Backup and Disaster Recovery with HPE StoreOnce and Zerto

Data loss and unplanned downtime remain among the costliest risks in IT operations — and the threat surface keeps growing. Ransomware campaigns, hardware failures, and regional outages have made "backup" an insufficient strategy on its own. Organizations need a layered approach that combines efficient, immutable backup storage with continuous data protection and automated failover. Two HPE technologies sit at the center of that approach: HPE StoreOnce for intelligent deduplicated backup storage and HPE Zerto Software for continuous replication and orchestrated disaster recovery. Used together, they address the full backup-to-recovery lifecycle, from minutes-old restore points to coordinated site failover with near-zero data loss.
This guide explains how each product works, how they complement each other, and the practical steps involved in deploying them as a unified backup and DR strategy — whether you are protecting VMware workloads on-premises, replicating to a cloud target, or building a cyber-resilient vault for a federal or healthcare environment.
Understanding the Role Each Technology Plays
Before walking through deployment, it helps to be precise about what each product actually does, because the two are often conflated in vendor marketing.
HPE StoreOnce is a purpose-built backup storage appliance that uses HPE's patented 4 KB-chunk deduplication to reduce stored backup data by up to 60:1. It serves as the landing zone for your backup application — whether that is Veeam, Commvault, Veritas NetBackup, or another ISV — through the HPE StoreOnce Catalyst protocol, a data-protection-optimized interface that outperforms both NAS shares and emulated Virtual Tape Libraries. StoreOnce handles long-term retention, immutability enforcement, and efficient off-site replication of backup data.
HPE Zerto Software is a continuous data protection (CDP) and disaster recovery platform. Rather than running scheduled backup jobs, Zerto replicates I/O changes in real time at the hypervisor level, maintaining a rolling journal that captures a recovery point every few seconds. This allows RTOs measured in minutes and RPOs measured in seconds — capabilities that conventional backup jobs simply cannot match. Zerto also handles automated failover orchestration, non-disruptive DR testing, and workload mobility between on-premises sites and public clouds.
The two technologies are complementary, not competitive. Zerto provides the short-window, application-consistent recovery layer. StoreOnce provides durable, cost-efficient, ransomware-hardened long-term backup storage. Together they implement a "3-2-1-1" data protection model: multiple copies, on multiple media types, with at least one off-site, and at least one immutable.
Current HPE StoreOnce Models and Where They Fit
HPE's Gen5 StoreOnce lineup covers entry-level branch offices through hyperscale data centers. All models run HPE StoreOnce OS 5.2, support StoreOnce Catalyst, and require up to 80% less rack space and up to 29% less power than earlier generations.
| Model | Usable Capacity Range | Max Backup Throughput | Typical Fit |
|---|---|---|---|
| StoreOnce 3720 | Starting at 18 TB raw | Entry-level | SMB, remote/branch office |
| StoreOnce 3760 | 108 TB – 216 TB | Midrange | Mid-market data centers |
| StoreOnce 5720 | 144 TB – 576 TB | Up to 70 TB/hour | Enterprise data centers |
| StoreOnce 7700 | Enterprise all-flash | Up to 300 TB/hour | Hyperscale, mission-critical |
All models support ISV-managed immutability, dual authorization controls, built-in hardware encryption, multifactor authentication, and air-gapped copy mechanisms — features that are non-negotiable in federal, SLED, and healthcare environments subject to FISMA, HIPAA, and NIST 800-53 requirements.
You can browse available HPE StoreOnce systems at Uniqcli to see current configurations and request pricing.
How HPE Zerto Delivers Continuous Data Protection
Unlike snapshot-based or scheduled backup tools, Zerto operates at the hypervisor I/O layer, intercepting writes before they reach the production datastore and fanning them out to one or more replication targets simultaneously. Key architectural elements include:
- Virtual Protection Groups (VPGs): The unit of replication in Zerto. A VPG bundles a set of VMs that must be recovered together, preserving application consistency across multi-VM workloads like SQL clusters or SAP environments.
- Journal-based recovery: Zerto maintains a continuous, rolling journal of all writes. Administrators can rewind to any point in that journal — down to a few seconds before a ransomware encryption event began — without pre-staging snapshots.
