
XGS Backup & Restore to a new XGS (same model) restores everything, or just some things?

On an XGS, if I use Backup & Firmware > Backup & Restore > Backup I can restore this with Backup & Firmware > Backup & Restore > Restore. Does this include everything I need? Will the new XGS then functionally be the same as the old and no user would be able to tell the difference?

I'm thinking of certificates, SSH key, firewall rules, custom groups, static DHCP addresses, SSL VPN config, etc.

I don't want to expect the Restore to work and then find that I have to download a different certificate to every device to get TLS decryption to work, or to find DHCP works but all of the static machines have to be reentered. I guess part of my fear is based on not understanding the difference between Backup & Restore and Export/Import. The Backup file is small (I assume binary), while the Export is huge and slow to generate (I assume XML or something), which then worries me that I have the wrong one, or that perhaps one or the other (or both) don't actually include everything that I'd need to be 100% back up quickly.

I read on an older posting that if you have both devices at once, you could do a temporary HA cluster to copy everything without any downtime, but that seems to have its own potential complications -- and I've never done anything with a cluster -- so if Backup on the old and Restore on the new works perfectly, I'll live with the fairly minimal downtime. (But can't have more than minimal downtime chasing down stuff that isn't actually backed up in the Backup.)

Thanks for any tips!

  • Backup / Restore or HA Cluster is actually sort of the same. But HA Cluster is only possible between the same model (and rev), while Backup/Restore is more flexible. See: https://support.sophos.com/support/s/article/KB-000036245

    Export/Import will not export everything (due to security parts etc.). But Backup/Restore should cover all important aspects.


  • Thanks for the link! I'm still slightly worried that "important stuff" might not include everything I need to have a perfectly seamless switch. That is, Backup/Restore is necessary for a swap like that, but is it entirely sufficient?

  • I am not familiar with a setting which is not included. But I did not want to talk in absolutes.

    There are "tweaks" on the database level which are not in backups (for example a Sophos specific hotfix).


  • I just thought of one possibility: are the MAC addresses included and cloned? In my case, having a different MAC address for the Gateway port (Port 2) will kill connectivity until the ISP is notified and adds a new MAC address. Or I manually clone it, which would mean that I would have recorded it.

  • If you use HA, the MAC is replaced anyway with a virtual MAC. If not, we do not overwrite the hardware MAC unless it is specifically replaced by you in the GUI.


  • So, I ended up in the Catch-22 I wanted to avoid. I wanted to Restore to the new appliance before making it live and it turns out I can't because the new appliance is on an older Firmware (EAP1-Build236, which is ancient, compared to GA-Build289 which is current). I had moved quickly through all of the setup menus and chose "Take care of this later" as often as possible, because I assumed the Restore would work. So who knows if the new appliance will even work when I connect the WAN?

    So, if I want to proceed, I guess I have to: a) configure the new appliance enough to get connectivity to the outside world and hopefully not with exposed vulnerabilities, b) get the MAC address of the WAN port working so I actually have ISP access, c) update the firmware, which is going to de-register the old device -- no falling back if anything goes wrong (and things may have already gone wrong since I had assumed that a Restore would suffice).

    So I guess I'll clone the old appliance's WAN MAC address, plug it in, take the entire network down for an indeterminate period of time, upgrade the Firmware and hope that the Restore then works, and wrestle with any other details (like maybe the AP won't like the new appliance, who knows?).

    The current method's okay if you're starting from scratch, but not so great for updating.

  • You can actually overwrite the MAC on the new appliance. Therefore you could overwrite the MAC of the new XGS. You should lift the XGS to V18.5 MR1.


  • So it took two hours to get back to connectivity. Observations:

    1. Restore only restores to the same Firmware version as the Backup came from. A new device will probably come with an older Firmware version. So unless you know the magical way to download the ISO and install it, you will not be able to handle the replacement process "offline" in a small infrastructure. If this is your firewall, you will take the entire network down during the time you're updating the firmware -- with the additional lags involved in reboots, updates, etc.

    2. My fear of needing to deactivate the original before I could update/Restore the replacement was unfounded. Every time it asked me to register, I told it I'd register later and was able to postpone until then. (Once I did finally register the replacement -- after the replacement was finally in place and fully operational -- Sophos immediately deregistered/dropped the old one. It initially said something about three license updates before a drop, but it was immediate.)

    3. I cloned the old appliance's WAN MAC address so I could plug in the new appliance and get the update. Doing the Restore clobbered the cloned MAC address. I didn't immediately realize what had happened, and figuring that updates might do this again in the future -- it wasn't clear whether it was the Firmware update or the Restore that caused problems, but now I'm pretty sure it was the Restore -- I started the process of having the ISP register the new MAC, which cost me a half hour or so of coordination.

    So the tip would be, on the old appliance, set your MAC address manually to its default before you do the final Backup that you will Restore on the new appliance. (Or realize that you will again have to manually set it after the Restore.)

    4. The SSH key seems to be backed up/restored, along with VPN SSL user certificates, etc. So it did back up pretty much everything I needed.

    5. The Master Security key is not backed up.

    6. Speaking of Master Security Key, somehow mine got changed on the old box, I guess, and I found out because you need not only the Backup Key but also the Master Key to Restore. I had both in my password manager, but the Master Key was incorrect on Restore. So I had to plug back into the old appliance and reset it to what is in my password manager, then generate another Backup. This requires the CLI and I made the mistake of using the one from the GUI. Which does not allow copy/paste. Which is extremely frustrating when you need to enter two 20+-character random passwords. Extremely. Please fix.

    7. Sophos Central doesn't know about replacements, and a Backup/Restore thus does not save your Sophos Central settings. You need to register and approve the new device with Sophos Central.

    8. The de-registration (with Sophos, not Sophos Central) process does work as advertised: once you do allow it to register it does detect that this is an RMA and does the right thing. I did this from the appliance (I think by clicking on Administration and following the link to register).

    Last, I think this RMA will bear some fruit for Sophos. I think they'll discover something worthwhile about the returned appliance. So despite all of my frustrations, I think this will be a win-win (for me and Sophos both).