CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Results 1 to 15 of 15

Thread: Upgrade_export for DR

  1. #1
    Join Date
    2006-10-08
    Posts
    23
    Rep Power
    0

    Default Upgrade_export for DR

    Hi Guys,

    I've posted in DR as well but here goes.

    I have v little linix knowledge and as such I am having trouble running upgrade_export to enable me to get a full bakup for DR purposes..

    Can anybody help!!??

    Cheers

    G

  2. #2
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    16

    Default Re: Upgrade_export for DR

    Could you be more specific with "I am having trouble running upgrade_export" - what exactly is happening when you try to run that?

  3. #3
    Join Date
    2006-10-08
    Posts
    23
    Rep Power
    0

    Default Re: Upgrade_export for DR

    Thanks for getting back!

    Well, from what I understand (there does not seem to be a definitve answer in any documentation I've read )- running upgrade_export on our checkpoint installation will effectively take a snapshot of the firewall config to be 'exported' to another enforcement module. In my case I'll keep a copy of this somewhere safe so inthe event of disaster I can 'import' the 'export' into a new installation - apologies if I am getting this wrong I am new to checkpoint.

    The main problem I have is running the command when I'm consoled up to the crossbeam which is ruinning Linux. My lack of knowledge of both linux and checkpoint has conspired to stand in my way!!

    Any help much appreciated

    G

  4. #4
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    1,009
    Rep Power
    15

    Default Re: Upgrade_export for DR

    Quote Originally Posted by goldie View Post
    Thanks for getting back!

    Well, from what I understand (there does not seem to be a definitve answer in any documentation I've read )- running upgrade_export on our checkpoint installation will effectively take a snapshot of the firewall config to be 'exported' to another enforcement module. In my case I'll keep a copy of this somewhere safe so inthe event of disaster I can 'import' the 'export' into a new installation - apologies if I am getting this wrong I am new to checkpoint.

    The main problem I have is running the command when I'm consoled up to the crossbeam which is ruinning Linux. My lack of knowledge of both linux and checkpoint has conspired to stand in my way!!

    Any help much appreciated

    G

    no idea how crossbeam works but on all *nix platforms and windows upgradetools can be found in
    $FWDIR/bin/upgrade_tools

    so try doing:

    cd $FWDIR/bin/upgrade_tools
    ./upgrade_export (with switches needed)

  5. #5
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    16

    Default Re: Upgrade_export for DR

    Just thinking of something - do you have a separate firewall management system? That's the one you want to back up with upgrade_export. That will back up policies and objects.

    Don't run upgrade_export on the modules if they're just enforcement modules.

    I don't use Crossbeam, but you will need to have a backup of the system config e.g. routing, interfaces. Look at the Crossbeam documentation for that.

    Then if you need to restore from backup, you setup the Crossbeam box, restore your interfaces/routing from backup, then push policy again. Easy.

  6. #6
    Join Date
    2006-10-08
    Posts
    23
    Rep Power
    0

    Default Re: Upgrade_export for DR

    OK so we're getting somewhere, I've found the upgrade_tools directory

    Many thanks. I'm going to have a play round and shoud be able to do what I want now. I'll let you know the outcome.....

    G

  7. #7
    Join Date
    2006-10-08
    Posts
    23
    Rep Power
    0

    Default Re: Upgrade_export for DR

    Another quick question - if i was to run the checkpoint 'backup' utility, where would i run the command from??

    Cheers

  8. #8
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    16

    Default Re: Upgrade_export for DR

    What OS are you using? SPLAT? I thought you were using Crossbeam?

    Check Point's 'backup' is only available on SPLAT.

    Doesn't matter where you run it from. By default it dumps the backup to /var/CPbackup/backups/

    On SPLAT it backs up both OS and Check Point information. You can completely restore that system with the SPLAT CD and the backup file.

  9. #9
    Join Date
    2006-10-08
    Posts
    23
    Rep Power
    0

    Default Re: Upgrade_export for DR

    Quote Originally Posted by northlandboy View Post
    Just thinking of something - do you have a separate firewall management system? That's the one you want to back up with upgrade_export. That will back up policies and objects.

    Don't run upgrade_export on the modules if they're just enforcement modules.

    I don't use Crossbeam, but you will need to have a backup of the system config e.g. routing, interfaces. Look at the Crossbeam documentation for that.

    Then if you need to restore from backup, you setup the Crossbeam box, restore your interfaces/routing from backup, then push policy again. Easy.
    RE: your last post - yep it's a crossbeam box running Linux.

