It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

Backup Daemon

  • Last updated on

The Backup Daemon is a new feature that adds to the existing options for creating and restoring backups for and from stand-alone and managed firewalls. Unlike backups stored in PAR files at a user's request, the backup daemon can be configured to operate autonomously at a scheduled time without any further interference. The backup daemon operates on the box level of an unmanaged box, a CC-managed box, and a Control Center, and must always be configured on the box level.

The backup daemon can create backups of the firewall configurations on the box level, on the CC level, and on the box & CC levels.

Creating Backup Storages and Backups

Local and Remote Storage

After enabling the backup daemon, you must register a certain type of storage that is identified by a unique ID.

The back-end storage can be one of three types:

  • Local Storage: Local back end in the file system of the firewall

  • Remote Storage: An AWS S3 bucket

  • Remote Storage: An Azure blob

Although the size of local storage is limited by the size of the firewall's internal hard disk/SSD, remote cloud storage is limited only by the licensing model you chose. However, if local control, availability, and speed are paramount to you, operating local storage can be the better choice.

Connecting to storage is provided by configuring a 'path' (back-end URL) that lets the backup daemon send data to the configured storage. The format for the 'path' depends on the type of storage you chose:

  • Local storage: /myPath
    Example: /myLocalStorage

  • AWS S3 bucket: server:port/bucket_name
    Example: https://s3.amazonaws.com/bucket-backups

  • Azure blob: container_name:/path
    Example: containerbackup:/folder-backups

For more information on how to use cloud storage, see the user guides of the corresponding cloud provider and search for methods for accessing a bucket/blob.

Authorization, Backup Encryption

Back-end storage is intended to be used over the long term. However, due to specific circumstances, a local back-end storage cannot be deleted on a user level after its creation and therefore requires thorough planning before being created.

If it is unavoidable to delete an incorrectly configured storage, please contact Barracuda Support!

Every local back-end storage requires information for permitting a specific user to write to its file system. Access to the local storage uses your firewall credentials. When using a remote storage, you must use an existing Backend user user ID and a Backend key for access. These credentials are mandatory for connecting to remote storage.

In addition, every storage is protected by encryption. You must provide an encryption password both for local and for remote storage.

The back-end URL contains the specific path for a certain storage (e.g., Local, AWS, Azure), as described above. This path entirely describes the directory nodes from the upmost directory down to the effective storage, e.g.:

  • Local: /your/specific/the_storage

  • AWS S3 bucket: https://s3.amazonaws.com/bucket-backups

  • Azure blob: containerbackup:/folder-backups

The encryption password is used to encrypt the content of the_storage. Therefore, every instance that is to access the content of this storage requires the use of this encryption password for encrypting/decrypting the content. Once the encryption password has been set, it can no longer be changed. If you want to delete a certain storage, you must do it manually via SSH on your firewall or by logging into your Cloud storage with your Cloud credentials.

For better organization, it is also possible to create multiple storage locations under a partly common path /your/common/storage_path/, e.g., /your/common/storage_path/storage_1, /your/common/storage_path/storage_2. In this case, as already mentioned, each storage_<n> requires its individual encryption password for access.

After entering the URL for the back end, you can add one or multiple backup jobs by configuring repeating trigger events.

Backup Jobs

A backup job is identified by a unique ID that relates exclusively to the firewall it is created on. The backup job can be configured to compress the data before sending it to the storage. You must create an execution trigger, which is the time to start the backup, supplied in Unix-like cronjob format. This cronjob format requires you to enter the time in the following template: 'Minute - Hour - Day of Month - Month - Day of the Week'.

Note: The minimal supported interval is daily!

The following table shows some examples of different possible entries:

Minute

Hour

Day of the Month

Month

Day of the Week

Meaning

0

0

*

*

*

Daily 00:00

20,40

3

*

*

5-6

Every Friday and Saturday, always at 03:20 (AM) and 03:40 (AM).
Note: using 7 as Sunday on the Campus page is non-standard and not supported by us.

