On the Management > Backup/Restore > Backup/Restore tab you can create backups, import backups, as well as restore, download, send, and delete existing backups.
This section is only visible if at least one backup has been created before, either by the automatic backup function or manually (see section Create Backup).
You can decide whether to download, restore, delete, or send a backup.
Download: Opens a dialog window where you can decide to download the file encrypted (provide password) or unencrypted. Click Download Backup. You are prompted to select a location in the file system for the downloaded backup to reside.
Encrypt before downloading: Before downloading or sending it, you have the option to encrypt the backup. Encryption is realized with Blowfish cipher in CBC mode. Provide a password (second time for verification). You will be asked for this password when importing the backup. The file extension for encrypted backups is ebf, for unencrypted backups abf.
Note – A backup does include administrator passwords, the high availability passphrase if configured, as well as all RSA keys and X.509 certificates. Since this information is confidential, it is good practice to enable encryption.
Restore: Replaces the current system settings by the settings stored in a backup. You will have to log in again afterwards. If the selected backup contains all data you can log in directly. If the selected backup does not contain all data (see section Create Backup) you will have to enter the necessary data during the login procedure. If only the host data has been removed in the selected backup you can add an additional administrative email address if you want. It will be used where no recipient is given and as additional address where multiple recipients are possible.
Note – Backup restoration is only backward compatible. Only backups from versions smaller than the current one are considered functional. If there is a version conflict the version number in the Available backups list will be orange.
Restoring backups from USB flash drive: You can also restore unencrypted backup files (file extension abf) from a FAT formatted USB flash drive such as a simple USB stick. To restore a backup from a USB flash drive, copy the backup file to the USB flash drive and plug the device into Sophos UTM on AWS prior to boot up. If several backup files are stored on the device, the lexicographically first file will be used (numbers precede letters). For example, suppose the backup files gateway_backup_2012-04-17.abf and 2011-03-20_gateway_backup.abf are both stored on the USB flash drive. During the boot up, the second file will be used because it begins with a number, although it is much older than the other one.
In addition, a lock file is created after the successful recovery of a backup, preventing the installation of the same backup over and over again while the USB flash drive is still being plugged in. However, if you want to install a previous backup once again, you must first reboot with no USB flash drive plugged in. This will delete all lock files. When you now boot with the USB flash drive plugged in again, the same backup can be installed.
- Delete: Deletes a backup from the list. Using the Delete icon on the bottom of the list, you can delete all selected backups. To select backups, click the checkboxes to the left of the backups or use the checkbox on the bottom to select all backups.
Send: In a dialog window you can specify the email recipients. By default, the address(es) provided on the Automatic Backups tab are selected. Then decide if you want to send the file encrypted (provide password) or unencrypted. Click Send Now to send the backup.
- Encrypt before sending: See Encrypt before downloading above.
Backups are not only useful to restore your system after an (unwanted) change or failure. Moreover, they can be used as templates to set up systems that should have a similar configuration so that those systems are already pre-configured in some way which can save you a lot of time. For that, you can strip certain information from a backup before it is created, e.g. hostname, certificates, etc.
To create a backup with the current system state, proceed as follows:
In the Create Backup section, enter a comment (optional).
The comment will be displayed along with the backup in the backup list.
Make the following settings (optional):
Remove unique site data: Select this option to create the backup without host-specific data. This includes hostname, system ID, SNMP data, HA data, license, shell user passwords, and anonymization passwords as well as all certificates, public and private keys, fingerprints and secrets of Email Protection, Web Protection, Client Authentication, IPsec, SSL VPN, RED, WebAdmin, Web Application Firewall, and proxies.
Such backups are a convenient means to set up multiple similar systems. There are some things to consider though: 1) After restoring you are presented the basic system setup. 2) Only the first interface is configured, the primary IP address being the one that has been configured during installation. All other interfaces will be disabled and set to IP address 0.0.0.0.
Caution – Although most of the host-specific data is being removed, such a backup template still contains confidential information, such as user passwords. Therefore it is good practice to always encrypt it.
Remove administrative mail addresses: Select this option to additionally remove the administrator email addresses used in various parts of Sophos UTM on AWS, e.g. postmaster addresses in Email Protection, notifications, etc. This option is especially useful for IT partners who set up Sophos UTM on AWS devices at customers' sites.
Click Create Backup Now.
The backup appears in the list of available backups.
If a backup is created with one or both of the options selected, the backup entry contains a respective additional comment.
Note – The HA settings are part of the hardware configurations and cannot be saved in a backup. This means that the HA settings will not be overwritten by a backup restore.
To import a backup, proceed as follows:
- Click the Folder icon and select a backup file to upload.
- Click Start Upload.
Decrypt the backup.
If you want to upload an encrypted backup file, you must provide the correct passphrase prior to importing the backup.
Click Import Backup to import the backup.