Describes live backup, how to configure your environment, server DR status, and disaster recovery scenarios in Cortex XSOAR.
Live Backup enables you to mirror your production server to a backup server. In a disaster recovery situation, you can easily convert your backup server to be the production server.
Note
This chapter contains instructions for configuring Live Backup for a single server deployment. For multi-tenant deployments, follow the Configure Live Backup instructions in the multi-tenant guide.
Server actions are mirrored in real-time. There might be pending actions due to high server load, connectivity issues, and so on. Consider the following:
Live Backup uses a single main server and a single standby server. Beyond these, additional servers are not currently supported.
Active/Active configuration is not currently supported.
Each host retains its own distinct IP address and host name.
Neither host has any awareness of which node is truly active. Therefore, failover is not dynamic, meaning that making a node active must be done manually, by an administrator.
In the event of a server failover, engines dynamically reconnect to the active host.
Although Live Backup works in real time, in rare cases, due to communication issues/downtime/heavy load on the server or a server crash/restart, the number of pending actions to mirror is too great. At that point the Live Backup works in "recovery mode" to avoid data loss and to avoid using too much resources. Once it's done recovering it returns to live backup mode. Cortex XSOAR persists each and every mirror action until it's verified on the other side, so when restarting the service, we ensure nothing is missed.
When Live Backup enters recovery mode, an error message appears in the UI. This message is just an indication that the system is in recovery mode.
When using Cortex XSOAR with Elasticsearch, Live Backup is not available. To back up or restore the contents of your Elasticsearch database, see Disaster Recovery for Elasticsearch. You can also implement a full high availability solution.
Caution
As the process of making a Cortex XSOAR server active is a manual process, it is conceivable that two servers could be active simultaneously. You must avoid this scenario because both hosts collect and work on potentially the same security incidents, which could possibly lead to the following:
Incident duplication
A higher load on your integration endpoints
Possible significant database inconsistencies due to duplication of internal identifiers being shared between nodes and causing existing incidents to be overwritten.
Tip
If there is ever uncertainty about whether a host that is presently down or stopped was in an active state before it went offline, it is recommended that you put the presently active host into a standby state before starting the Cortex XSOAR service on the other host. You can then make it active again after you have confirmed whether the host you are starting is already in active mode.
To configure the live backup environment, see Configure the Live Backup Environment.
The following scenarios describe how to test, and deal with active server failures:
When you first install the Cortex XSOAR server and it starts for the first time, you can use a configuration file to transition between DR states, as described in Transition Between DR States Through the Configuration File.
If you need to upgrade your live backup environment, see Upgrade the Live Backup Environment.
For details about the relationship between engines and disaster recovery, see Engines and Disaster Recovery Troubleshooting. For information about host names, DNS, and disaster recovery, see Host Names, DNS, and Disaster Recovery.