Network Configuration Backup (NCB) is the process of saving your existing network configuration files. It enables quick recovery of devices from configuration failures, store configuration data centrally, and receive alerts. The most critical application to backup configuration is to restore network functions in times of a network disaster. Faulty configuration changes can cause network disasters like a data breach or even a network outage.

Configuration backup files

Configuration files are categorised into the following types:

Startup configuration

The startup configuration is the configuration your devices run on when they reboot or power up. Startup configuration files are used during system startup to configure the software.

Running configuration

Running configuration files contain the current configuration of the software. The running configuration file and startup configuration may not always be the same. There may be a case when you want to change the configuration for a short period of time, then you update the running configuration but you do not save the changes to the startup configuration file.

Permission-Based Access

For security reasons, a new permission-based access feature has been introduced for the Configuration Backup option for network devices:

  • By default, the Configuration Backup option will not be visible unless the user has the necessary permissions.
  • The Network Configuration tab under the resource will only be accessible to users with NCM View permissions or higher.
  • The Set as Baseline option will only be available to users with NCM Manage permissions or higher.

Supported protocols

The gateway uses the following protocols to connect to end devices:

  • SSH 2.x and higher
  • Telnet

Prerequisites

Before running a Network Configuration Backup job:

  • Network Configuration Backup is supported for network switches and routers.
  • The device must be accessible from the gateway using either SSH or Telnet.
  • Ensure that all required protocols are supported and enabled on the device.
  • Create the job from Automation → Jobs v2 and select Network Configuration Backup as the job type.
  • Apply a credential of type Network Configuration Backup to the device. Only one credential set of this type should be assigned per device.

Creating credentials

Follow these steps to create a credential:

  1. Click Setup → Account.
  2. From Account Details screen, click Credentials tile.
  3. Click +ADD. The ADD CREDENTIAL screen is displayed.
  4. From ADD CREDENTIAL, enter the name and description for credential.
  5. Select credential type as Network Configuration Backup.
  6. Enter username and configure the credential details:
Field NameField TypeDescription
Credential TypeDropdownSelect credential type as NETWORK_BACKUP.
NameStringProvide a name for the credential.
DescriptionStringProvide a brief description about the credential.
User NameStringEnter the User Name.
Password Vault (Optional)CheckboxSelect the checkbox to enable password vault options.
The Integrations and Policy Mapping dropdowns are displayed.
All installed Password Management integrations appear in the Integrations dropdown.
Select an integration from the Integration dropdown.
Select a vault policy from the Policy Mapping dropdown.
PasswordStringEnter a strong password.
Confirm PasswordStringReenter the password.
PortIntegerEnter the port number to establish an SSH or Telnet connection.
Transport TypeStringDetermines the data transmission type: SSH or Telnet.
Auto Enable ModeCheckboxIf enabled, an additional field appears to enter the enable password.
Enable PasswordStringEnter the password required to execute the enable command after logging in.
Connection Timeout (ms)IntegerEnter the connection timeout. Default is 10000 milliseconds.
  1. Click Save.


Configuration backup job options

When creating a Network Configuration Backup job, the following options are available:

Startup Configuration: Enable this option to collect the device’s startup configuration.

Running Configuration: Enable this option to collect the device’s running configuration.

Version Saved

  • All versions: Enable this option to save every configuration backup snapshot, regardless of whether changes have occurred.
  • Save versions with changes only: Enable this option to save a configuration backup snapshot only when a change is detected in the device configuration.

Generate Alerts

These options are available only when their respective configuration backups are enabled:

  • On changes to startup configuration: Enable this option to trigger an alert whenever a difference is detected between the newly collected startup configuration and the previously stored version.
  • On changes to running configuration: Enable this option to trigger an alert whenever a difference is detected between the newly collected running configuration and the previously stored version.

Backup Trigger: Enable this option to automatically initiate a configuration backup when a configuration-change SNMP trap is received.

Retry Failed Devices: If enabled, the retry mechanism automatically retries configuration backups for devices that fail during the initial execution.

  • Retry Count: The number of additional backup attempts.
  • Retry Interval (mins): The time gap between each retry attempt.

For more information, see Network Configuration Backup Retry.

Resources: Add the resources from which configuration backup data needs to be collected.

Schedule

Choose how often the configuration backup job should run. The available scheduling options include:

  • One Time: Executes the backup job only once at the specified date and time.
  • Daily: Runs the backup job every day at the configured time.
  • Weekly: Runs the backup job on the selected day(s) of the week at the specified time.
  • Monthly: Runs the backup job on the selected date(s) each month at the specified time.


Comparing Configuration Versions in the New UI

You can compare the changes or differences between two versions of a configuration.

  1. Go to Infrastructure > Search > Others > Network Device, select the resource for which a network configuration backup job is configured.
  2. Click the resource and then click on Related info and then go to the Configuration Backup tab.
  3. Select the type of configuration Startup Config or Running Config.
  4. Select any two dates to compare the configuration between the dates and click Compare. You can view the difference between the two configurations between the selected dates.

Scenarios

A user wants to save every snapshot of configurations

Every snapshot of configuration can be saved by selecting the option All Versions for the job type Network Backup Configuration while creating a job.

A user wants to save snapshot only when configurations change

Snapshot of configuration change can be saved by selecting the option Save Versions with changes only for the job type Network Backup Configuration while creating a job.

A user wants to get alerts on configuration changes

User gets alerts when there is a change in configuration. Select Generate Alerts while creating a job to get the alerts on changes to the Startup configuration or on changes to the Running configuration.

A user wants to take a backup of a device

In this case, there is a configuration change trap (SNMP) generated on the device

A resource backup is done when you create the job. During job creation:

  1. Select the Network Backup Configuration job type.
  2. Select the Backup Trigger option.

Network Configuration Backup Retry

If enabled, the retry mechanism automatically retries configuration backups for devices that fail during the initial execution. You can configure the following.

  • Retry count: The number of additional backup attempts.
  • Retry interval: The time gap between each retry attempt.
  • If a device backup fails, the system will retry based on the configured count and interval.
  • Alerts are generated only after all retry attempts are exhausted. If any devices still fail after the final retry, an alert is triggered for those devices.
  • If the retry mechanism is not configured, alerts are triggered immediately after the initial job attempt, following the standard alerting process.

Example 1:
If the retry count is set to 1 and the retry interval to 30 minutes, and the original job is scheduled for 10:00 AM, then:
- Initial backup runs at 10:00 AM.
- Retry for failed devices runs at 10:30 AM.
- If devices still fail after the retry, an alert is generated for those devices.

Example 2:
If the retry count is set to 2, the system will make two additional backup attempts after the initial failure, with each attempt spaced according to the configured interval at the time of job creation. Alerts will be sent only for the devices that are failed to collect the backup, in the final retry.

Retention policy

Rolling history of network configuration backup for each resource will be retained for 365 days.

From the first release of 2025, a copy of the latest network configuration for each resource is retained, if there are no recent backups from the last one year.

Supporting OS and Model Devices

Click here to view the supporting OS and Model devices
OSModel
WL-IOS
Note: Added support from 16.1.0 version gateway		AIR-CT2504-K9 / 2500 WLC
WL-IOS
FORTIOS
SB-IOS (or) SBIOS
XR-IOS
XE-IOSFIREPOWER 3140 (or) FPR-3140-K9
XE-IOS
Note: Added support from 19.1.0 GW version.		ISR4 (or) ISR 4
IOSCSS11503 (or) SG500
IOS
ASAASAV (or) IPS (or) ASA (or) Adaptive Security Appliance
MLNX-OS
NXOS (or) NX-OSUCS
NXOS (or) NX-OS
CISCO UCS FIRMWARE (or) CISCO UCSUCS
NOS
FOSACCESS GATEWAY (or) CONVERGE SWITCH
FOS
MSS
JUNOS (or) JUNIPER OS
CATOS
PIXOS
PROCURVEGBE2C (or) OFFICECONNECT SWITCH 1920S 24G 2SFP PPOE+ (185W) JL384A
PROCURVE
SCREENOS
EOS (or)
ADEOS (or) ADE-OS
FORCE10 (or) FORCE 10
VYATTA
NETSCALER
IRONWAREICX7150-24-POE (or) ICX7150-C12-POE (or) ICX7150-48-POEF
IRONWARE
Note: Added support from 17.1.0 version gateway.		ICX 6430 (or) ICX 6610-48
IRONWARE
PAN-OS (or) PANOS
VXWORKS10/100/1000 GIGABIT SWITCH
VXWORKS
WAAS
AOS-CX
Note: Added support from 17.2.0 GW version.
ARUBAOSR0X25A 6410 (or) IAP-VC (or) JL076A (or) JL322A (or) JL320A (or) JL357A (or) JL558A (or) JL356A
ARUBAOS
ACOS
AEROZOS
EXTREMEXOSB5 (or) C2 (or) C3 (or) C5 (or) D2 (or) BONDED SSA-T1068-0652A (or) 1440 (or) 1480
EXTREMEXOS
SONICOS
COS
CISCOACSW
DELLPC
F5TMOS
MERUOS
ADTRANOS
COMWARE1910 (or) 1920 (or) 1950 (or) JG937A (or) FLEXNETWORK 5130-48G-POE+-4SFP+ (370W) EI
COMWARE
VIPTELAOS
Note: Added support from 20.1.0 GW version.		VEDGE
VIPTELAOS
BCF CONTROLLER OS
FXOSFPR-2110, FIRE POWER 1140TD, FIREPOWER 2130 SECURITY APPLIANCE, FIREPOWER 4110 SECURITY MODULE 12, FIREPOWER 2120, FIRE POWER 1120TD, FPR4K-SM-36, FIREPOWER 9000 SECURITY MODULE 44, FIREPOWER 4120 SECURITY MODULE 24, FPR-1140-TD, FPR-1150TD, FPR-3120
FXOS
NGOS
LINUXCBS350-48FP-4G (or) MEDIANT 2600 E-SBC (or) STEELHEAD CX7055 (CX7055M)
FIREWARE (or) FIREWARE XTM
MRV-OD
LINUXIM7200 and make = OpenGear
OS10
YAMAHA OS
AUDIOCODES (LINUX)M800B
VOSS
CUMULUS LINUX
ONYX-OS
DNOS

