feature request - firewall config backup and restore

Comments

52 comments

  • Avatar
    Andy

    I think the option to backup/restore a point in time would be valuable, maybe an auto backup when changes are made, and keep x amount of revisions.

    There may be times many changes are made, and you end up breaking something and cannot remember what the config was prior. Also having the option to export a backup just in case Firewalla is damaged, a restore can be done to a new unit.

    6
    Comment actions Permalink
  • Avatar
    Firewalla

    In this situation, as long as you have the app that paired with the old unit available, you can "restore" the config to a new unit.   (So the firewalla need not be 'live', as long as the app is there, the config is saved on the app storage)

    Anyway, we do understand config dump, it is on the list for sure.  

    5
    Comment actions Permalink
  • Avatar
    Mstormo

    Where are we on the 'config dump' feature? It would certainly be a benefit to be able to store this dump before trying to configure new services/setups through SSH, for example with the new and more capable Gold version.=

    4
    Comment actions Permalink
  • Avatar
    argentcove

    The auto-backup idea is interesting, but I wanted a way to save my complete config to a backup that I could restore at any time. I thought that was what this thread was all about?

    Any other decent router lets you backup the config to a downloadable file. After powering up my FWG for the first time, I was super disappointed that this feature was missing. It makes me less confident in making any significant configuration changes to my network.

    4
    Comment actions Permalink
  • Avatar
    EngNezar

    I agree with you @Lee backup and restore should be a default feature for any device.

    wish it'll be released soon.

    4
    Comment actions Permalink
  • Avatar
    lee

    that's a different use case scenario. that's for migrating from a live firewalla to another live firewalla.

    the scenario i had in mind is to recover the firewalla from a config file or backup file.

    picture a remote office using blue, it goes down. it's then reflashed and paired to the mobile app of the administrator for the site. he now needs to recreate all the rules and allow the devices again. something that could be avoided if the app had an export config feature to dropbox or google drive which could be imported back into the reflashed blue.

    3
    Comment actions Permalink
  • Avatar
    Mstormo

    This is really too "consumer" thinking, and not geared towards us "Home DIYers", "Advanced Tinkerers", "IT professionals" who don't mind things getting a bit more advanced.

    Configurations can change, sure, then just version the configuration when you save it, and mark it as incompatible in the new firmware when you no longer can read it. Heck, I'm sure there are portions you could still read, even if sections are not valid anymore. You could even use the readable sections as a template for proper values if we have to go through a new setup routine. "It might break" is simply a very lame excuse for not allowing downloading our settings.

    • I might want to experiment with a completely new network configuration with VLAN etc, only to quickly revert if it didn't work out or my family starts complaining. Storing my settings locally would let me quickly recover to the old configuration
    • I had a water leak a few years ago, which fried every single piece of electronics in my house (except my laptops). Having a off-device backup would allow me to recover quickly. On-device configuration would be useless.
    • Maybe I would want to replicate my current setup at my parents house, using my on configuration as a template.

    There are tons of reasons to offload the configuration to somewhere else (heck, I'd like to version control mine!). "You might not be able to load it again" is a cop-out, and unprofessional.

    3
    Comment actions Permalink
  • Avatar
    Firewalla

    We are likely to create this feature in the next two firewalla releases (1.46 or 1.47).  We will add more items to be stored.  At the moment (and this can change) this item is on our higher priority list. 

     

    2
    Comment actions Permalink
  • Avatar
    john burton

    I agree ... I had to re-flash my purple today .. and then re-build all my rules....

    It would be so good to have a way to backup my config so that if I have to re-flash again, they could all be restored.

    Please add my name to the list looking

    Thank you.

    2
    Comment actions Permalink
  • Avatar
    David Parish

    I agree with needing a simple way to be able to restore settings without a nuclear “reset” of the device. As I have stated before, my Asus routers have this feature as does every other firewall software. TBH, if my Asus router was good at dual wan functionality ( it has the capability but it doesn’t work correctly ) I would not have gone with Firewalla Gold. My Asus RT-AC86U with Merlin firmware and added scripts will do everything my FWG will do for a lot less money. Don’t get me wrong, I like the FWG but really guys, a simple ability to establish a restore point seems like a no brainer.

