Is there a way to keep a cold standy up to date?

[ifican]

Short story is i am away alot. I need to make sure if something goes south with hdd or hardware i can have the wifey simply swap a few things and be back online. I havent had to do a restore in a number of years so i dont even recall the exact process but that is on my short list to pull one of my otherwise unused fanless and get it prepped and ready for if that day ever comes. What i am curious about though, is there a way to keep what is effectively a cloned cold standby unit up to date with current software? Is the only way to once or twice a year power it on, install the latest iso and install the same version backup before putting it back away?

[jcoffin]

With all the experimental builds I run on my home network, I have to keep a spare on hand. I only bring the spare out when I need to upgrade it so it's on the same version as the main firewall. I use the backup uploaded daily to Google drive so their configurations are in sync.

[sky-knight]

Untangle is just another device on the network if you connect External.

So if you want a cold spare ready, you just install the platform and connect External to the LAN like anything else. It won't route or bridge anything, but it'll be online and subject to automatic updates.

Then in the event of a failure, you just swap it into position, restore your backup, and move your license.

If you want to test things, restore without networking.

[jcoffin]

Or go crazy and run VRRP hot spare in parallel. https://wiki.untangle.com/index.php/...iguration#VRRP

[sky-knight]

That's by far the easiest way to keep things going, then you just do periodic restores without networking to keep the 2nd unit configured.

[tjk]

Or go crazy and run VRRP hot spare in parallel. https://wiki.untangle.com/index.php/...iguration#VRRP

Would be nice to have a passive license for the 2nd vrrp member, vs a full license. Sophos, Juniper, etc all do this when you run them in an active/passive state.

[Armshouse]

Or go crazy and run VRRP hot spare in parallel. https://wiki.untangle.com/index.php/...iguration#VRRP

Check that your ISP will give you more than one public IP though as each Untangle will need one.

[sky-knight]

Would be nice to have a passive license for the 2nd vrrp member, vs a full license. Sophos, Juniper, etc all do this when you run them in an active/passive state.

What Untangle needs is simply a command center designation that allows us to pair a VRRP partner. So that when the primary faults, the secondary automatically gets the license moved.

But before that really has value, we need working configuration sync... right now VRRP will fault, and the 2nd unit will take over. But until you restore the most recent backup from the primary without networking, you're missing settings. Even if you do restore without networking... you're potentially missing settings.

And then you can move the license easily enough... but Untangle needs a ton of work getting the configurations straight before any of this automation makes sense.

[tjk]

Couldn't agree more on tagging it as a partner and having it move the license, but that will impact revenue.

As for config sync, I've been testing the template in CC, and it eventually updates the 2nd unit with the config settings, minus networking. I think they should sync some of the network stuff, like port fwds, filters, etc. Leave the interface stuff alone, but having to enter rules in two places is wonky for sure.

[sky-knight]

I don't think Untangle lacks the ability to automate license location due to revenue constraints. I think it's just that the Command Center isn't ready for it. Untangle got into the cloud management game VERY late.