
How do you test Sophos XG Backups?

Hello All,

I am interested in how people may be testing and verifying the config backups from Sophos XG Firewalls.

I have my customers' units email me a backup of the config on a weekly basis, and I just rely on them being recoverable. But after having a failed upgrade, and looking to revert to the last backup, I found that using the last couple of backup files resulted in putting the firewall in 'Fail Safe Mode'.

I went back a couple more weeks and found the backups from then were functional.

But it does put into question how to test the backup files, and ensure that they are going to be usable in the event of an issue.



This thread was automatically locked due to age.
  • There are some things to know about backup / restore:

    https://support.sophos.com/support/s/article/KB-000036245?language=en_US

    In case you have such hardware, you can use this on the hardware appliance.

  • Hello Toni,

    A wealth of information as always.

    But there are some shortcomings in this approach. And there really needs to be a better way of testing.

    I can keep my old XG125 and use it to test backups of most of the devices, but for my customers who have XG210, XG230, and XG310 it becomes difficult.

    I have a customer with an XG230 which was running 17.5.MR9. I did an upgrade to 17.5.MR14-1 and it failed the upgrade. I tried to revert it back to 17.5.MR9 and it remained in FailSafe mode.

    Reset to factory defaults, and the unit would start with V17.5.MR14-1.

    Restore the last automatic backup into the fresh unit, crashes and goes back into Failsafe Mode.

    Given that there is no easy documentation extract from an XG (something else I have pointed out on many occasions) things were looking bad.

    Try a backup from 8 weeks ago, and this one restores fine. Keep resetting the unit and trying other backups, and find that 3 weeks ago was when the backups started being corrupt.

    What was changed 3 weeks ago? Enabled One Time Passwords and attached them to IPSec VPN usage.

    I think that a VM Player image or Hyper-V image of a hardware model which can have a backup restored to for testing would be an advantage. It would also allow for being able to factory reset a unit and then rebuild it from a visible inspection.

    But I will be speaking with my account manager about the loan of a unit during the Xmas - New Year period so I can do a restore of the current backups, so I can ensure that they are not corrupt.

    And then use my expired XG125 for testing the other backups I have.

  • Hi,

    While there's no native way to do it, you can test them 2 ways:

    1) Create a 30-day trial of Sophos XG in a VM with the same version and the same or a greater number of interfaces. It should restore in the VM without a problem.

    2) Open the backup with openssl and see the contents.

  • Hello Antonio

    Thanks for the response.

    But I already have 15 hidden trial versions in my Sophos Account from all the training courses.

    I am supposed to up that by another 12 per year?

    There is some flaw in the backup which got introduced. 2 weekend backups in a row were corrupt, 4 previous were all ok.

    I have the issue in with support at present, but they can't get their head around the seriousness of the issue. It may only be related to V17.5.MR9 (which the unit was running before the upgrade to V17.5.MR14 which uncovered the issue).

    But Support must have some way of validating backup files.

    Way 1 will not work; you can't restore a backup of XG models with more than 8 NICs into a VM/ESX.
    There is only the hard way, with a new hard disk inside and a complete reinstall...

    And you can't restore backups from old releases like 17.5.14 into 17.5.14-1 if you had some rules and SMTP settings configured.
    It will work with a blank config ...

  • Hey.

    So I had to reboot the firewall today. And guess what. Fail-Safe Mode.

    I ended up having to restore the backup from 1 month ago, which had 2 changes from the current running firmware. An IP Address range added to a VPN Tunnel, and OTP enabled.

    I have restored the backup, added the IP Range to the IPSec tunnel, and have rebooted the firewall without issue.

    I have also downloaded and upgraded the Firewall to V17.5.MR15 which has just been released. No issue.

    While the customer's office is closed later this week, I will enable OTP and then give the unit a reboot and see if it returns to FailSafe Mode.

    But there is an issue there, and since I placed an urgent support call to Sophos regarding the Fail Safe mode, maybe they will take more of a look at the problem.