
[JSA/STRM] Backup and Restore process


Article ID: KB12104 | KB Last Updated: 24 Jun 2020 | Version: 14.0
Summary:

This article provides information on the backup and restore processes in Juniper Secure Analytics (JSA), formerly known as Security Threat Response Manager (STRM).

Symptoms:

Information must be backed up before re-imaging/upgrading the device. The backup types consist of configuration (config) and data backups. The default installation only backs up the configuration. If you would like to disable backups or enable data backups, you can do so by navigating to the backup configuration page: Admin tab > Backup and Recovery > Configure.

Solution:

See the Administration Guide for more information.

Note: Config backup is a full backup, whereas data backup is incremental.

For versions earlier than 2013.1r3:

Note that you can only restore a config backup that has the same Appliance ID, Build, and Patch Level that the backup was created from. For example, if you have created a config backup file with an Appliance ID of 3100/Build 2009.1/Patch 5, you can only restore the config in a matching environment with an Appliance ID of 3100/Build 2009.1/Patch 5.

Furthermore, if the config is to be restored to another device, it must be of the same hardware, as the Appliance ID is tied to the hardware platform; that is, you cannot take a backup from an STRM500 and restore it on a JSA3800. In cases involving RMA, before restoring the config, you must first transfer your license to the new device via LMS, since the license information is tied to the serial number.

For a list of appliance IDs and types, see KB14832 - Appliance Name and Appliance ID Number Description List.

For versions 2013.1r3 and later:

The platform and functionality restrictions for restoring were lifted. The only restriction now is that the backup and restore must be on the exact same build version. That is, a 2013.1.r3.495292 backup can only be restored to 2013.1.r3.495292.

Backup Procedure

The configuration backup consists of:

  • Application configuration
  • Assets
  • Custom logos
  • Custom rules
  • Device Support Modules (DSMs)
  • Event categories
  • Flow sources
  • Flow and event searches
  • Groups
  • Index Management Information
  • License key information
  • Log sources
  • Offenses
  • Reference set elements
  • Store and Forward schedules
  • User and user roles information
  • Custom Dashboards
  • Vulnerability data
  • Certificates

Data backups consist of:

  • Audit log information
  • Event data
  • Flow data
  • Report data
  • Indexes

By default, only the configuration is backed up. Data backups must be manually enabled.

To enable Data Backup:

  1. Log on to the WebUI.
  2. Go to the Admin tab > Backup and Recovery > Configure (located at the top right hand corner).
  3. Select Configuration and Data Backup.
  4. Save the configuration.
  5. The data backup will start nightly at 2 AM.
  6. During daily data backups, the process reviews the data for the previous day and creates an archive file, which is written to the /store/backup/ directory.

Note: If your system has been running for a period of time, it has been collecting and storing data for the entire time period for which the retention setting is set.

The backup procedure only backs up data of the previous day, after it has been enabled; it does not retroactively create a backup of all existing data. Therefore, it is recommended that you enable backups, sooner rather than later, if required. If you require a one-time, full backup of STRM data, you must do this manually. All event and flow data is stored in the /store/ariel/ directory and this is the directory structure that you need to back up to save event and flow data.

Note: Currently, on-demand backup supports only config backup. The backups are stored under the '/store/backup' folder on your appliance. Backup files are saved by using the following format:

backup.<name>.<hostname>_<host ID>.<target date>.<backup type>.<timestamp>.tgz

Where:

  • <name> is the name associated with the backup.
  • <hostname> is the name of the system hosting the backup file.
  • <host ID> is the identifier for the system.
  • <target date> is the date that the backup file was created.
  • <backup type> is the type of backup. The options are data or config.
  • <timestamp> is the time that the backup file was created.

The backup needs to be copied to the remote server before re-imaging the appliance:

  1. Copy the latest Config, Db, and Data backups to a remote server using scp/ftp.
  2. Assuming that the IP address of the remote server is 10.10.10.1, the commands are:

    • # scp backup.nightly.strm-2500-1_2.07_10_2008.config.1223449342978.tgz root@10.10.10.1:/<path>
    • # scp backup.nightly.strm-2500-1_2.07_10_2008.db.1223449342978.tgz root@10.10.10.1:/<path>
    • # scp backup.nightly.strm-2500-1_2.07_10_2008.data.1223449342978.tgz root@10.10.10.1:/<path>

Restore Procedure

Once the appliance is re-imaged, log on to the console and follow the onscreen instructions to configure the IP address and root password. Make sure the IP address, gateway, hostname, and password are the same as they were before the re-image; if they differ, the config/data cannot be restored. Copy the backups from the remote server to the /store/backup folder on the appliance.

To restore configuration from backup:

  1. Log on to the WebUI.
  2. Go to the Admin tab > Backup and Recovery.
  3. Click the config backup that you wish to restore.
  4. Click Restore to restore the backup; this will restore the configuration.

To restore Event Data, Flow Data, and Reports Data from backup:

  1. Log in to your appliance, as root.
  2. Change the directory: cd /store/backup
  3. Identify the data files that you need to restore by reviewing the date stamps on the listed files. For example:
    root@csd6 /store/backup# ls
    backup.scheduled.csd6_2.07_03_2008.db.1204948866713.tgz
    backup.scheduled.csd6_2.07_03_2008.data.1208747105710.tgz
    backup.scheduled.csd6_2.07_03_2008.config.1208833492837.tgz
  4. Extract the files that you wish to restore. For example:
    # tar -zxPf backup.scheduled.csd6_2.07_03_2008.data.1208747105710.tgz

    Note: Make sure that the extraction command includes the P option, which ensures that the files are extracted to their original directory. In later versions of code where RedHat is running, use the following parameters: # tar -zxpvPf <filename>

  5. If you only wish to restore specific event, flow, or reporting data, you must also include an extraction path filter to limit the restored files, using the following commands:
    Event Data: tar -zxPf backup.<name>.<hostname>_<host ID>.<target date>.<backup type>.<timestamp>.tgz /store/ariel/events

    Flow Data: tar -zxPf backup.<name>.<hostname>_<host ID>.<target date>.<backup type>.<timestamp>.tgz /store/ariel/flows

    Reporting Data: tar -zxPf backup.<name>.<hostname>_<host ID>.<target date>.<backup type>.<timestamp>.tgz /store/reporting
  6. Verify that the files are restored by investigating one of the restored directories:
    cd /store/ariel/flows/payloads/<yyyy/mm/dd>

    For example:

    #cd /store/ariel/flows/payloads/2008/3/31
    #ls
    0 1 10 11 12 13 14 15 16 17 18 19 2 20 21 22 23 3 4 5 6 7 8 9
  7. You can view the restored directories that are created for each hour of the day. If directories are missing, this may indicate that no data was captured for that time period.
  8. Continue this process for each backup file that you wish to restore. If there are 49 backups, this process must be repeated 49 times; to make this task easier, you can script the process.
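A helper script, added here as an example and not part of Juniper's documentation or tooling, that parses the backup file-name format given above and automates steps 4 to 8 for every data backup of one target date. It assumes the backups sit in /store/backup (overridable through BACKUP_DIR), that it runs as root on the re-imaged appliance, and it invokes tar with -zxPf exactly as in step 4.

```shell
#!/bin/sh
# Added helper (not Juniper's tooling) for steps 4 to 8 of the data restore: parse
# the backup file name and extract every data backup for one target date. Assumes
# the format backup.<name>.<hostname>_<host ID>.<target date>.<backup type>.<timestamp>.tgz
# and that it runs as root on the re-imaged appliance.
BACKUP_DIR="${BACKUP_DIR:-/store/backup}"   # where the nightly backups are written

# backup_field FILE FIELD -> prints one field of the backup file name.
# FIELD is one of: name hostname hostid date type timestamp
backup_field() {
    bn=$(basename "$1" .tgz); field=$2
    oldifs=$IFS; IFS=.; set -- $bn; IFS=$oldifs   # split the name on its dots
    # $1=backup $2=name $3=hostname_hostid $4=target date $5=type $6=timestamp
    if [ "$#" -ne 6 ] || [ "$1" != backup ]; then
        echo "unexpected backup file name: $bn" >&2; return 1
    fi
    case $field in
        name)      echo "$2" ;;
        hostname)  echo "${3%_*}" ;;    # drop the trailing _<host ID>
        hostid)    echo "${3##*_}" ;;
        date)      echo "$4" ;;
        type)      echo "$5" ;;
        timestamp) echo "$6" ;;
        *)         echo "unknown field: $field" >&2; return 1 ;;
    esac
}

# restore_data_backups TARGET_DATE [PATH_FILTER]
# Extracts every data backup of TARGET_DATE (e.g. 07_03_2008) with tar -zxPf, so files
# land in their original /store paths; PATH_FILTER (e.g. /store/ariel/events) limits
# the restore as in step 5. Returns 1 if no data backup matched the date.
restore_data_backups() {
    want=$1; filter=${2:-}; n=0
    for f in "$BACKUP_DIR"/backup.*.tgz; do
        [ -e "$f" ] || continue                       # glob matched nothing
        [ "$(backup_field "$f" type)" = data ] || continue
        [ "$(backup_field "$f" date)" = "$want" ] || continue
        echo "restoring $f"
        tar -zxPf "$f" $filter || return 1            # unquoted: empty filter = whole archive
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# verify_hours DIR -> prints how many hourly subdirectories (0..23) DIR holds,
# the check from steps 6 and 7 for e.g. /store/ariel/flows/payloads/2008/3/31.
verify_hours() {
    n=0; for h in "$1"/*; do [ -d "$h" ] && n=$((n + 1)); done
    echo "$n"
}
```

Run restore_data_backups once per target date instead of repeating step 4 by hand, and pass /store/ariel/events, /store/ariel/flows or /store/reporting as the second argument to restore only that data set.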

Verify that the restored data is available:

  1. Log on to the WebUI.
  2. Click the Log Activity or Network Activity tab.
  3. Select Search > Edit Search from the drop-down list; the search window is displayed.
  4. In the Time Range box, select the Specific Interval option.
  5. Specify the date of the data that you just restored.
  6. Click Filter.
  7. View the results to verify the restored data.
Modification History:
2020-06-22: Added reference to KB14832 under solution.
2020-02-26: Article reviewed and updated for accuracy; minor, non-technical changes made
2017-03-31: Updated note in step 4, under the section, "To restore Event Data, Flow Data, and Reports Data from backup".

 
