Search <book_title>...

NetBackup™ 10.0 Application Guide

Last Published: 2022-09-23

Product(s): Appliances (2.1.4, 2.1.3, 2.1.2, 2.1.1, 2.1)

Platform: Flex Appliance OS

Product overview
1. Introduction to NetBackup applications for Flex Appliance
2. About the Flex Appliance documentation
Release notes
Geting started
1. Prerequisites before you can create NetBackup application instances
2. Installing the NetBackup Administration Console and client packages
Creating NetBackup application instances
1. Creating application instances
Managing NetBackup application instances

Configuring an isolated recovery environment on a Flex Appliance WORM storage server instance

You can configure an isolated recovery environment (IRE) on a WORM storage server instance to create an air gap between your production environment and a copy of the protected data. The air gap restricts network access to the data except during the timeframe when data replication occurs. This feature helps to protect against ransomware and malware.

To configure an IRE, you need a production NetBackup environment and a target Flex Appliance with a WORM storage server instance.

The production environment does not require any additional steps for this feature. Use the following procedure to configure an IRE on a WORM storage server instance.

Note:

This procedure only applies to Flex Appliance version 2.1.1 and later. Veritas recommends that you use version 2.1.1 or later if you want to use this feature. However, a hotfix is also available for version 2.1. To configure an IRE on Flex Appliance 2.1, see the Flex Appliance Isolated Recovery Environment (IRE) Air Gap Solution Deployment Guide.

To configure an IRE

For this release, you must download the following EEB from the Download Center and install it on the WORM storage server instance:
VRTSflex-msdp_EEB_ET4067891-16.0-3.x86_64.rpm
For instructions, see the topic "Installing application add-ons" in the Flex Appliance Getting Started and Administration Guide.
Configure Auto Image Replication from the production domain to the IRE domain. Choose the WORM storage server instance as the target storage unit.
For instructions, see the chapter "Configuring replication" in the NetBackup Administrator's Guide, Volume 1.
Log in to the WORM storage server shell. Run the following command to show the SLP windows from the primary server to the WORM instance:
setting ire-network-control show-slp-windows production_primary_server=<production domain> production_primary_server_username=<production username> ire_primary_server=<IRE domain> ire_primary_server_username=<IRE username>
Where:
- <production domain> is the fully qualified domain name (FQDN) of the primary server in your production environment.
- <production username> is the username of a NetBackup user with permission to list SLPs and SLP windows in the production environment.
- <IRE domain> is the FQDN of the primary server in the IRE. Use the same hostname that you used for the target primary server when you configured the SLPs in the production environment.
- <IRE username> is the username of a NetBackup user with permission to list SLPs and storage units in the IRE.
For example:
production_primary_server=examplePrimary.domain.com production_primary_server_username=appadmin ire_primary_server=exampleIREPrimary.domain.com ire_primary_server_username=appadmin
The following is an example output of the command:
```
EveryDayAtNoon:
SLPs: SLP1
Sunday start: 12:00:00 duration: 00:59:59
Monday start: 12:00:00 duration: 00:59:59
Tuesday start: 12:00:00 duration: 00:59:59
Wednesday start: 12:00:00 duration: 00:59:59
Thursday start: 12:00:00 duration: 00:59:59
Friday start: 12:00:00 duration: 00:59:59
Saturday start: 12:00:00 duration: 00:59:59

WeeklyWindow:
SLPs: SLP2
Sunday start: 10:00:00 duration: 01:59:59
Monday NONE
Tuesday NONE
Wednesday NONE
Thursday NONE
Friday NONE
Saturday start: 10:00:00 duration: 01:59:59
```
This example shows two SLP windows:
- A daily window for one hour starting at noon.
- A weekly window for two hours starting at 10:00 A.M.
Note:
If an SLP window is greater than 24 hours, show-slp-windows may display the duration incorrectly. Environments that have SLP windows greater than 24 hours are not candidates for IRE, as the network would always be open.
Based on the output for your environment, determine a daily schedule that accommodates the SLP windows and take note of it.
In the previous example, a daily schedule from 10:00 A.M. to 1:00 P.M. accommodates both SLP windows.
Note:
The start times in the output of this command are in the production primary server's time zone. If the production environment and the IRE are in different time zones, make sure that you adjust the start times accordingly before you set the air gap schedule.
Run the following command to configure which subnets and IP addresses are allowed to access the WORM storage server instance:
setting ire-network-control allow-subnets subnets=<CIDR subnets or IP addresses>
Where <CIDR subnets or IP addresses> is a comma-separated list of the allowed IP addresses and subnets, in CIDR notation.
For example:
setting ire-network-control allow-subnets subnets=10.80.120.208,10.84.48.0/20
Note:
The IRE primary server, the IRE media servers, and the DNS server for the IRE must be included in the allowed list. If all of these servers are in the same subnet, only the subnet is required to be in the allowed list.
Run the following command to set the daily air gap schedule:
setting ire-network-control set-schedule start_time=<time> duration=<duration>
For example:
setting ire-network-control set-schedule start_time=10:00:00 duration=03:00:00
Note:
The SLP replication window on the production domain must be configured to be open at the same time as the IRE schedule.