Backup and restore

You can take encrypted backups and restore the configurations.

Backups contain the entire configuration on XG Firewall and are encrypted. You can save backups on XG Firewall, use FTP to save them on a server, or email the backup. You can set up an automatic backup schedule, or take a backup manually.

You must enter a password to encrypt the backup. To restore the backup, you must reenter the password and the secure storage master key.

Secure storage master key

The secure storage master key provides extra protection for the account details stored on XG Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access. The default administrator (username: admin) sets the secure storage master key.

The master key requirements for backup and restore are as follows:

  • You must enter the secure storage master key when you restore a backup that has a master key. If you don't enter the master key, you can't restore these backups. You can restore backups taken before the master key was set without entering the master key.
  • You must enter the master key and the backup encryption password.
  • Scheduled backup: Until you set the master key, XG Firewall continues to take scheduled backups, but the backups won’t have the master key’s extra protection.
  • Manual backup: You must create the master key before taking a manual backup.
Warning After you create the master key, all new backups use it to secure sensitive data. If you don't enter the master key, you can't restore these backups. However, you can restore backups taken before the master key was set.

Best practices

When to take a backup:

  • Schedule automatic backups.
  • Take a manual backup before and after you make a considerable change to the configuration.
  • Take a backup before upgrading the firmware.

How to keep the backup secure:

  • If you save backups at a different location, make sure the location is secure.
  • Make sure you set the secure storage master key to protect and restore sensitive information.

Compatible devices for restoring configuration

The following rules apply for restoring the backup configuration to a different XG Firewall device:

  • Hardware models:
    • You can restore the configuration to a model with an equal or higher number of Ethernet ports.
    • You can't restore the configuration from hardware models with FleXi Port modules to virtual SFOS appliances or hardware models without FleXi Port modules. These modules allow you to add additional ports to the XG Firewall appliance. For more details, see Backup-restore compatibility check.
  • Wireless devices: You can restore from a wireless device to another wireless device with an equal or higher number of Ethernet ports.
  • Revisions: You can restore to a hardware model with a different revision if it has an equal or higher number of Ethernet ports.
  • Firmware versions: You can restore to a device with the same or later firmware version.
  • Pattern versions: You can restore to a device with the same or later pattern version. If it's of an earlier version, update the patterns, and then restore the configuration.

Backup

Setting

Description

Backup mode

To save the backup, or save and transfer the backup, select an option from the following list:

  • Local: Saves the backup on XG Firewall.
  • FTP: Saves to the FTP server.

    Specify the IP address of the FTP server, the username and password, and the FTP path. The FTP server can have an IPv4 or IPv6 address.

  • For FTP backup, the username must not include the domain when separated by a \ character. Only the special characters @, / and $ are supported as part of username or password.
  • Email: Emails the backup file.

    Enter the recipient's email address.

For FTP and email, XG Firewall first stores the backup locally and then transfers it.

Backup prefix

Enter a prefix to identify the backup configuration. Use the prefix to identify the configuration when you have more than one device.

By default, XG Firewall stores backups without a prefix. The backup name is as follows:

With prefix: <Prefix>_Backup_<Device Key>_<timestamp>

Example: Dallas_Backup_ABCDEY190_26Nov2014_12.09.24

Without prefix: Backup_<Device Key>_<timestamp>

Example: Backup_ABCDEY190_26Nov2014_12.09.24

Frequency

Select the frequency with which you want to take backups. If you store the backup on XG Firewall, only the latest backup is retained.

If you want to save the previous backup, download it.

Encryption password

Enter the password with which you want to encrypt the backups. You need to enter this password when restoring the backup.

To encrypt backups scheduled with earlier firmware versions without a password, you now need to provide a password.

Change encryption password

Use this to change the password.

Backup now

Click to take a backup manually.

Apply

Click to apply the settings.

Download
Click Download Download backup button to download the backup stored on XG Firewall. Select one of the following options and click Download backup:
  • Download encrypted backup
  • Encrypt backup with a different password before you download: Use this to set a different password for the downloaded backup. The password doesn't apply to the encryption password set for all backups.

For backups scheduled with earlier firmware versions, you need to enter a password to encrypt the backup before downloading it.

Backup restore

Setting

Description

Restore configuration

Upload the backup file to restore a configuration.

Password

Enter the password with which the backup was encrypted.

To restore unencrypted backups taken with earlier firmware versions, you don’t need a password.

Upload and restore

Click to upload and restore the backup configuration.

If you restore an older configuration, you'll lose the later changes.