How to Back Up and Restore Firewall, Secure Access Controller and Control Center Configurations

Last updated on 2024-02-26 10:13:19

To back up and restore your system, you must create a Portable Archive (PAR) file. A Barracuda CloudGen Firewall running firmware 6.0.1 or higher can also create encrypted PCA files to store the system configuration.

File Type, Suffix	PAR File Format	Human Readable	Original Box Readable	Replacement Box Readable	CC Readable (managed boxes)	Comment	Restore Configuration via...
PCA	Encrypted PAR file. Uncompressed.	NO	YES (Specific SN# only!)	YES (password protected)	YES (password protected)	For security reasons, this is the factory preset default option. If another file type is selected, it will be set to the new default. Note that the PCA file format is tied to the serial number of the appliance, which is unique. Therefore, in case of a hardware failure, you will not be able to re-use this file on your new appliance. In such a case, consider using the PPE or PGZ file format instead, which will be accepted by any appliance.	Barracuda Firewall Admin. If the password is set to the serial number of the appliance, you can also restore via /opt/phion/update/ or USB stick when using F-Series Install.
PPE	Binary encoded PAR file. Uncompressed, unencrypted.	NO	YES	YES	YES	Use this standard binary file format if you want to avoid human-readable text files.	Barracuda Firewall Admin.
PAR	Cleartext PAR file. Uncompressed, unencrypted.	YES	YES	YES	YES	This file format is human-readable. Beware of using this file format if security is a high priority.	Barracuda Firewall Admin, /opt/phion/update/, USB stick when using Barracuda F-Series Install
PGZ	Compressed PAR file. Unencrypted.	NO	YES	YES	YES	Can only be created via Barracuda Firewall Admin.	Barracuda Firewall Admin, /opt/phion/update

These file extensions will be displayed in the window to select which file format to use for saving your archive file:

In Barracuda Firewall Admin, you can create these PAR files on two levels of the configuration tree:

Box level – Creating a PAR file on the box level applies both to stand-alone boxes and to the box level of a Control Center.
CC level – Creating a PAR file on the CC level lets you create backups for the whole configuration tree and for single boxes in the configuration tree.

You can trigger the creation and restoration of a backup via the popup menu in Barracuda Firewall Admin:

Level	Operation	All Boxes	Note
Box Level	Create backup	-	This applies to stand-alone boxes and the box level on Control Centers.
	Restore backup	-	This applies to stand-alone boxes and the box level on Control Centers.
CC Level	Create backup		Creating a backup for multiple boxes will store the whole configuration tree on the CC level. The preset file name for a single box will have the name of the firewall, e.g., `832-FW-QA`. The preset name for multiple boxes (= whole configuration tree) will suggest the name `archive.par`.
	Restore backup		Restoring a backup for a single box will restore it under the Boxes node in the related cluster. Restoring a backup for multiple boxes will restore the whole configuration tree on the CC level.

Stand-Alone CloudGen Firewall and Stand-Alone Secure Access Controller

Create a PCA or PAR file to back up and restore the configuration of a stand-alone CloudGen Firewall or a stand-alone Secure Access Controller.

Back-Up the CloudGen Firewall or Secure Access Controller

Go to CONFIGURATION > Configuration Tree.
Right-click Box and select Create PAR file. The Save As window opens.
Select the archive type:
- Encrypted PAR File (*.pca) (Default)
- PAR file (*.ppe)
- Cleartext PAR File (*.par)
- Compressed PAR File (.pgz)
If you selected Encrypted PAR file, the Password window opens.
Click Use Serial Number, or enter the Password manually.
PCA archives with manual passwords cannot be used to reinstall your CloudGen Firewall or Control Center via F-Series Install or update the configuration via /opt/phion/update. Decrypt the archive manually for these operations. For more information, see phionar and conftool.

Restore the CloudGen Firewall or Secure Access Controller

Go to CONFIGURATION > Configuration Tree.
Right-click Box and select Restore from PAR file. Select the required PCA / PPE / PAR / PGZ file.
If you are using a PCA file, enter the Password and click OK.
Click Activate.
Go to CONTROL > Box.
In the left navigation pane, expand Operating System and click Firmware Restart. Click Yes to confirm that you want to restart the subsystem.
Expand Network and click Activate new network configuration.
Activate the new network configuration:
- If you are continuing to use the same management IP address and management port, click Failsafe.
- If the new network configuration uses a new management IP address, click Activate Now.
  For information, see How to Activate Network Changes.

PAR files can also be created from the CLI. For more information, see How to Create PAR or PCA Files on the Command Line. If the PAR file should be used for the setup process, copy the PAR file to the USB flash drive that you will use for installation. You can only copy one PAR file on the USB flash drive. You must name the file as box.par.

Barracuda Firewall Control Center

Two PAR files are needed to back up your Firewall Control Center: the box layer box.par and the archive.par containing the Control Center configuration that includes all managed firewalls, the Secure Access Controller, and all Secure Connectors. You cannot restore a managed firewall from the archive.par directly.

If you are running a productive Control Center and a second Control Center for test purposes and both use the same configuration, you must change the Control Center ID on your test Control Center since the ID of each Control Center must always be unique. For more information, see How to Generate a New Control Center ID.