    2
    Comment actions Permalink
  • Avatar
    EngNezar

    Basically, any configuration is a set of line code, then it has been stored on a file somehow with an extension of *.cfg or *.backup ...etc. we need a way to download and save such a file then in case something happened and we need to restore the last running config, then we can just upload this simple file and boom done.

    2
    Comment actions Permalink
  • Avatar
    Ross

    @Firewalla - what is the status of your work? I am lost after such a long conversation with so many topics and want to make sure I add correct thoughts on current information, not some long-forgotten comment.

    2
    Comment actions Permalink
  • Avatar
    AzagraMac

    More than 3 year of ticket, and still no possibility to export the configuration to a file, how embarrassing.... 

    We don't just want the option to migrate, which is fine, even the worst router, you can export the configuration.

    The truth is that Firewalla leaves much to be desired, it is more worthwhile to mount a Pfsense on a medium powerful computer with 2.5g and 10g cards, than to continue investing in firewalla. 

    One that says goodbye.

    2
    Comment actions Permalink
  • Avatar
    Aaron

    I'm in complete agreement with the folks requesting the ability to backup/restore a system config.  I know there's the current config in the app, but why not provide the ability to export/restore the config via the web interface, or ssh console?  Taking a backup is standard before any work and trusting/hoping a known good copy is in the app on someone's phone just doesn't cut it.

    2
    Comment actions Permalink
  • Avatar
    timt

    Just wanted to add my vote for the ability to externally save all configs and restore them. 

    My use case, which has been described by someone else already in this thread, is that I want to "baseline" my Firewalla Gold and have a way to restore to those configs at any time. I want to have multiple "restore points" so that, as I make changes, I can always revert to any of those "restore points". I'd prefer to store the configs myself, but if they need to be stored in a place that is managed by the app or by Firewalla, that is ok, as long as the configs can be applied to a new Firewalla as well. 

    I would want the config backup file to be downloadable from the web based interface (my.firewalla.com) so that I can save the config files on my network internally.

    I've also wanted the ability to turn off automatic upgrades because I run a business and I want to lower the risk that anything might break Firewalla. One of the updates broke local DNS hostname resolution, and it took down my network for a while. I reported the issue, and Firewalla fixed it within a few days, but during that time, I had to scramble to get my network back up and running. I want to be able to "version lock" my Firewalla and mobile app, and I know that this is not easy to implement.

    I know that there's a lot of challenges with adding these features. For one, the Firewalla and the mobile app need to remain compatible with each other. Turning off automatic upgrades could result in a user upgrading their mobile app while having an incompatibly older version of the firmware/software on their Firewalla. As for "restore points" or backups of all configs, this is tough because Firewalla is, in fact, Ubuntu with lots of apps installed that support all of its features. The configs for each app would need to be included in the backup file. And, because Firewalla performs automatic upgrades, there would need to be a degree of backward compatibility with backup configs for older versions of Firewalla. Backward compatibility of old backup config files is not an easy thing to implement. They would probably have to come up with their own config file schema that is an abstraction of all of the configs for the apps on Firewalla. It should also be noted that Firewalla has their own backend to support many features, and their backend has to also be compatible with the mobile app and software running on the Firewallas. I know that their backend probably mostly proxies API requests from the web and mobile client to the Firewalla device, but nevertheless, their backend support is free to us as users, which is pretty nice, and it adds some complexity for the features we are wanting.

    Another feature I've wanted is the ability to give servers on my local network additional hostname aliases. Even my Fios router supports this through their web UI. For Firewalla, it looks like I'm going to need to add DNSMasq configs. If I have to SSH into my Firewalla to manually add DNS configs just to support this, I might as well switch to something that gives me more control. I've tried using a DNS server on my local network, but that put me down a rabbit hole that was taking way too long. 

    Firewalla has been great, and the integration of their mobile app is really nice. The mobile app notifications are another big reason I've stayed with Firewalla. However, I am thinking I'm going to need to switch to pfSense. I'm not going to like having to VPN into my network to view and modify firewall configs with the pfSense web UI, but pfSense gives me a lot more control. Firewalla doesn't seem well-suited for businesses that need more control over configs and the ability to schedule and test software upgardes before they are applied in production. And to be fair, I do not think Firewalla claims to be for more than home/personal use or small businesses with simpler networking needs.

    Overall great product, but I guess it's back to the drawing board for me.

    2
    Comment actions Permalink
  • Avatar
    Network Bat

    Yea, this is a bit ridiculous. For example, tonight I need to test a bunch of changes and I want to know for sure that I have a simple way to roll back at a moment's notice.

    In theory, this should be as simple as just hitting a "Export system settings", and as easy to restore as "Restore system settings from file"

    I won't begin to venture as to how easy this is to implement, but in terms of "10 things every piece of network equipment should have", this is in the top 10 list from day one.

    2
    Comment actions Permalink
  • Avatar
    Kurtis Bickhaus

    I suppose then, it might be an advanced feature that some of us are willing to work with.  I understand that perhaps along with the config backup, we might need to also back up a copy of the whole system to flash back to the version that worked at the time of backup.  Perhaps a "developer mode"?  It would be fitting seeing as you have alpha and beta already.  Plus the upcoming API.  I myself am certainly willing to have to go through the extra effort of sticking an OS copy along with the backup.  It truly is just as critical as any other machine.

    *Or heck, call it something scary like "Warning, Administrative Mode: For qualified network technicians only.  Misuse may result in system corruption.".

    2
    Comment actions Permalink
  • Avatar
    Kurtis Bickhaus

    That’s also a wonderful idea to add onto what I said about taking a full image along with the config. I would not mind at all adding a firewalla folder to my inventory with versions and configurations.

    2
    Comment actions Permalink
  • Avatar
    Anthony Domagas

    Just lost all of my target list and including the default target list.

    Add my vote for the ability to externally save and restore configs

    2
    Comment actions Permalink
  • Avatar
    Harry Kemp

    +1 for the ability to backup and restore a config file. Especially useful for new users like myself who might break something early on.

    2
    Comment actions Permalink
  • Avatar
    Markus Karlseder

    +1 absolute standard main function as every device can break.

    please give us a simple import / export config-file

    2
    Comment actions Permalink
  • Avatar
    Mstormo

    That'd be fine. It would just be good to have a backup _before_ rumargin around on the device and potentially wreaking havoc through SSH ;-)

    1
    Comment actions Permalink
  • Avatar
    Danny Natale

    Did this feature make it into .46 or .47?

    1
    Comment actions Permalink
  • Avatar
    argentcove

    That link just tells how to migrate. I still don't see a way to backup my current configuration before making changes. I understand that it should be on my phone, but if I made my changes from my phone, then would there be a backup of the config before the changes? 

    Am I missing something? 

    1
    Comment actions Permalink
  • Avatar
    Firewalla

    Do you want multiple restoring point? or just one? if it is one, there is the last successful configuration already stored in the system. 

    Are you Planning to do restore of previous configurations? 

    1
    Comment actions Permalink
  • Avatar
    Alan kam

    I agree with David Parish. We need a simple way to restore. In addition, if I’m not mistaken backup only store in apps. Is there ways to download to somewhere to save it?
    Some people do lost their phone without backup. I simple configuration backup file store where else is highly recommanded.

    1
    Comment actions Permalink
  • Avatar
    Ross

    So nothing new is planned?

    1
    Comment actions Permalink
  • Avatar
    Kurtis Bickhaus

    Surely there is a way to export the configuration, even if we had to encrypt it, there is a way to do it WITHOUT exposing anything proprietary. Perhaps that’s the concern? I mean, if it is, why not just say so?

    1
    Comment actions Permalink
  • Avatar
    Aaron

    Agreed, @Mstormo.  For a consumer box, this is fine, maybe even great, but for a lot of folks looking to develop and do more with it, the backup/restore issue is a non-starter.  Most folks got around the problem with old configs was a long time ago, by not allowing incompatible configurations to be restored.  There are a number of enhancements I'd like to try, but there's no way I'm going to risk breaking something and having to start over from scratch (which may very well be possible considering the one stored copy in the app may very well update before issues popped up).  I wanted another Gold for my office network, but for now, I think I'm going to continue looking at other options.

    1
    Comment actions Permalink
  • Avatar
    Bob O'Hara

    +1 It would be really nice if it was also human readable, say XML encoded.

    1
    Comment actions Permalink

Please sign in to leave a comment.