feature request - firewall config backup and restore
Yesterday, Blue went out for the 1st time. After reading up on how to recover, the reflash worked and I had to pair and update the device names and rules again.
A way to download the config and use the same config to update a new Firewalla would be nice. I mean, if you've got quite a few devices like IoT that will each have to be renamed in the device list, and rules recreated or approved again, a config file would make recovery easier.
-
I realize this is a less than ideal solution (more of a work around).
Not sure about iPhones, but there are several apps on the Google Play store that can selectively back up an app's data.
Effectively, you can create a backup of the firewalla app complete with storage data and cache.... Then use the same app to restore that backup to your phone and then use the firewalla restore function.
I agree we shouldn't need to jump through these hoops for something so basic, but at least this provides a rudimentary way of backing up a known good config.
I should add that when I tested this, I immediately restored within minutes of performing the backup. I can confirm that a restore took place, I cannot 100% confirm it was my backup image which was restored. However, if it was not my backup, then where would the config have been restored from? The only other possibility would be if all or part of the config is stored in the cloud and simply pulled down through the app. I don't think this is the case. But has it ever been officially stated that the config isn't stored in the cloud?
And if it is stored in the app, how do multiple phones sync that config?
-
Yes. Updated backup is part of Google native backup solution. Third party apps just offer more granularity.
I do intend on testing the backup again with various changes before the restore point. But my testing time is limited by family and work obligations. And the family internet usage further limits the available time windows.
-
Having to even dream up these workarounds for a BASIC feature is absolutely mind boggling. Firewalla product managers really need to get a grip of what their user base needs. Offline backup/restore is a BASIC feature. I'm personally telling anyone I know interested in Firewalla to NOT buy the product while such a "CIA" feature is missing.
-
@brian AND we need a FULL LOCAL web management interface. Apps do NOT cut it in 2023. It's absurd we can't do proper backups AND configure it via a local web admin interface. I really have NO idea what the Firewalla product managers are thinking. Clearly they have NO CLUE how people want to use security appliances.
-
My app works just fine, it is simple, easy, and gets things done, this is the reason I bought firewalla! I see no point in going backward and making a web interface, there are plenty of those out there that probably require manpages. If you do want something complex, go with csco, or palo alto, and good luck... I use these at work, and when I am home, my firewalla is just what I need.
-
@1980cyber, as a career cyber professional, I am shaking my head at your comment.
I too want my home devices to minimize the amount of time I have to work on my home system.
A device without a backup is a big problem waiting for a time to occur. A problem that will cost many hours of home life to recover from. A cost that can be avoided with regular backups.
There is nothing "complex" about an automated backup. And clicking Restore is infinitely simpler than spending hours rebuilding your config from scratch *when* it fails. And it absolutely will fail.
@firewalla - You just don't get it. It is not sufficient to have one copy of the running config. If that config becomes corrupted for any reason (including user error) you must rebuild from scratch.
The MINIMUM acceptable for a network device of this complexity is a running config, a boot config, the ability to copy run to boot, and the ability to export the boot config.
Any less and you have an insecure design.
-
I just spent hours the last two days resetting up my firewalla at our facility. Something crashed over the weekend, and had no backup to go to except a file that was a corrupted backup. WE NEED THE OPTION TO DO BACKUP TO A USB DEVICE OR CLOUD. Even Linksys and Netgear offer such on their routers.
-
@firewalla - somewhere I read that you said the active or current configuration was stored "in" the app.
IF that is true then there is a 3rd party iOS app named iMazing that allows me to save (backup) an app from my iPhone to my computer (when the iPhone is cabled to that Mac). And to reinstall that saved app from within their iMazing app. They have this functionality in case someone needs an older version of an app or IF an app is no longer available on the App Store.
It sounds to me that this would/could/might work to save the firewalla app onto a computer and then allow a person to download another copy of the firewalla app from the App Store onto their iPhone, and then try setting up a reset Firewalla box (a Purple SE in my case) using that new installed Firewalla app. And IF things did not go well when trying new configurations on the Firewalla box, then they could sort of clean off, reset etc. install that prior firewalla app version using iMazing and restore the prior configuration from "within" that "older" firewalla app copy, using this process ... which hopefully would restore the firewalla box to its previous state.
Of course IF a lot of the configuration data is stored in the cloud, then who knows what might happen....
What say ya @firewalla ????
-
The configuration data is stored inside your APP, and a copy is also stored on the box. If you want more backup, you can always pair another phone, MAC (with Mx chip), Pad ...
The reason we are only limiting these options is to ensure we don't have to deal with old copies of configuration data. Meaning you did a backup a few releases ago and now want to restore it. Usually, to make this successful, we will have to provide a pretty complex configuration migration strategy for every release. Usually these things are extremely difficult to implement and test ...
