In rare situations, it can be necessary to completely reinstall the CloudGen firewall from scratch.
As of release 10.0, a new box recovery feature has been added to the CloudGen firewall. This feature provides the solution to recover the firewall to a specific firmware version that has previously been backed up interactively as a known working firmware version.
The Box Recovery feature can be used both on hardware/virtual, standalone/managed CGF appliances and Control Centers on box level.
Hardware boxes additionally provide the option for using the reset button on the rear side of the housing to trigger the recovery.
On virtual appliances, and depending on your virtual host system (if supported), you are not limited to use snapshots of your virtual instance as an alternative or in addition.
Prerequisites
Using the Box Recovery feature requires to match the following conditions:
Ensure a continuous power supply for the firewall!
If the recovery fails due a power outage, you must recover your firewall via a USB stick. In such a situation, the firewall can no longer be reached via a network connection. In such a case, you must recover the firewall on-site.
For more information, see How to Recover a CloudGen Firewall or Control Center Appliance with a USB Flash Drive.Barracuda Firewall Admin must be run at least with version 10.0.
The Box Recovery feature is available only on firmware versions >= 10.0.
Only the following models can use the Reset Button Recovery: F12, F18, F80, T100. On these appliances, the following configuration section will be displayed if all conditions apply:
Hardware boxes must have a serial number >= 3032296. This serial number indicates that the hardware box supports a reset button which can be used to trigger the box recovery. On hardware appliances, find the serial number bottom-sided on the label that starts with BOX-NG-……. .
If the serial number does not match, the reset button will continue to have its former function (hard reboot) even if all other preconditions apply. Also, the behavior prior to firmware version 10.0 will no longer be available (hardware reset).
Working Principle
Basically, the feature is meant to be used at a time when an administrator/user considers the state of an appliance to be worth saving for a later recovery with minimal configuration efforts.
The full cycle comprises the following steps:
1. Creating the Recovery Backup
Triggering the creation of a backup is done via Barracuda Firewall Admin either through the standalone firewall user interface or through the Control Center user interface for managed boxes, both for hardware and virtual appliances.
The process of creating a full recovery backup comprises 2 steps:
Downloading the ISO file that matches the currently running firmware version on the firewall. This must be done via Barracuda Firewall Admin through the standalone firewall user interface or through the Control Center user interface for managed boxes, both for hardware and virtual appliances.
The firmware version will be stored into the/artdirectory of your recovery partition on your hard disk from where it will be restored onto your working partition during the recovery process.
Creating a PAR backup of the configuration tree. This configuration backup will also be stored into the
/artdirectory.
On hardware appliances, the PAR archive will be encrypted with the devices' serial number (.pca). On any other non-hardware appliance, the PAR archive will be an unencrypted file (.par). For more information on archive files, see How to Back Up and Restore Firewall, Secure Access Controller and Control Center Configurations.
Creating an ART Recovery Backup for Standalone Firewalls
When the user triggers the creation of an ART backup in Firewall Admin, the firewall tries to download the ISO file from the Barracuda download portal that matches the currently operative firmware on the firewall. When the download completes successfully, the ISO file is stored in the /art directory.
You can check the status of the Box Recovery feature in the DASHBOARD.
Creating an ART Recovery Backup for Managed Firewalls
When the user triggers the creation of an ART backup in Firewall Admin, the Control Center tries to download the ISO file from the Barracuda download portal that matches the currently operative firmware of the managed firewall. The ISO file is only downloaded once for a specific firmware version (i.e. 10.0.0, 10.0.1, 10.1.0, …) and stored in the Control Center for a consequential distribution to all managed firewalls requiring one of those specific firmware versions.
2. Recovering a Backup
A recovery can be initiated in 2 ways:
Triggering the recovery via Barracuda Firewall Admin through the standalone firewall user interface or through the Control Center user interface for managed boxes, both for hardware and virtual appliances.
Triggering the recovery on a supported hardware box by pressing the reset button longer than 10 seconds. For more information, see the prerequisites.
As for creating, recovering a backup also comprises 2-3 steps:
Recovering the ISO file onto the operational hard disk partition.
Restoring the PAR file (if present) on top after the ISO has been recovered successfully.
(optional) If hotfixes were present on the firmware prior to the recovery, these hotfixes must be installed manually after the recovery.
For more information on how to install hotfixes, see How to Download Applications, Updates, and Hotfixes.