0

23

*/2

*

*

Every second day at 23:00

20, 40

3

*

*

6-7

Every Saturday and Sunday, always at 03:20 (AM) and 03:40 (AM)

0

18

31

12

*

Every 31st of December at 18:00

30

23

1,28

*/2

*

On the first and 28th of every second month at 23:30

Backup Retention, Backup Removal

If you are configuring backup jobs that are executed on a regular basis, you must be aware that the increasing number of backups will also increase the amount of consumed space on your configured storage!

IMPORTANT

When selecting the option 'Local' for creating the back-end storage on your firewall or Control Center, you must consider that the total amount of consumed storage space can quickly grow to several gigabytes. This applies especially to Control Centers when configuring repeated backups of 'Box and CC' configuration trees for a large number of managed firewalls. It is therefore essential to keep track of the amount of consumed space used!

Also, it is generally recommended that your backup strategy should keep the amount of used space to a minimum.

Because each configured backup can perform multiple backup jobs at either a single timestamp or at recurring time stamps, due to different execution triggers, the number of backups in the list will increase. However, you may not wish to keep all created backups. In order to more easily differentiate the importance of your backups, you can assign individual user tags to add meaningful information to your backups.

To protect your firewall/CC from consuming too much backup storage space, the edit field Retain last is preset with the value '5', and all other fields are left empty. An empty field has the intrinsic default value of '0'. This preset will ensure that the last 5 backups will be kept.

backup_daemon_retain_time_related_fields.png

If you want to keep all backups indefinitely, set all Retain fields (e.g., last, hourly, daily, weekly, monthly, yearly) to '0'. Modify any of these fields to meet your individual retention requirements. As soon as one of these limits is exceeded, all backups that surpass the limit will be deleted automatically.

However, if you want to keep certain backups indefinitely, you can make use of your individually configured user tags. By configuring a retain tag, all backups having the same value in a user tag will be exempted from automatic deletion.

NOTE

Before a new backup job is triggered, the time stamp of all existing backup files is checked and compared to the current retain-time-related configuration settings. Before the new backup is created, all existing backups that no longer match the given limits of the time-related retain fields will immediately be deleted.

Keep this in mind, especially when decreasing one of the configured retain-time-related values.

Monitoring and Restoring Backups

You can monitor your backups and their state at CONTROL > Backups. There are two views that provide all relevant information on all backup files and on the result of an action that was executed on each triggered backup:

Backup Overview

The Backups view displays a list of all configured back ends, their names, the levels of the configured backups (e.g., Box, Control Center, Box & Control Center), the tags that can attribute a backup, and the creation time.

backup_daemon_view_list_of_backups.png
Backup Jobs

The Backup Jobs view displays a list of all processed backups grouped by the Backup Job ID.

backup_daemon_view_list_of_backup_jobs_collapsed.png

By expanding the entry for a Backup Job ID entry, the list displays all associated backup jobs that have been triggered by the configured execution trigger. The time-related columns show the beginning and end time stamps and the Result column shows the current state of a triggered backup job.

backup_daemon_view_list_of_backup_jobs.png

A backup job can be attributed to the following states:

  • Success – A backup job has been successfully completed.

  • Pending – A backup job is scheduled for execution.

  • Failed – A backup job has failed.

The Description column provides further details that refer to the signal state of the entry in a row. These details should be informative enough in most cases. At times, however, you may want to know more about what happened during a certain phase. In such cases, even further details can be found in the log box_Config_backup.log.

For more information on how to create scheduled backups, see How to Create and Monitor Backups Using the Backup Daemon.

Restoring Backus

Restoring a backup is done by locating the required backup and triggering the process for restoring it onto the related firewall.

For more information on how to configure the backup daemon and how to restore backups, see How to Restore/Delete Backups Using the Backup Daemon.