Backup rulebase, objects and logs - R77.30 Gaia



oharek
2016-03-26, 17:52
Hello,

I have a Checkpoint Smart 210 Manager using image R77.30, but now I have purchased a new Checkpoint Smart 3050 Manager also using image R77.30.

What’s the best approach to lift the current rulebase, objects and logs across to the new manager - maybe some sort of backup and restore?

regards,
Kevin

jflemingeds
2016-03-26, 18:03
Download the latest migration tools for R77.30. Build the 3050 with the same hostname and IP as the old box (it's important because certs have hostnames in them). Put the migration tools on both boxes. Do an export on the 210 and an import on the 3050. Make sure you have the same patches on both if you have any.

It's pretty easy; just run through the process a few times on the 3050 until you think you've got it right. Then you can basically power down the 210 and power up the 3050 without much fuss.

BTW, figure out if you want to keep logs, as this process will *not* restore them by default unless you pass the optional -l flag. If you don't care about logs, don't worry about it. If you do, look up the audit logs as well.

Then just to be safe keep the 210 around for a little while in case you need something off it.

bhavinjbhatt
2016-04-28, 10:45
on smart-210
1. save gaia config from clish
2. download latest migrate tools, extract in a temp directory
3. run migrate export filename.tgz
4. copy gaia config and filename.tgz off the box

on smart 3050
1. import gaia config and filename.tgz
2. extract the latest migrate tools on the smart 3050
3. load configuration <gaia config file from smart 210>
4. save config
5. now import the filename.tgz using the newly extracted migrate tools
6. once done, reboot...
7. log in to smartdashboard as you would normally do.
8. reset SIC to firewalls and push policy

Hope this helps

cheers
Bhav

oharek
2016-04-28, 16:16
Thanks for the advice

I intend to do this changeover to the new server next week. If I follow this I know I won't be far away from success.

cheers
Kevin

oharek
2016-05-04, 16:24
Bhav,

I need to have the Checkpoint Smart3050 patched with the same hotfixes as the Smart210. Is there a directory somewhere on the Checkpoint Smart210 that I can FTP the hotfixes off to a server and get a copy of them? If I could do that then I could easily import them onto my new Checkpoint Smart3050, run them and start a fresh migrate/import.


Thanks
Kevin

marclh
2016-05-04, 16:46
If you run the command "cpinfo -y all" you can see what hotfixes are installed on your device. From there you can request them from CP support if you didn't save a local copy.

Also, one thing to note. If you do a migrate export (this is with the migration tools mentioned above) a SIC reset on your gateways should not be necessary.

oharek
2016-05-04, 17:27
I'll give that a go tomorrow - cheers Kevin

oharek
2016-05-13, 13:30
I have rebuilt checkpoint smart 3050
I did a migrate export from the checkpoint smart 210 box
I did a migrate import into the checkpoint smart 3050 box
I have downloaded the latest patches for the checkpoint smart 3050 from the web

When I try to log in to smart dashboard on the checkpoint smart 3050 box (which has the original IP address) it says I don't have a valid license, but I have contacted checkpoint and got a new valid license for this box. I have CPSB-NPM & CPSB-LOGS in my new license so it should be ok.

Q. Any ideas why I can't log in, i.e. it says I don't have a valid license?

jflemingeds
2016-05-14, 15:03
My guess is the license from the 210 got imported. Licensing in the checkpoint appliances is based on the MAC of the MGMT interface, not the IP address (pretty sure at least!).

Can you respond with the following.

ifconfig Mgmt
cplic print -x

oharek
2016-05-14, 16:24
[Expert@UTM-MGR:0]# ifconfig Mgmt
Mgmt Link encap:Ethernet HWaddr 00:1C:7F:42:8E:8B
inet addr:192.168.12.155 Bcast:192.168.12.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3557143 errors:0 dropped:0 overruns:0 frame:0
TX packets:1309399 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4837287880 (4.5 GiB) TX bytes:132819313 (126.6 MiB)


[Expert@UTM-MGR:0]# cplic print -x
Host Expiration Signature Features
192.168.12.150 never a6XP2GX2gKZGhrGT9LvzPUuoK7LKVD9jvk9r CPSM-C-3 CPSB-NPM CPSB-EPM CPSB-LOGS CK-7C1C8E0E23BD
192.168.12.150 never axY6jZuXiZFmjcGffhPR3rjtoHwyfdzeeBSi CPAP-SM210X CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-PRVS CPSB-SME-10 CPSB-RPRT-N-C1000 CPSB-COMP-25 CPSB-COMP-25 CK-00-1C-7F-41-C3-4F
192.168.12.150 never abUevw8FzcJ5J4KxrvLCB3xevit8mN2FdyXi cpap-sm210x cpsb-npm cpsb-epm cpsb-logs cpsb-prvs cpsb-comp-25 cpsb-sme-10 cpsb-rprt-n-c1000 CK-00-1C-7F-41-C3-4F


192.168.12.150 is the LIVE checkpoint
192.168.12.155 is the new box I have done the migrate/import on and then tried to change the mgt port to 192.168.12.150 and log in


thanks for any advice
Kevin

jflemingeds
2016-05-14, 16:40
Yeah, so go into usercenter and detach whatever blades you want to migrate off the 210. Then add them to the license for the 3050.

You'll want to delete all the licenses listed above. I don't know what I was thinking; licenses are still attached to IP as well.

Once you have all the blades on the new 3050 license, download it and upload it to the .155 address (make sure to use the .155 address).

If you run into any problems, call/email account services. Licensing is one of the main issues they address.

You can delete licenses with this command:

cplic del "Signature"

Where Signature is the "abUevw8FzcJ5J4KxrvLCB3xevit8mN2FdyXi" looking string.

972 444 6500 option 5 (I think)
accountservices@checkpoint.com
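
The diagnosis in the last few posts comes from comparing `ifconfig Mgmt` with `cplic print -x` by eye. The script below is an added example, not part of the thread and not Check Point tooling, that makes the same comparison in shell. The function names and all sample values are constructed, and treating a dashed CK as the Mgmt MAC is an assumption taken from the poster's guess.

```shell
#!/bin/sh
# Added example: flag installed licenses that do not belong to this box.
# Parses text shaped like the `ifconfig Mgmt` and `cplic print -x` output
# in the thread. Function names and all sample values are constructed.

# Print "<ipv4> <MAC>" for the interface described by ifconfig text.
mgmt_identity() {
    printf '%s\n' "$1" | awk '
        /HWaddr/ { for (i = 1; i < NF; i++) if ($i == "HWaddr") mac = toupper($(i + 1)) }
        /inet addr:/ { for (i = 1; i <= NF; i++) if ($i ~ /^addr:/) ip = substr($i, 6) }
        END { print ip, mac }'
}

# Print "<signature> <reason>" for each license bound to another host IP,
# or (assumption) whose MAC-shaped CK differs from the local Mgmt MAC.
stale_licenses() {
    printf '%s\n' "$1" | awk -v ip="$2" -v mac="$3" '
        BEGIN { gsub(/:/, "-", mac); mac = toupper(mac) }
        $1 == "Host" || NF < 4 { next }      # header, blank or short line
        {
            ck = toupper($NF); sub(/^CK-/, "", ck)
            if ($1 != ip)
                print $3, "host-ip-mismatch"
            else if (ck ~ /^[0-9A-F][0-9A-F](-[0-9A-F][0-9A-F])+$/ && ck != mac)
                print $3, "ck-mac-mismatch"
        }'
}

# Constructed sample input (documentation addresses, made-up signatures).
SAMPLE_IFCONFIG='Mgmt Link encap:Ethernet HWaddr 00:00:5E:00:53:02
inet addr:192.0.2.155 Bcast:192.0.2.255 Mask:255.255.255.0'
SAMPLE_CPLIC='Host Expiration Signature Features
192.0.2.150 never exampleSigOldBox CPAP-SM210X CPSB-NPM CPSB-LOGS CK-00-00-5E-00-53-01
192.0.2.155 never exampleSigWrongCK CPSB-NPM CPSB-LOGS CK-00-00-5E-00-53-01
192.0.2.155 never exampleSigNewBox CPSB-NPM CPSB-LOGS CK-00-00-5E-00-53-02'

check_sample() {
    set -- $(mgmt_identity "$SAMPLE_IFCONFIG")   # splits into IP and MAC
    stale_licenses "$SAMPLE_CPLIC" "$1" "$2"
}

# On the appliance (Expert mode) the same check would be:
#   set -- $(mgmt_identity "$(ifconfig Mgmt)")
#   stale_licenses "$(cplic print -x)" "$1" "$2"
check_sample
```

Each signature it prints is a candidate for the `cplic del` step described in the post above.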