Back-Up the Control Center Box Layer

To back up the Firewall Control Center, you must create a PAR file for the box layer and the archive.par for the Control Center configuration.

Log into the box layer of the Control Center.
Go to CONFIGURATION > Configuration Tree.
Right-click Box and select Create PAR file. The Save As window opens.
Select the archive type:
- Encrypted PAR File (*.pca) (Default)
- PAR file (*.ppe)
- Cleartext PAR File (*.par)
- Compressed PAR File (.pgz)
If you selected Encrypted PAR file, the Password window opens.
Click Use Serial Number or enter the Password manually.

The box.par file is saved to your local hard drive.

Restore the Control Center Box Layer

To restore the Control Center:

Log into the box layer of the Control Center.
Go to CONFIGURATION > Configuration Tree.
Right-click Box and select Restore from PAR file. Select the required PCA / PPE / PAR / PGZ file.
If you are using a PCA file encrypted with a manual password, enter the Password and click OK.
Click Activate.
Go to CONTROL > Box
In the left navigation menu, expand Operating System and click Firmware Restart. Click Yes to confirm that you want to restart the subsystem.
Expand Network and click Activate new network configuration.
Select one of the following network configuration activation modes:
- If you are continuing to use the same management IP address and management port, click Failsafe.
- If the new management IP address and management port are different from the ones currently configured on the appliance, click Activate now.
  For information, see How to Activate Network Changes.

IMPORTANT: Before backing up or restoring the Control Center configuration, you must enable the CDDB service on the Control Center at CONFIGURATION > Configuration Tree > Infrastructure Services > CC Database.

As an alternative to the following two steps, you can back up and restore the Control Center configuration with the cctool.
For more information, see How to Back Up and Restore CC Archive PAR Files on the Command Line.

Back-Up the Control Center Configuration

Log into the Control Center.
Go to CONFIGURATION > Configuration Tree.
Right-click the Multi-Range and select Create PAR file.
The Save As window opens.
Select the archive type:
- Encrypted PAR File (*.pca) (Default)
- PAR file (*.ppe)
- Cleartext PAR File (*.par)
- Compressed PAR File (.pgz)
If you selected Encrypted PAR file, the Password window opens.
Click Use Serial Number or enter the Password manually.

The archive.par file is saved to your local hard drive.

Restore the Control Center Configuration

In order to prevent the Control Center from accidentally sending configuration updates to the managed firewalls while restoring the PAR file, it is recommended to block the update process:

Log into the Control Center.
Go to CONTROL > Configuration Updates.
Right-click into the main display area of the window.
A list is displayed.
Select Block Update Process from the list.

It is now safe to restore the PAR file:

Go to the CONFIGURATION > Configuration Tree page. If you are prompted with warning messages, click no.
Right-click Multi-Range and select Restore from PAR file.
Select the required archive.par file.
(Optional) If the license has changed, you must also import the base license of the box layer on the Control Center. For more information, see How to Manually Install the Licenses for the Control Center.

If you are restoring the configuration of a Control Center that has been reinstalled after a system crash, you must also restore the configurations of the appliances that it manages.

After restoring the PAR file, configuration updates must be unblocked:

Go to CONTROL > Configuration Updates.
Right-click into the main display area of the window.
A list is displayed.
Select Unblock Update Process.

Managed CloudGen Firewalls and Managed Secure Access Controller

To back up and restore the configuration of a CloudGen Firewall or Secure Access Controller that is managed by the Control Center, you must create a PAR file in the Control Center and then recover the managed firewall directly.

Back-Up the Managed CloudGen Firewall or the Managed Secure Access Controller

Log into the Control Center.
Click the CONFIGURATION tab.
In the Configuration Tree, navigate to the range and cluster for the CloudGen Firewall or the Secure Access Controller.
Expand Boxes, right-click the CloudGen Firewall or the Secure Access Controller, and select Create PAR file for box.
Select the archive type:
- Encrypted PAR File (*.pca) (Default)
- PAR file (*.ppe)
- Cleartext PAR File (*.par)
- Compressed PAR File (.pgz)
If you selected Encrypted PAR file, the Password window opens.
If you selected Encrypted PAR file, click Use Serial Number or enter the Password manually.
Save the PAR file to your local hard drive.

Restore the Managed CloudGen Firewall or the Managed Secure Access Controller

Log into the CloudGen Firewall or the Secure Access Controller.
Go to the CONFIGURATION > Configuration Tree page.
Right-click Box and select Restore from PAR file. Select the PAR or PCA file you previously created for this firewall in the Control Center.
If you are using a PCA file encrypted with a manual password, enter the Password and click OK.
Click OK to confirm the Emergency Override warning message.
Click Activate.
Go to the CONTROL > Box page.
In the left navigation pane, expand Operating System and click Firmware Restart. Click Yes to confirm that you want to restart the subsystem.
Expand Network and click Activate new network configuration.
Select one of the following network configuration activation modes:
- If you are continuing to use the same management IP address and management port, click Failsafe.
- If the new management IP address and management port are different from the ones currently configured on the appliance, click Activate now.
  For information, see How to Activate Network Changes.