Sophos UTM 9.6 backups - creation and automation
Sophos
With the backup function, you can save the settings of the UTM on a local hard disk. With the help of the backup file, you are able to transfer a proven configuration to newly installed or misconfigured systems.
Create a new backup file after each change of the system settings. This way you will always have the current settings of your system saved. Also keep your backups in a safe place, as security-relevant data such as certificates and cryptographic keys are contained in them. Always check the backup file for readability after it has been generated. It is also advisable to generate a checksum using an external MD5 programme, which will also enable you to check the integrity of the backup file later.
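The checksum step described above, as an added example that is not part of the original article or of Sophos tooling. It records MD5 (as the article suggests) together with SHA-256 (added here, because MD5 only catches accidental corruption and does not resist deliberate tampering). The manifest file name and the function names are assumptions.

```python
import hashlib
import json
from pathlib import Path

MANIFEST = "backup-checksums.json"  # hypothetical manifest name, not a UTM file
SUFFIXES = {".abf", ".ebf"}         # unencrypted / encrypted, as named in the article


def digests(path):
    """Return the MD5 and SHA-256 hex digests of one file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def is_backup(path):
    return path.is_file() and path.suffix.lower() in SUFFIXES


def record(directory):
    """Write a manifest covering every backup file in `directory`; return it."""
    directory = Path(directory)
    manifest = {p.name: digests(p) for p in sorted(directory.iterdir()) if is_backup(p)}
    (directory / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(directory):
    """Compare the directory with its manifest; return a sorted list of findings."""
    directory = Path(directory)
    manifest = json.loads((directory / MANIFEST).read_text())
    findings = []
    for name, expected in manifest.items():
        path = directory / name
        if not path.is_file():
            findings.append(f"MISSING {name}")
            continue
        if digests(path) != expected:
            findings.append(f"MODIFIED {name}")
        if path.suffix.lower() == ".abf":  # contains keys and passwords in the clear
            findings.append(f"UNENCRYPTED {name}")
    on_disk = {p.name for p in directory.iterdir() if is_backup(p)}
    findings += [f"UNLISTED {name}" for name in on_disk - set(manifest)]
    return sorted(findings)
```

Keep a copy of the manifest somewhere other than the backup directory, so that whoever can alter a backup cannot also rewrite its recorded checksum.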
Creating backups
On the tab Administration > Backups > Backup/Restore you can create, import, restore, download and send backups as well as delete existing backups.
Available Backups
This section is only visible if at least one backup has already been created, either automatically or manually (see section Creating a Backup).
All backups are listed with their creation date and time, their UTM version number, their creator and comment.
You can download, restore, delete or send a backup.
- Download: Opens a dialogue box where you can choose whether you want to download the file encrypted (enter password) or unencrypted. Click Download Backup. You are asked to select a location in the file system where the downloaded file is to be saved.
- Encrypt before downloading: Encryption is done with Blowfish in CBC mode. Enter a password (a second time for confirmation). You will be asked for this password when you want to import the backup. The file extension is ebf for encrypted backups and abf for unencrypted backups.
Note - A backup contains administration passwords, the high availability password (if configured) and all RSA keys and X.509 certificates. As this is confidential information, it is advisable to encrypt backups.
- Restore: Replaces the current system settings with the settings saved in a backup. Afterwards you have to log in again. If the backup contains all data, you can log in directly. If the selected backup does not contain all data (see section Creating a Backup), you must enter the required data during the login process. If only the host data has been removed from the selected backup, you can add another administrator e-mail address if required. This address is used in places where no recipient was previously entered and as an additional address where multiple recipients are possible.
Note - Backup Restore is only backwards compatible. Only backups from versions lower than the current version are considered functional. If there is a version conflict, the version number in the Available Backups list turns orange.
- Restore backups from USB flash memory: You can restore unencrypted backup files (file extension abf) from FAT-formatted USB flash memory such as a USB flash drive. To restore a backup from a USB flash drive, copy the backup file to the USB flash drive and connect it to the Sophos UTM before starting the system. If there are multiple backup files on the storage device, the lexicographically first file is used (numbers before letters). For example, suppose the backup files gateway_backup_2012-04-17.abf and 2011-03-20_gateway_backup.abf are both on the USB flash drive. When starting, the second file is used because it starts with a number, although it is much older than the other file.
After a backup has been successfully restored, a lock file is created. This prevents the same backup from being installed again and again while the USB flash memory is still plugged in. If you still want to reinstall a previous backup, you must first restart the computer concerned without the USB flash memory connected. This will delete all lock files. If you now restart the computer with the USB flash memory connected, the same backup can be installed.
- Delete: Deletes a backup from the list. With the delete symbol below the list you can delete all selected backups. To select backups, click on the selection boxes to the left of the backups or use the selection list below to select all backups.
- Send: A dialogue box allows you to specify the email recipients. By default, the addresses specified on the Automatic Backups tab are selected. Then decide whether you want to send the file encrypted (specify password) or unencrypted. Click Send Now to send the backup.
- Encrypt before sending: See above: Encrypt before downloading.
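A pre-flight check for the USB restore described above, as an added example that is not part of the original article or of Sophos tooling. It predicts which file would be chosen and flags the case where an older backup wins. It assumes the comparison is byte-wise and case-sensitive, that only .abf files are considered, and that file names carry an ISO date as in the article's example; the function names are hypothetical.

```python
import re
from datetime import date

ISO_DATE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def abf_files(filenames):
    """Only unencrypted backups can be restored from USB, per the article."""
    return [n for n in filenames if n.endswith(".abf")]


def usb_pick(filenames):
    """Name that sorts first byte-wise (digits before letters), or None."""
    candidates = abf_files(filenames)
    return min(candidates, key=lambda n: n.encode()) if candidates else None


def name_date(name):
    """Date embedded in the file name, or None when the name has none."""
    m = ISO_DATE.search(name)
    return date(*map(int, m.groups())) if m else None


def check_stick(filenames):
    """Return (picked, newest, ok); ok is False when the pick is not the newest."""
    picked = usb_pick(filenames)
    dated = [n for n in abf_files(filenames) if name_date(n)]
    newest = max(dated, key=name_date) if dated else None
    ok = picked is not None and (newest is None or picked == newest)
    return picked, newest, ok


if __name__ == "__main__":
    # File names taken from the article's example.
    stick = ["gateway_backup_2012-04-17.abf", "2011-03-20_gateway_backup.abf"]
    picked, newest, ok = check_stick(stick)
    print(f"would restore: {picked}; newest on stick: {newest}; ok: {ok}")
```

Putting a single backup file on the stick, or giving every file the same date-first naming scheme, makes the selection unambiguous.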
Create a backup
Backups are not only useful if you want to restore your system after an (unintentional) change or failure. They can also be used as templates to set up systems with a similar configuration. These systems are then effectively pre-configured, which can be an enormous time-saver. For this purpose, you can remove certain data from a backup before creating it, e.g. host name, certificates, etc.
To create a backup with the current system settings, proceed as follows:
- Enter a comment in the Create Backup section (optional). The comment is displayed next to the backup in the backup list.
- Make the following settings (optional):
Remove unique site data: Select this option to create the backup without host-specific data. This includes host name, system ID, SNMP data, HA data, licence, shell user passwords, anonymising passwords, all certificates, public and private keys, fingerprints and keys of Email Protection, Web Protection, Client Authentication, IPsec, SSL VPN, RED, WebAdmin, Web Application Firewall and proxies.
Such backups allow you to conveniently create multiple similar systems. However, you should note some points: 1) After the restore, the Basic System Configuration page is displayed. 2) Only the first interface is configured, with the primary IP address configured during installation. All other interfaces are disabled and given the IP address 0.0.0.0.
Caution: Although most host-specific data is removed, such a backup template still contains confidential data such as user passwords. Therefore, it is advisable to encrypt backup templates.
Remove administrative email addresses: Select this option to remove the administrator email addresses used in various areas of the UTM, e.g. postmaster addresses in Email Protection, Notifications, etc. This option is particularly useful for IT partners setting up Sophos UTM appliances at customer sites.
- Click Create Backup Now. The backup will appear in the list of available backups. If a backup was created using one or both of the selected options, the backup entry will contain an additional note to this effect.
Note: The HA settings are part of the hardware configuration and cannot be saved in a backup. This means that the HA settings will not be overwritten in the course of a backup restore.
Import backup
To import a backup, proceed as follows:
- Click the folder icon and select a backup file to upload.
- Click Start Upload.
- Decrypt the backup. If you want to import an encrypted backup, you must first enter the password.
- Click Import Backup to import the backup. Note that when you import the backup, no restore is performed yet. The backup is only added to the Available Backups list.
Marcel Zimmer is the Technical Managing Director of EnBITCon. During his time in the German Armed Forces, the trained IT developer was able to gain numerous project experiences. His interest in IT security was significantly awakened by his service in command support. Even after his service, he is an active reservist in the Bundeswehr.
His first firewall was a Sophos UTM 120, which he had to set up for a customer project. Since then, his interest in IT security has grown steadily. In the course of time, various security and infrastructure topics have come into his focus. His most interesting projects included, for example, WLAN coverage in an explosion-proof area, as well as a multi-site WLAN solution for a large