CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1  BSDsnob, 2006-06-07
Proper Backup Question

Hello,

Voyager says that backups are backing up the /config folder, and I assume that is where the configuration script lies for the firewall rules. In the event of a complete system failure, would I be able to recover from this backup, or would I need the system to be preinstalled? I exported the SmartCenter database with the installation CD, and I assume that if I had nothing, then copying over the /config backup would not be sufficient to rebuild the firewall. Or could I just install the ckpt fw version and replace the /config folder with the backup that I have? In the event of a total failure (SmartCenter failure and fw machine), would I need a database backup to get a machine back up and running?

#2  Lackie, 2006-06-08
Re: Proper Backup Question

Usually a Voyager backup gets placed in /var/backup or /var/backup/sched (for scheduled backups). If this is not a SmartCenter server, then the only information that you will need to back up is the Voyager information, which will include the interface information, routes, and any VRRP or IP clustering configurations.

To do a restore, you will have to install the same version of IPSO and then install the version of Check Point that you are using, do a restore using Voyager, and then push a policy from the SmartCenter server.

In the event of a crash of the SmartCenter server, you will need to have a Check Point backup from there to recover all of the Check Point data. This is best obtained from doing an upgrade_export on the SmartCenter server.

Hope this helps.

#3  BSDsnob, 2006-06-08
Re: Proper Backup Question

Thank you. Looks like they were backing stuff up in a script. Is there a way to recover the SmartCenter not using the import method? Sorry, I am new to Check Point, and I'll tell you, Check Point and Nokia are a pain in my arse! BSD used to be so simple: cd to the port directory, make, and then make install. What did they do to my OS!

#4  RayPesek, 2006-06-08
Re: Proper Backup Question

By far the most critical piece is the SmartCenter configuration because it has all of the object definitions, the certificate authority, the user database and the rule base. SmartCenter pushes these to the Nokia box. Here's what I do:

Redundant physical drives in the SmartCenter. Every week or after a big change, I run upgrade_export.exe to export the SmartCenter stuff that's installed on the C: to the physically separate D:

Before any Windows Updates or major changes are made to the SmartCenter, an image is created. This gives me the SmartCenter on C: and the upgrade_export.tgz file on the D: in the image. I keep multiple images available.

After each HFA application to the enforcement module, I manually create the backup on the Nokia box and send it to the SmartCenter. That way it's included in the images as well.

I keep a copy of the relevant HFAs on the SmartCenter. I also keep a copy of the installation wrapper for FW-1 and a copy of the running version of IPSO.tgz file on the SmartCenter. This not only puts them all in the image, it lets me totally rebuild an enforcement module without having to go to the Internet at all.

I had to do this once to a remote firewall. It came with a different version of IPSO & FW-1. I cleaned it off via SSH and had it on the correct versions and up and running in one hour after the remote site got the replacement box from Nokia (an IP-120).

HTH,

Ray
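
The recovery kit described in the post above can be audited mechanically. The following is an added example, not part of any post in this thread: it checks a kit directory for each piece listed, flags a SmartCenter export older than the weekly interval, and confirms that the newest archives actually open. The directory layout and every file-name pattern other than upgrade_export.tgz are assumptions.

```python
import tarfile
import time
import zlib
from pathlib import Path

# Hypothetical kit layout: label -> (glob pattern, maximum age in days or None).
# Only the upgrade_export name comes from the thread; the rest are assumptions.
REQUIRED = {
    "SmartCenter export": ("upgrade_export*.tgz", 7),  # weekly, per the post
    "Nokia Voyager backup": ("nokia_backup*.tgz", None),
    "IPSO image": ("ipso*.tgz", None),
    "FW-1 installation wrapper": ("wrapper*", None),
    "HFA packages": ("hfa*", None),
}

def archive_readable(path):
    """True if the gzip'd tar lists at least one member without an error."""
    try:
        with tarfile.open(path, "r:gz") as tar:
            return len(tar.getmembers()) > 0
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False

def audit_kit(kit_dir, now=None):
    """Return a list of problems found in the recovery-kit directory."""
    now = time.time() if now is None else now
    kit = Path(kit_dir)
    problems = []
    for label, (pattern, max_age_days) in REQUIRED.items():
        matches = sorted(kit.glob(pattern), key=lambda p: p.stat().st_mtime)
        if not matches:
            problems.append(f"{label}: missing ({pattern})")
            continue
        newest = matches[-1]
        age_days = (now - newest.stat().st_mtime) / 86400
        if max_age_days is not None and age_days > max_age_days:
            problems.append(f"{label}: {newest.name} is {age_days:.0f} days old")
        # A backup that cannot be opened is no backup; test every .tgz.
        if newest.suffix == ".tgz" and not archive_readable(newest):
            problems.append(f"{label}: {newest.name} is not a readable archive")
    return problems

if __name__ == "__main__":
    import sys
    issues = audit_kit(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(issues) if issues else "recovery kit complete")
    sys.exit(1 if issues else 0)
```

Run it against the directory that holds the kit; a non-zero exit status means at least one piece is missing, stale, or unreadable.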