Backup/Restore Zenarmor Configuration and Policies on OPNsense

A software or hardware malfunction, a human-caused event, or even natural calamities such as floods, fires, earthquakes, or tornadoes can result in a total system wipeout. Such events often occur when we least expect them or are least prepared for them. A backup keeps your data accessible in the event of data loss or corruption: you can only recover data from a previous point in time if you have a backup.

Configuration and policy files for Zenarmor can be backed up manually at any time via the OPNsense web GUI. After your backup has been completed, it can be transferred to a distinct medium with a single click to reduce the risk of data loss in the future.

It is recommended that you create backup copies on a consistent and regular basis. The longer the interval between backup copies, the greater the risk of data loss when recovering from a failure. Regular backups protect your data and allow your system to rapidly recover and resume operation.

The Zenarmor Backup & Restore page allows you to perform the following tasks:

  1. Backup Zenarmor Configuration
  2. Restore Zenarmor Configuration

Backup Zenarmor Configuration

You can easily back up the Zenarmor configuration and policy files by following the steps below:

  1. Navigate to Zenarmor > Settings > Backup & Restore on your OPNsense GUI.

    Figure 1. Zenarmor Backup & Restore

  2. Click the Generate Backup button to create a new Zenarmor backup file.

  3. When you click the Generate Backup button on the Backup & Restore page, a Generate Backup dialog window opens. This window allows you to create a backup of the current Zenarmor configuration for firewall restoration.

    Figure 2. Backup File Without Encryption

  4. You can encrypt the backup file by switching on the Encrypt backup file toggle button in the Generate Backup dialog. If encryption is enabled, you must enter and confirm a password.

    Figure 3. Backup File Encryption is Enabled

    info

    When the backup file encryption is enabled, CA certificates are included in the backup file. If encryption is disabled, CA certificates are not included.

  5. Click the Generate Backup button to start the backup operation. Once the process is completed, the backup file appears in the backup list on the Backup & Restore page.

    Encrypted backup files are marked with a lock icon in the list, while unencrypted backups are listed without an icon.

    Figure 4. Backup File Encryption is Enabled

note

By default, backup files are stored on the firewall itself and can be viewed in the Backup Files pane at the bottom of the page. It is strongly recommended to download the backup file to your local disk or an external storage device. Otherwise, a fresh installation or system reset will permanently remove all locally stored backup files from the Zenarmor GUI.

Restore

On the Zenarmor Backup & Restore page, the Backup Files pane contains the existing backup files in the system and the file operation buttons. You can view the detailed file information (date of the backup and whether the file is encrypted or not) in this panel. You may execute the following backup file operations on the Zenarmor Backup & Restore page:

  • Upload
  • Restore
  • Download
  • Delete

You can either upload a backup file from your local disk or select one of the backup files stored on your OPNsense system to restore the Zenarmor configuration and policy files.

Restore by Uploading Backup File

You can easily restore your Zenarmor configuration and policy files from your local disk by following the steps below:

  1. Navigate to Zenarmor > Settings > Backup & Restore on your OPNsense GUI.

  2. Click Browse Backup File in the Restore pane to start the restore operation by uploading a backup file from your local disk.

    Figure 5. Uploading a Backup File

  3. Select the backup file and click Open to upload it. This will open a dialog box asking for Restore Parameters.

    Figure 6. Selecting Restore Parameters

  4. If the backup file is encrypted, the Restore Backup window asks for the encryption password. Fill in the password field.

  5. Select the proper option for the Restore Option. You can either restore all configuration files or only policy and rule files from the backup file.

  6. By default, license data is excluded from the restore operation. To restore it, switch off the toggle button in the window.

  7. By default, Zenconsole cloud settings are excluded from the restore operation. To restore them, switch off the toggle button in the window.

  8. By default, CA certificates are included in the restore operation. To exclude them, switch on the Exclude CA certificate toggle button.

  9. Click the Restore button in the Restore Parameters window. If all goes well, a notification message is displayed at the bottom right of the page.

note

If the firewall is registered to an organization, a warning message is displayed indicating that centrally managed settings restored from the backup may be overwritten during the next update.

Figure 7. A Warning Message

Restore by Selecting Backup File Stored on OPNsense

You can easily restore your Zenarmor configuration and policy files from your OPNsense disk by following the steps below:

  1. Navigate to Zenarmor > Settings > Backup & Restore on your OPNsense GUI.

  2. Select a file listed in the Backup Files pane.

  3. Click the Restore button under the Actions column corresponding to the selected backup file.

    Figure 8. Restoring a Backup File on OPNsense

  4. This action opens the Restore Backup dialog.

    Figure 9. Selecting Restore Parameters

  5. If the backup file is encrypted, the Restore Backup window asks for the encryption password. Fill in the password field.

  6. Select the proper option for the Restore Option. You can either restore all configuration files or only policy and rule files from the backup file.

  7. By default, license data is excluded from the restore operation. To restore it, switch off the toggle button in the window.

  8. By default, Zenconsole cloud settings are excluded from the restore operation. To restore them, switch off the toggle button in the window.

  9. By default, CA certificates are included in the restore operation. To exclude them, switch on the Exclude CA certificate toggle button.

  10. Click the Restore button in the Restore Backup window. If all goes well, a notification message is displayed at the bottom right of the page.

note

If the firewall is registered to an organization, a warning message is displayed indicating that centrally managed settings restored from the backup may be overwritten during the next update.

Figure 10. A Warning Message

Downloading a Backup File

You can download the backup files stored on your OPNsense system to your local disk by following the steps below:

  1. Navigate to Zenarmor > Settings > Backup & Restore on your OPNsense GUI.

  2. Locate the desired backup file in the Backup Files pane.

  3. Click the Download button under the Actions column corresponding to the selected backup file.

    Figure 11. Downloading a Backup File on OPNsense

Deleting a Backup File

You can delete the backup files stored on your OPNsense system by following the steps below:

  1. Navigate to Zenarmor > Settings > Backup & Restore on your OPNsense GUI.

  2. Locate the desired backup file in the Backup Files pane.

  3. Click the Delete button under the Actions column corresponding to the selected backup file.

    Figure 12. Deleting a Backup File on OPNsense

  4. A confirmation dialog is displayed to prevent accidental deletion.

    Figure 13. Confirmation for Deleting a Backup File on OPNsense

  5. Click the Delete button to confirm and permanently remove the backup file from the OPNsense disk.

CLI Backup Restore

Starting with Zenarmor version 1.9.2, backup files can be restored via the Command Line Interface (CLI).

Provide the following to the restore script, in this order:

  1. Locate the CLI.php file

    cd /usr/local/opnsense/mvc/app/models/OPNsense/Zenarmor/

  2. Call the CLI.php file

  3. Restore

  4. Locate the backup file

  5. Type the password for restoring

  6. Provide the restore option (all | rule). Type “rule” if you only want to restore firewall rules

  7. Provide the License Exclusion option (true | false)

USAGE

[CLI.php] [restore] [Backup FILE path] [isEncrypted true,false] [pass 'a*1',''] [option 'all','rule'] [license Exclude true,false]

Sample usage for non-encrypted files

php /usr/local/opnsense/mvc/app/library/OPNsense/Zenarmor/CLI.php restore /root/zenarmor-backup-OPNsense.localdomain-1625074552.tar.gz false '' all true

Sample usage for encrypted files

php /usr/local/opnsense/mvc/app/library/OPNsense/Zenarmor/CLI.php restore /root/zenarmor-backup-OPNsense.localdomain-1625086767.tar.gz.enc true '123456' all true
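A wrapper for the restore call shown above, as an added example that is not part of the Zenarmor documentation or code. It assumes the CLI.php path from the sample commands and that the file suffix (.tar.gz or .tar.gz.enc) reflects whether the backup is encrypted, as in those samples; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Zenarmor code): validate the restore arguments and
# prompt for the password instead of typing it on the command line.
# Assumption: CLI.php lives at the path used in the page's sample commands.
CLI=/usr/local/opnsense/mvc/app/library/OPNsense/Zenarmor/CLI.php

# Derive the isEncrypted argument from the file name. Assumption: names
# follow the page's samples (.tar.gz = plain, .tar.gz.enc = encrypted).
zen_is_encrypted() {
    case "$1" in
        *.tar.gz.enc) echo true ;;
        *.tar.gz)     echo false ;;
        *)            return 1 ;;
    esac
}

# Check file name, restore option and license-exclude flag before any
# restore is attempted. Returns 2 on invalid input.
zen_check_args() {  # file option license_exclude
    zen_is_encrypted "$1" >/dev/null ||
        { echo "unexpected backup file name: $1" >&2; return 2; }
    case "$2" in
        all|rule) ;;
        *) echo "option must be 'all' or 'rule'" >&2; return 2 ;;
    esac
    case "$3" in
        true|false) ;;
        *) echo "license exclude must be 'true' or 'false'" >&2; return 2 ;;
    esac
}

# Run the restore with the argument order from the samples:
# restore <path> <isEncrypted> <password> <option> <isLicenseExclude>
zen_restore() {  # file option license_exclude
    zen_check_args "$@" || return
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    enc=$(zen_is_encrypted "$1")
    pass=''
    if [ "$enc" = true ]; then
        printf 'Backup password: ' >&2
        trap 'stty echo' INT            # restore terminal echo on Ctrl-C
        stty -echo; IFS= read -r pass; stty echo
        trap - INT; echo >&2
    fi
    php "$CLI" restore "$1" "$enc" "$pass" "$2" "$3"
    rc=$?
    unset pass
    return "$rc"
}
```

Prompting keeps the password out of the shell history, but because CLI.php takes it as a positional argument it is still part of the php process's argument list while the restore runs.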

Sample usage output of CLI.php

# php /usr/local/opnsense/mvc/app/library/OPNsense/Zenarmor/CLI.php usage

Command Args
#######################################################
sample-report
notice-mtu interfaces*
notice-interface_not_exists interfaces*
notice-scheduled_report_mail_send_error
notice-rss_enabled
notice-license_expired_warning
notice-license_expired
notice-license_conflict
notice-license_revoked
notice-license_cancelled
notice-mongo_arc_install action*
notice-elastic_arc_install action*
notice-campaign data
notice-new_db_version version*
dashboard-cache
migrate
migratewebcat
migrate-config-xml removeSensei*
setpoliciestocloud
config2db
licensedel
licenseActivation isRestart
setlicense activationKey* force
setlicensesize
configurelicensefeature
restore path* isEncrypted* password option* isLicenseExclude*
scheduled-service-control
generate-static-file
onboot service* status*
crons action*
reset
aliases
reload
deletesettings
sysctl mode*
bufsysctl
setClusterUUID
isGlobal
setretireafter keep
saveload
wanlist
setflavor
saveDbConfigES
saveDbConfigSQ path*
saveDbConfig dbType* retireDay* deploymentSize*
setbypass enabled* mode*
setdnsenrichment servers* reverse*
setrestapi enabled*
setswap
setcloudthreatintel domains* enabled*
setCloudRegister uuid* adminEmail*
sethealth healthCheck* healthShare* heartbeatMonitor*
settimestamp
setscheduledreport data*
setscheduledreportchart data*
sendsamplescheduledreport data*
fillscheduledreportchart
setRetireAfterfromCloud maxRetireDay*
setPrivacy data*
setblocknotification status*
setinterface iface*
checkOfLoading
removeRegister
setCustomerId
health-check
resetreportingES
setStreaming data*