UTM Disaster Recovery Testing Failing

I've put together a brief disaster recovery spreadsheet with the help of Sophos.

 

Today I tried to test it and of course it doesn't work.

 

This is what I'm trying to achieve:

 

Client rings me and says their Sophos SG135 is dead.

I have an NFR SG135.

I ring Sophos and get a temporary licence for my NFR.

I load the latest backup for the Client UTM on to my NFR using the Import Backup in the WebGui, then enter the temporary licence number.

I bring the NFR UTM to the Client, smiles all round.

We then have 30 days to get the replacement UTM.

 

That was the theory.

I try to import the Client backup into my NFR UTM, but it simply won't appear in the list of backups.

 

Sophos are now saying I have to do it via shell command?

 

Seriously? I spent an hour with the Sophos Support guy setting up the Disaster Recovery Test, and at the first hurdle it fails?

 

Can someone please help me fix this?

 

Cheers.

  • What's the file name, Murray?

    The easiest way to restore a backup is to put it in the root directory of a FAT 32 USB memory stick with no other backups in the directory.  Insert the USB stick into the appliance and power it up.

    You shouldn't need a temporary license as the client's backup should include their license.  You only would need a temporary license if the client's appliance was a different model than your NFR SG 135.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    Thanks for the very helpful reply.

    The backup file name is nsh_9.509003_2018-04-11_13-45.abf

    I'm trying to load that on to my NFR UTM, it is exactly the same model UTM, SG135, as the Client's UTM.

    I've standardised on the 135.

     

    The problem is I keep getting conflicting and confusing advice from Sophos Support ☹

    Initially I was told I didn’t need a temporary licence, then I was told I did.

    Then I was told I could import the backup from Webgui, then I was told I had to do it from CLI.

    I spent an hour with support remoted in looking at my spreadsheet, see attached, to formulate both Disaster Recovery Testing, and an actual Disaster Recovery.

    Look under Testing DR.

    Which is now completely wrong ☹

    I really need to get this right as when a Client’s UTM fails it's going to be a very stressful situation.

     

    Many thanks, Martin

     

    Sophos Disaster Recovery.xlsx

  • In reply to Martin Murray:

    You don't need a licence for backup recovery.

    I used disaster recovery 3 times via USB with no problems in a home environment (PC hardware). The only problem was that you have to reconfigure the interfaces.

    Put the USB in the hardware with the backup file only on it, then turn on the machine.

  • In reply to oldeda:

    What do you mean by "reconfigure the interfaces"?

    That could end up complicated as the backup NFR has different subnets on different ports, the port forwarding is then related to a particular subnet.

  • In reply to Martin Murray:

    This is a lot easier than you're imagining, Martin.  Apparently, you got routed to a tech in training.

    Oldeda was talking about what happens when the two devices are not identical, but yours are all SG 135.

    The backup contains the license and all of the information needed to immediately make the replacement 135 function in exactly the same way as the one being replaced.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    I wish you were running Sophos Support!

    I get so many confusing responses :(

    I think most of the confusion is around Licensing.

    If I load my Client's backup on to my NFR UTM, these are 2 different Licences, and Sophos are saying this won't work.

    If I try and load the Client Backup on to my NFR UTM, it simply doesn't work, why is that?

    Does it only work for that UTM's backup?

    Does the USB stick recovery mode get around this?

    Cheers, Bob.

    PS and this is just me testing out Disaster Recovery, imagine if I was trying to do this for real?!

    I would have a very unhappy client :(

  • In reply to Martin Murray:

    "If I load my Client's backup on to my NFR UTM, these are 2 different Licences, and Sophos are saying this won't work."

    It's not possible to load two licenses.  Installing a license replaces the one that was there.

    The USB stick, command line and WebAdmin backup restores all have the same result - the complete replacement of the existing configuration with the configuration backup.

    I know the guy that runs Sophos Support worldwide.  He's a great leader and has done a lot to improve things.  As a newbie, one always gets routed to the lowest first-level support.  I've been doing this so long that my account is marked so that I usually get a good first-level and I can get almost-immediate escalation.  It just takes a while to get used to a manufacturer's support systems.

    If you were really doing this for a client, he'd think you were pie at it.

    Cheers - Bob

  • In reply to BAlfson:

    "he'd think you were pie at it."

    Not sure what that means?

    I've just checked all my emails and this Sophos Support case was started on the 23rd March.

    They have consistently given me the wrong advice for 3 weeks :(

    Your advice worked wonderfully, I simply loaded the Client backup onto the NFR UTM and bam, worked first time after the reboot.

    Logged in, tested everything, then reversed everything, and back to the NFR UTM perfectly.

    Took about 10 mins in total.

    As opposed to the hours spent with support :(

    "I know the guy that runs Sophos Support worldwide.  He's a great leader and has done a lot to improve things.  As a newbie, one always gets routed to the lowest first-level support.  I've been doing this so long that my account is marked so that I usually get a good first-level and I can get almost-immediate escalation.  It just takes a while to get used to a manufacturer's support systems."

    He needs to fix up Support here in Australia.

    I had to ring Brother last week re a tricky networked printer, spoke to a very knowledgeable guy within 10 mins, he walked me through the solution in 5, absolutely brilliant.

    Compare that to Sophos...

    Anyway, I'm very happy now, that I can provide a fully configured UTM to my Clients in less than an hour, including travel time :)

    We have a separate 4G backup network for that hour.

     

    Cheers, Martin

  • In reply to Martin Murray:

    "he'd think you were pie at it." - I learned that from an Aussie years ago.  He said it meant to be really great at doing something.  I guess maybe I'm showing my age!

    Cheers - Bob