Advertisement
Configuring a Standby or Secondary MARS Appliance
Configuring a Standby or Secondary MARS Appliance
You cannot run queries and reports or perform incident investigation over archived data directly. To
perform any kind of investigation using archived data, you must restore that data to a MARS Appliance.
Therefore, we recommend that you configure a secondary appliance for this purpose. The reason to use
a separate appliance to study old data is that you must restore the period data to the appliance, and the
restore re-images all configuration and event data based on the archive settings for the defined period.
To restore to a secondary appliance, you must restore to an appliance of the same model or higher. For
example, you can restore an image from a MARS 20 to a MARS 20, MARS 50, MARS 100, or MARS
100e; however, you cannot restore a MARS 50 to a MARS 20. Restoring to a secondary appliance differs
from restoring to the actual appliance that performed the archive. The following issues must be
addressed when restoring to a secondary appliance:
•
•
•
Because a single image of the complete system configuration data is archived and updated daily, no
matter what period you select from an archive, the system configuration data includes the most recent
changes. In other words, selecting a period that is 365 days old affects only the event data. The system
configuration that is restored mirrors that of the most current archive.
For more guidance, see
Guidelines for Restoring
When you do restore to an appliance, keep in mind the following guidelines:
•
The pnrestore command does not check to ensure that the same version requirement is met, and it will
Caution
attempt to restore an incorrect version match.
•
•
•
•
Install and Setup Guide for Cisco Security MARS
6-40
You must purchase a new license key for the secondary appliance. Each license key is associated
with the serial number of the appliance to which it is assigned.
You must enter that new license key on the restored image before you can log into the secondary
appliance.
When restoring the image to the secondary appliance, you need to take the primary appliance off the
network or perform the operation behind a gateway that can perform NAT. When the secondary
appliance comes up and you are on the same network, you receive an IP address conflict error,
because the IP address assigned to the secondary appliance exactly matches that of the primary.
Guidelines for Restoring, page
The version of MARS software running on the appliance to be restored must match the version
recorded in the archive. For example, if the data archive is for version 4.1.4, you must reimage the
MARS Appliance to version 4.1.4, not older or newer, before using the pnrestore command to
recover the system configuration and events.
All restore operations take a long time. Time varies based on the options you select. See
page
A-43.
A restore of configuration data only takes less time.
A restore operation does not allow for incremental restores of event data only. It always performs a
complete reimage of the harddrive in the target appliance.
All configuration information, including the license key, IP addresses, hostname, stored certificates
and fingerprints, user accounts, passwords, and DNS settings, are always restored.
Chapter 6
Administering the MARS Appliance
6-40.
pnrestore,
OL-14672-01
Advertisement
Chapters
Troubleshooting
