Introduction:

The configuration file of any firewall is extremely important since it holds all
the customizations made by the user. In the event of hardware failure, if the
config files aren't backed up to an external location, the configs will have to
be built up from scratch. So it's a good practice to back up and export the
config files regularly especially to external locations.
Panorama can do this automatically. But in case, a Panorama isn't managing
the firewalls, this document can be very helpful to export and backup the
config file to an external location for safe keeping.
Overview:
1) Access the firewall using XML API:
1.1) Setup the firewall for API access by generating API Key
1.2) Save the API key and then add that to HTTPs query in the next step
2) Retrieve the running config file using a HTTPS GET:
2.1) To run HTTPS GET from command prompt, use CURL for windows. For
Linux hosts, it might be built-in.
2.2) Then save the retrieved config to a file.
3) Automate the log export process:
3.1) Add the commands from above steps to batch file (or a script for Linux
hosts).
3.2) Then run the batch file on a server which will be always-on.
3.3) Create a job in Windows Scheduler (or CRON job if Linux server) to call
that batch file periodically.
1) Access the firewall using XML API:
For accessing the firewall using XML API, we need to generate the API key
first. To generate it
https://<firewallip>/api/?
type=keygen&user=<username>&password=<password>

The response for that should be in form of an XML with the API Key printed as
below:

Save the API key somehwere safe. It's like a password.

2) Retrieve the running config file using a HTTPS GET:
Since windows command line doesn't support HTTPS requests, we have to use
CURL for windows to do a HTTPS GET to fetch the running configuration.
Note: CURL for Windows can be downloaded from:
https://curl.haxx.se/download.html
(OR)
http://winampplugins.co.uk/curl/
Download and extract CURL to a folder. If CURL command should be
accessible universally, then add the extract CURL folder to PATH under
Environment variables.
The below site explains how to add a folder to PATH in detail:
https://java.com/en/download/help/path.xml

Now for the HTTPS request to retrieve the running config from the firewall.
The below URL, should print the config file if run from a browser:

https://192.168.1.1/api/?
type=export&category=configuration&key=<api_key>

To capture the Config XML to a file, we have to retrieve the HTTPS URL using
CURL. The command is as below (this should be run from the server):
>curlkG"https://192.168.1.1/api/?
type=export&category=configuration&key=<api_key>">running
config.xml

The above command, when run from command line, will create a file named
running-config.xml in the folder from which the command was run.
Note: If CURL's extracted path isn't added to the PATH, then it should be run
from the folder where CURL was extracted.
3) Automate the log export process:
Now that we have the command to fetch the running config in XML format, we
can create a batch file and then call that in Windows Scheduler. Scheduling it
on a server which is always on would be a good idea.
Contents of the batch file:

cd\
cdcurl\bin
curlkG"https://192.168.1.1/api/?
type=export&category=configuration&key=<api_key>">c:\running
config.xml
ToAppendDatetotheConfigFileName:
curlkG"https://192.168.1.1/api/?
type=export&category=configuration&key=<api_key>">c:\running
config_%date%.xml

Note:
>> I am assuming that CURL has been extracted to C drive's root.
>> And the config file will be saved to the C drive itself.
>> Change the <api_key> with the key obtained in the previous step.

Follow the instruction in the below URL to run the batch file periodically (like
everynight 1 AM).
http://www.computerhope.com/issues/ch000785.htm#windows7