Skip to content
Uniqcli

Backup and Disaster Recovery with HPE StoreOnce and Zerto

How-toUniqcli TeamMay 23, 202611 min read
Backup and Disaster Recovery with HPE StoreOnce and Zerto

Data loss and unplanned downtime remain among the costliest risks in IT operations — and the threat surface keeps growing. Ransomware campaigns, hardware failures, and regional outages have made "backup" an insufficient strategy on its own. Organizations need a layered approach that combines efficient, immutable backup storage with continuous data protection and automated failover. Two HPE technologies sit at the center of that approach: HPE StoreOnce for intelligent deduplicated backup storage and HPE Zerto Software for continuous replication and orchestrated disaster recovery. Used together, they address the full backup-to-recovery lifecycle, from minutes-old restore points to coordinated site failover with near-zero data loss.

This guide explains how each product works, how they complement each other, and the practical steps involved in deploying them as a unified backup and DR strategy — whether you are protecting VMware workloads on-premises, replicating to a cloud target, or building a cyber-resilient vault for a federal or healthcare environment.

Understanding the Role Each Technology Plays

Before walking through deployment, it helps to be precise about what each product actually does, because the two are often conflated in vendor marketing.

HPE StoreOnce is a purpose-built backup storage appliance that uses HPE's patented 4 KB-chunk deduplication to reduce stored backup data by up to 60:1. It serves as the landing zone for your backup application — whether that is Veeam, Commvault, Veritas NetBackup, or another ISV — through the HPE StoreOnce Catalyst protocol, a data-protection-optimized interface that outperforms both NAS shares and emulated Virtual Tape Libraries. StoreOnce handles long-term retention, immutability enforcement, and efficient off-site replication of backup data.

HPE Zerto Software is a continuous data protection (CDP) and disaster recovery platform. Rather than running scheduled backup jobs, Zerto replicates I/O changes in real time at the hypervisor level, maintaining a rolling journal that captures a recovery point every few seconds. This allows RTOs measured in minutes and RPOs measured in seconds — capabilities that conventional backup jobs simply cannot match. Zerto also handles automated failover orchestration, non-disruptive DR testing, and workload mobility between on-premises sites and public clouds.

The two technologies are complementary, not competitive. Zerto provides the short-window, application-consistent recovery layer. StoreOnce provides durable, cost-efficient, ransomware-hardened long-term backup storage. Together they implement a "3-2-1-1" data protection model: multiple copies, on multiple media types, with at least one off-site, and at least one immutable.

Current HPE StoreOnce Models and Where They Fit

HPE's Gen5 StoreOnce lineup covers entry-level branch offices through hyperscale data centers. All models run HPE StoreOnce OS 5.2, support StoreOnce Catalyst, and require up to 80% less rack space and up to 29% less power than earlier generations.

Model Usable Capacity Range Max Backup Throughput Typical Fit
StoreOnce 3720 Starting at 18 TB raw Entry-level SMB, remote/branch office
StoreOnce 3760 108 TB – 216 TB Midrange Mid-market data centers
StoreOnce 5720 144 TB – 576 TB Up to 70 TB/hour Enterprise data centers
StoreOnce 7700 Enterprise all-flash Up to 300 TB/hour Hyperscale, mission-critical

All models support ISV-managed immutability, dual authorization controls, built-in hardware encryption, multifactor authentication, and air-gapped copy mechanisms — features that are non-negotiable in federal, SLED, and healthcare environments subject to FISMA, HIPAA, and NIST 800-53 requirements.

You can browse available HPE StoreOnce systems at Uniqcli to see current configurations and request pricing.

How HPE Zerto Delivers Continuous Data Protection

Unlike snapshot-based or scheduled backup tools, Zerto operates at the hypervisor I/O layer, intercepting writes before they reach the production datastore and fanning them out to one or more replication targets simultaneously. Key architectural elements include:

  • Virtual Protection Groups (VPGs): The unit of replication in Zerto. A VPG bundles a set of VMs that must be recovered together, preserving application consistency across multi-VM workloads like SQL clusters or SAP environments.
  • Journal-based recovery: Zerto maintains a continuous, rolling journal of all writes. Administrators can rewind to any point in that journal — down to a few seconds before a ransomware encryption event began — without pre-staging snapshots.
  • Zerto 10.9 Cyber Recovery VPG: Introduced in 2026, this dedicated VPG type is purpose-built for ransomware response, isolating recovery targets and integrating with HPE StoreOnce immutable storage for verified clean-state recovery.
  • Orchestrated failover and testing: Zerto automates failover runbooks, executes non-disruptive DR tests in isolated network bubbles, and produces test reports — critical for compliance audits that require documented recovery testing.
  • Platform breadth: Zerto 10.9 supports VMware vCenter, Microsoft Hyper-V, Microsoft Azure, AWS, and HPE Morpheus environments, including cross-platform CDP replication between vCenter and HPE Morpheus VM Essentials.

