Grabbing Devices Configuration Using Expect

Command Line Just a small post about an Expect script I quickly wrote to solve a backup issue. I already blogged about the “Expect” tool one year ago. I won’t explain again the basics of Expect, just read my previous post.

This time, Expect is used to perform an automatic backup of a PaloAlto firewall. Why Expect? The target device is only available remotely via SSH (it’s not possible to use the standard backup procedure). And more annoying, the configuration is displayed using via the command line interface in a local pager (The space-bar must be pressed to display the next screen).

Why use this procedure to backup the firewall will you ask? For several reasons:

  • Backup automation (the script can be executed from a crontab)
  • SSH increases the security by encrypting all the data
  • The configuration in a flat file can be easily re-used to define a baseline and check for changes between two different backups (audit & change management)

Basically, the script opens a SSH session to the device, sends the required command (“show config running“) to dump the running configuration, simulates a key press at every pause and saves the results to a local file.

#!/usr/bin/expect -f
# backup.expect
# Expect script to backup a PaloAlto firewall via a SSH admin session
# Usage: pa_backup.expect  <host|ip> <login> <password> <prompt> <output>


set firewall	[ lrange $argv 0 0 ]
set username	[ lrange $argv 1 1 ]
set password	[ lrange $argv 2 2 ]
set prompt	[ lrange $argv 3 3 ]
set filename	[ lrange $argv 4 4 ]
match_max 50000

spawn ssh -l $username $firewall
expect "yes/no" { send "yes\r" }
expect "assword:"
send "$password\r"
expect -timeout 10 "$prompt>"
set output [open "$filename" "w"]
set running 1
send "show config running\r"
expect "\n"
expect "\[K"
while { $running  > 0 } {
	expect {
		"\n"	{ puts -nonewline $output "$expect_out(buffer)" }
		"lines *-* " { send " " }
		"$prompt>"   { set running 0 }
		eof		{ set running 0 }
		timeout		{ set running 0 }
send "exit\r"

The script is available: backup.expect (Of course provided “as is” without any warranty).


  1. Just one question: why are you trying to achieve? If you’re working with PaloAlto firewalls, they provide a very nice REST API that can be used to automate almost everything…

  2. Hi Xavier,

    My script like this :

    set usernamenya [lindex $argv 0]
    set passwordnya [lindex $argv 1]
    set hostnamenya [lindex $argv 2]

    send_user “\n==\n===\n====StartOFExpectSession\n===\n==\n”

    spawn ssh “$usernamenya@$hostnamenya”
    expect “Pass” {send “$passwordnya\r”}
    send “show clock\r”
    expect “EHS>”
    send “exit\r”
    send_user “\n==\n===\n====EndOFExpectSession\n===\n==\n”

    There is no quote (“) on send “show clock\r”

  3. Anybody could help me with this problem?
    please wait…
    send: spawn id exp6 not open
    while executing
    “send “show clock\r””
    (file “/usr/script/expectTemplate_PaloAlto” line 27)
    Job finished
    Result Filename: /home/ade/PaloAltoCloudciti_20170420.141543.tar.gz
    Log added in : /usr/script/getConfig.log

    I just tested it with command send “show clock\r, but it shows error like that.
    What’s wrong with my cronjob?
    Thanks before


    Hi, I found a issue with this great script and crontab, this is who I solved it. Incluiding an sleep inside while loop and without output to a file, just with …/ > …/PaloAlto1.conf inside crontab.

    while { $running > 0 } {
    expect {
    “\n” { send ” ” }
    “lines *-* ” { send ” ” }
    “admin@PA-3050_HIBU1(active)>” { set running 0 }
    eof { set running 0 }
    timeout { set running 0 }
    sleep 1 <<<<<<<<<<<<<<<<<<

  5. To properly backup a PA firewall **managed by Panorama** you have to download the “device state” using the api. ( type=export category=configuration ).

  6. log_file $device-$filesave.cfg
    send “show running-config\r”
    expect -ex “–More–” {send ” “;exp_continue}

    I have the following code for looping between the pages, but it finally ends with the # prompt and hangs. I have to stop it using Ctrl Z. Any solution to exit the code properly.

  7. You can also send the command “set cli pager off” to the palo alto to disable paging in the shell

  8. You’re right, I already heard good things about this product a few years ago! Completely forgot it.
    Thanks for the feedback!

  9. I advise you to check the opensource tool RANCID [] which does precisely that: backup regularly every network config and keep an history with csv/svn. It allows also to alert if there is some changes to check if it was correctly approved.
    It’s more appropriate if you have many systems but could be use on small infrastructure too. It could probably be adapted to save some unix /etc in csv/svn.

    Else, thanks for all your interesting posts.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.