-
Whichever way you look at it, even the simplest router allows you to download the configuration file in case you have to import it after restoring.
A copy is made in the app, tomorrow for whatever reason, you lose that mobile, where you had the Firewalla app with your copy... and you have to restore it, and you lose EVERYTHING!
There is no option to download the file, not even to use cloud services such as iCloud in the iOS App and Google Drive in the Android App.
For the price it is worth, these shortcomings are not at all justifiable.
This was the main reason why I removed Firewalla from my network, because with a recovery, you can't do anything but start from scratch.
I will have a Firewalla again when you have fixed it, but seeing the initial date of this post and the current state, I doubt that will happen.
Let the user decide.
-
@firewalla - How can you claim to be a security company and write nonsense like that??
For one to lose the config all you have to do is:
A) Use your phone to make any change that crashes the device. The config on your phone and on your device are now corrupt and you have nothing to restore from.
B) Make any change that has negative consequences and not discover it immediately. When it is discovered you have no backup config, and no documentation of the previous config.
C) Have an event at your location that destroys both devices. Lightning, Fire, and flood are the most likely and they are common disasters.
Flood - This need not be any more serious than a busted pipe.
Fire - Even a relatively minor fire will result in the fire department soaking everything with water.
Lightning - All you need is an electrical storm while your phone is charging. And what do people who are expecting a power loss do? Charge their phones.
As for your statement, "to make this successful, we will have to provide a pretty complex configuration migration strategy for every release. Usually these things are extremely difficult to implement and test"
1) COTS (cheap off the shelf) consumer devices manage it. I think my Linksys WRT54G was $49. As did the free open source software that I loaded later.
2) Most network gear manages by using a text config and an interpreter.
3) All you need to do is backup the config and the firmware together and restore them simultaneously. Or make the old versions available and require that the config version match.
4) You are doing in place upgrades, which means you already have config migration working.
Backup 101:
- If you don't have an onsite backup of your current and last stable config, you don't have a backup.
- If you don't have three copies with one being off site, you don't have a backup.
- If you can't test a restore of a backup, you don't have a backup.
You clearly aren't interested in developing a viable backup feature. Own it and don't patronize your customers by making up absurd reasons why they don't need one.
-
Philip is exactly right! Literally every other networking/security product I use at home allows me to DOWNLOAD an OFFLINE configuration file, which I can back up and store wherever I want. I can then RESTORE the config at some point in the future, should I need it. This is basic IT 101. Firewalla clearly doesn't understand basic IT. My $75 Netgear switch supports offline config file backups. The fact Firewalla, which can cost almost 10x as much can't, is absolutely UNACCEPTABLE. And that Firewalla keeps peddling BS as to why they can't do backups is even worse. This is the #1 reason why I hesitate to fully recommend Firewalla to anyone. The lack of a full local web interface is another brain dead decision.
And not to mention, what's Firewalla's response to rolling back a config that caused a major issue? With any other network device I own, I can upload the last known GOOD config and voilà...I'm back. Not with Firewalla. But if I want to restore a config from, say a week ago, nope...I'm out of luck.
The responses here from Firewalla should be shocking and a massive red flag on how the product managers view IT, security, and change control. Clearly they don't understand ANY of those basic concepts when it comes to protecting the FW config. It's simply appalling.
-
And I would add, I have a $100 Hubitat home automation hub. This $100 home automation hub does backups right:
1) It does nightly file-based config backups to the internal storage of the Hubitat hub. You can then review past backups and RESTORE to any backup with a couple of clicks. It also lists the firmware version the backup is from.
2) At any time the admin can DOWNLOAD the nightly configuration backup (or do an on-demand manual backup) to their PC, and store/backup wherever they please. You can then, at any time, UPLOAD the config file and restore to a last known good state.
3) Hubitat offers a subscription based CLOUD backup that performs a NIGHTLY automated config backup. At any point in the future I can select any backup from the history list and do a one click restore. This also lists the firmware version used for the backup.
And mind you, this is for a $100 home automation hub that doesn't really perform any security functions. However, we have the $600+ Firewalla gold plus, costing literally 6x, and it doesn't have ANY way to perform an offline backup. That is downright unacceptable.
-
I can't believe after all this discussion nothing has been done about a way to perform a complete offline backup. We run a set of small offices (6 locations) each with a firewalla gold. I had one fail yesterday and had to swap in a spare unit. The migration of the config did not recreate the networks and several rules were missing. I am still messing with the configs to get everything working. This is the 3rd box to die and we actually have a process now to keep spares on hand for this.
Needless to say this year we are swapping them all out with another product. As others have said, I am warning anyone that asks to avoid the product. Some features are great, but this is not a business critical device.