| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| I presently run an upgrade_export on my SC manually, which I understand is all I need if the system needs to be rebuilt. I also have three FW-1 SPLAT firewalls (two clustered and one alone), on which I connect to the web interface, run the backup command and store it on a TFTP server. My question: is this all that is required, or should I also run upgrade_export on the firewalls themselves? Thanks, Nick |
| |||
| You should only need to run the upgrade_export on the SmartCenter system, or if it is SPLAT, the backup function would get the FW1 config as well as the system config, maybe saving you some setup time in the event you need to restore, whereas an upgrade_export would only get your FW config, not the OS... If your SC system is a Windows/Solaris/etc. type box, you will want to run some sort of system backup as well in case you have any special routes, IP setups, etc... If it is a SPLAT, you could use its scheduled backup process to do pretty much the same thing. Last edited by rokudan; 2008-01-16 at 08:15. |
| |||
| My SC is running on a Windows 2003 server, and SPLAT is running on all three firewalls. If I understand you correctly, all I need is upgrade_export to be run on my SC and backup (web interface function) to be run on my SPLAT firewalls. If this is accurate, then it is exactly what I'm presently doing. Mind you, it's a manual process right now, but it still does the task :) On my Windows SC server, what else do I need to back up (using third-party backup software)? |
| |||
| You can get away fine with just the upgrade_export from the Windows server, but just make sure you note your IP and any routes you have added to that box. Usually not a big deal, but in a large environment you may have a few routes to get to various gateways... As well, you have to reconfigure the box as a bastion host, meaning lock it down by removing services, patching everything, etc... So sometimes a full backup can ease that process... |
| |||
| Also note that in order for the SPLAT backup to be restored properly, you need to reinstall SPLAT and the last HFA you applied first. If you don't do that, some of the files restored will be from a later HFA than what you built up for recovery. Of course, in order to install the HFA you also need to run sysconfig and install whatever Check Point packages were installed before doing the HFA and the backup restore. If you try to apply the correct HFA after you do the restore, it won't do anything because it thinks it's already installed. That will cause issues because the binaries won't match the config files. If you run the version commands, it will say the HFA is installed but it's not. So make sure you know what the latest HFA is that's installed on the firewalls as well as any non-HFA hotfixes, if any. Also make sure you know what Check Point packages are installed. Restoring the SmartCenter with upgrade_import is a lot easier because it's platform-independent. Ray |
| |||
| This is also where the snapshot command can be handy on SPLAT. If you take a snapshot after installing HFAs, you can use the snapshot to revert to the HFA version before running your latest backup or upgrade_import. Makes the DR document easier, because you don't need to include the product install and HFA install process before the data restore process. |
| |||
| Also note the FQDN as your certs are generated using this. __________________ There's no place like 127.0.0.1 |