Integrating HPE StoreOnce with Zerto for Long-Term Retention

Zerto's CDP journal is designed for short-to-medium retention windows — typically hours to days — at production-level performance. For weeks, months, or years of retention required by compliance mandates, the integration with HPE StoreOnce closes the gap.

Here is how the combined architecture works in practice:

  1. Zerto replicates in real time from production VMs to a recovery site (secondary data center or cloud). The journal provides near-instantaneous restore points.
  2. Backup applications (Veeam, Commvault, etc.) run scheduled jobs that write deduplicated backups to HPE StoreOnce via the Catalyst protocol. Catalyst enables source-side deduplication — the backup application computes deduplication hashes on the source host, sending only unique chunks to StoreOnce and dramatically reducing network bandwidth.
  3. StoreOnce Catalyst Store replication can then send deduplicated backups to a second StoreOnce appliance at a DR site or to cloud object storage, maintaining an off-site copy without full re-transfer of data.
  4. Immutability policies on StoreOnce lock backup data for a defined retention period. Even a compromised administrator credential cannot delete or overwrite protected backups during the lock window, satisfying air-gap and WORM requirements.
  5. Zerto's Cyber Recovery VPG can point to StoreOnce immutable targets for validated clean-state recovery, ensuring that when an incident occurs, the recovery image itself has not been tampered with.

This layered approach means your organization has multiple recovery options depending on the scenario: seconds-ago recovery via Zerto's journal for a ransomware event, a recent daily backup on StoreOnce for a corrupted database, or a monthly compliance backup for regulatory e-discovery.

Deployment Steps: Standing Up the Integration

The following steps describe a representative on-premises-to-DR-site deployment. Cloud targets follow a similar pattern with provider-specific configuration.

Step 1 — Establish StoreOnce Catalyst Stores. On each StoreOnce appliance (primary and DR sites), create a Catalyst Store and configure access credentials for your backup application service account. Enable immutability policy at the store level, setting the minimum lock duration to match your retention SLA.

Step 2 — Configure Catalyst Copy replication. Within StoreOnce Management Console, set up a scheduled Catalyst Copy job from the primary Catalyst Store to the DR site Catalyst Store. Deduplicated data transfer means only changed blocks traverse the WAN, keeping replication bandwidth predictable.

Step 3 — Deploy Zerto Virtual Manager (ZVM). Install ZVM as a Windows VM or appliance on both the protected site and recovery site vCenter environments. ZVM integrates directly with vCenter and does not require agents inside guest VMs.

Step 4 — Create Virtual Protection Groups. In the Zerto UI, create VPGs grouping the VMs that form each application tier. Set the journal history duration (commonly 24–72 hours), select the recovery datastore at the DR site, and define network mappings for failover.

Step 5 — Configure Cyber Recovery VPGs for ransomware scenarios. For the most sensitive workloads, create a dedicated Cyber Recovery VPG pointing the recovery target at an isolated recovery network and mapping long-term retention to the StoreOnce Catalyst Store. This ensures that if Zerto detects real-time encryption anomalies, it can pivot recovery to a StoreOnce-backed clean image.

Step 6 — Run a non-disruptive DR test. Zerto's built-in test mode spins up VMs in an isolated network bubble at the recovery site without impacting production replication. Run this test quarterly and export the compliance report to satisfy audit requirements.

Step 7 — Validate StoreOnce immutability. Attempt to delete a locked backup object through the backup application or StoreOnce CLI. Confirm that the delete is rejected until the lock window expires. Document the test result for your security team.

