CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Database Revision Ques

  1. #1
    Join Date
    2007-05-25
    Posts
    202
    Rep Power
    11

    Default Database Revision Ques

    Hello;

    We have multiple policies on a single SmartCenter. When we take a database revision before a policy push, are we backing up ALL policies on this SmartCenter?

    I would think that we are only backing up that particular policy that is loaded and all the database objects, because the database objects are all the objects across all the policies.

    But the question came up about the revision including all the other policies as well.

    Thanks
    -pat

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,103
    Rep Power
    12

    Default Re: Database Revision Ques

    Quote Originally Posted by pat13b View Post
    Hello;

    We have multiple policies on a single SmartCenter. When we take a database revision before a policy push, are we backing up ALL policies on this SmartCenter?

    I would think that we are only backing up that particular policy that is loaded and all the database objects, because the database objects are all the objects across all the policies.

    But the question came up about the revision including all the other policies as well.

    Thanks
    -pat
    A database revision backs up all objects, settings, and policies. Basically anything you can touch with the SmartDashboard. Which policy package you happen to be working with when taking the revision does not matter.

    Incidentally, the R80 SmartConsole allows more than one policy package to be open at a time via a tabbed view. Very handy.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3
    Join Date
    2007-05-25
    Posts
    202
    Rep Power
    11

    Default Re: Database Revision Ques

    Quote Originally Posted by ShadowPeak.com View Post
    A database revision backs up all objects, settings, and policies. Basically anything you can touch with the SmartDashboard. Which policy package you happen to be working with when taking the revision does not matter.

    Incidentally, the R80 SmartConsole allows more than one policy package to be open at a time via a tabbed view. Very handy.
    Great, thanks very much for the clarification on the DB revision, and the info on R80. We are starting to lab up R80.

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,103
    Rep Power
    12

    Default Re: Database Revision Ques

    Quote Originally Posted by pat13b View Post
    Great, thanks very much for the clarification on the DB revision, and the info on R80. We are starting to lab up R80.
    One other note: one no longer explicitly takes revisions in R80; each published session is automatically its own revision and can be undone/reverted at any time. Also every time a policy is installed to a gateway a copy of it is set aside, and under Installation History one can easily revert a gateway to a previously installed policy if mayhem strikes.

    Just trying to forestall any future question along the lines of "Where is Database Revision Control in R80?". 😀

  5. #5
    Join Date
    2007-05-25
    Posts
    202
    Rep Power
    11

    Default Re: Database Revision Ques

    Quote Originally Posted by ShadowPeak.com View Post
    One other note: one no longer explicitly takes revisions in R80; each published session is automatically its own revision and can be undone/reverted at any time. Also every time a policy is installed to a gateway a copy of it is set aside, and under Installation History one can easily revert a gateway to a previously installed policy if mayhem strikes.

    Just trying to forestall any future question along the lines of "Where is Database Revision Control in R80?". 😀

    Thanks again. Was just looking into the difference between R77.x and R80 policy revision stuff because that question did come up in a meeting a little while ago.

    Much appreciated.

    -pat

  6. #6
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,025
    Rep Power
    13

    Default Re: Database Revision Ques

    Wow, nothing to add, Tim summed it up pretty tight... well done
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  7. #7
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,103
    Rep Power
    12

    Default Re: Database Revision Ques

    Quote Originally Posted by varera View Post
    Wow, nothing to add, Tim summed it up pretty tight... well done
    Can't take full credit for all that, learned the details from postings by Tomer Sole at the ExchangePoint R80 forum. Anything that Tomer writes over there should be read immediately and thoroughly. Incredible nuggets of information about R80 in his articles.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  8. #8
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    231
    Rep Power
    6

    Default Re: Database Revision Ques

    Just to be sure: a DB revision also saves the SIC trust. So if I create a DB revision, then perform a SIC reset (because I changed the HW), and then have to roll back to my old HW for some reason, I revert to the previous DB revision and my SIC with the old HW is still fine. Correct?

  9. #9
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,103
    Rep Power
    12

    Default Re: Database Revision Ques

    Quote Originally Posted by slowfood27 View Post
    Just to be sure: a DB revision also saves the SIC trust. So if I create a DB revision, then perform a SIC reset (because I changed the HW), and then have to roll back to my old HW for some reason, I revert to the previous DB revision and my SIC with the old HW is still fine. Correct?
    Restoring a revision in R77.30 only reverts the configuration on the SMS; it does not change anything on the gateways until policy is reinstalled to them. So restoring a database revision will undo any SIC certificate changes/revocations/etc. on the SMS itself, but not on the gateways. This is significant because if you have reset SIC on the gateway via cpconfig, established SIC with the gateway, and then revert back to a revision prior to when SIC was established with that gateway, SIC between the SMS and the gateway will be broken and you will need to reset it on both sides. I think you get a warning prior to reverting if this situation is present.

    Resetting SIC on the gateway using cpconfig causes an outage, but there is a downtime-free way to reset SIC on a gateway:

    sk86521: Reset SIC without restarting the firewall process

  10. #10
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    231
    Rep Power
    6

    Default Re: Database Revision Ques

    Well understood, and it fits my needs perfectly.
    Remember that we are talking about "old" gw HW and "new" gw HW. When we do the SIC reset, it's because of the new gw HW. On the old gw HW, we do no SIC reset, we just move the cables.
    In case we have to do a rollback, it's sufficient to restore the revision on the SMS.
