Backup vs Upgrade_export

[Gremlin]

Hi all,

Anybody knows what the difference between the backup utility (SPLAT) and the upgrade_export? In fact, I always used the upgrade_export but till now I didn’t have the chance to test the restore procedures (the obvious advantage of distributed environment + HA for SmartCenter :) So my doubts are – does the upgrade_export utility back up the whole system (such as current policy, user DB, ip addresses, routing, hostname and so on)?

Given a standalone R61 system, will upgrade_export be enough? Or I will have to restore some configuration manually (i.e. backing it up manually too, in advance)?

[mcnallym]

The upgrade_export tool will just take the Check Point configuration, ie objects, rules, users etc.

The backup utility will make a backup of the SPLAT configuration and the Check Point configuration I believe.

Personally I tend to use the backup utility which I believe should backup the Check Point settings as well, but still take an upgrade_export as well to make sure that the Check Point settings are saved.

[dantro]

As mcnallym said. Doing the full backup requires a lot more time and diskspace. Since you can also export the cpconfig settings you could use upgrade_export and an cpconfig export for staying as safe as possible. The big plus is that an upgrade_export makes you platform independed. You can import it on a completely different machine. Let's you exported a SCS config unter SPLAT you can import it at a new SCS running on Windows.

[chillyjim]

For most folks an upgrade_export plus copies of:

/etc/password
/etc/shadow
/etc/scpusers
/etc/syscong/netconfig.C <Check the name, but its close>

Will give you what you want and it is portable across hardware where (give or take interface names) where a backup/snapshot isn't.

[srahman]

Hello,

Can anyone please tell me how I can run upgrade_export on a NGX management station?

Will this carry the full policy from the management station?

Thank you.

[chillyjim]

Adjust as needed for OS....


cd $FWDIR/bin/upgrade_tools
./upgrade_export /var/tmp/my_export

This gets you all of the "Check Point" config, Policies; objects; ICA; SIC; users; etc.

[srahman]

Many thanks.

[srahman]

Hi, Can anyone please give me a full detail list of all the items I need to backup manually from a Firewall Management rebuild (NGX), Solaris box. Currently I am having problems running the upgrade_export command.

The list so far is:

config, Policies; objects; ICA; SIC ....

ie do I take a backup of all the object.* ?

Thank you in advance.

[Yasushi Kono]

One additional aspect which should be taken into account:

upgrade_export is more flexible in respect of the operating system and CP version to be used in the future: You could use the output file of upgrade_export and do an upgrade_import to a totally different operating system or CP version (as far as you do an upgrade and not a downgrade!). This is something missing in the backup utility.

The command upgrade_export is only applicable to systems on which you have installed a SmartCenter server (i. e.: a standalone installation (FW + SmartCenter on one box) or distributed with SmartCenter only). Should you have a Firewall-only box, this command cannot be used!

You should tar the $FWDIR and $CPShared directory. And not to forget the user database (/etc/passwd) and static routes, and eventually other configuration files for TCP/IP settings (DNS, NTP, ...).

Kind regards,
Yasushi

(For those who are familiar with German language: Check out Galileo Computing : Buch : Check Point VPN-1 Power)

[light]

Hi all,

when we take backup using "upgread_export" does it take backup of the routes which are added to the management server?

if not does any other way to take back up of static route apart from coying the route file.

[chillyjim]

No it doesn't. That information is kept in /etc/sysconfig/netconfig.c

[Bob_Zimmerman]

Quote:

Originally Posted by srahman

Hi, Can anyone please give me a full detail list of all the items I need to backup manually from a Firewall Management rebuild (NGX), Solaris box. Currently I am having problems running the upgrade_export command.

The list so far is:

config, Policies; objects; ICA; SIC ....

ie do I take a backup of all the object.* ?

Thank you in advance.

It depends on how much you are willing to potentially lose and rebuild. Your rules are stored in the rulebases_5_0.fws, your objects in the objects_5_0.C, and your users in the fwauth.NDB. On a Windows SmartCenter, fwauth.NDB is a pointer to somewhere else. 'fwauth.NDB18' or something like that with a number at the end.

I've been told by support that those three (or four) are enough to recover your policy and so forth, but you will need to create a new ICA and reestablish SIC with everything. They didn't tell me what needs to be backed up to keep the ICA.

[longhill]

So to make a complete backup do:

1) upgrade_export
2) Copy of sysconfig / netconfig.c for the route

It's right?

[longhill]

So to make a complete backup do:

1) upgrade_export

2)/etc/password
/etc/shadow
/etc/scpusers
/etc/syscong/netconfig.C
for all enforce module.

It's right?