Troubleshooting steps

  1. Ensure all prerequisites are met.

  2. Check for backup-related alerts on the device.

  3. After you log in to the device with the assigned credentials, verify the backup commands and confirm they execute correctly.

  1. Confirm that the backup commands work successfully on the device, rerun the network configuration backup job, and review the vprobe logs on the gateway for verification.

    • Run commands on Classic Gateway:

      1. Launch the gateway CLI.
      2. Enter: sudo su.

    • Run commands on Nextgen Gateway:

      1. Login to gateway CLI.
      2. Enter enter sudo su.
      3. Run kubectl exec -it nextgen-gw-0 -c vprobe -n <namespace> -- bash.
        Note: If the namespace is not applicable, run kubectl exec -it nextgen-gw-0 -c vprobe -- bash.

    Execute the following command and re-run the network configuration backup job.
    tail -f /var/log/app/vprobe.log

    Logs analyzation:

    • Success Log: - Retrieved network configuration backup successfully for device IP [<ipaddress> ] and OS [SonicOS].
    • Failed Log: Failed to retrieve network configuration backup for device IP [<ipaddress> ] and OS [SonicOS]. Expected pattern(s) is not found after waiting for 60000 msec com.vistara.gateway.transport.PatternTimeOutException: Expected pattern(s) is not found after waiting for 60000 msec.

Backup Alerts Variations

The following alerts may generate for backup-related issues.

  • Configuration backup failed - Credential set of type ‘Network Backup’ is not mapped to the device.
    Verify that you have assigned a credential set of type “Network Configuration Backup” to the device. If not, assign the appropriate credentials, re-save the configuration backup job, and retry the backup.

  • Configuration backup failed – Config backup for device OS [OS-Name] is not supported currently.
    The device’s operating system is not yet supported for network configuration backup in OpsRamp. Refer to the Supporting OS and Model Devices for the list of supported operating systems and models.
    Contact OpsRamp Support to request adding backup support for your operating system and model.

  • Configuration backup failed - Credential set of type “Network Backup” mapped to the device is incorrect or not working.
    Validate the assigned credentials manually from the gateway using one of the following commands:

    • Telnet: telnet <deviceIpAddress> <port>
      (Example: telnet <ipaddress>)

    • SSH: ssh <userName>@<deviceIpAddress> -p <port>
      (Example: ssh admin@<ipaddress> -p 22)

    If you cannot establish a connection or if the connection closes automatically during login, verify the device or firewall configuration to ensure that access is not being blocked.

  • Configuration backup failed - Session.connect: java.net.SocketException: Connection reset or Configuration backup failed - Connection to device refused or timed-out or key exchange algorithm issue.
    Verify that you can successfully perform SSH or Telnet to the device from the gateway.

  • Configuration backup failed – enable credential set of type ‘Network Backup’ mapped to the device is incorrect or not working.
    This alert may have occured due to one of the following reasons.

    • The enable password configured is incorrect.
    • The device does not support the enable command, but you configured Auto Enable Mode = No and provided an enable password in the credentials.
    • The device returns an error such as “% Error in authentication” and fails to switch to privileged mode.

    Review the device configuration and credential settings to resolve the issue.

  • Unable to execute the following command show running-config because of ERROR: % Invalid input detected at " marker".
    Manually execute the configuration backup command shown in the alert on the device to verify that the command works correctly.

