Murphy1138
Hello all, I would like some advice and operational info on using VMware-Snapshots correctly for rollback in the event of ransomware.
I have 3x Dell R740 running VMware ESXi, 6.7.0, 19195723 connected over iSCSI via 2x paths to the data store on the TrueNAS 13.U1.1 server with SYNC=ALWAYS Enabled, a Dell R740XD2 with 24 disks.
- 14 x SSD
- 10 x HDD
I have 2x Pools.
TANK01 - is made up of:
- 4x Data vdevs, with 2x disks each in mirrors - Total 8x SSDs
- 1x ZIL vdev with 2x disk mirror. - 2x SSDs
- 1x spare vdev with 2x hot standby disks. - 2x SSDs
- 4x data vdevs with 2x disk mirrors - total 8 x HDDs
- 1x ZIL vdev with 2x disk mirror - 2x SSDs
- 1x spare vdev with 2x hot standby disks - 2x HDDs
Then I set up the snapshot as either a manual task or automatic.
My understanding is that that will tell vSphere that a snap of the VM is needed, the host will snap it, TrueNAS will then snapshot its storage locally, then tell vSphere to remove the snap of the VM and then I can see my snapshots on TrueNAS.
Is that correct?
Next, what is the correct way of reverting the snapshots? Obviously TrueNAS does not snap the working memory.
My goal, in the event of a ransomware outbreak where guest servers end up encrypted:
- Power off the VMs on the vSphere host/ESXi servers.
- Roll back the snapshot on TrueNAS
- Rescan vSphere Storage
- Rescan vSphere Storage
- Power up VMs, they boot and will be back to a pre-ransomware state.
Is that the correct process, if not what is?
Many thanks for your time and effort in helping.
Murph.
PS I also have a very robust backup setup in the event of ransomware, this is an extra step.
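
An added example, not part of the original post: before the "roll back the snapshot on TrueNAS" step, this helper picks the newest snapshot taken before the first sign of encryption and lists the newer snapshots that `zfs rollback -r` would destroy along with it. The zvol name `TANK01/vmware-ds01`, the `auto-` snapshot names and all timestamps are constructed; on a real system the input would come from `zfs list -H -p -t snapshot -o name,creation`.

```shell
#!/bin/sh
# Added example. Dataset name, snapshot names and epochs are constructed.
# Input lines have the shape printed by
#   zfs list -H -p -t snapshot -o name,creation
# i.e. "name<TAB>creation-epoch", one snapshot per line.

# plan_rollback DATASET CUTOFF_EPOCH   (snapshot list on stdin)
# Prints "TARGET <snap>" for the newest snapshot of DATASET created before
# the cutoff, then "DESTROYED <snap>" for each newer snapshot of DATASET;
# rolling back past them needs `zfs rollback -r`, which deletes them.
# Exits 1 and prints nothing if no snapshot predates the cutoff.
plan_rollback() {
    awk -F '\t' -v ds="$1" -v cutoff="$2" '
        index($1, ds "@") != 1 { next }      # other datasets and zvols
        $2 + 0 >= cutoff + 0   { newer[++n] = $1; next }
        $2 + 0 > best          { best = $2 + 0; target = $1 }
        END {
            if (target == "") exit 1
            print "TARGET " target
            for (i = 1; i <= n; i++) print "DESTROYED " newer[i]
        }'
}

# Constructed sample: twelve-hourly snapshots of the VMware zvol plus one
# unrelated dataset that must be ignored.
sample_snapshots() {
    printf '%s\t%s\n' \
        'TANK01/vmware-ds01@auto-2022-08-04_00-00' 1659571200 \
        'TANK01/vmware-ds01@auto-2022-08-05_00-00' 1659657600 \
        'TANK01/other@auto-2022-08-05_06-00'       1659679200 \
        'TANK01/vmware-ds01@auto-2022-08-05_12-00' 1659700800 \
        'TANK01/vmware-ds01@auto-2022-08-06_00-00' 1659744000
}

# Constructed incident time: first encrypted files seen 2022-08-05 10:00 UTC.
sample_snapshots | plan_rollback 'TANK01/vmware-ds01' 1659693600
```

Snapshots listed as DESTROYED hold the encrypted state of the datastore, so anything needed from them for investigation has to be cloned or replicated elsewhere before the rollback.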