backup

Backup management commands for NDCLI. These commands allow you to configure, enable, and monitor device configuration backups to S3-compatible storage.

Commands

Command	Description
backup status	List all device backup statuses
backup show	Show specific device backup status
backup enable	Enable backup for a device
backup disable	Disable backup for a device
backup config show	Show backup configuration
backup config set	Create or update backup configuration
backup config enable	Enable backup configuration
backup config disable	Disable backup configuration
backup config delete	Delete backup configuration
backup config test	Test S3 connection
backup encryption-key set	Set device-specific encryption key
backup encryption-key remove	Remove device encryption key override

---

backup status

List backup status for all devices in the organization.

ndcli backup status [flags]

Flags

Flag	Type	Default	Description
--status	string		Filter by backup status: SUCCESS, FAILED, IN_PROGRESS
--enabled-only	bool	false	Show only devices with backup enabled
--page	int	1	Page number
--per-page	int	30	Items per page (1–100)

Examples

ndcli backup status

ndcli backup status --enabled-only

ndcli backup status --status FAILED

ndcli backup status -f json

---

backup show

Show backup status for a specific device.

ndcli backup show [device]

Arguments

Argument	Required	Description
device	Yes	Device name

Examples

ndcli backup show my-firewall

ndcli backup show my-firewall -f json

---

backup enable

Enable backup for a specific device. The device will be included in future backup runs according to the organization backup schedule.

ndcli backup enable [device]

Arguments

Argument	Required	Description
device	Yes	Device name

Examples

ndcli backup enable my-firewall

Note

A backup configuration must be set at the organization level before enabling backup on individual devices. See backup config set.

---

backup disable

Disable backup for a specific device. The device will be excluded from future backup runs.

ndcli backup disable [device]

Arguments

Argument	Required	Description
device	Yes	Device name

Examples

ndcli backup disable my-firewall

---

backup config show

Show the current organization-level backup configuration.

ndcli backup config show

Examples

ndcli backup config show

ndcli backup config show -f json

---

backup config set

Create or update the organization-level backup configuration. Sensitive values (S3 secret key, encryption key) are prompted interactively if not provided as flags.

ndcli backup config set [flags]

Flags

Flag	Type	Default	Description
--s3-endpoint	string		S3 endpoint URL
--s3-bucket	string		S3 bucket name
--s3-folder	string		Folder path (prefix) within the bucket
--s3-key-id	string		S3 access key ID
--s3-access-key	string		S3 secret access key (prompts if not provided)
--schedule	string		Cron schedule expression (e.g., 0 2 * * *)
--encryption-key	string		Encryption key (prompts if not provided)

Examples

# Interactive setup (sensitive values prompted)
ndcli backup config set \
  --s3-endpoint https://s3.example.com \
  --s3-bucket my-backups \
  --s3-folder netdefense \
  --s3-key-id AKIAIOSFODNN7EXAMPLE \
  --schedule "0 2 * * *"

Tip

After setting the configuration, use ndcli backup config test to verify the S3 connection before enabling backups on devices.

---

backup config enable

Enable the organization-level backup configuration. Backups will run on schedule for all enabled devices.

ndcli backup config enable

Examples

ndcli backup config enable

---

backup config disable

Disable the organization-level backup configuration. No backups will run while disabled.

ndcli backup config disable

Examples

ndcli backup config disable

---

backup config delete

Delete the organization-level backup configuration entirely.

ndcli backup config delete

Examples

ndcli backup config delete

Danger

This permanently deletes the backup configuration including S3 credentials. Device backup statuses are preserved but no new backups will run until a new configuration is created.

---

backup config test

Test the S3 connection using the current backup configuration. Verifies connectivity and write permissions without creating an actual backup.

ndcli backup config test

Examples

ndcli backup config test

---

backup encryption-key set

Set a device-specific encryption key, overriding the organization default for that device.

ndcli backup encryption-key set [device]

Arguments

Argument	Required	Description
device	Yes	Device name

Examples

ndcli backup encryption-key set my-firewall

Note

The encryption key is prompted interactively and never passed as a command-line argument to avoid exposure in shell history.

---

backup encryption-key remove

Remove a device-specific encryption key override. The device will revert to using the organization-level encryption key.

ndcli backup encryption-key remove [device]

Arguments

Argument	Required	Description
device	Yes	Device name

Examples

ndcli backup encryption-key remove my-firewall