Configure the Live Backup Environment - Administrator Guide - EoL - 6.10 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide
End of Life > EoL

Configure a live backup environment by mirroring your production server to a backup server in Cortex XSOAR.

Live Backup enables you to mirror your production server to a backup server, and in disaster recovery scenarios to easily convert your backup server to be the production server.

When using Cortex XSOAR with Elasticsearch, Live Backup is not available. To back up or restore the contents of your Elasticsearch database, follow the instructions for Disaster Recovery for Elasticsearch. Alternatively, you can also implement a full high availability solution.


Before you start, ensure that you save the disaster recovery configurations before you copy all files.

These instructions do NOT apply to multi-tenant deployments. Instead, follow the Configure Live Backup instructions in the multi-tenant guide.Configure Live Backup

  1. On the production server, enable live backup.

    1. Go to SettingsAboutTroubleshootingServer Configuration.

    2. Verify that the External Host Name is correct.

    3. Click Add Server Configuration.

    4. Add the following key and value.





    5. Go to AdvancedBackups and in the Live Backup field, select ON.

    6. Add the following backup server parameters.



      Hostname/IP Address

      Backup server IP address or Host name (without https:// prefix).


      Default is 443.

      Trust server certificate (unsecured)

      ON: certificates are not checked. OFF: certificates are checked.

      Use proxy

      Select whether to use a proxy.

  2. On the backup machine (with a different host name or IP address), install Cortex XSOAR.

    1. sudo ./ -- -dr -do-not-start-server

    2. Verify that the backup server is accessible from the production server through port 443 (or any other port configured as a listening port). Ensure that there are no firewalls that might drop communication.

  3. On the production server, stop the Cortex XSOAR server:

    sudo service demisto stop

  4. On the production server, create a tarball file of the necessary files and folders on the production server and copy it to the backup server.


    This process may take several hours, depending on your server specs and the amount of data that needs to be copied.

    1. Ensure that all files and folders located in /var/lib/demisto have demisto:demisto ownership:

      chown -R demisto:demisto /var/lib/demisto

    2. Create the tarball file:

      tar --ignore-failed-read -pczf demistoBackup.tgz /var/lib/demisto/data /var/lib/demisto/artifacts /var/lib/demisto/attachments /var/lib/demisto/images /var/lib/demisto/systemTools /var/lib/demisto/d2_server.key /usr/local/demisto/cert* /usr/local/demisto/demisto.lic

      Sometimes the demisto.lic file is located in /var/lib/demisto/demisto.lic rather than /usr/local/demisto/demisto.lic. If so, change the directory in the command.

      If you have not set up a D2 server, you can remove /var/lib/demisto/d2_server.key.

    3. Verify the integrity of the tar file:

      md5sum demistoBackup.tgz

    4. Print the contents of the tar file to a text file:

      tar -tvf demistoBackup.tgz > demistoBackup.txt

      Do not delete the text file.

    5. Transfer the tarball file (demistoBackup.tgz) to the backup server, using your preferred tool such as scp:

      # scp demistoBackup.tgz root@<yourBackupServerIPortHostname>:/root

  5. On the backup server, check the MD5 Checksum and compare it to the original file to verify the tar file is 100% valid:

    md5sum demistoBackup.tgz

    The MD5 sum is displayed. Compare this value against the MD5 sum saved in demistoBackup.txt in Step 4.

  6. On the backup server, extract the backup tarball file (original file permissions and ownership are preserved):

    sudo tar -C / -xzpvf demistoBackup.tgz

  7. Ensure all the copied files and folders have demisto:demisto ownership.

  8. Start the backup server:

    sudo service demisto start

  9. Start the production server:

    sudo service demisto start

    If the procedure is successful, Live Backup is ON.

    If the server is active, Cortex XSOAR appears as usual when you connect. You can Transition an Active Server to Standby Mode or Transition a Standby Server to Active Mode.