Ransomware Response: A Realistic Recovery Scenario

Consider a healthcare organization that detects file-extension changes consistent with ransomware encryption at 2:14 AM on a Tuesday. Here is how the combined stack responds:

  • Zerto's real-time anomaly detection flags unusual write patterns at the hypervisor I/O layer and can alert operators within minutes of the encryption beginning.
  • Journal-based recovery allows the team to rewind affected VMs to 2:10 AM — four minutes before the ransomware was detected — and restore them at the DR site without touching production storage.
  • StoreOnce immutable backups remain unaffected because the ransomware cannot reach the locked Catalyst Store objects. Nightly backups from 1:00 AM are fully intact and verifiably clean.
  • HPE's Cyber Resiliency Guarantee provides access to HPE outage recovery experts within 30 minutes of a reported incident — a contractual commitment that matters in regulated environments where downtime has clinical consequences.

The result: an organization that might have faced days of downtime and potential ransom payment instead recovers key workloads in under an hour with zero data loss beyond a few minutes.

Sizing Considerations for Federal, SLED, and Healthcare Buyers

Organizations in regulated sectors should account for several requirements that affect how they size StoreOnce and configure Zerto:

  • Retention mandates: HIPAA requires six years of medical record retention; FISMA-High workloads often require 90-day immutable backup windows. Size StoreOnce capacity against your raw backup data volume divided by expected deduplication ratio (typically 10:1 to 20:1 for mixed workloads, higher for virtual desktop environments).
  • Backup window constraints: Healthcare organizations often have narrow backup windows around shift changes. The StoreOnce 5720's 70 TB/hour throughput or the 7700's 300 TB/hour ensures large datasets complete within maintenance windows.
  • Air-gap requirements: NIST 800-171 and CMMC Level 2/3 guidance increasingly calls for isolated backup copies. StoreOnce's dual-authorization deletion controls and hardware encryption at rest satisfy both the logical and physical air-gap intent without requiring a physically separate tape infrastructure.
  • WAN bandwidth for Zerto replication: Zerto's compression and deduplication reduce replication bandwidth, but mission-critical VPGs with high change rates — database transaction logs, for example — should be factored into WAN capacity planning. Zerto's bandwidth throttling and scheduling prevent replication from saturating production links.

Explore Uniqcli's storage guides for reference architectures tailored to federal and healthcare data protection requirements, or use our quote request tool to get a pre-configured bill of materials.

Key Differences: HPE Zerto vs. Traditional Backup Alone

Teams evaluating whether to add Zerto to an existing StoreOnce investment sometimes ask whether backup alone is sufficient. The table below highlights where each capability is strongest.

Capability HPE StoreOnce + Backup App HPE Zerto CDP Combined Stack
Recovery Point Objective Hours (last backup job) Seconds Seconds (Zerto) + scheduled (StoreOnce)
Recovery Time Objective Hours to days Minutes Minutes to hours, scenario-dependent
Retention depth Months to years Hours to days (journal) Full spectrum
Ransomware-hardened storage Yes (immutable) Anomaly detection + journal Both layers active
Compliance retention Yes No Yes
Non-disruptive DR testing Depends on ISV Built-in Built-in + backup validation
Cross-cloud mobility Via Catalyst copy Native Both paths available

For most enterprise, federal, and healthcare environments, the combined stack is not a luxury — it is the minimum architecture needed to meet documented SLAs and regulatory requirements.

How Uniqcli Helps

As an authorized HPE and HPE Aruba Networking partner, Uniqcli works with federal, SLED, healthcare, and enterprise buyers to configure and procure HPE StoreOnce and HPE Zerto solutions that are right-sized for actual requirements — not oversold on capacity or licensed features you will not use.

Our team can help you:

  • Identify the correct StoreOnce model based on your raw dataset size, expected deduplication ratio, and backup window
  • Size Zerto VPG configurations for VMware, Hyper-V, or HPE Morpheus environments
  • Navigate HPE GreenLake consumption options if CapEx is a constraint
  • Ensure your configuration meets FISMA, HIPAA, CMMC, or state CJIS requirements

Visit our HPE StoreOnce product page for current model availability, or contact our team to discuss your specific backup and DR requirements. If you are ready to move forward, our quote tool can generate a fast, accurate configuration for your environment.

Build your HPE bill of materials.

Send us the requirement, the project, or an existing quote to beat. We come back with a validated, TAA-compliant HPE configuration and a real price, often below list.

connect [at] getuniqcli.com · Chicago, IL