  • Configuration backup failed - Algorithm negotiation fail.
    The SSH connection failed due to cryptographic algorithm incompatibility (key exchange, cipher, or host key) between the client and server. Verify the cryptographic algorithms supported on the device and update the connection settings accordingly.

Version History

Click here to view the Gateway Version History
Gateway VersionBug fixes / Enhancements
21.0.0
  • OpsRamp implemented a new backup method for FortiGate firewall configurations to improve restoration reliability. Backups are captured using the sys_config system file over SCP when available.
    If SCP access is not supported, the system automatically falls back to the previous method using the show full-configuration or show commands over the SSH console.
    The following are the requirements for SCP sys_config Access:
    • To use the new FortiGate backup method, you must have an admin account with super_admin privileges.
    • The admin-scp option must be enabled in the system global settings.
    • In addition, the backup system must be able to establish SSH/SCP connectivity to the FortiGate device.
  • OpsRamp Gateway now attempts startup-config backup for F5 devices only when you explicitly select Startup Config in the Network Configuration Backup job. This fix prevents unnecessary backup attempts and alert noise, ensuring backup behavior matches the job options you choose.
    • If Startup Config is selected: The gateway attempts startup-config backup for F5 devices.
    • If Startup Config is not selected (or removed): The gateway does not attempt startup-config backup for F5 devices.
20.1.0
  • Added configuration backup support for Viptela vEdge and cEdge model devices.
  • Network Configuration Backup now automatically retries backups for devices that fail during the initial backup process. You can configure both the number of retries and the interval between each retry attempt. Alerts are generated only after all your configured retry attempts are completed. If any devices remain in a failed state after the final retry, you'll receive an alert for those devices.
  • Configuration backups for DNOS switches are now more dependable. If the device is slow to respond to the initial newline (\n), the gateway waits one minute and then retries, ensuring scheduled backups succeed even with delayed device responses.
20.0.0Network configuration backup support added for Cisco FPR-3120 (FX-OS). Earlier, these devices were not supported by OpsRamp Gateway. With this update, OpsRamp collects configuration backup for FPR-3120 firewall devices.
19.2.0
  • Added configuration backup support for ExtremeOS devices with model names starting with C2, C3, C5, and D2.
  • The configuration comparison process now skips lines starting with "Using" when comparing network configuration backups. This change helps reduce false positives and makes configuration differences easier to interpret.
  • Enhanced configuration backup support for XE-IOS 4K series models by including both Startup and WLAN configurations as part of the startup configuration display.
19.1.0Enabled support to display SD-WAN configuration as startup configuration for devices with OS type XE-IOS and models starting with ISR4 or the ISR 4 series.

Note: If the startup configuration retrieval fails, an alert will be shown. In cases where SD-WAN is not configured on these devices, users should disable the "startup configuration" option in the Network Configuration Backup job to retrieve the running configuration instead.
19.0.0Added support to remove header and footer data from Palo Alto configuration backups.
18.3.0Fixed an issue with Palo Alto configuration backups where certain configurations were not being correctly saved or restored. This has been fixed to ensure that all backup files capture the complete and accurate configuration data.
18.2.0Added XML-based configuration backup support for Palo Alto.
18.0.0
  • Added configuration backup support to FPR-1150TD model device.
  • Enhanced the configuration backup functionality by sending the alert, if configuration backup is more than 15MB.
17.2.0
  • Added configuration backup support to AOS-CX OS.
  • Added fix corner case where not deleting backup job from the gateway database when job has one device and that device deleted.
17.1.0Added configuration backup support for IRONWARE OS ICX 6610-48 model devices.
17.0.0
  • Enhanced configuration backup feature to process large payloads.
  • Enhanced Network configuration backup module to support other ARUBAOS model devices.
16.1.0Added Network backup support for "WL-IOS" OS "AIR-CT2504-K9/ 2500 WLC" model switches.
15.1.0Added fix to configuration backup connection issues.
15.0.0
  • Added new ciphers (chacha20-poly1305@openssh.com) support for ssh login while connecting remote machine when performing the Network Configuration Backup.
  • Fixed the SB-IOS Network Configuration Backup issue by executing this "terminal length 0" command when ever existing "terminal datadump" fails.
14.0.0
  • Customer can take the configuration backup for Riverbed CX7055M and cumulus switches. If any customer has Riverbed CX7055M and Cumulus network devices they can add the devices into Network Configuration Backup Job to collect Network Device Configuration Backup.
  • Added new key Exchange, Host key algorithms and ciphers for ssh login while connecting remote machine when performing the Network Configuration Backup.