Backup and restore

You can take encrypted backups and restore the configurations.

Backups contain the entire configuration on Sophos Firewall and are encrypted. You can save backups on Sophos Firewall, use FTP to save them on a server, or email the backup. You can set up an automatic backup schedule, or take a backup manually.

You must enter a password to encrypt the backup. To restore the backup, you must reenter the password and the secure storage master key.

Secure storage master key

The secure storage master key provides extra protection for the account details stored on Sophos Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access. The default administrator (username: admin) sets the secure storage master key.

The master key requirements for backup and restore are as follows:

You must enter the secure storage master key when you restore a backup that has a master key. If you don't enter the master key, you can't restore these backups. You can restore backups taken before the master key was set without entering the master key.
You must enter the master key and the backup encryption password.
Scheduled backup: Until you set the master key, Sophos Firewall continues to take scheduled backups, but the backups won’t have the master key’s extra protection.
Manual backup: You must create the master key before taking a manual backup.

Warning After you create the master key, all new backups use it to secure sensitive data. If you don't enter the master key, you can't restore these backups. However, you can restore backups taken before the master key was set.

Best practices

When to take a backup:

Schedule automatic backups.
Take a manual backup before and after you make a considerable change to the configuration.
Take a backup before upgrading the firmware.

How to keep the backup secure:

If you save backups at a different location, make sure the location is secure.
Make sure you set the secure storage master key to protect and restore sensitive information.

Compatible devices for restoring configuration

The following rules apply for restoring the backup configuration to a different Sophos Firewall device:

Hardware models:
- You can restore the configuration to a model with an equal or higher number of Ethernet ports.
- You can't restore the configuration from hardware models with FleXi Port modules to virtual SFOS appliances or hardware models without FleXi Port modules. These modules allow you to add additional ports to the Sophos Firewall appliance. For more details, see Backup-restore compatibility check.
Wireless devices: You can restore from a wireless device to another wireless device with an equal or higher number of Ethernet ports.
Revisions: You can restore to a hardware model with a different revision if it has an equal or higher number of Ethernet ports.
Firmware versions: You can restore to a device with the same or later firmware version.
Pattern versions: You can restore to a device with the same or later pattern version. If it's of an earlier version, update the patterns, and then restore the configuration.

Backup


Setting	Description
Backup mode	To save the backup, or save and transfer the backup, select an option from the following list: Local: Saves the backup on Sophos Firewall. FTP: Saves to the FTP server. Specify the IP address of the FTP server, the username and password, and the FTP path. The FTP server can have an IPv4 or IPv6 address. For FTP backup, the username must not include the domain when separated by a \ character. Only the special characters @, / and $ are supported as part of username or password. Email: Emails the backup file. Enter the recipient's email address. For FTP and email, Sophos Firewall first stores the backup locally and then transfers it.
Backup prefix	Enter a prefix to identify the backup configuration. Use the prefix to identify the configuration when you have more than one device. By default, Sophos Firewall stores backups without a prefix. The backup name is as follows: With prefix: `<Prefix>_Backup_<Device Key>_<timestamp>` Example: `Dallas_Backup_ABCDEY190_26Nov2014_12.09.24` Without prefix: `Backup_<Device Key>_<timestamp>` Example: `Backup_ABCDEY190_26Nov2014_12.09.24`
Frequency	Select the frequency with which you want to take backups. If you store the backup on Sophos Firewall, only the latest backup is retained. If you want to save the previous backup, download it.
Encryption password	Enter the password with which you want to encrypt the backups. You need to enter this password when restoring the backup. To encrypt backups scheduled with earlier firmware versions without a password, you now need to provide a password.
Change encryption password	Use this to change the password.
Backup now	Click to take a backup manually.
Apply	Click to apply the settings.
Download	Click Download to download the backup stored on Sophos Firewall. Select one of the following options and click Download backup: Download encrypted backup Encrypt backup with a different password before you download: Use this to set a different password for the downloaded backup. The password doesn't apply to the encryption password set for all backups. For backups scheduled with earlier firmware versions, you need to enter a password to encrypt the backup before downloading it.

Backup restore

When you restore a backup, the following changes take place:

The restored backup replaces the current configuration. This also deletes the stored backup and restarts Sophos Firewall.
The IP address assigned to the web admin console on the restored configuration becomes active. You must use this IP address to access the web admin console.


Setting	Description
Restore configuration	Upload the backup file to restore a configuration.
Password	Enter the password with which the backup was encrypted. To restore unencrypted backups taken with earlier firmware versions, you don’t need a password.
Upload and restore	Click to upload and restore the backup configuration. If you restore an older configuration, you'll lose the later changes.