disaster recovery
-
I upgraded my home Protectli box from bare metal CE to bare metal pfSense Plus and enabled the auto cloud backup, then noted my credentials and key etc.
I then (for the sake of tinkering) decided to test the auto backup and a bare metal recovery by formatting the box, installing Proxmox VE and then setting up a clean install of CE (I couldn't find Plus to reinstall) and then when I got to the bit where I thought I could simply enter my key and password to recover my lovely cloud backup (simulating a new hardware scenario after a disaster) I found there doesn't appear to be an option for that.
Am I missing something or is the auto backup not intended for this sort of backup/recovery?
It is not mission critical for mine as I also took a manual backup before I formatted, however I do have a number of work pfSenses, from Protectli boxes on small sites to rackmount 1537s on larger sites, and assumed the auto backup could be used for such a disaster recovery.
The docs seem to suggest restoring from only a working firewall, not a new replacement or migration (upgrade perhaps?).
Also, it seems to have only stuck with CE after the manual restore and none of the packages install but again, a lot of faffing can fix this. I was expecting a complete restoration though, not a partial. Any 3rd party backups for CE or Plus that will do a full job?
Any pointers or guide would be appreciated.
Cheers (probably missing something simple here)
-
I personally would not trust an encrypted cloud backup as my only line of recovery. I would at a minimum keep a local un-encrypted config.xml backup in a safe location. That way you can always simply reinstall from scratch using the latest pfSense install image, and then restore your local backup of config.xml.
You can create a local un-encrypted copy of config.xml using the option under the DIAGNOSTICS > BACKUP AND RESTORE menu in pfSense.
My issue with encrypted cloud backups is the potential loss of the encryption credentials. Cloud backups are fine as an extra line of defense, but I feel safer having a local un-encrypted copy if I need it as a last resort.
A further complicating issue is upgrading a CE install to Plus. There are currently no publicly available install download images for a CE to Plus upgrade. You have to install CE, then put in your Netgate Plus upgrade license info, and essentially do the Plus upgrade again. I've seen a number of posts here on the Forum where individuals have had issues doing that. Not everyone, but a few for sure.
-
@bmeeks - Cheers, it turns out that after I restored my manual backup the auto backup cloud history was now available to restore from. Kind of a catch-22. Think I may have to take a manual "site is working" copy of all of our firewalls to store just to kickstart the restore process. Good plan, will also mean I can get things running before the pitchforks and flaming torches arrive at the comms room door at work.
Glad I found this now while tinkering at home rather than on one of our sites. Now back to tinkering and see if I can automate the backup with a script like the built in one does.
-
@PsyMan2000 said in disaster recovery:
Glad I found this now while tinkering at home rather than on one of our sites. Now back to tinkering and see if I can automate the backup with a script like the built in one does.
Agreed that finding out the little "gotchas" with a lab test is way better than finding them during an actual crisis.
I am not very familiar with the new automated backup piece in pfSense. I don't know what exactly is necessary in order to bootstrap a recovery with your config.xml backups in the Netgate cloud. Also not sure how, or if, the encryption key is tied to the local hardware. Would new hardware upset the key generation???
I have historically just downloaded a copy of config.xml using the GUI menu option and then saved off the un-encrypted file someplace else in case I ever needed it. Of course I'm just protecting my local home network these days, so I am a bit more "lax" in the area of security with backed up data. But even if I were still in the corporate IT world, I would want at least one local copy of the backup so I could bootstrap the whole network if required. If your firewall is your link to the cloud, and the firewall is needing disaster recovery, you could find yourself in a "chicken or the egg" scenario.
-
@PsyMan2000 said in disaster recovery:
thought I could simply enter my key and password to recover
Per https://docs.netgate.com/pfsense/en/latest/backup/autoconfigbackup.html#bare-metal-restoration it sounds like it. I haven't used ACB though, we just save the files to disk at our office and/or our clients'.
-
@SteveITS I missed the blindingly obvious. There was no box to put my key in to BEFORE I had enabled the auto backup service. Once I enabled it and entered the password it generated a new key on the clean install, which of course I do not want. At this point I can then paste in my old one from the backup docs I made and my historical backups automagically appeared for restoration. Exactly as I had expected.
I noticed that after my manual backup had restored that it also restored my key so the history was all there which is what prompted me to try again.
All good in the world and a weight off of my shoulders. It does work bare metal, just the CE to Plus bit to sort out, but as far as getting a site back up and running after a failed box point of view goes that's pretty slick. Could even run a VM instance while awaiting hardware delivery from that simple system.
In summary, the problem was found to be somewhere between the keyboard and the chair.
Thanks for everyone's input :-D
-
@PsyMan2000 said in disaster recovery:
any 3rd party backups for CE or plus that will do a full job?
All you need is a 'Windows' PC.
Even better would be a server type Microsoft device.
All you need to do is create a "Microsoft Windows Cron task" (scheduler something) and have it execute every day - mine fires at 08h00 AM (moments before I start to mess with my pfSense).
It will do an SSH login, retrieve the current config, and manage your downloaded config files, so you can say "keep the latest 100 days".
A real "set it and forget it tool" - and is a nice complement to the ACB solution.
Btw: other, comparable solutions exist, I guess.
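
The scheduled pull described in the post above, as an added example (not code from the thread and not the tool the poster uses). The host name, the `backup` account and the destination folder are assumptions; it copies `/cf/conf/config.xml` with the OpenSSH `scp` client, rejects a download that is not a well-formed pfSense config, and prunes copies older than 100 days without ever deleting the newest one.

```python
import os
import subprocess
import time
import xml.etree.ElementTree as ET
from pathlib import Path

REMOTE = "backup@fw.example.internal:/cf/conf/config.xml"  # assumed account and host
BACKUP_DIR = Path("pfsense-backups")                        # assumed destination folder
KEEP_DAYS = 100                                             # "keep the latest 100 days"


def is_valid_config(path):
    """True only if the file parses as XML with a <pfsense> root element."""
    try:
        return ET.parse(str(path)).getroot().tag == "pfsense"
    except (ET.ParseError, OSError):
        return False


def prune(backup_dir, keep_days, now=None):
    """Delete config-*.xml older than keep_days, but never the newest copy."""
    now = time.time() if now is None else now
    files = sorted(Path(backup_dir).glob("config-*.xml"), key=lambda p: p.stat().st_mtime)
    removed = []
    for p in files[:-1]:  # the newest file always survives, even if it is old
        if now - p.stat().st_mtime > keep_days * 86400:
            p.unlink()
            removed.append(p.name)
    return removed


def fetch(remote, backup_dir):
    """scp the config to a timestamped file; discard it if it is not valid."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    tmp = backup_dir / "incoming.tmp"
    # BatchMode: key-based auth only; fail instead of prompting inside a scheduled task.
    subprocess.run(["scp", "-q", "-o", "BatchMode=yes", remote, str(tmp)], check=True)
    if not is_valid_config(tmp):
        tmp.unlink()
        raise RuntimeError("download is not a pfSense config; existing backups untouched")
    # config.xml holds password hashes and private keys; on Windows restrict the folder ACL too.
    os.chmod(tmp, 0o600)
    final = backup_dir / time.strftime("config-%Y%m%d-%H%M%S.xml")
    tmp.replace(final)
    return final

if __name__ == "__main__":
    fetch(REMOTE, BACKUP_DIR)   # raises before pruning if the pull failed
    prune(BACKUP_DIR, KEEP_DAYS)
```

Because `fetch` raises before `prune` runs, a firewall that is down or returns a truncated file never causes the last good copies to age out.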