BACKUP AND RESTORE

Performing a Manual Backup

To perform a backup of the system configuration, click on Backup and Restore in the Diagnostics menu.

Make sure the backup area is set to ALL, then click on download configuration. This will download an XML file which contains all of the configuration settings stored within DefenseBolt.

Other Options

Skip packages - I usually leave this box unchecked so I can restore the settings for the packages that are installed. If you need to migrate a configuration to another system without the same packages you might need to use this option.

Encrypt this configuration file - It is always a good idea to enable encryption on the config file. Passwords are stored in plain text within the XML file, so be careful! If you enable this setting you will have to set a password for the file.

Skip RRD data - This setting is enabled by default and most users will want to keep it turned on so the backup files remain small in size. If you do want to back up the data for the graphs within DefenseBolt, disable this setting.

Remote Backups Via SSH

If you don’t have a support portal account you can still set up automatic backups.

Every time a change in DefenseBolt is made, a backup of the config file is stored in /cf/conf/backup.

You could create a script to run as a cron job on the DefenseBolt system to push the files in this directory to a remote server or network attached storage device.

Or you could run a script on a remote system which downloads the files in the config directory using SSH/SCP.
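
The pull variant described above, run from the remote backup host, as an added example that is not part of the DefenseBolt documentation. The host name, account, key path, destination directory, retention count and the .xml file suffix are assumptions; only /cf/conf/backup comes from this page.

```shell
#!/bin/sh
# Added example: pull DefenseBolt config backups onto a remote backup host.
# Assumed placeholders (not from the page): host, account, key path,
# destination directory, retention count and the .xml file suffix.
FW_HOST="${FW_HOST:-firewall.example.com}"
FW_USER="${FW_USER:-backup}"
SSH_KEY="${SSH_KEY:-$HOME/.ssh/fw_backup_ed25519}"
DEST_DIR="${DEST_DIR:-$HOME/fw-backups}"
KEEP="${KEEP:-30}"
SRC_DIR="/cf/conf/backup"   # backup directory named on the page

# Copy the backups over SSH with a dedicated key. BatchMode prevents password
# prompts under cron; StrictHostKeyChecking refuses an unknown host key.
fetch_backups() {
    scp -q -p -i "$SSH_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$FW_USER@$FW_HOST:$SRC_DIR/*.xml" "$1/"
}

# The XML holds plain-text passwords, so restrict everything to the owner.
lock_down() {
    chmod 700 "$1" && find "$1" -type f -name '*.xml' -exec chmod 600 {} +
}

# Delete all but the $2 most recently modified backups in directory $1.
prune_old() {
    ls -1t "$1"/*.xml 2>/dev/null | tail -n +"$(( $2 + 1 ))" |
        while IFS= read -r f; do rm -f -- "$f"; done
}

# Number of backup files currently stored in directory $1.
count_backups() {
    find "$1" -type f -name '*.xml' | wc -l | tr -d ' '
}

main() {
    umask 077
    mkdir -p "$DEST_DIR" || return 1
    fetch_backups "$DEST_DIR" || { echo "fetch from $FW_HOST failed" >&2; return 1; }
    lock_down "$DEST_DIR"
    prune_old "$DEST_DIR" "$KEEP"
    echo "$(count_backups "$DEST_DIR") backups stored in $DEST_DIR"
}

# Cron entry on the backup host would call: pull-fw-backups.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Because these files are the unencrypted configuration, the destination directory should sit on storage that is itself access-controlled or encrypted.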

Performing a Restore

Config files can be restored from the same page you create the backups on. You have the option of selecting a specific area of the config to restore, or ALL for a full restoration.

Choosing an individual area is useful in situations where a firewall or NAT rule has been deleted but the rest of the system is still fine.

After the config file is restored, DefenseBolt will reboot automatically.

AutoConfigBackup Package

DefenseBolt Gold Subscription users have access to the Automatic Configuration Backup Service via the AutoConfigBackup package. The most up-to-date information on AutoConfigBackup can be found on the DefenseBolt documentation page for the AutoConfigBackup package.

Functionality and Benefits

When a firewall configuration change is made, it is automatically encrypted with the passphrase entered in the package configuration and uploaded over HTTPS to the AutoConfigBackup servers. Only encrypted configurations are retained on the AutoConfigBackup servers. This gives instant, secure off-site backup of firewall configuration files with no user intervention once the package is configured.

DefenseBolt Version Compatibility

The AutoConfigBackup package works with all supported versions of DefenseBolt, and many older versions as well.

Installation and Configuration

To install the package:

  • Navigate to System > Package Manager, Available Packages tab
  • Locate AutoConfigBackup in the list
  • Click Install at the end of the AutoConfigBackup entry
  • Click Confirm to confirm the installation

The firewall will then download and install the package. Once installed, the package may be found in the menu under Diagnostics > AutoConfigBackup.

Setting the hostname

Make sure to configure a unique hostname and domain on System > General Setup. The configuration entries in AutoConfigBackup are stored by FQDN (Fully Qualified Domain Name, i.e. hostname + domain), so each firewall being backed up must have a unique FQDN, otherwise the system cannot differentiate between multiple installations.

Configuring AutoConfigBackup

The package is configured under Diagnostics > AutoConfigBackup. On the Settings tab, fill in the settings as follows:

Subscription Username - The username for the DefenseBolt Gold Subscription account.

Subscription Password/Confirm - The password for the DefenseBolt Gold Subscription account.

Encryption Password/Confirm - An arbitrary passphrase used to encrypt the configuration before uploading. This should be a long, complex password to ensure the security of the configuration. The AutoConfigBackup servers only hold encrypted copies, which are useless without this Encryption Password.

Warning

It is important that the Encryption Password be remembered or stored securely outside of the firewall. The Encryption Password is not stored on the server outside of the configuration file, and without it the configuration file cannot be recovered.

Testing Backup Functionality

Make a change to force a configuration backup, such as editing and saving a firewall or NAT rule, then click Apply Changes. Visit Diagnostics > AutoConfigBackup, Restore tab, which will list available backups along with the page that made the change (where available).

Manually Backing Up

Manual backups should be made before an upgrade or a series of significant changes, as this stores a backup specifically showing the reason, which then makes it easy to restore if necessary. Since each configuration change triggers a new backup, when a series of changes is made it can be difficult to know where the process started.

To force a manual backup of the configuration:

  • Navigate to Diagnostics > AutoConfigBackup
  • Click the Backup Now tab at the top
  • Enter a Backup Reason
  • Click Backup

Restoring a Configuration

To restore a configuration:

  • Navigate to Diagnostics > AutoConfigBackup
  • Click the Restore tab at the top
  • Locate the desired backup in the list
  • Click refresh to the right of the configuration row

The firewall will download the configuration specified from the AutoConfigBackup server, decrypt it with the Encryption Password, and restore it. By default, the package will not initiate a reboot. Depending on the configuration items restored, a reboot may not be necessary. For example, firewall and NAT rules are automatically reloaded after restoring a configuration. After restoring, the user is prompted if they want to reboot. If the restored configuration changes anything other than NAT and firewall rules, choose Yes and allow the firewall to reboot.

Bare Metal Restoration

If the disk in the firewall fails, as of now the following procedure is required to recover on a new installation.

  • Replace the failed disk
  • Install DefenseBolt on the new disk
  • Configure LAN and WAN, and assign the hostname and domain exactly the same as previously configured
  • Install the AutoConfigBackup package
  • Configure the AutoConfigBackup package as described above, using the same portal account and the same Encryption Password used previously
  • Visit the Restore tab
  • Choose the configuration to restore
  • When prompted to reboot after the restoration, do so

Once the firewall has been rebooted, it will be running with the configuration backed up before the failure.