Backups

NetDefense can automatically back up each device’s full configuration to an S3-compatible storage provider. Backups are encrypted before upload and run on a cron schedule.

How Backups Work

Backup configuration has two levels:

  1. Organization-level config — defines the S3 endpoint, bucket, credentials, cron schedule, and a master encryption key. This is set up once per organization.
  2. Per-device toggle — each device can be individually enabled or disabled for backups. This lets you exclude lab or test devices from the backup schedule.

Encryption Keys

All backups are encrypted before upload. There are two key levels:

  • Organization key (org) — the default encryption key shared across all devices in the organization. Set via ndcli backup encryption-key set.
  • Device key (device) — an optional per-device key that overrides the organization key. When set, that device’s backups use its own key instead of the organization key.

Show Backup Config

ndcli backup config show
Organization: example-org
Status: ○ DISABLED
S3 Endpoint: https://s3.us-east-1.wasabisys.com
S3 Bucket: example-firewall-backups
S3 Folder: production
S3 Key ID: AKIAIOSFODNN7EXAMPLE
Schedule: 0 2 * * *
Encryption Key: ● Configured
Created: 2026-02-20 19:19:51
Updated: 2026-02-20 19:19:51

The Schedule field uses cron syntax. 0 2 * * * means “every day at 2:00 AM”.

View Backup Status

ndcli backup status
╭───────────────────┬──────────┬─────┬─────────────┬───────────╮
│ Device            │ Backup   │ Key │ Last Backup │ Status    │
├───────────────────┼──────────┼─────┼─────────────┼───────────┤
│ fw-branch-austin  │ Enabled  │ org │ 2d          │ ● FAILED  │
│ fw-branch-chicago │ Enabled  │ org │ 6h          │ ● SUCCESS │
│ fw-branch-denver  │ Enabled  │ org │ 6h          │ ● SUCCESS │
│ fw-guest-lobby    │ Disabled │ -   │ Never       │ -         │
│ fw-hq-primary     │ Enabled  │ org │ 6h          │ ● SUCCESS │
│ fw-hq-secondary   │ Enabled  │ org │ 6h          │ ● SUCCESS │
│ fw-lab-bench      │ Disabled │ -   │ Never       │ -         │
│ fw-staging-01     │ Enabled  │ org │ 1d          │ ● SUCCESS │
╰───────────────────┴──────────┴─────┴─────────────┴───────────╯
Total: 8 devices (6 with backup enabled)

Reading this output:

  • Key: org — the device uses the organization-level encryption key for its backups.
  • Key: device — the device uses a device-specific encryption key (set via ndcli backup encryption-key set --device <name>).
  • fw-branch-austin shows FAILED — backups are enabled but the last attempt failed, likely due to a connectivity issue (this device also shows as NOT SYNCED).
  • fw-guest-lobby and fw-lab-bench have backups Disabled — the guest firewall is excluded intentionally, and the lab device is still PENDING so backups don’t apply.
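
The status table above can be checked automatically so that a failed or stale backup is noticed before a restore is needed. The script below is an added example, not part of NetDefense or ndcli. The function names backup_alerts and sample_status, the 24-hour default threshold, and the assumption that piped ndcli output keeps this table layout are all hypothetical.

```sh
#!/bin/sh
# Added example (not NetDefense code): flag devices whose backups need attention.
# Assumes the table layout shown on this page and that "Last Backup" ages use
# only the h/d suffixes seen here (or "Never").

# Constructed sample input, abbreviated from the status output above.
sample_status() {
cat <<'EOF'
╭───────────────────┬──────────┬─────┬─────────────┬───────────╮
│ Device            │ Backup   │ Key │ Last Backup │ Status    │
├───────────────────┼──────────┼─────┼─────────────┼───────────┤
│ fw-branch-austin  │ Enabled  │ org │ 2d          │ ● FAILED  │
│ fw-branch-chicago │ Enabled  │ org │ 6h          │ ● SUCCESS │
│ fw-guest-lobby    │ Disabled │ -   │ Never       │ -         │
│ fw-staging-01     │ Enabled  │ org │ 1d          │ ● SUCCESS │
╰───────────────────┴──────────┴─────┴─────────────┴───────────╯
Total: 4 devices (3 with backup enabled)
EOF
}

# backup_alerts [max_age_hours]: reads the table on stdin and prints
# "device<TAB>reason" for each backup-enabled device that failed or is stale.
backup_alerts() {
  awk -F'│' -v max="${1:-24}" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NF < 7 { next }                       # border rows and the Total line
    {
      dev = trim($2); enabled = trim($3); age = trim($5); status = trim($6)
      if (dev == "Device" || enabled != "Enabled") next
      sub(/^[^A-Z]*/, "", status)         # drop the leading status bullet
      hours = -1                          # -1 means the age was not understood
      if (age ~ /^[0-9]+[hd]$/)
        hours = substr(age, 1, length(age) - 1) * (age ~ /d$/ ? 24 : 1)
      if (status != "SUCCESS")  printf "%s\tlast backup %s\n", dev, status
      else if (hours < 0)       printf "%s\tunrecognized backup age: %s\n", dev, age
      else if (hours > max + 0) printf "%s\tlast backup %s ago, limit %sh\n", dev, age, max
    }'
}

# Run against the constructed sample; on a real system, pipe the status output in instead.
sample_status | backup_alerts 24
```

Devices with backups disabled are skipped on purpose, so intentionally excluded lab or guest firewalls do not raise alerts.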