CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: DR Questions

  1. #1
    Join Date
    2007-02-20
    Posts
    1
    Rep Power
    0

    DR Questions

    Hi, I have some DR questions and I'm hoping to get some insight.

    We currently have three Nokias all running NGX R60. One is an IP350 facing the Internet, and the other two are clustered (VRRP) IP380s in front of production equipment. All three are managed by me using a Provider-1 interface loaded on a machine at a remote location. I RDP to the remote machine, launch P-1, yada, yada, yada. I wasn't involved in the initial setup and don't know much about Provider-1 other than some obvious things. At some point this year, I will be clawing back management of these and I'll have some questions about that then, but for now my questions are about DR.

    In the event of a disaster, or a DR test (one upcoming in August), how do I recover these devices at a DR site? I will have the following hardware waiting for me at the DR site:

    An IP350 with the same memory/CPU and Interfaces as the one in production.
    A single IP380 with the same memory/CPU and Interfaces as the one in production. No plan on recovering the cluster in a DR scenario.


    Should I be using a full Nokia backup/restore since I will have same hardware or is rebuilding the Nokia boxes manually and using upgrade_export/import the way to go?

    Are there things I should do ahead of time to the production configurations to prepare for this? I'm thinking of things like how do I prepare my management station at the DR site since it won't be a P-1 station and won't have the same IP as the P-1 station currently in production.

    Will I run into licensing issues after restoring?

    Any other insight would be appreciated.

  2. #2
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,172
    Rep Power
    15

    Re: DR Questions

    The Nokia backup/restore works fairly well for the device settings in my experience, but I'll issue this warning: DO NOT restore a Nokia config to a different build of IPSO. If you're not running the exact build of IPSO on the DR equipment, it could cause you serious stress, just when you don't need it. It is my understanding that the Nokia tool is primarily for when you need to replace a box of the same build. I have experienced this abnormal behavior myself not knowing better - it wasn't fun.

    Now, understand that this was several builds back (3.8, build ???) so maybe Nokia has fixed this since then. Anyone else feel free to correct if you can verify Nokia has fixed this.

    Where is your management? Is it on any of those gateways or do you have a separate box for it? Upgrade_export/import should be fine in any case, but it has been my experience that a separate MGMT server (Win 2003) makes it much easier to do.

    1 more note for DR - Make sure that all of your CP installs are at the exact level of your current equipment before starting restores of anything. Apply the HFA before restoring (if it will even work without them).

    Licenses will be restored with your database. You may have to 'remove' and then re-attach the licenses again to enforcement gateways. Your SmartCenter will think that they are already applied following the restore.
    Last edited by lammbo; 2007-04-17 at 16:36.
    There's no place like 127.0.0.1

  3. #3
    Join Date
    2006-12-20
    Posts
    91
    Rep Power
    13

    Re: DR Questions

    Have to stress that you need the exact build & HF on the DR box, because the DR box will "think" those HFs have been applied after the restoration, when they have not, and would not allow you to apply the HFA again, and it would cause some of the problems.