    The smartdash is installed on another server (windows 2000). Once the policy has been configured (on the other server) it's pushed down onto the Crossbeam

    Surely i want to run the upgrade export on the crossbeam, not the windows server with smartdash installed??

    Thanks

    G

  10. #10
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    16

    Default Re: Upgrade_export for DR

    You know there's 3 components to Check Point, right? There's the GUI clients - i.e. SmartDashboard, which can run on pretty much any Windows box. Then there's the management server, which is what SmartDashboard connects to. The last bit is the enforcement module, which actually does the firewalling.

    You can combine them, to some degree - e.g. you might have your Crossbeam firewall being both the enforcement module, and the management server.

    All rulebases and objects are stored on the management server. At compile time they are pushed to the enforcement module.

    If you want to back up the rules, objects, etc. then you need to do an upgrade_export on whatever server it is that you connect to with SmartDashboard - this is not necessarily the same as the server where SmartDashboard is installed. That way if you lost that server, you can restore your rulebases, etc. from backup.

    If you have a firewall that is just an enforcement module, you don't need to backup the Check Point information on there - you can always just push that out again. You do need to have a backup of the routes/interface config - read your Crossbeam documentation.

    So can you please identify for us, which server is which component?
    * Where is your management server, and what OS is it?
    * Which one is doing the enforcement - the Crossbeam?

  11. #11
    Join Date
    2006-10-08
    Posts
    23
    Rep Power
    0

    Default Re: Upgrade_export for DR

    Right, there are 2 pieces of kit involved here.

    1. Crossbeam box running linux
    2. Win 2000 server which has the smart dashboard installed on it

    When I fire up the smartdash GUI and enter the user/ pass, the smart center server IP is the IP of the Crossbeam (internal network) port.

    So in answer to your questions.
    1. Our management server is on the Crossbeam and it's running Linux
    2 The Crossbeam is doing the enforcing

    Cheers

  12. #12
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    16

    Default Re: Upgrade_export for DR

    Right, now we're getting somewhere.

    Run upgrade_export on the Crossbeam box to create a backup of your Check Point configuration.

    Find out what utilities you should use on Crossbeam for backup, to back up that config - interfaces, routes, etc.

    Now try and do a restore onto another piece of kit. Document the process.

  13. #13
    Join Date
    2006-10-08
    Posts
    23
    Rep Power
    0

    Default Re: Upgrade_export for DR

    Nice one cheers

  14. #14
    Join Date
    2006-07-17
    Posts
    10
    Rep Power
    0

    Default Re: Upgrade_export for DR

    Just FYOI - In regards to the crossbeam - you will have a management IP for the Criossbeam itself- The crossbeam smarts live in a custom built shell that lies above the linus OS and manipulates it. The shell is very similar to the Cisco IOS command space. If you do a 'sho runn', you will see all the crossbeam config - this is the part that you must save - just like a cisco, cut and paste the config into notepad - save that file (this obviously doesnt save passwords etc).

    I assume you have inherited this crossbeam solution - perhaps contact reseller or crossbema on advice in a DR scenario. The one problem about Crossbeam is that it uses proprietary blades, so if you dont have a redundant blade sitting in the Xbeam, then you will have to wait for the reseller to deliver one to you - If the blade fails, then you will either need a new cold standy one there or wait until one is shipped to you - that would be the first area I would look at confirming (SLA's etc). You can have the option of HA and Load-sharing with a redundant blade (if you so have the funds - not cheap).

    Peace!
    Fab

  15. #15
    Join Date
    2008-11-04
    Posts
    2
    Rep Power
    0

    Default Re: Upgrade_export for DR

    hi anyone,Who knows LPI certified in the subject where to download . thanx

Similar Threads

  1. upgrade_export
    By kr_madan in forum Miscellaneous
    Replies: 1
    Last Post: 2008-08-05, 00:28
  2. upgrade_export R60 to R65
    By anthonws in forum Installing And Upgrading
    Replies: 4
    Last Post: 2008-07-25, 13:35
  3. upgrade_export
    By garfield in forum Check Point Backup Procedures
    Replies: 2
    Last Post: 2007-10-09, 06:06
  4. Upgrade_export for DR
    By goldie in forum Check Point Backup Procedures
    Replies: 1
    Last Post: 2006-12-21, 01:09
  5. Upgrade_export
    By 1q2w3e in forum Installing And Upgrading
    Replies: 1
    Last Post: 2006-02-15, 12:01

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •