Mumbai Security and Compliance User Group


SSIM 4.7 Disaster Recovery

  • 1.  SSIM 4.7 Disaster Recovery

    Posted Jan 28, 2012 04:45 AM

    Hi,

    I have a few questions regarding the above mentioned topic.

    Backup and Recovery

    1. After backing up from one SSIM, to recover on a different SSIM, do the machine specs need to be the same as the original machine? The configuration of the 2nd SSIM must also match the first SSIM before initiating the recovery process, correct?

    At the moment, I do not have any guidelines/documentation for backup and recovery. I would appreciate it if anyone is able to pass on a copy of the above documentation.

    Disaster Recovery

    1. At the moment, as far as I know, an agent is bootstrapped to 1 SSIM only. Is it possible to bootstrap it to 2 SSIMs (1 for production and 1 for DR) at a single point in time? In a scenario where the production SSIM goes down, pending events at the collector would be automatically forwarded to the DR SSIM by the agent without having to reconfigure the agent. If it can be done that way, how? Is there documentation which I can follow?

    2. If the scenario in the above point occurs, when the production SSIM comes up again, is there any way to push the events which were received by the DR SSIM to the production SSIM? Is there documentation which I can follow?

    3. Also let me know, if my collector appliance goes down, what backup will be required to recover the collector role where no additional roles are assigned to it.

    There are no DR planning guides available for SSIM; if anyone can help me with the guides, it would be helpful.

    Thanks in advance to all the people who are able to help me on this.



  • 2.  RE: SSIM 4.7 Disaster Recovery
    Best Answer

    Posted Jan 29, 2012 04:42 AM

    Backup and Recovery -> If you take your DB2 + LDAP backup and your event archive you can restore them on a different machine, but there are limitations. The target machine needs to have the same hostname/IP. The hardware does not need to be the same; technically, for example, you can restore your physical SSIM into a virtual machine, but it is advised to have the same disk structure if possible.

    Disaster Recovery

    1- An agent will only forward to one SSIM at a time, but it can fail over if its primary SSIM is down (see the configuration in the System tab called Agent connection configuration). You can have more than 1 failover appliance.

    2- There is no way to automatically push the events back to the primary SSIM if they have been written to the secondary archive (technically they could be moved back manually), or better if they are stored on a shared storage. But again there are limitations, as an archive on disk can only be accessed by one SSIM at a time.

    3- Collection appliances have no config stored; everything is in the LDAP of the master. If one of your collector boxes is down, reinstall, register it back to the master (if it has the same hostname/IP etc.) and all configuration will be back.

    I will check if there is a guide around.



  • 3.  RE: SSIM 4.7 Disaster Recovery

    Posted Jan 29, 2012 10:17 PM

    Backup and Recovery -> If my existing appliance box has gone through some hardware damage & I have the LDAP & DB2 backed up already & I want to restore the same on a new hardware appliance.

    Then I need to install the new setup from scratch on the new hardware with the latest patches & LiveUpdate, and then restore my backup on it, right?

    Disaster Recovery ->

    If suppose I have backed up my event archive, which is on the local disk of the archive appliance, & after the disaster I restore that backup on some SAN volume attached to the new appliance with the same hostname & IP as earlier, then what additional config do I need to do?

    If I have a backup of the master LDAP & DB2, then after the disaster, should I get all the configs which I have done under the Product config tab for the different products?

    Also can you please share what the best practices are for LDAP & DB2 backup, & any guide you have for SSIM disaster recovery.



  • 4.  RE: SSIM 4.7 Disaster Recovery

    Posted Jan 30, 2012 04:33 AM

    You're correct, you need to install the entire SSIM appliance from scratch. And you need to install the exact same patch level. We only support restoring the DB2/LDAP if it is restored to the same build/version.

    For the event archive restore, you need to be aware of your Event Storage rule. Be careful: if you create a new rule in an existing folder it will overwrite the data. In general always create the rule first (this will create the folder), then copy back the archive data.

    All configurations are stored in the LDAP (apart from Asset/Policy/Network).

    I am not sure if we have such a guide or PDF, but I will check.



  • 5.  RE: SSIM 4.7 Disaster Recovery

    Posted Jan 30, 2012 07:02 AM

    Hi Laurent,

    Thanks for your reply.

    Some more questions:

    Can I schedule LDAP backup on a daily, weekly or monthly basis? If yes, then how?

    If I have Service Provider, Correlator, Archiver & Collector role appliances, then the LDAP & DB2 backup of which role appliance will be required?

    Do I need to export the rules configured manually?

    If I have configured a script to back up event archive data on a daily & weekly basis on the same box, and if I run the ad hoc backup for daily & weekly folders, then does it affect my appliance resource utilization (RAM, CPU etc.)?



  • 6.  RE: SSIM 4.7 Disaster Recovery

    Posted Jan 30, 2012 11:36 AM

    I'm sure Laurent can give a better answer, but backups are confusing for sure. You can schedule selective LDAP backups through the Web GUI from 4.7.4, but I'd like to know the reason why the selective backups, which from the list seem to contain everything I'd expect, and "full ldap backup" differ: the selective backup (with everything selected) is around 16MB and a full LDAP backup is 50MB. What extra is going into that file?

    As for which one you back up, you only need the LDAP master backup; if you back up any others then it will just pull the configuration from the master and back that up. I've checked this and it's correct: if you back up 3 SSIMs all doing LDAP replication you'll get three identical files. Don't forget to cron/script a job to transfer this data off box.

    I'd definitely export as much as possible as well on a frequent basis: rules, networks, assets, sensor configs etc. Having an LDAP backup that's corrupt isn't much fun.
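    The two operational points raised in this thread, a scripted job that moves the LDAP/DB2 dump off the box (reply 6) and the restore rules from reply 4 (same build/patch level only; create the Event Storage rule first so the folder exists, then copy the archive data in, never onto existing data), can be wrapped in a small POSIX shell helper. The script below is an added example written for this thread, not SSIM's own tooling or a Symantec script. The source and destination directories, the `ssim-backup-*.tar.gz` naming, the `.manifest` sidecar and the build string passed as an argument are all assumptions; SSIM's real dump paths and version lookup are not documented here, so substitute your appliance's values. The off-box copy is a plain `cp` to a local directory so the example runs offline; in production that destination would be an rsync or scp target.

```shell
#!/bin/sh
# Added example (not SSIM tooling): package a DB2/LDAP dump with a manifest,
# copy it off-box, and refuse a restore that breaks the rules from the thread.
# All paths and the build string are placeholders supplied by the caller.

# Portable SHA-256: GNU coreutils or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# package_backup SRC_DIR OUT_DIR BUILD -> prints the archive path.
# The manifest records the build the dump came from and the archive hash.
package_backup() {
    pb_src="$1"; pb_out="$2"; pb_build="$3"
    pb_archive="$pb_out/ssim-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    mkdir -p "$pb_out"
    tar -czf "$pb_archive" -C "$pb_src" .
    printf 'build=%s\nsha256=%s\nfile=%s\n' \
        "$pb_build" "$(sha256_of "$pb_archive")" "$(basename "$pb_archive")" \
        > "$pb_archive.manifest"
    printf '%s\n' "$pb_archive"
}

# verify_backup ARCHIVE -> 0 if the archive matches its manifest hash.
verify_backup() {
    vb_manifest="$1.manifest"
    [ -f "$vb_manifest" ] || { echo "missing manifest for $1" >&2; return 1; }
    vb_expected=$(grep '^sha256=' "$vb_manifest" | cut -d= -f2)
    [ "$vb_expected" = "$(sha256_of "$1")" ]
}

# copy_offbox ARCHIVE DEST_DIR -> copies archive + manifest, prints the copy's path.
# Local cp here so it runs offline; use rsync/scp to a remote host in practice.
copy_offbox() {
    co_dest="$2"
    mkdir -p "$co_dest"
    cp "$1" "$1.manifest" "$co_dest/"
    printf '%s\n' "$co_dest/$(basename "$1")"
}

# restore_precheck ARCHIVE CURRENT_BUILD TARGET_DIR -> 0 only when:
#   - the archive hash matches the manifest,
#   - the appliance build equals the build recorded at backup time,
#   - TARGET_DIR exists (the storage rule already created it) and is empty.
restore_precheck() {
    rp_archive="$1"; rp_build="$2"; rp_target="$3"
    verify_backup "$rp_archive" || { echo "checksum mismatch: $rp_archive" >&2; return 1; }
    rp_wanted=$(grep '^build=' "$rp_archive.manifest" | cut -d= -f2)
    if [ "$rp_wanted" != "$rp_build" ]; then
        echo "build mismatch: backup is from $rp_wanted, appliance is $rp_build" >&2
        return 1
    fi
    if [ ! -d "$rp_target" ]; then
        echo "$rp_target missing: create the storage rule first" >&2
        return 1
    fi
    if [ -n "$(ls -A "$rp_target")" ]; then
        echo "$rp_target is not empty: refusing to overwrite existing archive data" >&2
        return 1
    fi
    return 0
}

# restore_archive ARCHIVE CURRENT_BUILD TARGET_DIR -> extracts only after the precheck.
restore_archive() {
    restore_precheck "$1" "$2" "$3" || return 1
    tar -xzf "$1" -C "$3"
}

# Example run (placeholder paths). A cron line such as
#   30 2 * * * /usr/local/bin/ssim-backup.sh
# would call package_backup and copy_offbox nightly after the scheduled dump.
# a=$(package_backup /var/backups/ssim /var/backups/staged 4.7.3)
# copy_offbox "$a" /mnt/offbox/ssim
```

    The precheck is deliberately strict: a restore onto a different patch level or into a folder that already holds archive data is exactly the case reply 4 warns about, so the script stops rather than guessing.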



  • 7.  RE: SSIM 4.7 Disaster Recovery

    Posted Jan 31, 2012 02:20 AM

    Hi Mike,

    Thanks for your reply. I forgot to mention that I am using 4.7.3.

    And I am not able to find any option to schedule LDAP backup.

    Under Settings > Database > Maintenance Options, the only option is to enable automated backups.

    Does this backup mean DB2 and LDAP both?

    Because I have already scheduled these backups & still I am able to find only DB2 backups and not LDAP backups.

    Please tell me how I can schedule my LDAP backup in SSIM 4.7.3.



  • 8.  RE: SSIM 4.7 Disaster Recovery

    Posted Jan 31, 2012 03:52 AM

    Technically there is no option to schedule LDAP backup. However, you can use a Selective backup (I believe Selective Backup was added in 4.7.4).

    If you select all the entries in the selective backup and schedule it, you have the same as a full LDAP backup.

    For Mike, I never double checked the difference in size; I will have a look, it seems strange.



  • 9.  RE: SSIM 4.7 Disaster Recovery

    Posted Jan 31, 2012 05:38 AM

    Hi Laurent,

    Thanks for your reply.

    It will be helpful if you can provide any guide or any document which can help me create a disaster recovery doc for myself.



  • 10.  RE: SSIM 4.7 Disaster Recovery

    Posted Feb 06, 2012 06:50 AM


  • 11.  RE: SSIM 4.7 Disaster Recovery

    Posted Feb 06, 2012 09:50 PM

    Hi Mike,

    Thanks for the share, I have already gone through this.

    Actually I am looking for an official DR guide from Symantec.

    I have drafted my own as such, but I need something official.