CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E

 

Results 1 to 8 of 8

Thread: Checkpoint Backups - Do I need to backup my CP nodes or just management server?

  1. #1
    Join Date
    2008-02-14
    Posts
    36
    Rep Power
    0

    Default Checkpoint Backups - Do I need to backup my CP nodes or just management server?

    I'm currently reviewing my backupís policy for our checkpoint estate. I have one management server pushing configs to 4 checkpoint firewalls.

    All of our backups are focused around our management server. I've scheduled a weekly backup of our management server. We also have recent snapshots and upgrade exports.

    Do I need snapshots and upgrade exports of the actual FW nodes?? I seem to remember that the nodes aren't that important as long as you've got the management server backed up. If the node failed, you'd just have to reinstall SPLAT, reset SIC and push the policy.

    I'd appreciate any advice.

  2. #2
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    16

    Default

    Yes, backup the firewalls. But not with snapshots or upgrade_export. Use the backup command.

    What you want backed up on the firewall is the routing and addressing. Plus maybe any other custom changes you've made

  3. #3
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: Checkpoint Backups - Do I need to backup my CP nodes or just management server?

    Quote Originally Posted by northlandboy View Post
    Yes, backup the firewalls. But not with snapshots or upgrade_export. Use the backup command.

    What you want backed up on the firewall is the routing and addressing. Plus maybe any other custom changes you've made
    On the firewalls, you just need to backup a few files:

    1- $FWDIR/boot/modules/fwkern.conf
    2- /etc/sysconfig/netconf.C
    3- /etc/hosts

    All of this can be accomplished with open-source code such as RANCID

  4. #4
    Join Date
    2008-02-14
    Posts
    36
    Rep Power
    0

    Default Re: Checkpoint Backups - Do I need to backup my CP nodes or just management server?

    Quote Originally Posted by cciesec2006 View Post

    1- $FWDIR/boot/modules/fwkern.conf
    2- /etc/sysconfig/netconf.C
    3- /etc/hosts

    Brilliant, thanks for the tips.

    So, just to clarify, The standard Checkpoint "backup" won't do everything needed? I still need to look at RANCID??
    Last edited by dazzler; 2012-10-29 at 20:02.

  5. #5
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    16

    Default Re: Checkpoint Backups - Do I need to backup my CP nodes or just management server?

    It depends if you've made changes to fwkern.conf. I don't think those are included when using 'backup'. (I may be wrong on this).

    If you don't make changes to that file, then a 'backup' will do what you want, with little work required on your part.

    If you're doing something extra, then you will want to look at your own scripts, etc.

  6. #6
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    18

    Default Re: Checkpoint Backups - Do I need to backup my CP nodes or just management server?

    I recommend the following

    migrate exports on the Management Server
    backup of the Management Server
    backup of the gateways

    web export of the security policies to help document them.
    In addition to the backups, then also document the gateways configuration.
    Also any changes made to the any files, document these as well.

    That way if you have replace anything those small modifications made 6 months ago and not rememberd come back to bite you, then you have them documented.

  7. #7
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: Checkpoint Backups - Do I need to backup my CP nodes or just management server?

    Quote Originally Posted by mcnallym View Post
    Also any changes made to the any files, document these as well.

    That way if you have replace anything those small modifications made 6 months ago and not rememberd come back to bite you, then you have them documented.

    Nobody read documentation. Easier said than done

    That's exactly what RANCID is designed for. It will backup whatever you need to backup.

    That way when it comes time to restore, you do NOT have to remember anything. Just go with whatever you have in RANCID

  8. #8
    Join Date
    2008-02-14
    Posts
    36
    Rep Power
    0

    Default Re: Checkpoint Backups - Do I need to backup my CP nodes or just management server?

    Cheers guys, I've completed backups of all the nodes and also scheduled a weekly backup.

    I'll have a look at RANCID when I get time. Is it easy to setup or do I have to be a master at scripting :(

Similar Threads

  1. Backup Nokia management server
    By gladiatorkev in forum Check Point IP Appliances and IPSO (Formerly Sold By Nokia)
    Replies: 1
    Last Post: 2008-09-01, 08:17
  2. CP management server integration with ArcSight ESM
    By gladiatorsword in forum Security Management Server (Formerly SmartCenter Server ((Formerly Management Server))
    Replies: 0
    Last Post: 2007-08-29, 09:44
  3. Backup Management Server Licensing
    By usmanashaikh in forum Licensing
    Replies: 3
    Last Post: 2007-01-10, 12:03
  4. CP Management Server IP address issue
    By pfatts in forum Security Management Server (Formerly SmartCenter Server ((Formerly Management Server))
    Replies: 8
    Last Post: 2006-10-16, 15:19
  5. CP Newbie Question - How to install management server?
    By cpguy in forum Installing And Upgrading
    Replies: 6
    Last Post: 2006-07-04, 11:44

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •