CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Backup rulebase, objects and logs - R77.30 Gaia

  1. #1
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    11

    Default Backup rulebase, objects and logs - R77.30 Gaia

    Hello,

    I have a Checkpoint Smart 210 Manager using image R77.30 but now I have purchased a new Checkpoint Smart 3050 Manager also using image R77.30

    What’s the best approach to lift the current rulebase, objects and logs across to the new manager - maybe some sort of backup and restore?

    regards,
    Kevin

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,163
    Rep Power
    7

    Default Re: Backup rulebase, objects and logs - R77.30 Gaia

    Quote Originally Posted by oharek View Post
    Hello,

    I have a Checkpoint Smart 210 Manager using image R77.30 but now I have purchased a new Checkpoint Smart 3050 Manager also using image R77.30

    What’s the best approach to lift the current rulebase, objects and logs across to the new manager - maybe some sort of backup and restore?

    regards,
    Kevin
    Download the latest migration tools for R77.30. Build the 3050 with the same hostname and IP as the old box (it's important because certs have hostnames in them). Put the migration tools on both boxes. Do an export on the 210 and an import on the 3050. Make sure you have the same patches on both if you have any.

    It's pretty easy; just run through the process a few times on the 3050 until you think you've got it right. Then you can basically power down the 210 and power up the 3050 without much fuss.

    BTW, figure out if you want to keep logs, as this process will *not* restore them by default unless you pass the optional -l flag. If you don't care about logs, don't worry about it. If you do, look up the audit logs as well.

    Then just to be safe keep the 210 around for a little while in case you need something off it.
    Last edited by jflemingeds; 2016-03-28 at 15:48. Reason: slight correction

  3. #3
    Join Date
    2014-10-27
    Posts
    130
    Rep Power
    3

    Default Re: Backup rulebase, objects and logs - R77.30 Gaia

    on smart-210
    1. save gaia config from clish
    2. download latest migrate tools, extract in a temp directory
    3. run migrate export filename.tgz
    4. copy gaia config and filename.tgz off the box

    on smart 3050
    1. import gaia config and filename.tgz
    2. extract the latest migrate tools on the smart 3050
    3. load configuration <gaia config file from smart 210>
    4. save config
    5. now import the filename.tgz using the newly extracted migrate tools
    6. once done, reboot...
    7. login to smartdashboard as you would normally do.
    8. reset SIC to firewalls and push policy

    Hope this helps

    cheers
    Bhav

  4. #4
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    11

    Default Re: Backup rulebase, objects and logs - R77.30 Gaia

    Quote Originally Posted by bhavinjbhatt View Post
    on smart-210
    1. save gaia config from clish
    2. download latest migrate tools, extract in a temp directory
    3. run migrate export filename.tgz
    4. copy gaia config and filename.tgz off the box

    on smart 3050
    1. import gaia config and filename.tgz
    2. extract the latest migrate tools on the smart 3050
    3. load configuration <gaia config file from smart 210>
    4. save config
    5. now import the filename.tgz using the newly extracted migrate tools
    6. once done, reboot...
    7. login to smartdashboard as you would normally do.
    8. reset SIC to firewalls and push policy

    Hope this helps

    cheers
    Bhav
    Thanks for the advice

    I intend to do this changeover to the new server next week. If I follow this I know I won't be far away from success.

    cheers
    Kevin

  5. #5
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    11

    Default Re: Backup rulebase, objects and logs - R77.30 Gaia

    Quote Originally Posted by bhavinjbhatt View Post
    on smart-210
    1. save gaia config from clish
    2. download latest migrate tools, extract in a temp directory
    3. run migrate export filename.tgz
    4. copy gaia config and filename.tgz off the box

    on smart 3050
    1. import gaia config and filename.tgz
    2. extract the latest migrate tools on the smart 3050
    3. load configuration <gaia config file from smart 210>
    4. save config
    5. now import the filename.tgz using the newly extracted migrate tools
    6. once done, reboot...
    7. login to smartdashboard as you would normally do.
    8. reset SIC to firewalls and push policy

    Hope this helps

    cheers
    Bhav
    Bhav,

    I need to have the Checkpoint Smart3050 patched with the same hotfixes as the Smart210. Is there a directory somewhere on the Checkpoint Smart210 from which I can FTP the hotfixes off to a server and get a copy of them? If I could do that then I could easily import them onto my new Checkpoint Smart3050, run them and start a fresh migrate/import.


    Thanks
    Kevin

  6. #6
    Join Date
    2015-07-08
    Posts
    7
    Rep Power
    0

    Default Re: Backup rulebase, objects and logs - R77.30 Gaia

    Quote Originally Posted by oharek View Post
    Bhav,

    I need to have the Checkpoint Smart3050 patched with the same hotfixes as the Smart210. Is there a directory somewhere on the Checkpoint Smart210 from which I can FTP the hotfixes off to a server and get a copy of them? If I could do that then I could easily import them onto my new Checkpoint Smart3050, run them and start a fresh migrate/import.


    Thanks
    Kevin
    If you run the command "cpinfo -y all" you can see what hotfixes are installed on your device. From there you can request them from CP support if you didn't save a local copy.

    Also, one thing to note. If you do a migrate export (this is with the migration tools mentioned above) a SIC reset on your gateways should not be necessary.

  7. #7
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    11

    Default Re: Backup rulebase, objects and logs - R77.30 Gaia

    Quote Originally Posted by marclh View Post
    If you run the command "cpinfo -y all" you can see what hotfixes are installed on your device. From there you can request them from CP support if you didn't save a local copy.

    Also, one thing to note. If you do a migrate export (this is with the migration tools mentioned above) a SIC reset on your gateways should not be necessary.
    I'll give that a go tomorrow - cheers Kevin

  8. #8
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    11

    Default Re: Backup rulebase, objects and logs - R77.30 Gaia

    I have rebuilt checkpoint smart 3050
    I did a migrate export from the checkpoint smart 210 box
    I did a migrate import into the checkpoint smart 3050 box
    I have downloaded the latest patches for the checkpoint smart 3050 from the web

    When I try to log in to SmartDashboard on the checkpoint smart 3050 box (which has the original IP address) it says I don't have a valid license, but I have contacted Checkpoint and got a new valid license for this box. I have CPSB-NPM & CPSB-LOGS in my new license so it should be OK.

    Q. Any ideas why I can't log in, i.e. saying I don't have a valid license?

  9. #9
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,163
    Rep Power
    7

    Default Re: Backup rulebase, objects and logs - R77.30 Gaia

    Quote Originally Posted by oharek View Post
    I have rebuilt checkpoint smart 3050
    I did a migrate export from the checkpoint smart 210 box
    I did a migrate import into the checkpoint smart 3050 box
    I have downloaded the latest patches for the checkpoint smart 3050 from the web

    When I try to log in to SmartDashboard on the checkpoint smart 3050 box (which has the original IP address) it says I don't have a valid license, but I have contacted Checkpoint and got a new valid license for this box. I have CPSB-NPM & CPSB-LOGS in my new license so it should be OK.

    Q. Any ideas why I can't log in, i.e. saying I don't have a valid license?
    My guess is the license from the 210 got imported. Licensing in the Checkpoint appliances is based on the MAC of the MGMT interface, not the IP address (pretty sure at least!).

    Can you respond with the following.

    ifconfig Mgmt
    cplic print -x

  10. #10
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    11

    Default Re: Backup rulebase, objects and logs - R77.30 Gaia

    [Expert@UTM-MGR:0]# ifconfig Mgmt
    Mgmt Link encap:Ethernet HWaddr 00:1C:7F:42:8E:8B
    inet addr:192.168.12.155 Bcast:192.168.12.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:3557143 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1309399 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:4837287880 (4.5 GiB) TX bytes:132819313 (126.6 MiB)


    [Expert@UTM-MGR:0]# cplic print -x
    Host Expiration Signature Features
    192.168.12.150 never a6XP2GX2gKZGhrGT9LvzPUuoK7LKVD9jvk9r CPSM-C-3 CPSB-NPM CPSB-EPM CPSB-LOGS CK-7C1C8E0E23BD
    192.168.12.150 never axY6jZuXiZFmjcGffhPR3rjtoHwyfdzeeBSi CPAP-SM210X CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-PRVS CPSB-SME-10 CPSB-RPRT-N-C1000 CPSB-COMP-25 CPSB-COMP-25 CK-00-1C-7F-41-C3-4F
    192.168.12.150 never abUevw8FzcJ5J4KxrvLCB3xevit8mN2FdyXi cpap-sm210x cpsb-npm cpsb-epm cpsb-logs cpsb-prvs cpsb-comp-25 cpsb-sme-10 cpsb-rprt-n-c1000 CK-00-1C-7F-41-C3-4F


    192.168.12.150 is the LIVE checkpoint
    192.168.12.155 is the new box I have done the migrate/import on and then tried to change the mgt port to 192.168.12.150 and log in


    thanks for any advice
    Kevin

  11. #11
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,163
    Rep Power
    7

    Default Re: Backup rulebase, objects and logs - R77.30 Gaia

    Quote Originally Posted by oharek View Post
    [Expert@UTM-MGR:0]# ifconfig Mgmt
    Mgmt Link encap:Ethernet HWaddr 00:1C:7F:42:8E:8B
    inet addr:192.168.12.155 Bcast:192.168.12.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:3557143 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1309399 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:4837287880 (4.5 GiB) TX bytes:132819313 (126.6 MiB)


    [Expert@UTM-MGR:0]# cplic print -x
    Host Expiration Signature Features
    192.168.12.150 never a6XP2GX2gKZGhrGT9LvzPUuoK7LKVD9jvk9r CPSM-C-3 CPSB-NPM CPSB-EPM CPSB-LOGS CK-7C1C8E0E23BD
    192.168.12.150 never axY6jZuXiZFmjcGffhPR3rjtoHwyfdzeeBSi CPAP-SM210X CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-PRVS CPSB-SME-10 CPSB-RPRT-N-C1000 CPSB-COMP-25 CPSB-COMP-25 CK-00-1C-7F-41-C3-4F
    192.168.12.150 never abUevw8FzcJ5J4KxrvLCB3xevit8mN2FdyXi cpap-sm210x cpsb-npm cpsb-epm cpsb-logs cpsb-prvs cpsb-comp-25 cpsb-sme-10 cpsb-rprt-n-c1000 CK-00-1C-7F-41-C3-4F


    192.168.12.150 is the LIVE checkpoint
    192.168.12.155 is the new box I have done the migrate/import on and then tried to change the mgt port to 192.168.12.150 and log in


    thanks for any advice
    Kevin
    Yeah, so go into usercenter and detach whatever blades you want to migrate off the 210. Then add them to the license for the 3050.

    You'll want to delete all the licenses listed above. I don't know what I was thinking; licenses are still attached to IP as well.

    Once you have all the blades on the new 3050 license, download it and upload it to the .155 address (make sure to use the .155 address).

    If you run into any problems, call/email account services. Licensing is one of the main issues they address.

    You can delete licenses with this command:

    cplic del "Signature"

    Where Signature is the "abUevw8FzcJ5J4KxrvLCB3xevit8mN2FdyXi" looking string.

    972 444 6500 option 5 (I think)
    accountservices@checkpoint.com
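
Added example, not part of the thread and not Check Point code: a shell check that reads saved `ifconfig Mgmt` and `cplic print -x` text and lists licenses that came across from the old manager, printing (not running) the `cplic del` line for each. The sample input is constructed on the model of the output posted above with placeholder signatures, and the script assumes that a CK written as six hex pairs is the appliance's Mgmt MAC, as post #9 suggests.

```shell
#!/bin/sh
# Added example: find licenses that do not belong to this management box.
# Sample input is constructed (modelled on the thread); signatures are placeholders.

SAMPLE_IFCONFIG='Mgmt Link encap:Ethernet HWaddr 00:1C:7F:42:8E:8B
inet addr:192.168.12.155 Bcast:192.168.12.255 Mask:255.255.255.0'

SAMPLE_CPLIC='Host Expiration Signature Features
192.168.12.150 never SIGPLACEHOLDER1 CPSM-C-3 CPSB-NPM CPSB-LOGS CK-7C1C8E0E23BD
192.168.12.150 never SIGPLACEHOLDER2 CPAP-SM210X CPSB-NPM CK-00-1C-7F-41-C3-4F
192.168.12.155 never SIGPLACEHOLDER3 CPSB-NPM CPSB-LOGS CK-00-1C-7F-42-8E-8B'

# Pull the HWaddr and inet addr fields out of `ifconfig Mgmt` text.
local_mac() { printf '%s\n' "$1" | sed -n 's/.*HWaddr \([0-9A-Fa-f:]*\).*/\1/p' | head -n1 | tr 'a-f' 'A-F'; }
local_ip()  { printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n1; }

# stale_licenses IFCONFIG_TEXT CPLIC_TEXT
# Prints "signature reason" for every license whose Host differs from the
# Mgmt IP, or whose CK is in MAC form and differs from the Mgmt MAC.
stale_licenses() {
  mac=$(local_mac "$1"); ip=$(local_ip "$1")
  printf '%s\n' "$2" | awk -v ip="$ip" -v mac="$mac" '
    NR == 1 && $1 == "Host" { next }   # header row
    NF < 4 { next }                    # blank or truncated line
    {
      reason = ""
      if ($1 != ip) reason = "host=" $1
      ck = toupper($NF)                # CK is the last field
      # Assumption: CK-xx-xx-xx-xx-xx-xx carries the Mgmt MAC.
      if (length(ck) == 20 && ck ~ /^CK-[0-9A-F][0-9A-F](-[0-9A-F][0-9A-F])+$/) {
        m = substr(ck, 4); gsub(/-/, ":", m)
        if (m != mac) reason = reason (reason != "" ? "," : "") "ck-mac=" m
      }
      if (reason != "") print $3, reason
    }'
}

# Print, for operator review, the delete command from the thread per stale entry.
suggest_deletes() {
  stale_licenses "$1" "$2" | while read -r sig _; do
    printf 'cplic del "%s"\n' "$sig"
  done
}
```

On a real box, pass the captured command output in place of the two sample variables and review the printed lines before running any of them.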
