| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hi Guys, I've posted in DR as well but here goes. I have very little Linux knowledge and as such I am having trouble running upgrade_export to enable me to get a full backup for DR purposes. Can anybody help!!?? Cheers G |
| |||
| Thanks for getting back! Well, from what I understand (there does not seem to be a definitive answer in any documentation I've read) - running upgrade_export on our Check Point installation will effectively take a snapshot of the firewall config to be 'exported' to another enforcement module. In my case I'll keep a copy of this somewhere safe so in the event of disaster I can 'import' the 'export' into a new installation - apologies if I am getting this wrong, I am new to Check Point. The main problem I have is running the command when I'm consoled up to the Crossbeam, which is running Linux. My lack of knowledge of both Linux and Check Point has conspired to stand in my way!! Any help much appreciated G |
| |||
| No idea how Crossbeam works, but on all *nix platforms and Windows the upgrade tools can be found in $FWDIR/bin/upgrade_tools, so try doing: cd $FWDIR/bin/upgrade_tools ; ./upgrade_export (with switches needed) |
| |||
| Just thinking of something - do you have a separate firewall management system? That's the one you want to back up with upgrade_export. That will back up policies and objects. Don't run upgrade_export on the modules if they're just enforcement modules. I don't use Crossbeam, but you will need to have a backup of the system config e.g. routing, interfaces. Look at the Crossbeam documentation for that. Then if you need to restore from backup, you setup the Crossbeam box, restore your interfaces/routing from backup, then push policy again. Easy. |
| |||
| OK, so we're getting somewhere, I've found the upgrade_tools directory. Many thanks. I'm going to have a play round and should be able to do what I want now. I'll let you know the outcome..... G |
| |||
| What OS are you using? SPLAT? I thought you were using Crossbeam? Check Point's 'backup' is only available on SPLAT. Doesn't matter where you run it from. By default it dumps the backup to /var/CPbackup/backups/ On SPLAT it backs up both OS and Check Point information. You can completely restore that system with the SPLAT CD and the backup file. |
| |||
| The smartdash is installed on another server (Windows 2000). Once the policy has been configured (on the other server) it's pushed down onto the Crossbeam. Surely I want to run the upgrade export on the Crossbeam, not the Windows server with smartdash installed?? Thanks G |
| |||
| You know there's 3 components to Check Point, right? There's the GUI clients - i.e. SmartDashboard, which can run on pretty much any Windows box. Then there's the management server, which is what SmartDashboard connects to. The last bit is the enforcement module, which actually does the firewalling. You can combine them, to some degree - e.g. you might have your Crossbeam firewall being both the enforcement module, and the management server. All rulebases and objects are stored on the management server. At compile time they are pushed to the enforcement module. If you want to back up the rules, objects, etc. then you need to do an upgrade_export on whatever server it is that you connect to with SmartDashboard - this is not necessarily the same as the server where SmartDashboard is installed. That way if you lost that server, you can restore your rulebases, etc. from backup. If you have a firewall that is just an enforcement module, you don't need to backup the Check Point information on there - you can always just push that out again. You do need to have a backup of the routes/interface config - read your Crossbeam documentation. So can you please identify for us, which server is which component? * Where is your management server, and what OS is it? * Which one is doing the enforcement - the Crossbeam? |
| |||
| Right, there are 2 pieces of kit involved here. 1. Crossbeam box running Linux 2. Win 2000 server which has the smart dashboard installed on it. When I fire up the smartdash GUI and enter the user/pass, the smart center server IP is the IP of the Crossbeam (internal network) port. So in answer to your questions: 1. Our management server is on the Crossbeam and it's running Linux 2. The Crossbeam is doing the enforcing. Cheers |
| |||
| Right, now we're getting somewhere. Run upgrade_export on the Crossbeam box to create a backup of your Check Point configuration. Find out what utilities you should use on Crossbeam for backup, to back up that config - interfaces, routes, etc. Now try and do a restore onto another piece of kit. Document the process. |
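The upgrade_export step advised above, wrapped so the export can be checked before it is relied on for a restore. This is an added example, not part of any post in the thread: dr_export and dr_verify are hypothetical names, and it assumes upgrade_export takes the output file path as its argument (possibly appending ".tgz") and that sha256sum exists on the management server.

```shell
#!/bin/sh
# Added example, not from the thread. dr_export and dr_verify are hypothetical names.
# Assumptions: upgrade_export takes the output file path as its argument and may
# append ".tgz" to it; sha256sum is available on the management server.

# dr_export <backup_dir>: run upgrade_export, write a SHA-256 manifest beside the
# export, and print the export path on stdout. The body is a subshell, so the
# umask and cd below do not leak into the calling shell (hence exit, not return).
dr_export() (
    if [ -z "${FWDIR:-}" ]; then
        echo "FWDIR is not set: load the Check Point environment first" >&2
        exit 2
    fi
    tools="$FWDIR/bin/upgrade_tools"
    if [ ! -x "$tools/upgrade_export" ]; then
        echo "upgrade_export not found in $tools" >&2
        exit 2
    fi
    umask 077    # the export holds the whole rulebase and object database
    mkdir -p "$1" || exit 1
    dir=$(cd "$1" && pwd) || exit 1
    base="$dir/mgmt_export_$(date +%Y%m%d_%H%M%S)"
    # Tool output goes to stderr so stdout carries only the resulting path.
    ( cd "$tools" && ./upgrade_export "$base" >&2 ) || exit 1
    out=$base
    if [ -f "$base.tgz" ]; then out="$base.tgz"; fi
    if [ ! -s "$out" ]; then
        echo "export file missing or empty: $out" >&2
        exit 1
    fi
    ( cd "$dir" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" ) || exit 1
    echo "$out"
)

# dr_verify <export_file>: succeed only if the file still matches its manifest.
# Run it on the off-box copy before relying on it for a restore.
dr_verify() (
    cd "$(dirname "$1")" || exit 1
    sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1
)
```

Copy the export and its .sha256 file off the box together, and run dr_verify against the copy as part of the restore test.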
| |||
| Just FYI - In regards to the Crossbeam - you will have a management IP for the Crossbeam itself. The Crossbeam smarts live in a custom built shell that lies above the Linux OS and manipulates it. The shell is very similar to the Cisco IOS command space. If you do a 'sho runn', you will see all the Crossbeam config - this is the part that you must save - just like a Cisco, cut and paste the config into Notepad - save that file (this obviously doesn't save passwords etc). I assume you have inherited this Crossbeam solution - perhaps contact reseller or Crossbeam for advice in a DR scenario. The one problem about Crossbeam is that it uses proprietary blades, so if you don't have a redundant blade sitting in the Xbeam, then you will have to wait for the reseller to deliver one to you - if the blade fails, then you will either need a new cold standby one there or wait until one is shipped to you - that would be the first area I would look at confirming (SLAs etc). You can have the option of HA and load-sharing with a redundant blade (if you so have the funds - not cheap). Peace! Fab |