Configuring automatic backups
When a configuration error occurs, there must be a way to quickly recover a sound configuration. Moreover, when there is a failure, it must be possible to reproduce the previous configuration on a new SNS firewall. To do so, automatic and regular archiving of the SNS firewall configuration on a remote server should be implemented.
The configuration of the SNS firewall can be exported in Configuration > System > Maintenance > Backup in three different modes:
- Instant export to the workstation that was used to access the web administration interface,
- Regular export to a WebDAV server hosted on the Internet in an infrastructure managed by Stormshield,
- Regular export to a custom WebDAV server.
When a custom WebDAV server is selected, an HTTP or HTTPS link can be used. For HTTPS, the certificate used by the server must be submitted to the SNS firewall.
R53 | SNS-SMC | Set up automatic backup on a controlled server
We recommend enabling the password-protected, encrypted automatic configuration backup function. The configuration has to be exported to a customized and controlled WebDAV server via an authenticated HTTPS connection, or to an SMC server.
Local automatic backups can also be enabled from the command line. However, in native mode, such backup files cannot be exported automatically to a remote server, e.g. via SSH. Files generated locally must be transferred using a custom script. They must not be retrieved via SSH in a connection initiated by a remote server, as this would require the use of an SNS firewall administrator account, which is not recommended. Instead, we recommend creating a script on the SNS firewall that connects to a remote server over SSH and transfers the backup files.
R53 ⁃ | SNS | Set up automatic backup via SSH
If no controlled WebDAV servers or SMC servers are available, the configuration of an encrypted, password-protected automatic backup is recommended. This backup will be exported via SSH through a connection that the SNS firewall initiated.
With the config autobackup command, the SNS firewall’s local automatic backup can be configured and enabled. The following is a sample configuration of a local encrypted automatic backup that is launched every day:
config autobackup set state=1 distantbackup=0 period=1d backuppassword=<my_password>
Once it has been configured, it must be enabled:
config autobackup activate
Implementing automatic backups through such commands will generate the backup.na file in the folder /data/Autobackup/. Every new backup overwrites this file, so it must be transferred over a secure channel to a remote appliance beforehand.
WARNING
The extension of the backup file will always be .na regardless of whether it is encrypted with a password. It is the same as the backup file that is generated from the web administration interface (Configuration > System > Maintenance > Backup menu).
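The transfer script recommended above for local backups, as an added example that is not Stormshield's own code: it uploads /data/Autobackup/backup.na under a timestamped name over an SSH connection initiated by the SNS firewall. The remote account, host, directory, key path and known_hosts path are hypothetical placeholders, and the script assumes an OpenSSH scp client is available on the appliance.

```shell
#!/bin/sh
# Added example: push the local autobackup to a remote server over SSH.
# Only the default of BACKUP_FILE comes from the page; the rest is assumed.
BACKUP_FILE="${BACKUP_FILE:-/data/Autobackup/backup.na}"
REMOTE_USER="${REMOTE_USER:-snsbackup}"             # hypothetical upload-only account
REMOTE_HOST="${REMOTE_HOST:-backup.example.net}"    # hypothetical backup server
REMOTE_DIR="${REMOTE_DIR:-incoming}"                # hypothetical target directory
SSH_KEY="${SSH_KEY:-/path/to/dedicated_key}"        # placeholder: key used only for this job
KNOWN_HOSTS="${KNOWN_HOSTS:-/path/to/known_hosts}"  # placeholder: pinned server host key
SCP="${SCP:-scp}"                                   # assumes an OpenSSH scp client

# Succeeds only if the backup file exists and is not empty.
backup_ready() {
    [ -f "$BACKUP_FILE" ] && [ -s "$BACKUP_FILE" ]
}

# Timestamped remote name, so every upload is kept even though the
# firewall overwrites backup.na at each new backup.
remote_name() {
    printf 'backup-%s-%s.na\n' "$(uname -n)" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Upload initiated by the firewall. BatchMode prevents password prompts;
# StrictHostKeyChecking=yes refuses a server whose host key is not pinned.
push_backup() {
    if ! backup_ready; then
        echo "autobackup-push: $BACKUP_FILE missing or empty" >&2
        return 1
    fi
    name=$(remote_name)
    "$SCP" -q -i "$SSH_KEY" \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        "$BACKUP_FILE" "$REMOTE_USER@$REMOTE_HOST:$REMOTE_DIR/$name" || {
        echo "autobackup-push: transfer to $REMOTE_HOST failed" >&2
        return 2
    }
    echo "$name"
}

# Transfer only when invoked with --run (for example from a scheduled job).
if [ "${1:-}" = "--run" ]; then
    push_backup
fi
```

Run it after each backup and before the next one, so that no backup.na is overwritten before it has been uploaded.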