Backup and restore


You can create a backup of the AppGate ZTNA system in two ways:

  • Create a snapshot of a virtual machine, which saves the Appliance configuration and file system.

  • Use sdpctl to perform a backup and then use the cz-restore utility and the appropriate backup file to recreate an equivalent system on a fresh, non-activated appliance.

Backing up a Collective using sdpctl

sdpctl performs an orchestrated backup of some or all of the appliances in a Collective. It remotely triggers the backup and then downloads the files locally. When complete, the backups are placed in a folder (appgate_backup_xxxxx) in the directory where sdpctl was run, with one file for each appliance specified.

NOTE

Before starting the backup, ensure you have sufficient space. sdpctl will estimate the required disk size and proceed only if there is enough space.

Before restoring an appliance, note the passphrase you established in the Controller admin UI in the Global Settings form (Settings > Global Settings > General Appliance Settings). The files are encrypted with this passphrase. This allows an unprivileged user to perform a system backup and download, but they will not be able to access the backup data. The loss of the passphrase renders the backup files useless.

To restore an appliance:

Upload the appropriate backup file to the appliance using scp, sftp, or another suitable method, and run the restore process using sudo cz-config restore. The command will prompt you for the backup passphrase.

A backup can be restored on an appliance running on the same API version as the backup file up to API version + 2. For example, a backup taken on API version 19 can be restored on an appliance running versions 19, 20, and 21.

Next, you will use the cz-restore utility with the backup file to restore the appliance.

cz-restore (internal)

Use the cz-restore utility and the backup file on a fresh, non-activated appliance to recreate an equivalent system.

Note the following before performing a restore:

  • All current data on the appliance will be permanently destroyed.

  • The restore appliance version follows the same rules as the upgrade version rules. For example, if version A can only be upgraded to version B, then a restore can only be applied to A or B.

What to restore

  • Single Controller. Will restore from a backup file and generate a functional, single Controller.

  • Gateways. Gateways are stateless; the best practice for restoring a Gateway is to re-seed the appliance from the Controller through the Controller's Admin UI.

  • Additional Controllers.

    • You should only perform a restore when no Controllers are working. This will generate a functional, single Controller.

    • Other Controllers still shown in the Admin UI will need to be re-enabled and then re-seeded. Go to System > Appliances, create any additional Controllers required, and download the required seed files.

    • If one Controller is still working, best practice is to deactivate and re-seed to make any additional Controllers.

The default restore assumes no passphrase was used. If the backup was encrypted with a passphrase, supply it by using OPTIONS.

To perform a restore:

  1. Sign in to the Controller using SSH.

  2. Run the restore command:

sudo cz-restore [OPTIONS] FILENAME

OPTIONS

-h, --help

Print help and exit.

--passphrase-file

Followed by the name of the file that contains the passphrase. For example, you can add the line thisismypassphrase to a suitable file such as /etc/restore.

--keep-host-network

Uses the current network configuration instead of the configuration in the backup file.
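The following pre-restore checks are an added example, not part of the AppGate tooling: they apply the "same API version up to API version + 2" rule described earlier and confirm that the file passed to --passphrase-file is readable only by its owner before printing the cz-restore command. The function names and the owner-only (0600) requirement are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-restore checks. Function names are hypothetical.

# Succeeds when a backup taken on API version $1 can be restored on an
# appliance running API version $2 (same version up to version + 2).
api_compatible() {
    for _n in "$1" "$2"; do
        case $_n in ''|0?*|*[!0-9]*) return 2 ;; esac  # plain decimals only
    done
    [ "$2" -ge "$1" ] && [ "$2" -le $(($1 + 2)) ]
}

# Writes the passphrase read from stdin to file $1, owner-only (0600).
write_passfile() {
    rm -f -- "$1"                  # drop any older, possibly looser copy
    ( umask 077 && cat > "$1" ) && chmod 600 "$1"
}

# Succeeds only when $1 is a regular file, not a symlink, with no
# group or other permission bits set.
passfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Prints the restore command only when every check passes.
# $1 backup API, $2 appliance API, $3 passphrase file, $4 backup file.
restore_preflight() {
    if ! api_compatible "$1" "$2"; then
        echo "refuse: API $2 cannot take a backup from API $1" >&2; return 1
    fi
    if ! passfile_is_private "$3"; then
        echo "refuse: $3 must be a regular file with mode 0600" >&2; return 1
    fi
    printf 'sudo cz-restore --passphrase-file %s %s\n' "$3" "$4"
}

# Demo using the page's example: a backup taken on API version 19.
for ver in 18 19 20 21 22; do
    if api_compatible 19 "$ver"; then echo "API $ver: restore allowed"
    else echo "API $ver: restore refused"; fi
done
```

Delete the passphrase file once the restore has completed so the passphrase does not remain on the appliance's disk.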