CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: ?? Possible To Image a SPLAT System ??

  1. #1
    Join Date
    2009-01-14
    Posts
    37
    Rep Power
    0

    Default ?? Possible To Image a SPLAT System ??

    Is it possible to image a SPLAT system with Acronis or the like to use it for re-imaging other systems or to use in case of hardware failure?

    Looking for a way to get my configuration on a new server identical to the old configuration from my existing server and a way to get around this issue the next time.

    Thanks.

  2. #2
    Join Date
    2009-06-10
    Location
    NE Ohio
    Posts
    1,202
    Rep Power
    12

    Default Re: ?? Possible To Image a SPLAT System ??

    Personally, if you use the same servers with hardware RAID 1, get it configured, let the array settle down and sync, then just yank a drive.

    When you want to bring up the new system, put that drive in bay 0.

  3. #3
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: ?? Possible To Image a SPLAT System ??

    I've seen this method.

    Just be sure to reset the random seed ("Random Pool") under cpconfig.
    Otherwise, the cloned firewall will generate the same random numbers as the original system.

  4. #4
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,172
    Rep Power
    15

    Default Re: ?? Possible To Image a SPLAT System ??

    Quote Originally Posted by alienbaby View Post
    I've seen this method.

    Just be sure to reset the random seed ("Random Pool") under cpconfig.
    Otherwise, the cloned firewall will generate the same random numbers as the original system.
    The OP did say that it was for hardware failure, so we have to assume he intends on shelving the drive for that enforcement point only.
    There's no place like 127.0.0.1

  5. #5
    Join Date
    2009-01-14
    Posts
    37
    Rep Power
    0

    Default Re: ?? Possible To Image a SPLAT System ??

    Actually I was hoping to do 2 things:

    1) image the existing operating firewall in my HA so I can use that image to recreate the failed firewall
    2) have an archived image to have on the shelf in case I experience any other failures.

    But unfortunately each of my firewalls is running on a RAID 5, so 'borrowing' a portion of the mirrored set won't work for me.

    And yes, I was lucky enough to have 2 of the drives in my array fail.

    I'll have to look into resetting the "random pool".
    Last edited by absolutezero273c; 2010-03-30 at 10:27.

  6. #6
    Join Date
    2009-10-23
    Posts
    58
    Rep Power
    11

    Default Re: ?? Possible To Image a SPLAT System ??

    As you are running on SPLAT, I would consider the built in "snapshot" command as an option.

    I have scripted snapshot backups on a weekly basis and scp them to a backup server. Restoring these snapshots on spare hardware (same type) takes me about 20 min (first install SPLAT from installation image, then copy file from backup server via LAN, then revert). Restoring an old snapshot on a running system is even faster.


    Regards,
    Hartmut

  7. #7
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,172
    Rep Power
    15

    Default Re: ?? Possible To Image a SPLAT System ??

    Quote Originally Posted by HartmutB View Post
    (first install SPLAT from installation image, then copy file from backup server via LAN, then revert).
    Does the new box (with the exact same hardware) also need to be running the exact same version? Given the nature of snapshot, I would think not since it should restore previously installed tweaks or HFA's.
    Last edited by lammbo; 2010-03-31 at 13:45.
    There's no place like 127.0.0.1

  8. #8
    Join Date
    2009-10-23
    Posts
    58
    Rep Power
    11

    Default Re: ?? Possible To Image a SPLAT System ??

    Quote Originally Posted by lammbo View Post
    Does the new box (with the exact same hardware) also need to be running the exact same version? Given the nature of snapshot, I would think not since it should restore previously installed tweaks or HFA's.
    You are correct with the last statement. In the past, I had an R65 (without HFAs) installation media (BTW: never seen a "CP produced copy" of an installation media past R65, only available via downloads ...) and now a clean R70(.0) installation CD.

    With both media, I could and can restore the most recent snapshot of the same family (R70.1, R70.20 with R70 media) without first installing HFAs. And no need to install any fw components from CD (saves time). They will come back with the revert of the snapshot.


    Just a little history: We have two All-in-One-Firewalls based on Dell 2850 with RAID-1. At the time of hardware purchase, there was no big difference in price between getting 2 machines with fast response hardware service and getting 3 machines with basic "next day hardware replacement". So we bought 3 of them.

    Now, I have a spare machine to test updates and - if successful - simply swap disks to the live system. The time needed for the live update is only for shutting down the firewall, replacing disks and starting again.
    Of course, with an "unattached" spare machine, you can't test connectivity, but you can check for update errors, logs, etc. And if there's a problem with the upgraded system in "real life", you can simply swap it back to the non-updated disks from before.
    And of course you've got a spare machine, if you have broken hardware, too.

    For this way of updating, I have done a lot of snapshots and reverts and like this concept a lot ...

    Regards,
    Hartmut

  9. #9
    Join Date
    2008-11-10
    Posts
    83
    Rep Power
    12

    Default Re: ?? Possible To Image a SPLAT System ??

    Sorry to resurrect an old thread, but I had a related question and didn't want to create a new thread. Can I create an R65 snapshot, export it to disk, do a clean install of R75 and if it fails, copy the R65 snapshot back to the R75 box and revert to R65?

    Thanks.

  10. #10
    Join Date
    2009-10-23
    Posts
    58
    Rep Power
    11

    Default Re: ?? Possible To Image a SPLAT System ??

    Almost.

    To restore (revert) the R65 snapshot, you need a running R65 system. You can't revert it with the R75 machine.

    So, you first have to install a clean R65 from CD (no additional packages needed, simply the "basics"), copy your snapshot file (from a safe offline place) to the snapshot folder and then revert. Some may say that the restore system needs the same HFA level as the snapshot; my experience tells me that you don't need to apply any HFA to do a successful revert.


    Regards,
    Hartmut

  11. #11
    Join Date
    2008-11-10
    Posts
    83
    Rep Power
    12

    Default Re: ?? Possible To Image a SPLAT System ??

    That's exactly what I needed to know. Thanks a bunch.

  12. #12
    Join Date
    2006-02-02
    Location
    US
    Posts
    274
    Rep Power
    14

    Default Re: ?? Possible To Image a SPLAT System ??

    Quote Originally Posted by HartmutB View Post
    Some may say that the restore system needs the same HFA level as the snapshot; my experience tells me that you don't need to apply any HFA to do a successful revert.
    Those people would be wrong. The entire registry is recovered using the snapshot command, so any HFAs and HFs that have been installed prior to running the snapshot command will be "pre-installed" with the revert. This is one of the things that makes it so beautiful.
