Backup and restore
You can take encrypted backups and restore the configurations.
Backups contain the entire configuration on Sophos Firewall and are encrypted. You can save backups on Sophos Firewall, use FTP to save them on a server, or email the backup. You can set up an automatic backup schedule, or take a backup manually.
You must enter a password to encrypt the backup. To restore the backup, you must reenter the password and the secure storage master key.
Secure storage master key
The secure storage master key provides extra protection for the account details stored on Sophos Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access. The default administrator (username: admin) sets the secure storage master key.
Note
You must create the master key before taking a manual or scheduled backup.
Warning
After you create the master key, all new backups use it to secure sensitive data. If you don't enter the master key, you can't restore these backups.
Backups with a master key
- To restore a backup that has a master key, you must enter the master key in addition to the backup encryption password. You must share both if you share these backups with Sophos Support.
- Configurations are associated with their master key. If you generate a backup and then change the master key, you must use the previous master key to restore that backup. So, store the current and earlier master keys.
Backups without a master key
- You can restore manual and scheduled backups that don't have a master key. The firewall won't ask for a master key.
- If you restore a scheduled backup that doesn't have a master key, the firewall continues to take scheduled backups at the restored backup's frequency. You can't change the frequency until you set a master key.
Best practices
When to take a backup:
- Schedule automatic backups.
- Take a manual backup before and after you make a considerable change to the configuration.
- Take a backup before upgrading the firmware.
How to keep the backup secure:
- If you save backups at a different location, make sure the location is secure.
- Make sure you set the secure storage master key to protect and restore sensitive information.
Compatible devices for restoring configuration
The following rules apply for restoring the backup configuration to a different Sophos Firewall device:
-
Hardware models:
- You can restore the configuration to a model with an equal or higher number of Ethernet ports.
- You can't restore the configuration from hardware models with FleXi Port modules to virtual SFOS appliances or hardware models without FleXi Port modules. These modules allow you to add additional ports to the Sophos Firewall appliance. For more details, see Backup-restore compatibility check.
- You can't restore the configuration if the number of configured gateways in the backup exceeds the number of gateways the firewall supports.
-
Wireless models:
- You can restore backups from non-wireless and wireless models to wireless models with an equal or higher number of Ethernet ports.
- You can restore from a wireless model to a non-wireless model if it doesn't have any LocalWiFi configuration.
-
Revisions: You can restore to a hardware model with a different revision if it has an equal or higher number of Ethernet ports.
- Firmware versions: You can restore to a device with the same or later firmware version.
- Pattern versions: You can restore to a device with the same or later pattern version. If it's of an earlier version, update the patterns, and then restore the configuration.
Backup
Setting | Description |
---|---|
Backup mode | To save the backup, or save and transfer the backup, select an option from the following list:
|
Backup prefix | Enter a prefix to identify the backup configuration. Use the prefix to identify the configuration when you have more than one device. By default, Sophos Firewall stores backups without a prefix. The backup name is as follows:
|
Frequency | Select the frequency with which you want to take backups. If you store the backup on Sophos Firewall, only the latest backup is retained. If you want to save the previous backup, download it. |
Encryption password | Enter the password with which you want to encrypt the backups. You need to enter this password when restoring the backup. To encrypt backups scheduled with earlier firmware versions without a password, you now need to provide a password. |
Change encryption password | Use this to change the password. |
Backup now | Click to take a backup manually. |
Apply | Click to apply the settings. |
Download | Click Download to download the backup stored on Sophos Firewall. Select one of the following options and click Download backup:
For backups scheduled with earlier firmware versions, you need to enter a password to encrypt the backup before downloading it. |
Backup restore
When you restore a backup, the following changes take place:
- The restored backup replaces the current configuration. This also deletes the stored backup and restarts Sophos Firewall.
- The IP address assigned to the web admin console on the restored configuration becomes active. You must use this IP address to access the web admin console.
Setting | Description |
---|---|
Restore configuration | Upload the backup file to restore a configuration. |
Password | Enter the password with which the backup was encrypted. To restore unencrypted backups taken with earlier firmware versions, you don’t need a password. |
Upload and restore | Click to upload and restore the backup configuration. If you restore an older configuration, you'll lose the later changes. |