pfSense Backup and Configuration Recovery
pfSense backup is built around exporting the config.xml configuration file, which contains all system parameters. A properly organized backup process enables restoring the firewall within minutes after a hardware failure, administrator error, or system compromise. This guide covers all backup methods, restoration procedures, and best practices for ensuring configuration preservation.
config.xml Structure
The config.xml file resides in the /cf/conf/ directory and contains the complete pfSense configuration in XML format.
What config.xml Includes
| Component | Description |
|---|---|
| Network interfaces | Assignments, IP addresses, VLANs, bridges |
| Firewall rules | All filtering rules, NAT, floating rules |
| VPN configurations | OpenVPN, IPsec, WireGuard - all tunnel parameters |
| Users and groups | Local user accounts, group membership, privileges |
| Certificates | CAs, server and client certificates, CRLs |
| Authentication servers | LDAP and RADIUS settings |
| DHCP and DNS | DHCP server configuration, DNS resolver/forwarder |
| Routing | Static routes, gateways, gateway groups |
| Package settings | Configuration for installed packages (HAProxy, Snort, etc.) |
| System parameters | Timezone, hostname, DNS servers, NTP |
What config.xml Does NOT Include
| Component | Description | Backup Method |
|---|---|---|
| Installed packages | Package binary files | Reinstall after restore (package list is saved in config.xml) |
| RRD data | Monitoring graphs (traffic, load) | Separate export via Diagnostics > Backup & Restore |
| Custom files | Changes to /boot/loader.conf.local, scripts | Backup package or manual copy |
| System logs | Event journals | Configure remote syslog |
| DHCP leases | Current DHCP leases | Does not require backup |
| Firewall state | State table | Does not require backup |
Warning:
The list of installed packages is saved in config.xml, but the package files themselves must be reinstalled after restoration. pfSense reinstalls the packages listed in the configuration automatically after the post-restore reboot, which requires access to the package repository; confirm the result under System > Package Manager and reinstall anything that is still missing.
Manual Backup
Manual backup creation is performed through the web interface and takes only a few seconds.
Backup Procedure
- Navigate to Diagnostics > Backup & Restore
- Ensure the Backup & Restore tab is selected
- Configure export parameters:
| Parameter | Description |
|---|---|
| Backup area | Backup scope (ALL for complete backup or a specific section) |
| Skip packages | Exclude package configuration from the backup |
| Skip RRD data | Exclude graph data (significantly reduces file size) |
| Encryption | Encrypt the backup file with a password |
| Password | Encryption password (when Encryption is enabled) |
- Click Download configuration as XML
- Store the file in a secure location
Backup Areas
The Backup area dropdown provides the following options:
| Area | Contents |
|---|---|
| ALL | Complete system configuration |
| Aliases | Firewall aliases only |
| Captive Portal | Captive Portal settings |
| DHCP Server | DHCP configuration |
| DNS Server | DNS settings |
| Firewall Rules | Firewall rules |
| Interfaces | Network interface configuration |
| IPsec | IPsec VPN settings |
| NAT | NAT rules |
| OpenVPN | OpenVPN configuration |
| SNMP | SNMP settings |
| Static Routes | Static routing |
Partial backup is useful for transferring individual sections between devices without replacing the entire configuration.
Backup Encryption
Encrypting backups is strongly recommended because config.xml contains:
- User passwords (hashed)
- Certificate private keys (in plaintext)
- VPN tunnel pre-shared keys
- Authentication server shared secrets
- LDAP bind account passwords
When encryption is enabled, the XML is encrypted with AES-256-CBC using a key derived from the password and wrapped in a tagged text envelope. The password must be stored separately from the backup file: recovery is impossible without it, and anyone holding both the file and the password holds every private key and shared secret listed above. Use a long, randomly generated passphrase kept in a password manager rather than reusing the admin password.
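The following script is an added example rather than pfSense's own code. It walks a config.xml backup and counts the secret-bearing elements listed above, so a backup job can use it as a gate that refuses to write a backup with embedded secrets to unencrypted storage. The element paths (cert/prv, system/user/bcrypt-hash, ipsec/phase1/pre-shared-key, and so on) are my assumptions about the config.xml layout and should be checked against a real file; the sample configuration is constructed.

```python
"""Inventory the secrets a pfSense config.xml backup carries.

Added example, not pfSense's own code. The element paths below follow the
config.xml layout as assumed here; verify them against your own file.
"""
import xml.etree.ElementTree as ET

# (label, path relative to the <pfsense> root). Assumed element names.
SECRET_PATHS = (
    ("certificate private keys", "./cert/prv"),
    ("CA private keys", "./ca/prv"),
    ("user password hashes", "./system/user/bcrypt-hash"),
    ("IPsec pre-shared keys", "./ipsec/phase1/pre-shared-key"),
    ("LDAP bind passwords", "./system/authserver/ldap_bindpw"),
    ("RADIUS shared secrets", "./system/authserver/radius_secret"),
    ("OpenVPN TLS keys", "./openvpn/openvpn-server/tls"),
)


def inventory_secrets(xml_text):
    """Return {label: count} for every secret-bearing element that has a value."""
    root = ET.fromstring(xml_text)
    if root.tag != "pfsense":
        raise ValueError("root element is <%s>, not <pfsense>" % root.tag)
    found = {}
    for label, path in SECRET_PATHS:
        count = sum(1 for el in root.findall(path) if (el.text or "").strip())
        if count:
            found[label] = count
    return found


def plaintext_storage_allowed(xml_text):
    """Gate for a backup job: only a backup with no embedded secrets may be
    written to unencrypted storage."""
    return not inventory_secrets(xml_text)


# Constructed sample, trimmed to the elements the inventory looks at.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <version>23.3</version>
  <system>
    <hostname>fw01</hostname>
    <user><name>admin</name><bcrypt-hash>$2y$10$examplehash</bcrypt-hash></user>
    <user><name>svc-ro</name><bcrypt-hash>$2y$10$otherhash</bcrypt-hash></user>
    <authserver><type>ldap</type><ldap_bindpw>BindPw!</ldap_bindpw></authserver>
  </system>
  <ca><refid>ca1</refid><crt>Q0E=</crt></ca>
  <cert><refid>c1</refid><crt>Q1JU</crt><prv>UFJW</prv></cert>
  <ipsec><phase1><ikeid>1</ikeid><pre-shared-key>s3cret</pre-shared-key></phase1></ipsec>
  <openvpn><openvpn-server><vpnid>1</vpnid><tls>VExT</tls></openvpn-server></openvpn>
</pfsense>
"""

if __name__ == "__main__":
    for label, n in sorted(inventory_secrets(SAMPLE_CONFIG).items()):
        print(f"{n:3d}  {label}")
```

Run against the sample, the inventory reports one certificate private key, two password hashes, one IPsec PSK, one LDAP bind password and one OpenVPN TLS key; the CA entry has no <prv> and so does not count. A non-empty inventory is the reason to keep the Encryption box ticked.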
Backup File Naming
pfSense generates file names in the format: config-<hostname>-<YYYY><MM><DD><HH><MM><SS>.xml
Consider adding the backup reason when manually renaming:
config-fw01-20260406-before-vpn-changes.xml
config-fw01-20260406-after-upgrade-2.7.2.xml
Automatic Backup
Built-in Automatic Backup
pfSense automatically creates a configuration backup on every change made through the web interface. The change history is stored locally and accessible from Diagnostics > Backup & Restore, tab Config History.
| Parameter | Default Value |
|---|---|
| Number of stored versions | 30 |
| Location | /cf/conf/backup/ |
| Name format | config- |
The number of stored versions is configurable under Diagnostics > Backup & Restore, tab Config History, field Backup Count.
The built-in history allows:
- Viewing a list of changes with dates and descriptions
- Comparing any two configuration versions (diff)
- Restoring any saved version
Warning:
The local backup history is stored on the same disk as the main configuration. If the disk fails, all versions will be lost. Local history does not replace storing backups in an external location.
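The Config History diff is a line-by-line comparison of the XML. The added example below (not part of pfSense) instead compares the firewall rule sets of two exported versions keyed on the <tracker> id pfSense assigns to each rule and ignores the <created>/<updated> bookkeeping, so a review before restoring an older version shows only the rules that were added, removed or changed. The two configurations are constructed samples.

```python
"""Diff the firewall rule set between two config.xml versions.

Added example, not pfSense code. Rules are keyed on their <tracker> id and the
<created>/<updated> bookkeeping is ignored so only effective changes appear.
"""
import xml.etree.ElementTree as ET


def _flatten(rule):
    """Map a <rule> to {field: value}; nested source/destination are joined."""
    fields = {}
    for child in rule:
        if child.tag in ("created", "updated"):
            continue
        if len(child) == 0:
            fields[child.tag] = (child.text or "").strip()
        elif child.tag in ("source", "destination"):
            fields[child.tag] = ",".join(
                f"{c.tag}={(c.text or '').strip()}" for c in child)
    return fields


def _rules(xml_text):
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.findall("./filter/rule"):
        tracker = (rule.findtext("tracker") or "").strip()
        if tracker:
            rules[tracker] = _flatten(rule)
    return rules


def diff_rules(old_xml, new_xml):
    """Return {'added': [...], 'removed': [...], 'changed': {tracker: {field: (old, new)}}}."""
    old, new = _rules(old_xml), _rules(new_xml)
    changed = {}
    for tracker in old.keys() & new.keys():
        delta = {f: (old[tracker].get(f), new[tracker].get(f))
                 for f in old[tracker].keys() | new[tracker].keys()
                 if old[tracker].get(f) != new[tracker].get(f)}
        if delta:
            changed[tracker] = delta
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}


def format_diff(result):
    lines = [f"+ rule {t}" for t in result["added"]]
    lines += [f"- rule {t}" for t in result["removed"]]
    for t, delta in sorted(result["changed"].items()):
        for field, (before, after) in sorted(delta.items()):
            lines.append(f"~ rule {t}: {field}: {before!r} -> {after!r}")
    return "\n".join(lines)


# Constructed samples: the SSH rule is widened from an alias to any source,
# the temporary block is deleted, and a LAN pass rule is added.
OLD = """<pfsense><filter>
  <rule><tracker>100001</tracker><type>pass</type><interface>wan</interface>
    <ipprotocol>inet</ipprotocol><protocol>tcp</protocol>
    <source><address>Admins</address></source>
    <destination><any></any><port>22</port></destination>
    <descr>SSH from admin hosts</descr>
    <updated><time>1712000000</time><username>admin</username></updated>
  </rule>
  <rule><tracker>100002</tracker><type>block</type><interface>lan</interface>
    <ipprotocol>inet</ipprotocol>
    <source><any></any></source><destination><any></any></destination>
    <descr>temporary block</descr>
  </rule>
</filter></pfsense>"""

NEW = """<pfsense><filter>
  <rule><tracker>100001</tracker><type>pass</type><interface>wan</interface>
    <ipprotocol>inet</ipprotocol><protocol>tcp</protocol>
    <source><any></any></source>
    <destination><any></any><port>22</port></destination>
    <descr>SSH from admin hosts</descr>
    <updated><time>1712003600</time><username>admin</username></updated>
  </rule>
  <rule><tracker>100003</tracker><type>pass</type><interface>lan</interface>
    <ipprotocol>inet</ipprotocol>
    <source><network>lan</network></source><destination><any></any></destination>
    <descr>LAN out</descr>
  </rule>
</filter></pfsense>"""

if __name__ == "__main__":
    print(format_diff(diff_rules(OLD, NEW)))
```

The widened SSH rule is reported as a single changed field on tracker 100001, which is exactly the kind of change that justifies restoring the previous version from history.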
AutoConfigBackup
AutoConfigBackup (ACB) is a cloud-based automatic backup service provided by Netgate and built into the base system; it is available on pfSense Plus, and eligibility for pfSense CE installs should be checked against Netgate's current terms. The service uploads an encrypted configuration copy to Netgate's servers on every change, or on a schedule if so configured.
Configuring AutoConfigBackup
- Navigate to Services > Auto Config Backup
- Set an encryption password
- Record the Device Key shown on the page: it identifies this firewall to the service, and restoring its backups to a replacement unit requires it
| Parameter | Description |
|---|---|
| Enable ACB | Enable automatic backup |
| Encryption Password | Password for encrypting backups (stored locally only) |
| Device Key | Identifier derived from the firewall's SSH host key; recent releases use it in place of portal credentials |
ACB Characteristics
- Configuration is encrypted locally before transmission - Netgate has no access to the contents
- Up to 100 recent configuration versions are stored
- Restoration is available from the saved version list in the web interface
- If the encryption password is lost, recovery from ACB is impossible; if the Device Key is lost, the service cannot locate the firewall's backups, so store both with the recovery documentation
Scheduled Backups via Cron
For automated backups on a schedule with external storage, use the Cron package and a configuration export script.
Setting Up Automatic Backup via SCP
- Install the Cron package through System > Package Manager
- Create a cron job under Services > Cron that copies the configuration (the \% escaping is required because cron treats a bare % as a line break):
0 2 * * * /usr/bin/scp /cf/conf/config.xml backup@storage.example.com:/backups/pfsense/config-$(date +\%Y\%m\%d).xml
For passwordless SCP, configure SSH key authentication between pfSense and the storage server, and restrict the backup account on the storage server to writing into its target directory (for example with a forced command). Note that this copies config.xml in plaintext: SSH protects it in transit only, and the file on the storage server still contains private keys and pre-shared keys, so either protect that server like the firewall itself or encrypt the file before upload.
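A one-line scp job copies whatever is on disk at that instant and leaves nothing to verify against later. The script below is an added example, not pfSense's own tooling: it checks that the file is well-formed XML with a <pfsense> root before copying, names the copy like the GUI export, writes a SHA-256 sidecar, keeps a bounded number of local copies, and then pushes the pair with scp over key-based SSH. STAGE, REMOTE and KEEP are placeholders, and the interpreter path for the cron entry (pfSense ships a python3 binary under /usr/local/bin whose version depends on the release) is an assumption to adjust. The copies are still plaintext, so the remote store needs the same protection as the firewall.

```python
"""Staged config.xml backup for a cron job: validate, timestamp, hash, prune, upload.

Added example, not pfSense's own code. Standard library only. STAGE, REMOTE
and KEEP are placeholders; scp relies on key-based SSH auth being set up.
"""
import hashlib
import pathlib
import shutil
import socket
import subprocess
import time
import xml.etree.ElementTree as ET

SRC = pathlib.Path("/cf/conf/config.xml")
STAGE = pathlib.Path("/root/config-backups")               # assumption
REMOTE = "backup@storage.example.com:/backups/pfsense/"    # placeholder
KEEP = 14                                                  # local copies to retain


def validate_config(path):
    """Reject anything that is not well-formed XML with a <pfsense> root and a
    <version> element; guards against copying a file caught mid-rewrite."""
    root = ET.parse(path).getroot()
    version = root.findtext("version")
    if root.tag != "pfsense" or not version:
        raise ValueError(f"{path}: not a pfSense configuration")
    return version.strip()


def backup_name(hostname, now=None):
    """Same shape as the GUI export: config-<host>-<YYYYMMDDHHMMSS>.xml."""
    stamp = time.strftime("%Y%m%d%H%M%S", time.localtime(now))
    return f"config-{hostname}-{stamp}.xml"


def stage(src, stage_dir, hostname, now=None):
    """Copy a validated config into stage_dir with a SHA-256 sidecar.
    Returns (copy_path, hex_digest)."""
    stage_dir = pathlib.Path(stage_dir)
    stage_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    validate_config(src)
    dest = stage_dir / backup_name(hostname, now)
    shutil.copy2(src, dest)
    dest.chmod(0o600)
    digest = hashlib.sha256(dest.read_bytes()).hexdigest()
    dest.with_suffix(".xml.sha256").write_text(f"{digest}  {dest.name}\n")
    return dest, digest


def prune(stage_dir, keep):
    """Delete all but the newest `keep` staged copies (names sort by timestamp)."""
    files = sorted(pathlib.Path(stage_dir).glob("config-*.xml"))
    removed = []
    for old in files[:max(len(files) - keep, 0)]:
        old.unlink()
        sidecar = old.with_suffix(".xml.sha256")
        if sidecar.exists():
            sidecar.unlink()
        removed.append(old.name)
    return removed


def upload(path, remote):
    """Push the copy and its digest with scp; relies on key-based SSH auth."""
    subprocess.run(["/usr/bin/scp", "-q", str(path),
                    str(path.with_suffix(".xml.sha256")), remote], check=True)


if __name__ == "__main__":
    dest, digest = stage(SRC, STAGE, socket.gethostname())
    prune(STAGE, KEEP)
    upload(dest, REMOTE)
    print(f"{dest.name} {digest}")
```

Saved as /root/config_backup.py, the Cron package entry becomes 0 2 * * * /usr/local/bin/python3 /root/config_backup.py with the interpreter path adjusted to the installed version. On the storage side, sha256sum -c against the sidecar confirms the copy before it is ever used for a restore.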
Alternative Automation Methods
| Method | Description |
|---|---|
| SCP/SFTP | Copy to a remote server over SSH |
| Backup Package | Package for backing up files and directories not in config.xml |
| XMLRPC | Programmatic access to configuration via API |
Restoring from Backup
Full Restore
A full restore replaces the entire current configuration with the backup file contents.
- Navigate to Diagnostics > Backup & Restore
- In the Restore Backup section, select the backup file
- Configure restore parameters:
| Parameter | Description |
|---|---|
| Restore area | ALL for full restoration |
| Configuration file | The .xml backup file |
| Encryption | Indicate whether the file is encrypted |
| Password | Decryption password (if the file is encrypted) |
- Click Restore Configuration
- Wait for the system to reboot
After a full restore, pfSense automatically:
- Applies all interface settings
- Restores firewall and NAT rules
- Restarts VPN services
- Reinstalls the packages listed in the configuration (requires access to the package repository)
Partial Restore
A partial restore replaces only a specific configuration section without affecting other settings.
- In the Restore area field, select the desired section (Firewall Rules, OpenVPN, NAT, etc.)
- Upload the backup file
- Click Restore Configuration
Partial restore is useful for:
- Recovering firewall rules after erroneous changes
- Transferring VPN configuration from another device
- Restoring DHCP settings without modifying the rest of the configuration
Restoring from Local History
- Navigate to Diagnostics > Backup & Restore, tab Config History
- Locate the desired configuration version by date and description
- Click the restore icon next to the selected version
- Confirm the restoration
Recovery After Complete System Loss
In the event of total system loss (disk failure, hardware destruction), the recovery procedure consists of the following steps:
- Install pfSense on new hardware
- Perform initial setup (interface assignment, base IP address)
- Access the web interface
- Navigate to Diagnostics > Backup & Restore
- Restore the configuration from the backup file
- Wait for the reboot
- Install missing packages
- Verify all services are operational
Configuration Migration Between Devices
Migration Between Devices with the Same pfSense Version
When transferring configuration between devices running the same pfSense version, follow the standard backup and restore procedure. Consider the following:
- Interface assignments must correspond to the new hardware
- If network adapters differ, interface reassignment through the console may be required
- CARP VHID and Virtual IP settings require verification after transfer
Migration Between Different pfSense Versions
pfSense supports restoring configurations from earlier versions with automatic format migration.
| Migration Direction | Support |
|---|---|
| Older version to newer | Supported with automatic conversion |
| Newer version to older | Not supported - format errors may occur |
Recommended migration procedure between versions:
- Create a backup on the old device
- Install the new pfSense version on the target hardware
- Restore the configuration from the backup
- Review the migration log for warnings
- Test all critical services
Migration Between Different Hardware
When transferring configuration to hardware with a different set of network interfaces:
- Restore the configuration from the backup
- When prompted, perform interface reassignment through the console
- Map the new hardware physical interfaces to the configuration logical interfaces
- Verify IP address assignment correctness on each interface
Warning:
When the number or types of interfaces differ between old and new hardware, some settings may require manual adjustment. Pay particular attention to firewall rules bound to specific interfaces.
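When the replacement hardware has differently named NICs, the console prompts for reassignment after the restore, but the mapping can also be applied to the backup file beforehand so the restored firewall comes up with the right devices on its first boot. The added example below (not pfSense code) rewrites the physical device names in <interfaces>/<name>/<if> and in the <vlans> entries, including the parent.tag form of VLAN interface names, and lists the devices a configuration references that the target box lacks, fed from the output of ifconfig -l on the new hardware. Those element paths are assumptions to check against your own file; LAGG members, PPP ports, QinQ and wireless entries also carry device names and are not handled here. The sample configuration and device list are constructed.

```python
"""Remap physical interface names in a config.xml before restoring it on
different hardware (em0/em1 on the old box, igb0/igb1 on the new).

Added example, not pfSense code. Covers <interfaces>/<x>/<if> and the
<vlans>/<vlan> <if>/<vlanif> elements only; laggs, ppps, qinqs and wireless
entries also name devices and must be checked by hand.
"""
import xml.etree.ElementTree as ET


def _remap_device(dev, mapping):
    """em1.100 -> igb1.100 when mapping has em1 -> igb1; unknown names unchanged."""
    parent, dot, tag = dev.partition(".")
    new_parent = mapping.get(parent)
    return new_parent + dot + tag if new_parent else dev


def _device_elements(root):
    """Yield (location, element) for every element holding a physical device name."""
    ifaces = root.find("interfaces")
    if ifaces is not None:
        for iface in ifaces:
            el = iface.find("if")
            if el is not None:
                yield f"interfaces/{iface.tag}/if", el
    for i, vlan in enumerate(root.findall("./vlans/vlan")):
        for name in ("if", "vlanif"):
            el = vlan.find(name)
            if el is not None:
                yield f"vlans/vlan[{i}]/{name}", el


def remap_interfaces(xml_text, mapping):
    """Return (new_xml, changes); changes is a list of (location, old, new)."""
    root = ET.fromstring(xml_text)
    changes = []
    for where, el in _device_elements(root):
        old = (el.text or "").strip()
        new = _remap_device(old, mapping)
        if new != old:
            el.text = new
            changes.append((where, old, new))
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode"), changes


def missing_devices(xml_text, present):
    """Parent devices the config references that the target box does not have."""
    root = ET.fromstring(xml_text)
    parents = {(el.text or "").strip().partition(".")[0]
               for _, el in _device_elements(root)}
    present = set(present)
    return sorted(p for p in parents if p and p not in present)


# Constructed sample: two NICs plus a VLAN on the LAN NIC.
OLD_BOX = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em1.100</if><descr>GUEST</descr></opt1>
  </interfaces>
  <vlans><vlan><if>em1</if><tag>100</tag><vlanif>em1.100</vlanif></vlan></vlans>
</pfsense>
"""
NEW_BOX_DEVICES = ["igb0", "igb1", "igb2"]   # constructed `ifconfig -l` output

if __name__ == "__main__":
    print("missing before remap:", missing_devices(OLD_BOX, NEW_BOX_DEVICES))
    new_xml, changes = remap_interfaces(OLD_BOX, {"em0": "igb0", "em1": "igb1"})
    for where, old, new in changes:
        print(f"{where}: {old} -> {new}")
    print("missing after remap:", missing_devices(new_xml, NEW_BOX_DEVICES))
```

Run missing_devices first against the real ifconfig -l list; an empty result after the remap means the restore should not prompt for reassignment at all. The rewritten file is plain XML and is restored through the GUI or the console like any other unencrypted backup.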
Backup Package for Additional Files
The standard config.xml backup does not include custom files placed outside the configuration. The Backup package is designed for this purpose.
Installation and Configuration
- Install the Backup package via System > Package Manager
- Navigate to Diagnostics > Backup Files/Dirs
- Add files and directories for inclusion in the backup:
| Example Files | Purpose |
|---|---|
| /boot/loader.conf.local | Custom boot parameters |
| /boot/device.hints | Hardware settings |
| /usr/local/etc/custom_scripts/ | Custom scripts |
| /var/db/pkg/ | Installed package database | Sometimes listed, but restoring it over a fresh install desynchronises pkg; the package list in config.xml is sufficient, so prefer to leave it out |
Files added through the Backup package are not embedded in config.xml; only the list of paths is stored there. The file contents are exported as a separate archive from the Diagnostics > Backup Files/Dirs page and restored from the same page, so keep that archive alongside the config.xml backup under the same encryption and access controls.
Troubleshooting
Restore Failure
| Problem | Cause | Resolution |
|---|---|---|
| XML format error | Corrupted backup file | Check file integrity, try a different version |
| Decryption error | Incorrect password | Verify the encryption password |
| Interfaces not assigned | Hardware differences | Reassign through console |
| Packages not working | Packages not installed | Install via Package Manager |
Version Incompatibility During Restore
A restore fails when the configuration format of the backup is newer than the target release understands: pfSense converts older configurations forward but has no conversion backward. The format version is recorded in the <version> element near the top of config.xml. If restoring a configuration from a newer pfSense version to an older one produces errors:
- Install a pfSense version equal to or newer than the one that produced the backup
- Restore the configuration there; the automatic upgrade handles the older-to-newer conversion
- Do not attempt an in-place downgrade: pfSense does not support downgrades, and the only route to an older release is a clean reinstall followed by a restore of a backup taken on that release
Restoring Without Web Interface Access
If the web interface is unavailable, configuration can be restored through the console:
- Connect to the console (physically or via serial)
- Select option 15) Restore recent configuration
- Choose the configuration version to restore
- Confirm the restoration
Alternative method - copying config.xml directly. The file on the USB drive must be a plain XML backup, not a GUI export that was encrypted; nothing in the console decrypts it.
# Format the USB drive as FAT32 and copy the backup to it as config.xml
# Connect the USB drive to the pfSense device and confirm its device name (dmesg | tail)
# Through shell (option 8 in the console):
mount -t msdosfs /dev/da0s1 /mnt           # da0s1 for an MBR-partitioned stick; a GPT stick appears as da0p1
cp /cf/conf/config.xml /root/config.xml.old  # keep the current file for comparison
cp /mnt/config.xml /cf/conf/config.xml
umount /mnt
rm -f /tmp/config.cache                    # discard the parsed-config cache so the new file is read at boot
reboot
Best Practices
When to Create a Backup
| Event | Action |
|---|---|
| Before any configuration change | Create a backup |
| After a successful change | Create a backup |
| Before upgrading pfSense | Create a backup and store an external copy |
| Before installing or updating packages | Create a backup |
| On a regular schedule (daily/weekly) | Automated backup via cron |
Backup Storage Strategy
Follow the 3-2-1 principle:
- 3 copies of the configuration (primary + two backups)
- 2 different media types (local disk + remote server)
- 1 copy in a geographically separate location
Backup Security
| Measure | Description |
|---|---|
| Encryption | Always encrypt backup files |
| Access control | Restrict access to the backup storage |
| Secure transfer channels | Use SCP/SFTP instead of unencrypted protocols |
| Separate password storage | Store the encryption password separately from the backup file |
| Access auditing | Maintain access logs for backup files |
Restore Testing
A backup is only useful if it can be successfully restored. Periodically conduct test restorations:
- Deploy a test pfSense instance (virtual machine)
- Restore the configuration from the backup
- Verify all settings are correct
- Confirm all services start properly
- Document the test results
Recommended testing frequency - at least once per quarter.
Procedure Documentation
For each firewall, document:
- Backup file locations and encryption passwords (in a password manager)
- Recovery procedure with designated responsible personnel
- Interface reassignment instructions for migration to spare hardware
- Escalation contacts for recovery issues
Related Sections
- Certificate Management - certificates and keys stored in config.xml
- User Management - user accounts and privileges included in the backup
- High Availability - CARP - configuration synchronization between HA cluster nodes