Configuring automatic backups

When a configuration error occurs, there must be a way to quickly recover a sound configuration. Also, when there is a failure, it must be possible to reproduce the previous configuration on a new SNS firewall. To do so, automatic and regular archiving of the SNS firewall configuration on a remote server should be implemented.

The configuration of the SNS firewall can be exported in Configuration > System > Maintenance > Backup in three different modes:

  • Instant export to the workstation that was used to access the web administration interface,

  • Regular export to a WebDAV server hosted on the Internet in an infrastructure managed by Stormshield,

  • Regular export to a custom WebDAV server.

When a custom WebDAV server is selected, an HTTP or HTTPS link can be used. For HTTPS, the certificate used by the server must be submitted to the SNS firewall.

R53 | SNS-SMC | Set up automatic backup on a controlled server
The automatic backup function should be enabled for the configuration, which should then be encrypted and protected with a password. The backup should then be exported to a controlled custom WebDAV server via an authenticated HTTPS connection or an SMC server.

Local automatic backups can also be enabled from the command line. However, in native mode, such backup files cannot be exported automatically to a remote server, e.g. via SSH. Files generated locally must be transferred using a custom script. They must not be retrieved via SSH in a connection initiated by a remote server, as this would require the use of an administrator account on the SNS firewall, which is not recommended. Instead, creating a script on the SNS firewall that connects to a remote server over SSH and transfers the backup files is recommended.

R53- | SNS | Set up automatic backup via SSH
If no controlled WebDAV or SMC servers are available, the configuration of an encrypted, password-protected automatic backup is recommended. This backup will be exported via SSH through a connection that the SNS firewall initiated.

With the config autobackup command, the SNS firewall’s local automatic backup can be configured and enabled. The following is a sample configuration of a local encrypted automatic backup that is launched every day:

config autobackup set state=1 distantbackup=0 period=1d backuppassword=<my_password>

Once it has been configured, it must be enabled:

config autobackup activate

Implementing automatic backups through such commands will generate the backup.na file in the folder /data/Autobackup/. Every new backup overwrites this file, so it must be transferred over a secure channel to a remote appliance beforehand.
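The following sketch shows one way to write the transfer script recommended above, so that backup.na is pushed from the SNS firewall before the next backup overwrites it. It is an added example, not a Stormshield-supplied script: the remote account, target directory, key path, marker file and the availability of an scp client on the firewall are all assumptions to adapt.

```shell
#!/bin/sh
# Added example: push the local automatic backup to a remote server over SSH,
# in a connection initiated by the firewall. Values marked below are assumptions.
SRC="${SRC:-/data/Autobackup/backup.na}"       # backup path given in this guide
REMOTE="${REMOTE:-backup@backup.example.net}"  # hypothetical unprivileged remote account
REMOTE_DIR="${REMOTE_DIR:-sns-backups}"        # hypothetical target directory
KEY="${KEY:-/path/to/backup_key}"              # placeholder: dedicated private key
STAMP="${STAMP:-/var/tmp/backup.na.sent}"      # hypothetical marker of the last transfer
COPY="${COPY:-scp}"                            # overridable so the logic can be tested offline

# Succeeds when the backup exists, is non-empty and is newer than the last transfer.
needs_transfer() {
    [ -s "$SRC" ] || return 1
    [ ! -e "$STAMP" ] || [ "$SRC" -nt "$STAMP" ]
}

# Remote file name <node>-<UTC timestamp>.na, so earlier copies are kept on the server.
remote_name() {
    printf '%s-%s.na' "$(uname -n)" "$(date -u +%Y%m%dT%H%M%SZ)"
}

push_backup() {
    needs_transfer || return 0
    # BatchMode=yes: never prompt for a password.
    # StrictHostKeyChecking=yes: refuse a server whose host key is unknown or has changed.
    "$COPY" -q -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$SRC" "$REMOTE:$REMOTE_DIR/$(remote_name)" || return 1
    # Record the transferred file's timestamp only after a successful copy.
    touch -r "$SRC" "$STAMP"
}

# Run the transfer only when invoked as: script.sh run
if [ "${1:-}" = "run" ]; then push_backup; fi
```

Schedule the script more often than the period set in config autobackup, and pre-load the remote server's host key on the firewall so that StrictHostKeyChecking can succeed.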

WARNING
The extension of the backup file will always be .na regardless of whether it is encrypted with a password. It is the same as the backup file that is generated from the web administration interface (Configuration > System > Maintenance > Backup menu).