
CHAPTER 57

BACKING UP AND RESTORING SYSTEM CONFIGURATIONS

Backups contain the necessary configuration information to restore the SMC to the state it was in when the backup was taken, including the configuration information for the Firewall, IPS, and Layer 2 Firewall engines that the Management Server stores.

The following sections are included:

Getting Started with Backups (page 942)

Creating Backups (page 943)

Storing Backup Files (page 944)

Restoring Backups (page 945)

Recovering from a Hardware Failure (page 947)


Getting Started with Backups

Prerequisites: None

What Backups Do

Backups allow you to save and restore Management Server and Log Server configurations on the same system or a different physical host.

The Management Server backup contains the policies, elements, and other essential configuration details for all Firewall, IPS, and Layer 2 Firewall components that they manage, as well as the configuration of the Management Server itself.

The Log Server backup contains the Log Server’s local configuration and optionally the logs.

Restoring the backups allows you to return the SMC configurations to exactly the state they were in when the backup was taken, even if you restore it on a completely new installation.

Backups are needed to recover from the loss of the system configurations, for example, due to hardware failure. A backup also allows you to relocate the SMC servers onto different hardware.

Limitations

The private keys of engine certificates are stored locally on the engines and are not backed up.

What Do I Need to Know Before I Begin?

The Management Server is the only place that contains usable, complete configuration information for any individual engine component in the system. The engines contain a working copy of the configuration details that allows them to carry out traffic inspection independently, but it is not possible to extract this information from the engines in the event that the Management Server is lost. Regular Management Server backups are therefore essential and must be stored in a safe storage location outside the Management Server host machine.

Always take the backups using the Management Server’s internal backup tool. External backup applications that back up the host server may not produce usable backups of your SMC servers, especially if the SMC servers are running at the time the backup is taken.

Backups from the previous major version of the SMC can always be restored in the current major version of the SMC. Backups taken from older versions may not always be restorable. Generally, backups can be restored between versions that support direct upgrades between the versions (see the Release Notes for version-specific details).


Note – If your configuration contains elements for TLS Inspection, the private keys and certificates of the Server Protection Credentials and Client Protection Certificate Authorities are included as plain text in the Management Server backup. Use the encryption option for the backups when the configuration contains elements for TLS Inspection. For more information, see Setting up TLS Inspection (page 733).

Configuration Overview

1. Back up the Management Server(s), Log Server(s) and Authentication Server regularly as instructed in Creating Backups (page 943) or schedule backup tasks to run at regular intervals as instructed in Creating Backup Tasks (page 967) and Scheduling Tasks (page 970).

2. Store the backup files in a safe location as instructed in Storing Backup Files (page 944).

3. When necessary, restore a backup as instructed in Restoring Backups (page 945).


Creating Backups

Prerequisites: None

Management Server backups include all configuration information, including licenses, the server components’ certificates needed for system communications, the root CA, and locally stored user accounts. The configurations you create in the SMC for the engine components are included in the Management Server backup, so these components do not have to be separately backed up.

Log Server backups contain the Log Server configuration information, the Alert Server configuration information and state, and optionally also the log data stored on the server. There is a configurable limit to how large the Log Server backup can be.

Authentication Server backups must be created separately for each Authentication Server node. Authentication Server backups only contain information about user accounts in the Authentication Server’s user database. Configuration information about the Authentication Server is included in the Management Server backup.

The directions below explain how to use the Management Client to take and manage the backups. It is also possible to create backups on the command line, see Command Line Tools (page 1071). The backup file itself is the same regardless of the method used.


Note – To back up the Management Server, there must be enough free disk space on the server. Twice the size of the management database is required. If there is not enough available disk space, the backup process does not start.

To create backups

1. Right-click the Management or Log Server, or Authentication Server node you want to back up and select Backup. The Backup Task Properties dialog opens.

2. (Optional) If you want to back up additional servers, select the server(s) from the list on the left and click Add.

3. (Optional) If you want to create an encrypted backup, select Encrypted, and enter and confirm a password. We recommend using this option if the configuration contains elements for TLS Inspection.

4. (Optional) If you are creating a backup of Log Server(s) and you want to back up the log files, select Back up Log Files.

5. Click OK. The progress is shown on a new tab.


What’s Next? Copy the backup files from the backup directory to a separate, safe location for storage, see Storing Backup Files (page 944).

Related Tasks

If you want to create backup tasks and schedule them to run at regular intervals, see Creating Backup Tasks (page 967) and Scheduling Tasks (page 970). To back up and delete log data with the log management tools, see Getting Started with Log Data Management (page 950).

Storing Backup Files

Prerequisites: Creating Backups

The backup files are saved in the <installation directory>/backups/ directory on the server on which they were created. We recommend copying the backup file to a safe location, for example, to removable media or another host. Otherwise, you will have to manually recreate all configurations if the data on the host computer is irrecoverably lost.

Note – If you installed the Management Server in the C:\Program Files\Stonesoft\Management Center directory in Windows, some program data may be stored in the C:\ProgramData\Stonesoft\Management Center directory.

The backup files are compressed to .zip files or .enc files and they can also be decompressed manually if needed. If necessary, the backups are split into several files to fit the maximum file size. Each backup has its own subdirectory.

Note – Remember to handle the backup files securely, since they contain all the configuration information for the system.

To store backup files

1. Browse to the backup directory on the Management Server or Log Server:

Backup files are stored in the <installation directory>/backups directory or a subdirectory under it. Unencrypted backups are .zip files. Encrypted backups are .enc files.

2. Copy the backup files to a safe storage location.


Restoring Backups

Prerequisites: Creating Backups

Backups created in one operating system can be restored to an installation running on some other operating system without any special measures. This is useful when changing the operating system or hardware platform.

See the upgrade instructions in the Release Notes. If an intermediate upgrade is required between your current version and the newest version, upgrade the existing installation to (at least) the intermediate version to create a working backup.

When you restore a backup, the backup restoration process checks that there is enough disk space on the destination drive. Twice the size of the backup file is required. If there is not enough available disk space, the restoration process fails.

It is also possible to restore backups on the command line. For more information, see Command Line Tools (page 1071).

What’s Next? To restore a Management Server backup, see Restoring a Management Server Backup. To restore a Log Server backup, see Restoring a Log Server Backup (page 946). To restore an Authentication Server backup, see Restoring an Authentication Server Backup (page 947).

Restoring a Management Server Backup

If you are restoring the backup to clear a dynamic update package from your system, disable automatic updates before restoring the backup.

To restore a Management Server backup

1. Check that the backup file is in the <installation directory>/backups/ directory of the server in question. If you have moved the backup file to a different location, you must first copy it back to the <installation directory>/backups/ directory.

Note – If you installed the Management Server in the C:\Program Files\Stonesoft\Management Center directory in Windows, some program data may be stored in the C:\ProgramData\Stonesoft\Management Center directory.

2. Shut down the Management Server service through the operating system’s service management feature or using the command line script. If you have trouble shutting down the services, disable the automatic startup of the SMC services in the operating system and restart the computer.

3. Start the backup restoration script:

In Windows, run <installation directory>/bin/sgRestoreMgtBackup.bat

In Linux, run <installation directory>/bin/sgRestoreMgtBackup.sh

4. Select the backup file to be restored: The default Management Server backup file names have the following structure: sgm_vVERSION.[BUILD]_YYYYMMDD_HHMMSS[comment].


5. Type y and press enter to confirm the restoration. Encrypted backups require you to enter the password that was used to encrypt the backup when it was created.

If the restore operation fails, the original configuration remains unchanged.

What’s Next? If the backup is restored on a system that uses a different IP address than the Management Server that the backup is from, you must complete the relevant steps to change the IP address, see Changing the Management Server IP Address (page 339). The backup contains the internal CAs (certificate authorities). If components in the system have certificates from a different CA than the one contained in the backup, the certificates are not accepted as valid after restoring the backup and have to be regenerated as explained in Troubleshooting Certificates (page 1019). Otherwise, start the Management Server.

Restoring a Log Server Backup

To restore a Log Server backup

1. Check that the backup files are in the <installation directory>/backups/ directory of the server in question. If you have moved the backup files to a different location, you must first copy them back to the <installation directory>/backups/ directory.

2. Shut down the Log Server service through the operating system’s service management feature or using the command line script. If you have trouble shutting down the services, disable the automatic startup of the SMC services in the operating system and restart the computer.

3. Start the backup restoration script:

In Windows, run <installation directory>/bin/sgRestoreLogBackup.bat

In Linux, run <installation directory>/bin/sgRestoreLogBackup.sh

4. Select the backup file to be restored: The default Log Server backup file names have the following structure: sgl_vVERSION.[BUILD]_YYYYMMDD_HHMMSS[comment].

5. Type y and press enter to confirm the restoration. Encrypted backups require you to enter the password that was used to encrypt the backup when it was created.

If the restore operation fails, the original configuration remains unchanged. If it is not possible to transfer the logs through a backup, log files can be copied to the Log Server through the operating system like any other files.

What’s Next? If you restore the Log Server backup on a computer with a different IP address than the Log Server the backup was created with, complete the relevant steps in Changing the Log Server IP Address (page 340). Otherwise, restart the Log Server and the Management Server.
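The storage and restore guidance above (the .zip/.enc distinction, the default file-name structure, and the rule that a restore needs twice the backup file's size in free space) can be checked before a restore with a short script. This is an added example, not a tool shipped with the SMC; the function names, the finding texts, and the loose reading of the VERSION/BUILD part of the name are assumptions. It looks at each file on its own and assumes the restore target is the drive that holds the backup directory unless free_bytes is given.

```python
import re
import shutil
from datetime import datetime
from pathlib import Path

# Loose reading of sgm_/sgl_vVERSION.[BUILD]_YYYYMMDD_HHMMSS[comment]; the
# exact VERSION/BUILD layout is an assumption, so anything up to "_" is taken.
NAME_RE = re.compile(r"^(?P<prefix>sgm|sgl)_v(?P<version>[^_]+)"
                     r"_(?P<date>\d{8})_(?P<time>\d{6})(?P<comment>.*)$")
KINDS = {"sgm": "Management Server", "sgl": "Log Server"}

def parse_backup_name(filename):
    """Return metadata for a default-named backup file, else None."""
    path = Path(filename)
    ext = path.suffix.lower()
    match = NAME_RE.match(path.stem)
    if ext not in (".zip", ".enc") or match is None:
        return None
    try:
        taken = datetime.strptime(match["date"] + match["time"], "%Y%m%d%H%M%S")
    except ValueError:  # eight and six digits, but not a real date and time
        return None
    return {"kind": KINDS[match["prefix"]], "version": match["version"],
            "taken": taken, "comment": match["comment"],
            "encrypted": ext == ".enc"}  # .enc is encrypted, .zip is not

def restore_space_ok(backup_bytes, free_bytes):
    """A restore needs free space of twice the backup file size."""
    return free_bytes >= 2 * backup_bytes

def audit_backups(backup_dir, free_bytes=None):
    """Return (file name, finding) pairs for backups under backup_dir."""
    root = Path(backup_dir)
    if free_bytes is None:  # assumption: restore target is this same drive
        free_bytes = shutil.disk_usage(root).free
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        info = parse_backup_name(path.name)
        if info is None:
            continue
        if not info["encrypted"]:
            findings.append((path.name, "unencrypted backup (.zip)"))
        if not restore_space_ok(path.stat().st_size, free_bytes):
            findings.append((path.name, "free space below twice the file size"))
    return findings

if __name__ == "__main__":
    import sys
    for name, finding in audit_backups(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name}: {finding}")
```

Run it with the backup directory as its only argument; an unencrypted Management Server backup is the finding to act on first when the configuration contains TLS Inspection elements.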


Restoring an Authentication Server Backup

To restore an Authentication Server backup

1. Check that the backup files are in the <installation directory>/backups/ directory of the server in question. If you have moved the backup files to a different location, you must first copy them back to the <installation directory>/backups/ directory.

2. Start the backup restoration script:

In Windows, run <installation directory>/bin/sgRestoreAuthBackup.bat

In Linux, run <installation directory>/bin/sgRestoreAuthBackup.sh

3. Select the backup file to be restored.

4. Type y and press enter to confirm the restoration. Encrypted backups require you to enter the password that was used to encrypt the backup when it was created.

5. In the Management Client, right-click the Authentication Server and select Apply Configuration when the backup has been successfully restored.


Note – The original configuration remains unchanged until you apply the Authentication Server’s configuration.

Recovering from a Hardware Failure

Prerequisites: Creating Backups

To restore Management Server configurations on replacement hardware

1. Install the Management Server software (see the Management Center Installation Guide). The exact same version is not required for recovery, but all SMC components must run the same version to work together.

2. Restore the Management Server backup as explained in Restoring a Management Server Backup (page 945).

To restore Log Server configurations on replacement hardware

1. Install the Log Server software, if not installed together with the Management Server software (see the Management Center Installation Guide). The exact same version is not required for recovery, but all SMC components must run the same version to work together.

2. Restore the Log Server backup as explained in Restoring a Log Server Backup (page 946).


To restore engine configurations on replacement hardware

1. Generate an initial configuration for the engine in the SMC as explained in Saving an Initial Configuration for Security Engines (page 461).

2. Install the hardware into the network and configure it in the same way as a normal new installation (see the Installation Guide or Appliance Installation Guide).

3. When contact with the Management Server is established, install the policy. The full working configuration is transferred to the engine.


Note – In some cases, IPsec VPN certificate information may be lost and policy installation fails. If this happens, delete the old IPsec VPN certificates in the Management Client and create new VPN certificates for the engine. When you use the same CA and certificate details, the new certificates are accepted by other components. Policy installation is also possible if you disable the invalid configurations (for example, by disabling all VPN-specific Access rules in the policy). See Creating and Signing VPN Certificates (page 909).
