophic failure, or you're replacing it with a different pfSense, well, that's going to be something that might happen. So we're going to go back over here to restore. And we want to restore that other config. So we paste that one back in. There's that key that ends in AA10, we submit the key. And as long as on the settings page we put the password to be the same, we can retrieve these and put these back into this particular pfSense. So if we go here, we can see the encrypted config XML and look at the decrypted one in case we're restoring it to a dissimilar system. Obviously, it's the same system. It's really easy. You can just go back and install. But I wanted to view it first to show you right here, where you can make some changes if you need it, if there were some nuances to it. And then we can just say, install this version. Are you sure you want to do it? And then it will put the system back the way it was before whatever failure caused you to have to reload it.

Now, the last piece I want to comment on is where the configuration file's actually stored inside of pfSense. Now we're at the command line of this particular system. If we look inside of it, we can see the backup and the config.xml. And this is located under /cf/conf. And this is the backup file you want. And I'm mentioning this because some people come up with their own automation systems. And basically you SSH in and grab this file and copy it to wherever you want for backup. So that is another methodology at which you could do, is just grab these config.xml files on some type of process you want. But I find it just fine to go through the backup and restore process when we're using it for clients.
We just go Backup & Restore, download. Now the question may come up, do we set up auto config for all of our clients? Well, because we have an internal process by which we manage these XML files, it's not really been something that we use all the time. Do we recommend it though? Oh yeah, this is something we recommend people use. And this is an additional layer to your backups. I don't think it's the only place you should have backups, just because they're not in your control, so to speak. And what if there was an outage, a downtime, at the moment you wanted to restore? Having that backup in two places seems to make more sense.

But because so many people forget things, I'm willing to bet that automated system that Netgate has is probably more reliable than the average person doing the backup. Sorry, I'm not trying to associate anyone. Just when you do a lot of consulting, you find a lot of people, or you work with a lot of internal IT teams, that do not have backup procedures for configuration files of their devices, despite, well, constantly reminding them that they should do this. So I think automation is great; process and procedure and good discipline goes a long way. But why not use both? That's really the ultimate answer: hey, set this auto configuration backup, make it part of your documentation, make sure you've kept that device ID key with the system, so you know exactly where that is. Don't just, you know, leave it inside of the pfSense. Then also have your own configuration backup that you did. If you put it in your checklist on the earliest stages of your pfSense setup, if something goes wrong along the way, it's great that you can just reload and pull something back down as needed.
I can't tell you how many people we've had to try to, and this includes personal friends, that lost a whole lot of effort and work because they goofed something up completely and go, oh man, that died because, you know, hardware and things and stuff happened, especially when you're a homelab person doing it. So that's all my little rant on backing up and reminding people to do it. It's a great process to use. I think it's a wonderful addition and something really cool that Netgate offers to help keep your pfSense backup safe and secure.

All right. And thanks. And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to LawrenceSystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store where we have a wide variety of shirts that we sell, and designs come out, well, randomly. So check back frequently. And finally, our forums. forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching and look forward to hearing from you.
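
The SSH-and-copy method mentioned in the video, combined with the back-up-on-change policy, as an added example that is not part of the original video or of pfSense itself: it pulls /cf/conf/config.xml and archives a copy only when the content differs from the last one stored. The host name, user and destination directory are assumptions, and unlike the Netgate service this copy is stored unencrypted, so the archive is kept owner-only.

```shell
#!/bin/sh
# Added example: archive pfSense config.xml over SSH, only when it has changed.
# FW_HOST, FW_USER and BACKUP_DIR are assumed values; adjust to your environment.
FW_HOST="${FW_HOST:-fw.example.internal}"
FW_USER="${FW_USER:-backup}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/pfsense-backups}"
REMOTE_CONFIG="/cf/conf/config.xml"   # path given in the video

# Print the SHA-256 of a file, using whichever tool the backup host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# archive_if_changed FILE DIR
# Returns 0 and prints the stored path when a new version is archived,
# 1 when FILE is identical to the last archived version,
# 2 when FILE is empty or truncated (no closing </pfsense> root tag).
archive_if_changed() {
    src=$1
    dir=$2
    [ -s "$src" ] || { echo "refusing empty file: $src" >&2; return 2; }
    grep -q '</pfsense>' "$src" || { echo "truncated config: $src" >&2; return 2; }
    # config.xml holds secrets in the clear, so keep the archive owner-only.
    mkdir -p "$dir" && chmod 700 "$dir" || return 2
    new=$(sha256_of "$src")
    if [ -f "$dir/latest.sha256" ] && [ "$(cat "$dir/latest.sha256")" = "$new" ]; then
        return 1
    fi
    dest="$dir/config-$(date -u +%Y%m%dT%H%M%SZ)-$(printf '%.12s' "$new").xml"
    cp "$src" "$dest" && chmod 600 "$dest" || return 2
    printf '%s\n' "$new" > "$dir/latest.sha256"
    printf '%s\n' "$dest"
}

# Fetch the live config with key-based scp (BatchMode never prompts), then archive it.
fetch_and_archive() {
    tmp=$(mktemp) || return 2
    scp -q -o BatchMode=yes "$FW_USER@$FW_HOST:$REMOTE_CONFIG" "$tmp" \
        && archive_if_changed "$tmp" "$BACKUP_DIR"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Only contact the firewall when invoked as: script.sh run
[ "${1:-}" = "run" ] && fetch_and_archive
```

Scheduled from cron with the `run` argument, an exit status of 1 means nothing changed since the last archived copy, and 2 means the transfer or the file was bad and should be alerted on.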