PIX Firewall Backup

Note: The information on this page is dated. I wrote this script in 2005 and since I no longer have a PIX in my possession, it may or may not work and the statements below are based on my knowledge of the PIX at that time. If someone wants to send me a PIX or give me access to one online I could rev the script. Until that time it’s as-is and I wish you all the luck.

The Cisco PIX┬« firewall is rather common in today’s information security market. Unfortunately there are very few methods to maintain automatic backups of the firewall configuration. This is hampered as well by the fact that PIX has limited support for SSH and no other secure method for maintaining its configuration. (Unless you want to turn to an IPsec tunnel or buy additional product.) This is what prompted the work contained herein. This script will backup multiple PIX firewalls, storing their configurations compressed in seperate directories based on the firewall name.

Basically what follows is a script that wraps around a custom copy of the OpenSSH ssh client. The reasons for this strange setup is as follows:

  1. PIX currently only supports SSH v1.0
    Update: As of the new version, 7.0 PIX now supports SSH v2.0. If you’re using v7.0 and would be willing to test a copy using PHP with SSH v2 bindings (instead of the patched OpenSSH), let me know. I don’t have a v7.0 PIX running at this time to test with myself.
  2. When in a failover state, the firewalls have a tendancy to change their host keys.
  3. The PIX only supports password authentication via SSH which can’t be wrapped in a script.

Based upon these conditions, I built the attached script.

Note that this is not a drop-and-run application though I’ve lately thought of building one in C. You need to add two non-standard flags to your PHP installation (assuming it’s not on by default in your distribution or you compiled your PHP yourself) and you need to add a patched copy of OpenSSH under a new filename. The patch and all the instructions are included in the README.

Attention: I don’t give any warranty to the useability, applicability, quality or safety of using these functions. It’s all up to the person who finally sits down to make it work to … well, make it work. Best try it first with non-production resources when you test your own implementation. Basically, it works like a champ on my system but if you do something wrong, your mileage might vary.


The old version is no longer available since the new version is substantially improved and now more easily packaged and distributed. This is version 1.5 of the PIX backup script along with all necessary instructions and configuration information.

What’s new?

  • The configuration is now stored in one file, /etc/pixbackup.conf (you can change the filename if you like of course.)
  • You can now set unique usernames/passwords/encryption settings for each firewall that is backed up.
  • The script now splits off a child process for each backup so one backup can’t delay or pause another. It also has checks built in should the transfer stall indefinitely. (SIGALRM.)


Leave a Reply

Your email address will not be published. Required fields are marked *