| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hi All, How does one go about backing up Check Point SecurePlatform Enforcement Modules, since upgrade_export does not work on an Enforcement Module? What is the best practice for backing up an Enforcement Module? With the "backup" command? Thanks. |
| |||
| Hi, you can use the backup command, which captures all of the OS information (routes, IP addresses, ...) and the Check Point configuration. You can also use the snapshot command, which takes a complete image of the system, but taking this snapshot will take your enforcement module out of service for some time. PS: upgrade_export should work on an enforcement module, but it will only capture the Check Point info (SIC, Security Policy, ...), not any OS info. |
| |||
| Are you sure that upgrade_export works on enforcement modules? See below:

```
[Expert@splat]# cd /var/tmp
[Expert@splat]# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_02, Hotfix 602 - Build 006
[Expert@splat]# find / -name upgrade_export
/opt/CPsuite-R65/fw1/bin/upgrade_tools/upgrade_export
/sysimg/CPwrapper/linux/linux22/upgrade_export
/sysimg/CPwrapper/linux/Actions/upgrade_export
[Expert@splat]# /opt/CPsuite-R65/fw1/bin/upgrade_tools/upgrade_export test
You are required to close all Check Point clients before the Export operation begins.
If the export fails, stop Check Point services and run the upgrade_export command again.
Press ENTER when ready..
Checking the existence of necessary files...
Copying files to temp dir...
Building configuration file...
Error: Failed to read local configuration info
[Expert@splat]#
```

How do you explain that? Thanks |
| |||
| There are a couple of bugs in R65 HFA 2 / HFA 1; a broken upgrade_export was one of them. See sk33878, which links you to a Hotfix for the Hotfix ;) HTH __________________ It's all in the documentation. |
| |||
| I spoke too soon. On the SmartCenter with HFA_02 and NO patch, I can perform upgrade_export fine without issue, as seen below:

```
[root@FiremonRCC-lab tmp]# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_02, Hotfix 602 - Build 006
[root@FiremonRCC-lab tmp]# /opt/CPsuite-R65/fw1/bin/upgrade_tools/upgrade_export xxx
You are required to close all Check Point clients before the Export operation begins.
If the export fails, stop Check Point services and run the upgrade_export command again.
Press ENTER when ready..
Checking the existence of necessary files...
Copying files to temp dir...
Building configuration file...
Compressing the files...
The export operation finished successfully.
Note: /var/tmp/tmp/xxx.tgz contains your Security configuration, it is highly recommended to delete it after completing the process.
[root@FiremonRCC-lab tmp]#
```

I get an error on Enforcement Modules with upgrade_export without the patch. What the hell.... |
| |||
| One explanation could be that you applied a different HFA 02 for R65 on the management server and on the module. The first HFA_02 that Check Point released had the bug; a few days after that, they released another HFA_02 that had the bug fixed. That could be why it failed on the module and not on the SCS. |
| |||
| "Error: Failed to read local configuration info" The other thing that will cause the above error is running the commands with the NIC disconnected, for whatever reason. Ray |
| |||
| ...that's what the patch is for, to fix upgrade_export. While the patch claims it's for all R65 HFA 02 installations, I'm not surprised that your SmartCenter server works without the patch. SCS contains a lot more datafiles than enforcement modules; Check Point probably wrote a hook in upgrade_export for an SCS-only datafile, by mistake of course. Maybe that's why they didn't catch it during the QA process; after all, no one does upgrade_exports for enforcement modules ;) __________________ It's all in the documentation. |