I've always received great advice here on the Forum, so I thought I'd give a little back.
I recently was faced with the unenviable task of doing a complete rebuild of a UTM installation from scratch on bare metal that had a corrupted installation and corrupted backups. However, this install had many firewall rules, network and service definitions, etc. The backups were functional in the sense that you could open them in WebAdmin and view all of the settings, firewall rules, network definitions, services definitions, etc. However, things just didn't work correctly and a fresh install from scratch was badly needed.
The solution is fairly simple and obvious, but with a little twist. Here are the steps:
1. Perform a FULL backup of the "corrupted" installation. Also, print out the backup, just in case.
2. Download this FULL backup to the PC that you'll use to rebuild / repair the UTM. Note if this PC is running Windows, you should have AT LEAST 6 Gigs of RAM installed, but 8 Gigs is recommended.
3. On the PC that you're using for the rebuild, install Oracle "VirtualBox" VM software, if it's not already installed. I know that VirtualBox isn't officially supported by Sophos, but it's free, installs into Windows or Linux, and is very simple to set up and use. I can't recommend VirtualBox being used in a production environment, but for our purposes here, it'll work just fine. I'm sure other VMs can be used here as well.
4. In VirtualBox, you'll need to set up 2 VMs. One VM will be a fresh install of Sophos UTM from an ISO file, the other VM will be of a lightweight OS that can run a modern browser. I used Linux Mint running Firefox for my second VM. Linux Mint is free, lightweight compared to Windows, and is a great distro for users migrating from Windows.
5. When you set up your Sophos UTM VM's "hardware" in VirtualBox, MAKE SURE you set it up so that the virtual hardware matches the physical hardware in your bare metal machine. In other words, if your bare metal machine has 4 CPUs, 1 HDD, 4 NICs, and a CD-ROM drive, MAKE SURE your VM machine has 4 CPUs, 1 HDD, 4 NICs and a CD-ROM drive. Don't worry too much about the memory size of the VM matching the bare metal machine. The VM just needs enough to allow the UTM to run. 4 Gigs is a good setting; you may get away with less or you can use more if you have the spare RAM available.
6. When you set up the virtual NICs for both VMs, make sure the NIC assignments match your bare metal machine's assignments. Using the hardware example above, if your bare metal machine has 4 NICs, labeled eth0 through eth3, and eth0 is your WAN and eth3 is your primary LAN for accessing WebAdmin, MAKE SURE you configure the VM's NICs the same way. You can use a "dummy" connection for the WAN interface on the Sophos UTM VM, i.e. we're not going to really use this WAN interface to connect to the internet, so you don't need to worry about using the host PC's connection, etc.
7. In VirtualBox, you'll need to set your "virtual network" up so that the 2 VMs' LAN connections you just created can talk to each other. Using the example above, set up the Linux Mint VM's eth3 to be the LAN interface that will "talk" to the Sophos UTM's eth3 LAN interface. There are some good YouTube tutorials on the specifics of making this work, if you have problems.
8. Now in VirtualBox, first start the Sophos UTM VM and go through a complete virtual installation of the UTM into your VM. During the Sophos UTM VM installation, set up the WebAdmin IP address exactly the same as the real, bare metal machine. At the point where the UTM installation requires the WebAdmin login, go ahead and start your other VM (Linux Mint in the above example), and open a browser in the 2nd VM to connect to WebAdmin. If everything is set up correctly, you should be able to access the UTM on the first VM from your WebAdmin running on the second VM. During the Sophos UTM installation on the VM, when it reaches the point of "install from backup", go ahead and install the FULL backup of the bare metal machine and let the UTM VM installation reboot, etc. until the Sophos UTM installation has completed in the VM. At this point you should have a fully functional VM of your Sophos UTM installation running. Check to make sure you can access all of the settings and pages in your VM UTM and that it's identical to the real, bare metal UTM's configuration.
9. At this point, you should have 2 VMs running, one is the UTM and the other is an OS with a browser with WebAdmin running, AND they should both be able to "talk" to each other through a virtual network created with VirtualBox. If this is not the case, then work the problem until these two VMs work together just like a real setup.
10. Make sure the VirtualBox VM running WebAdmin has Bidirectional "cut & paste" and "drag and drop" enabled.
11. Once you're convinced that your VirtualBox virtual network is running correctly and you can access everything in your backup, you're ready to start the rebuild of the bare metal machine.
12. Using the Sophos UTM installation CD or USB, perform a complete, from scratch installation on the bare metal machine. You will re-format your hard drive on the bare metal machine, so all data and log files on this drive will be lost.
13. On the PC that has your VirtualBox VMs running, access WebAdmin on the REAL, bare metal machine through your normal OS's browser (NOT a browser in any of the VMs) to complete the bare metal machine's installation. Use all of your real settings when configuring the bare metal machine. We will NOT be using a backup here (the backup is corrupted).
14. At this point you should have a real browser opened that's accessing WebAdmin on the real, bare metal machine and a virtual browser that's opened in a VirtualBox VM that's accessing the UTM VM. Since the 2 browser windows running WebAdmin will look almost identical, I recommend changing the background of the VM browser / desktop to something obnoxious, like bright red, to help you quickly see which one is the VM backup.
15. Now that you have a "blank" but "good" installation running on the bare metal machine and accessible via a "real" web browser, and a VM browser accessing your "backup" VM UTM, you can methodically copy and paste ALL of the settings from the backup VM UTM to the real UTM, one item at a time. It is a long, slow, painful process, but it is easier than trying to decipher your printed backup, and since you literally walk through every page and every setting in WebAdmin, you shouldn't miss anything or get any typo errors. If you do miss something or make a typo (or not copy / paste an entire line, i.e. miss a few characters), it's very easy to go back to the VM backup and see what you did wrong.
16. It's worth noting that if your bare metal machine has more than 4 NICs, you may have to get creative, since VirtualBox is limited to 4 virtual NICs per VM. There are ways around this; it just gets more complicated.
Again, this is a last resort option, but unfortunately we'll probably all have to do it at some time. I'm sure there are other similar methods to do this, but this worked for me.
Please feel free to comment or add suggestions and I hope this helps someone.
Thanks,
Ben
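Steps 4 through 10 of the post (two VMs, NIC slots matching the bare-metal box, a dummy WAN, one shared virtual LAN, and bidirectional clipboard on the admin VM) can be scripted with VBoxManage instead of clicking through the GUI, which also leaves a record of exactly what was built. The script below is an added example, not Ben's procedure or anything from Sophos; it assumes VBoxManage is on the PATH and uses VirtualBox 7.x option names. The VM names (utm-backup, admin-mint), the internal network name utm-lan, the disk sizes and the ISO paths are all assumptions or placeholders you would replace. By default it only prints the commands; set APPLY=1 to run them.

```shell
#!/bin/sh
# Added example: build the "backup" UTM VM and the admin VM from the post with VBoxManage.
# Dry run by default (prints the commands); APPLY=1 executes them.
set -eu

NIC_COUNT="${NIC_COUNT:-4}"    # must equal the bare-metal NIC count so eth0..ethN line up with the backup
LAN_NIC="${LAN_NIC:-4}"        # 1-based VirtualBox slot of the WebAdmin LAN (eth3 -> slot 4, eth0 -> slot 1)
INTNET="${INTNET:-utm-lan}"    # assumed name of the internal network both VMs share
UTM_VM="${UTM_VM:-utm-backup}"                             # assumed VM name
ADMIN_VM="${ADMIN_VM:-admin-mint}"                         # assumed VM name
UTM_ISO="${UTM_ISO:-/path/to/sophos-utm-installer.iso}"    # placeholder path
MINT_ISO="${MINT_ISO:-/path/to/linuxmint.iso}"             # placeholder path

# Print a command (dry run) or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Validate the requested layout: $1 = NIC count, $2 = LAN slot.
# VBoxManage can configure up to 8 adapters on the default PIIX3 chipset
# (the GUI only shows 4, which is the limit the post mentions).
check_layout() {
  [ "$1" -ge 1 ] && [ "$1" -le 8 ] && [ "$2" -ge 1 ] && [ "$2" -le "$1" ]
}

# Emit the --nic/--intnet arguments for one VM. $1 = utm | admin.
# The UTM VM gets every slot so interface numbering matches the backup; only the
# LAN slot is attached to the internal network, the rest (WAN included) are the
# "dummy" adapters from the post. The admin VM only needs the LAN slot.
nic_args() {
  role=$1; i=1; out=""
  while [ "$i" -le "$NIC_COUNT" ]; do
    if [ "$i" -eq "$LAN_NIC" ]; then
      out="$out --nic$i intnet --intnet$i $INTNET"
    elif [ "$role" = utm ]; then
      out="$out --nic$i null"
    fi
    i=$((i + 1))
  done
  echo "${out# }"
}

# Create one VM: $1 name, $2 CPUs, $3 RAM in MB, $4 disk in MB, $5 ISO, $6 role.
build_vm() {
  vm=$1; cpus=$2; mem=$3; disk=$4; iso=$5; role=$6
  run VBoxManage createvm --name "$vm" --ostype Linux_64 --register
  # shellcheck disable=SC2046  # nic_args output is meant to be word-split
  run VBoxManage modifyvm "$vm" --cpus "$cpus" --memory "$mem" --boot1 dvd --boot2 disk $(nic_args "$role")
  run VBoxManage createmedium disk --filename "$vm.vdi" --size "$disk"
  run VBoxManage storagectl "$vm" --name SATA --add sata --controller IntelAhci
  run VBoxManage storageattach "$vm" --storagectl SATA --port 0 --device 0 --type hdd --medium "$vm.vdi"
  run VBoxManage storageattach "$vm" --storagectl SATA --port 1 --device 0 --type dvddrive --medium "$iso"
}

main() {
  check_layout "$NIC_COUNT" "$LAN_NIC" || { echo "LAN slot $LAN_NIC / NIC count $NIC_COUNT is not buildable" >&2; exit 1; }
  # 4 CPUs and 4 GB RAM follow the post's example hardware; the 40 GB disk is an assumption.
  build_vm "$UTM_VM" 4 4096 40000 "$UTM_ISO" utm
  build_vm "$ADMIN_VM" 2 2048 20000 "$MINT_ISO" admin
  # Step 10: bidirectional clipboard and drag-and-drop on the VM that runs the browser
  # (VirtualBox 7.x option names; older releases spell these --clipboard and --draganddrop).
  run VBoxManage modifyvm "$ADMIN_VM" --clipboard-mode bidirectional --drag-and-drop bidirectional
}

if [ "${1:-}" = build ]; then main; fi
```

Run it as `sh make-vms.sh build` to review the generated commands, then `APPLY=1 sh make-vms.sh build` to create the VMs; override NIC_COUNT and LAN_NIC to match a box whose WebAdmin LAN is not eth3. The check in check_layout is the one thing worth keeping even if you build the VMs by hand: a LAN slot outside the NIC count, or a NIC count that differs from the bare-metal machine, is exactly what makes the restored backup's interface definitions land on the wrong adapter.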