Backup and Restore
The system provides the ability to save device configurations and restore them when needed. Saving a configuration creates a backup of current settings, which can later be applied to the same unit or another device of the same type. Restoring a saved configuration eliminates the need for manual reconfiguration, which can be time-consuming and prone to errors. This feature is particularly useful in scenarios such as:
- Device Replacement: When a unit is replaced, restoring the saved configuration ensures the new device operates with the same settings as the previous one.
- Returning to a Known State: If changes have been made and a stable, tested configuration is required, restoring from a backup provides a quick and reliable solution.
Using this functionality streamlines maintenance tasks and helps maintain a stable and predictable network environment.
Backup and Restore via Web Interface
Note
If the restored configuration includes a different IP address, the current session will not redirect automatically.
To create a backup of the current running configuration or restore a previously saved configuration, navigate to Maintenance and open the Backup & Restore page.
- Backup Configuration: Click Backup to download a copy of the configuration.
- Restore Configuration: A previously saved configuration can be restored by uploading it to the device:
  - Click Choose File and select the configuration file.
  - Click Restore to upload and activate the configuration. The restoration process begins immediately.
Backup and Restore via CLI
Commands specified in Filesystem can be used to back up and restore a configuration file.
- Backup Configuration: Back up the configuration file to a network location using scp:
    example:/file/cfg/#> export backup.cfg proto scp user test_user password test_password 192.0.2.1
- Restore Configuration: Restore a configuration file from a network location using scp:
    example:/file/cfg/#> import proto scp user test_user password test_password 192.0.2.1 backup_remote.cfg backup.cfg
Restore Validation
The system can verify the integrity and correctness of a configuration file before restoring it. This ensures that the file is compatible and known to the device, reducing the risk of configuration errors and service disruptions. The verification checks include:
- Integrity validation: The file is compared with known checksums that were created and stored in the device, see Configuration Integrity.
- Syntax validation: Checks the file for any structural or syntax errors or inconsistencies. This is done by validating the file against the provided JSON schema.
- Semantic validation: Verifies that the dataset conforms to certain logical rules.
Auditable events are created upon a restore event. Always check the audit log for errors in applying the configuration and for a failed integrity check. These events are described in Backup Restore Events and Configuration Integrity Events.
Manually check configuration integrity
If an unknown configuration file is restored, such as one older than the last five entries or created outside the device, it is recommended to manually verify its integrity. This can be done by comparing the hash of the running or startup configuration with the hash of the external backup file.
The startup and running configuration SHA-256 hashes are available in the Web interface under Status -> System -> Details or through the CLI command show config-hash:
    example:/#> show config-hash
    Running Configuration hash: 918319e1b9a8ba78ffb079d169e0a03bdda9ba676f738ecbb340a5a26bd64e4b
    Startup Configuration hash: 918319e1b9a8ba78ffb079d169e0a03bdda9ba676f738ecbb340a5a26bd64e4b
To verify the integrity of the backup configuration, compare the resulting SHA-256 hash with the hash of the backed-up configuration file, which can be generated with the following commands:
- Windows:
    C:\> certutil -hashfile backup.cfg SHA256
    SHA256 hash of backup.cfg:
    918319e1b9a8ba78ffb079d169e0a03bdda9ba676f738ecbb340a5a26bd64e4b
- Linux:
    $ sha256sum backup.cfg
    918319e1b9a8ba78ffb079d169e0a03bdda9ba676f738ecbb340a5a26bd64e4b  backup.cfg
Manually check configuration integrity prior to restore
Before performing a restore, it is possible to verify integrity by comparing the stored configuration hash on the device with the hash of the externally backed-up file. Backup events can be reviewed in the audit log. In this example, the internal log buffer is used. Compare the SHA-256 hash of the external backup file with the corresponding hash displayed in the table to verify its integrity.
The external backup file hash can be found via the following command:
- Windows:
    C:\> certutil -hashfile backup.cfg SHA256
    SHA256 hash of backup.cfg:
    918319e1b9a8ba78ffb079d169e0a03bdda9ba676f738ecbb340a5a26bd64e4b
- Linux:
    $ sha256sum backup.cfg
    918319e1b9a8ba78ffb079d169e0a03bdda9ba676f738ecbb340a5a26bd64e4b  backup.cfg
Compare the resulting hash with the backup hashes stored in the device, using the audit search function. The configuration file hashes are stored under event ID 0x8000000000040000, see Configuration Integrity Events:
    example:/audit/#> search 0x8000000000040000
    SEQ  Time                 Level/Facility   USER/ROLE    Event                                           EventID             Message
    154  2025-11-23 10:42:14  Notice/Security  root/system  Configuration Integrity - Update Integrity  0x8000000000040000  Update running-config [918319e1b9a8ba78ffb079d169e0a03bdda9ba676f738ecbb340a5a26bd64e4b]
    157  2025-11-23 10:42:14  Notice/Security  root/system  Configuration Integrity - Update Integrity  0x8000000000040000  Update startup-config [918319e1b9a8ba78ffb079d169e0a03bdda9ba676f738ecbb340a5a26bd64e4b]
    200  2025-11-23 10:47:55  Notice/Security  root/system  Configuration Integrity - Update Integrity  0x8000000000040000  Update running-config [9ba8b96f251d3d216874267ef60c60eec2b859e110cd73356ad85e0827fd81ff]
    202  2025-11-23 10:47:56  Notice/Security  root/system  Configuration Integrity - Update Integrity  0x8000000000040000  Update startup-config [9ba8b96f251d3d216874267ef60c60eec2b859e110cd73356ad85e0827fd81ff]
    245  2025-11-23 10:48:19  Notice/Security  root/system  Configuration Integrity - Update Integrity  0x8000000000040000  Update running-config [ed7fdf0f94eee30d92f61f48fd0a5be6a3faf0bdeb5824681c85cffd13f68918]
    247  2025-11-23 10:48:20  Notice/Security  root/system  Configuration Integrity - Update Integrity  0x8000000000040000  Update startup-config [ed7fdf0f94eee30d92f61f48fd0a5be6a3faf0bdeb5824681c85cffd13f68918]
    418  2025-11-23 11:06:46  Notice/Security  root/system  Configuration Integrity - Update Integrity  0x8000000000040000  Update running-config [110fee8e8714433279b9107d30a7e7429d79b74111f76039563e8050cecf313c]
    420  2025-11-23 11:06:47  Notice/Security  root/system  Configuration Integrity - Update Integrity  0x8000000000040000  Update startup-config [110fee8e8714433279b9107d30a7e7429d79b74111f76039563e8050cecf313c]
Automate configuration integrity check
SNMP provides access to hashes for both the running and startup configurations. An external system can retrieve these hashes via SNMP and compare them with the hashes of stored backup files. This comparison verifies that the external backup matches the device’s current configuration.
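The comparison described in the two sections above, as an added Python example that is not part of the product documentation: it parses saved `search 0x8000000000040000` output, hashes a backup file, and reports whether the file matches the newest recorded hash, an older one, or none. The function names are hypothetical and the line layout is assumed from the audit output on this page; in the SNMP case the device-side hash would come from the SNMP query instead, which is not shown because the page does not list the OIDs.

```python
import hashlib
import re

EVENT_ID = "0x8000000000040000"  # Configuration Integrity event ID quoted on this page

# Sample input: four lines copied from the audit search output shown on this page.
SAMPLE_AUDIT = """\
154 2025-11-23 10:42:14 Notice/Security root/system Configuration Integrity - Update Integrity 0x8000000000040000 Update running-config [918319e1b9a8ba78ffb079d169e0a03bdda9ba676f738ecbb340a5a26bd64e4b]
157 2025-11-23 10:42:14 Notice/Security root/system Configuration Integrity - Update Integrity 0x8000000000040000 Update startup-config [918319e1b9a8ba78ffb079d169e0a03bdda9ba676f738ecbb340a5a26bd64e4b]
418 2025-11-23 11:06:46 Notice/Security root/system Configuration Integrity - Update Integrity 0x8000000000040000 Update running-config [110fee8e8714433279b9107d30a7e7429d79b74111f76039563e8050cecf313c]
420 2025-11-23 11:06:47 Notice/Security root/system Configuration Integrity - Update Integrity 0x8000000000040000 Update startup-config [110fee8e8714433279b9107d30a7e7429d79b74111f76039563e8050cecf313c]
"""

# Assumed layout: SEQ first, then the event ID followed by "Update <target> [<sha256>]".
LINE_RE = re.compile(
    r"^\s*(\d+)\s.*?" + re.escape(EVENT_ID)
    + r"\s+Update\s+(running-config|startup-config)\s+\[([0-9a-fA-F]{64})\]\s*$")


def parse_integrity_events(text):
    """Return (seq, target, sha256) tuples for every integrity update line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header rows, prompts and unrelated events are skipped
            events.append((int(m.group(1)), m.group(2), m.group(3).lower()))
    return events


def sha256_of_file(path):
    """Hash the backup file in chunks, like sha256sum or certutil -hashfile."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def classify_backup(backup_sha, events, target="running-config"):
    """CURRENT: equals the newest recorded hash; KNOWN_OLDER: equals an earlier
    one; UNKNOWN: never recorded for this target in the supplied events."""
    backup_sha = backup_sha.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", backup_sha):
        raise ValueError("expected a 64-character SHA-256 hex digest")
    history = sorted(e for e in events if e[1] == target)  # ordered by SEQ
    if not history:
        return "UNKNOWN"
    if history[-1][2] == backup_sha:
        return "CURRENT"
    return "KNOWN_OLDER" if any(e[2] == backup_sha for e in history) else "UNKNOWN"
```

Typical use is `classify_backup(sha256_of_file("backup.cfg"), parse_integrity_events(saved_output))`; an `UNKNOWN` result is the case the page says to verify manually before restoring.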