- Zerto 10.9 Cyber Recovery VPG: Introduced in 2026, this dedicated VPG type is purpose-built for ransomware response, isolating recovery targets and integrating with HPE StoreOnce immutable storage for verified clean-state recovery.
- Orchestrated failover and testing: Zerto automates failover runbooks, executes non-disruptive DR tests in isolated network bubbles, and produces test reports — critical for compliance audits that require documented recovery testing.
- Platform breadth: Zerto 10.9 supports VMware vCenter, Microsoft Hyper-V, Microsoft Azure, AWS, and HPE Morpheus environments, including cross-platform CDP replication between vCenter and HPE Morpheus VM Essentials.
Integrating HPE StoreOnce with Zerto for Long-Term Retention
Zerto's CDP journal is designed for short-to-medium retention windows — typically hours to days — at production-level performance. For weeks, months, or years of retention required by compliance mandates, the integration with HPE StoreOnce closes the gap.
Here is how the combined architecture works in practice:
- Zerto replicates in real time from production VMs to a recovery site (secondary data center or cloud). The journal provides near-instantaneous restore points.
- Backup applications (Veeam, Commvault, etc.) run scheduled jobs that write deduplicated backups to HPE StoreOnce via the Catalyst protocol. Catalyst enables source-side deduplication — the backup application computes deduplication hashes on the source host, sending only unique chunks to StoreOnce and dramatically reducing network bandwidth.
- StoreOnce Catalyst Store replication can then send deduplicated backups to a second StoreOnce appliance at a DR site or to cloud object storage, maintaining an off-site copy without full re-transfer of data.
- Immutability policies on StoreOnce lock backup data for a defined retention period. Even a compromised administrator credential cannot delete or overwrite protected backups during the lock window, satisfying air-gap and WORM requirements.
- Zerto's Cyber Recovery VPG can point to StoreOnce immutable targets for validated clean-state recovery, ensuring that when an incident occurs, the recovery image itself has not been tampered with.
This layered approach means your organization has multiple recovery options depending on the scenario: seconds-ago recovery via Zerto's journal for a ransomware event, a recent daily backup on StoreOnce for a corrupted database, or a monthly compliance backup for regulatory e-discovery.
Deployment Steps: Standing Up the Integration
The following steps describe a representative on-premises-to-DR-site deployment. Cloud targets follow a similar pattern with provider-specific configuration.
Step 1 — Establish StoreOnce Catalyst Stores. On each StoreOnce appliance (primary and DR sites), create a Catalyst Store and configure access credentials for your backup application service account. Enable immutability policy at the store level, setting the minimum lock duration to match your retention SLA.
Step 2 — Configure Catalyst Copy replication. Within StoreOnce Management Console, set up a scheduled Catalyst Copy job from the primary Catalyst Store to the DR site Catalyst Store. Deduplicated data transfer means only changed blocks traverse the WAN, keeping replication bandwidth predictable.
Step 3 — Deploy Zerto Virtual Manager (ZVM). Install ZVM as a Windows VM or appliance on both the protected site and recovery site vCenter environments. ZVM integrates directly with vCenter and does not require agents inside guest VMs.
Step 4 — Create Virtual Protection Groups. In the Zerto UI, create VPGs grouping the VMs that form each application tier. Set the journal history duration (commonly 24–72 hours), select the recovery datastore at the DR site, and define network mappings for failover.
Step 5 — Configure Cyber Recovery VPGs for ransomware scenarios. For the most sensitive workloads, create a dedicated Cyber Recovery VPG pointing the recovery target at an isolated recovery network and mapping long-term retention to the StoreOnce Catalyst Store. This ensures that if Zerto detects real-time encryption anomalies, it can pivot recovery to a StoreOnce-backed clean image.
Step 6 — Run a non-disruptive DR test. Zerto's built-in test mode spins up VMs in an isolated network bubble at the recovery site without impacting production replication. Run this test quarterly and export the compliance report to satisfy audit requirements.
Step 7 — Validate StoreOnce immutability. Attempt to delete a locked backup object through the backup application or StoreOnce CLI. Confirm that the delete is rejected until the lock window expires. Document the test result for your security team.
Ransomware Response: A Realistic Recovery Scenario
Consider a healthcare organization that detects file-extension changes consistent with ransomware encryption at 2:14 AM on a Tuesday. Here is how the combined stack responds:
- Zerto's real-time anomaly detection flags unusual write patterns at the hypervisor I/O layer and can alert operators within minutes of the encryption beginning.
- Journal-based recovery allows the team to rewind affected VMs to 2:10 AM — four minutes before the ransomware was detected — and restore them at the DR site without touching production storage.
- StoreOnce immutable backups remain unaffected because the ransomware cannot reach the locked Catalyst Store objects. Nightly backups from 1:00 AM are fully intact and verifiably clean.
- HPE's Cyber Resiliency Guarantee provides access to HPE outage recovery experts within 30 minutes of a reported incident — a contractual commitment that matters in regulated environments where downtime has clinical consequences.
The result: an organization that might have faced days of downtime and potential ransom payment instead recovers key workloads in under an hour with zero data loss beyond a few minutes.
Sizing Considerations for Federal, SLED, and Healthcare Buyers
Organizations in regulated sectors should account for several requirements that affect how they size StoreOnce and configure Zerto:
- Retention mandates: HIPAA requires six years of medical record retention; FISMA-High workloads often require 90-day immutable backup windows. Size StoreOnce capacity against your raw backup data volume divided by expected deduplication ratio (typically 10:1 to 20:1 for mixed workloads, higher for virtual desktop environments).
- Backup window constraints: Healthcare organizations often have narrow backup windows around shift changes. The StoreOnce 5720's 70 TB/hour throughput or the 7700's 300 TB/hour ensures large datasets complete within maintenance windows.
- Air-gap requirements: NIST 800-171 and CMMC Level 2/3 guidance increasingly calls for isolated backup copies. StoreOnce's dual-authorization deletion controls and hardware encryption at rest satisfy both the logical and physical air-gap intent without requiring a physically separate tape infrastructure.
- WAN bandwidth for Zerto replication: Zerto's compression and deduplication reduce replication bandwidth, but mission-critical VPGs with high change rates — database transaction logs, for example — should be factored into WAN capacity planning. Zerto's bandwidth throttling and scheduling prevent replication from saturating production links.
Explore Uniqcli's storage guides for reference architectures tailored to federal and healthcare data protection requirements, or use our quote request tool to get a pre-configured bill of materials.
Key Differences: HPE Zerto vs. Traditional Backup Alone
Teams evaluating whether to add Zerto to an existing StoreOnce investment sometimes ask whether backup alone is sufficient. The table below highlights where each capability is strongest.
| Capability | HPE StoreOnce + Backup App | HPE Zerto CDP | Combined Stack |
|---|---|---|---|
| Recovery Point Objective | Hours (last backup job) | Seconds | Seconds (Zerto) + scheduled (StoreOnce) |
| Recovery Time Objective | Hours to days | Minutes | Minutes to hours, scenario-dependent |
| Retention depth | Months to years | Hours to days (journal) | Full spectrum |
| Ransomware-hardened storage | Yes (immutable) | Anomaly detection + journal | Both layers active |
| Compliance retention | Yes | No | Yes |
| Non-disruptive DR testing | Depends on ISV | Built-in | Built-in + backup validation |
| Cross-cloud mobility | Via Catalyst copy | Native | Both paths available |
For most enterprise, federal, and healthcare environments, the combined stack is not a luxury — it is the minimum architecture needed to meet documented SLAs and regulatory requirements.
How Uniqcli Helps
As an authorized HPE and HPE Aruba Networking partner, Uniqcli works with federal, SLED, healthcare, and enterprise buyers to configure and procure HPE StoreOnce and HPE Zerto solutions that are right-sized for actual requirements — not oversold on capacity or licensed features you will not use.
Our team can help you:
- Identify the correct StoreOnce model based on your raw dataset size, expected deduplication ratio, and backup window
- Size Zerto VPG configurations for VMware, Hyper-V, or HPE Morpheus environments
- Navigate HPE GreenLake consumption options if CapEx is a constraint
- Ensure your configuration meets FISMA, HIPAA, CMMC, or state CJIS requirements
Visit our HPE StoreOnce product page for current model availability, or contact our team to discuss your specific backup and DR requirements. If you are ready to move forward, our quote tool can generate a fast, accurate configuration for your environment.