Checkpoint - Backup


There are a few methods to back up a Check Point system running Gaia OS. They differ
in size, creation time and content.

The built-in Gaia backup procedures:

• Snapshot Management
• System Backup (and System Restore)
• Save/Show Configuration (and Load Configuration)

All methods are appliance-specific and can only be restored on the same model of appliance.

All methods can be used to back up your Security Gateways and Security Management Servers.

For complete backup of the system and maximum confidence, Check Point recommends
combining all three methods as part of the backup plan (Snapshot Management, System
Backup/Restore, and Save/Load Configuration).

Snapshot Management

The snapshot creates a binary image of the entire root (lv_current) disk partition. This includes all
of the operating system files and various Check Point software files such as specific drivers and
configuration.

Creating the snapshot image requires free space on the Backup partition. The required free disk
space is the actual size of the root partition, multiplied by 1.15.

The log partition is not included in the snapshot. Therefore, any locally stored FireWall logs will
not be saved.

Starting in R77.10, Gaia OS supports exporting an image from one machine and then importing and
restoring that image on another machine of the same type (e.g., during RMA cases).

When exporting a snapshot, the Gaia OS transfers the relevant files for a snapshot to the
/var/log/ partition, then compresses all files into one archive file.

For this operation, the requirement is that the free space in the /var/log/ partition is at least
twice the size of the final snapshot.
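
A preflight check for the two space rules above, as an added example (not Check Point code). It reads the root partition size and the /var/log free space from `df -Pk` text; the free space on the Backup partition is passed in by the caller, reading "actual size of the root partition" as the partition's total size is an assumption, and the sample `df` output is constructed.

```shell
#!/bin/sh
# Added example, not Check Point code. All sizes are in KB.
# Constructed `df -Pk` output; device names and numbers are sample values.
DF_SAMPLE='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/vg-lv_current 33554432 9437184 24117248 29% /
/dev/mapper/vg-lv_log 52428800 31457280 20971520 60% /var/log'

# df_col <mount> <column>: print one column of the row for <mount> (df text on stdin).
df_col() {
  awk -v m="$1" -v c="$2" 'NR > 1 && $6 == m { print $c }'
}

# snapshot_need_kb <root_kb>: root partition size * 1.15, rounded up.
snapshot_need_kb() {
  echo $(( ($1 * 115 + 99) / 100 ))
}

# can_create <df_text> <backup_free_kb>: 0 = enough, 1 = too little, 2 = no root row.
can_create() {
  root_kb=$(printf '%s\n' "$1" | df_col / 2)   # assumption: total size of /
  [ -n "$root_kb" ] || return 2
  [ "$2" -ge "$(snapshot_need_kb "$root_kb")" ]
}

# can_export <df_text> <snapshot_kb>: /var/log needs twice the snapshot size free.
can_export() {
  free_kb=$(printf '%s\n' "$1" | df_col /var/log 4)
  [ -n "$free_kb" ] || return 2
  [ "$free_kb" -ge $(( $2 * 2 )) ]
}

# Demo on the constructed sample: 40 GB free for the snapshot, 8 GB snapshot to export.
can_create "$DF_SAMPLE" 41943040 && echo "create: enough space"
can_export "$DF_SAMPLE" 8388608 && echo "export: enough space"
```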

We can revert to a snapshot through:

• Gaia Clish.
• Gaia Portal - "Snapshot Management" page.
• Gaia Portal First Time Wizard (starting from R77.10) - "Import existing snapshot" option.

Points to remember.

• Snapshot and Revert operations must be performed on appliances of the same model.

• Any user data saved in /var/log/ partition is not saved as part of the snapshot.

• When reverting to a snapshot taken on a machine other than the current machine, the license may
be invalid and may require re-activation, due to MAC address change.

• You cannot import a snapshot if a snapshot with the same name already exists on the machine.

• Renaming of the exported image is not supported. It is not possible to revert from a snapshot image
that was renamed.

• Firewall logs are not restored during reverting.

• Threat Emulation updated engine, images, detection rules and logic may need to be downloaded
again after reverting.

• All packages that were uploaded with SmartUpdate to the Security Management Server before
reverting are invalid after reverting. To fix this, delete the packages from SmartUpdate and upload
them again.

System Backup (and System Restore)

System Backup can be used to back up the current system configuration.

Gaia's Backup feature allows backing up the configuration of the Gaia OS and of the Security
Management server database, or restoring a previously saved configuration.

A backup creates a compressed file that contains the Check Point configuration including the
networking and operating system parameters, such as routing and interface configuration etc., but
unlike a snapshot, it does not include the operating system, product binaries, and hotfixes.

To save a backup locally.

HostName> add backup local


Creating backup package. Use the command 'show backup status' to monitor creation progress.

To show a list of local backups.

HostName> show backups


backup_gaiaGW_15_1_2013_12_15.tgz Tue, Jan 15, 2013 62.41 MB

To show the status of a backup or restore operation being performed.


HostName> show backup status
Performing local backup.

Backup configurations on Check Point appliances are stored in /var/log/CPbackup/backups/

Backup configurations on Open Servers are stored in /var/CPbackup/backups/

To restore from a backup (Clish)

Step 1
Run the appropriate restore command.

HostName> set backup restore local backup_gaiaGW_21_1_2013_09_52.tgz


Restoring from backup package. Use the command 'show backup status' to monitor restoring
progress. Please reboot the machine when it's finished.

Step 2
Monitor progress.

HostName> show backups


backup_gaiaGW_15_1_2013_12_15.tgz Tue, Jan 15, 2013 62.41 MB

HostName> show backup status


Performing local backup.

Step 3
Once the operation is done, reboot the machine.

Step 4
Install policy.

Configuring Scheduled Backups (Clish)

Step 1
Create the backup task.

HostName> add backup-scheduled name TuesThursBackup local


The backup name and type has been set.
The backup is not yet scheduled.
Please use the command 'set backup-scheduled name...' in order to schedule the backup.

Step 2
Schedule the backup task.

HostName> set backup-scheduled name TuesThursBackup recurrence weekly days 2, 4 time 18:00
Backup was successfully scheduled.

To configure monthly or weekly backups, days and months need to be converted to numerical
format. For example, Monday becomes 1, Tuesday becomes 2, September becomes 9, and so
forth.

Save Configuration (and Load Configuration)

This method saves the Gaia OS configuration settings as a ready-to-run CLI script. This allows us
to review our current setup and quickly restore the Gaia OS configuration.

These operations apply only to Gaia OS settings, e.g. configuration of interfaces, SNMP, dynamic
routing, etc.

To export the Gaia OS settings.

Gaia Clish

HostName> save configuration <Name of the file>

Expert mode

[Expert@HostName:0]# clish -c "save configuration <Name of the file>"

To import the Gaia OS settings.

Gaia Clish

HostName> load configuration <Name of the file>


HostName> save config

Expert mode

[Expert@HostName:0]# clish -i -f <Name of the file>


[Expert@HostName:0]# clish -c "save config"

Points to remember.

• Restore is only allowed using the same Gaia version on the source and target devices.

• Restore is only allowed using the same appliance model on the source and target devices.

• Once the restore is done, we must reboot the machine and install policy in order to apply the new
configuration.

• The backup file name generated by the backup command should not be renamed and must not
contain spaces.

• Log files are not backed up by default for Security Management Servers. To include log files in the
backup, include the -l flag.

• Log files are backed up by default for MDS backups. To exclude log files from the backup, include
the -l flag.

• Endpoint Security Server Database is not backed up by Gaia backup.
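
A check for the file-name rule above that also shows whether the scheduled backups are still being produced, as an added example (not Check Point code). The name layout `backup_<host>_<day>_<month>_<year>_<hour>_<minute>.tgz` is an assumption inferred from the two sample names on this page, and the renamed and copied file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Check Point code. The name layout is an assumption
# inferred from the sample names shown by 'show backups' on this page.
NAME_RE='^backup_(.+)_([0-9]{1,2})_([0-9]{1,2})_([0-9]{4})_([0-9]{2})_([0-9]{2})\.tgz$'

# backup_stamp <name>: print a sortable YYYYMMDDHHMM stamp for a generated
# backup name; fail for names with spaces or names that were renamed.
backup_stamp() {
  case "$1" in *" "*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq "$NAME_RE" || return 1
  # Reorder the captured fields to: year month day hour minute
  set -- $(printf '%s\n' "$1" | sed -E "s/$NAME_RE/\\4 \\3 \\2 \\5 \\6/")
  # Strip one leading zero so printf does not read "09" as octal
  printf '%04d%02d%02d%02d%02d\n' "$1" "${2#0}" "${3#0}" "${4#0}" "${5#0}"
}

# audit_backups <cutoff_stamp>: file names on stdin, one per line.
# Reports unusable names and whether the newest valid backup is older
# than the cutoff; returns non-zero if anything was reported.
audit_backups() {
  cutoff=$1 newest=0 findings=0
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    if stamp=$(backup_stamp "$name"); then
      if [ "$stamp" -gt "$newest" ]; then newest=$stamp; fi
    else
      echo "BAD-NAME: $name"
      findings=$((findings + 1))
    fi
  done
  if [ "$newest" -lt "$cutoff" ]; then
    echo "STALE: newest=$newest cutoff=$cutoff"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Demo: one name from this page plus two constructed bad names.
printf '%s\n' "backup_gaiaGW_15_1_2013_12_15.tgz" \
  "backup_gaiaGW_21_1_2013_09_52 copy.tgz" "gw-jan.tgz" |
  audit_backups 201301200000 || true
```

On an appliance the names would come from a listing of /var/log/CPbackup/backups/, with the cutoff derived from the backup schedule.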

Migrate Export

The migrate tool is located in the $FWDIR/bin/upgrade_tools/ directory.

This command backs up all Security Management configuration, independent of hardware, OS or
Check Point version.

The output file does not include OS information.

If we just want to back up the object/rule data, we should use the migrate export utility.

We can use this utility to back up the Check Point configuration on the management server.

If the system is not running on a highly loaded CPU, you can do a backup on a live system without
interruption of the services.

If we change the Check Point version, we can only go up; in other words, we can upgrade but not
downgrade.

Use the migrate utility to export and import Check Point Security Management Server database.

migrate <ACTION> [OPTIONS] <FILE>

Action:

export - exports database.

import - imports database.

Options (optional parameters):

-l - Export/import SmartView Tracker logs.

When migrating between 2 different major versions, you should use Migration Tool of the higher
version - i.e., when upgrading from R71 to R75, "R75 Management Server migration tools" should
be used on R71.

To export:

# cd $FWDIR/bin/upgrade_tools
# ./upgrade_export filename

To import:

# cd $FWDIR/bin/upgrade_tools
# ./upgrade_import filename

Note - upgrade_import will stop Check Point services.


Database Revision Control

This utility creates a version of your current policies, object database, IPS updates, etc. It is useful
for minor changes or edits that you perform in SmartDashboard.

It cannot be used to restore your system in case of failure.

To perform database revision control:

In SmartDashboard -> 'File' menu -> Database Revision Control -> Create

Comparison of backup methods

| | Snapshot Management | System Backup | "show configuration" | "upgrade_export" / "migrate export" |
|---|---|---|---|---|
| How much time does it take? | 30 - 60 minutes | 5 - 30 minutes | Few seconds | Depends on configuration |
| Size of output file on Security Gateway | 5-100 GB | Depends on configuration | Few KB | N/A |
| Size of output file on Management Server | 5-100 GB | 5-100 GB | Few KB | Depends on configuration |
| Does it back up Gaia OS configuration? | Yes | Yes | Yes | No |
| Does it back up Products configuration? | Yes | Yes | No | Yes |
| Does it back up Hotfixes? | Yes | No (*) | No | No |
| Does it back up Check Point logs? | No | No | No | Not by default. Use the flag "-l" in the syntax to back up the SmartView Tracker logs as well |
| Does it support automatic scheduling? | No | Yes | No | No |
| Can you restore from different version? | Yes | No | With manual adjustments | Upgrade is performed when importing to a newer version |
| Does it require to close SmartConsole GUI clients? | No | R7x - No, R80 - Yes | No | Yes |
| Does it require to stop Check Point services? | No | No | No | Yes |
| Does it require reboot? | No | No | No | No |


https://www.facebook.com/groups/inspectingfirewalls
