Check Point provides three different procedures for backing up (and restoring) the operating system and networking parameters on your appliances.
- Snapshot (Revert)
- Backup (Restore)
- upgrade_export
Each of these procedures backs up certain parameters and has relative advantages (such as: file size, speed, and portability), which are fully described in this chapter, together with detailed instructions as to how to carry out each procedure.
Snapshot
The snapshot utility backs up everything, including the drivers, and is available only on SecurePlatform.
Snapshot can be used to backup both your firewall and management modules.
The disadvantages of this utility are that the generated file is very big, and can only be restored to the same device, and exactly the same state (same OS, same Check Point version, same patch level).
Snapshot via CLI on Open Servers
To take a snapshot via the command line interface (CLI):
From the command line, run snapshot
- Running snapshot without any flags will use default backup settings and put the file in:/var/CPsnapshot/snapshots
- You can use additional flags to designate a different file name, or select a TFTP/FTP server
- Use snapshot -h for help or to list the flags
Note - Performing snapshot can take a long time and could interrupt your services. Thus, it is recommended to conduct a snapshot during a maintenance window.
Reverting to a snapshot
The revert command restores the system from snapshot file.
To revert to a snapshot:
From the command line, run revert
- Use revert -h for help
Snapshot via WebUI on UTM-1 and Power-1 appliances
On the UTM-1 and Power-1 appliances the snapshot can only be performed from WebUI (not via CLI), and the file cannot be transferred to a different appliance.
To create a snapshot via the WebUI:
- From your desktop open a browser and login to: https://:4434
- From the Appliance menu, select Image Management.
- Click Create. The Create Image window is displayed.
- Optionally, in the Description field, enter a description and click Apply. The status is displayed..
Reverting to a snapshot
Reverting on UTM-1 and Power-1 Appliances
To restore the system to a previous snapshot:
- Login to the same place, select the required snapshot and click Revert.
Backup
The backup utility backs up your Check Point configuration and your networking/OS system parameters (such as routing), and it is only available on SecurePlatform.
- The backup utility can be used to backup both your firewall and management modules.
- The resulting file will be smaller than the one generated by snapshot, but still pretty big.
- Backup does not include the drivers, and can be restored to different machine (as opposed to snapshot, which cannot). However, it recommended using the backup for restore to the same machine since it includes information such us MAC addresses of the NIC interfaces.
- You only can restore it to the same OS, same Check Point version and patch level.
Backup via CLI on Open Servers
To make a backup
From the command line, run backup
- Running backup without any flags will use default backup settings and put the file in/var/CPbackup/backups
Note - On UTM-1 and Power-1 appliances the location will be /var/log/CPbackup/backups
- You can use additional flags to designate a different file name, or select a TFTP/FTP server
- Use backup -h for help or to list the flags
Note - Performing backup can take a long time and could interrupt your services. Thus, it is recommended to conduct a backup during a maintenance window.
On open servers:
On UTM-1 and Power-1 appliances:
Restoring from a backup
The restore command restores the system from backup file.
To restore from a backup:
From the command line, run restore
- Use restore -h for help
Backup via WebUI on UTM-1 and Power-1 appliances
It is also possible to create backup from the WebUI interface.
To make a backup:
- From your desktop open a browser and login to:
https://:4434 - From the Appliance menu, select Backup and Restore.
- Select a device from the option buttons shown and click Apply.
- You can either perform the backup now or you can create a schedule for a backup.
Note - Backup cannot be restored from the WebUI, only from the command line interface.
Upgrade_export and upgrade_import
Upgrade_tools backs up all Check Point configurations, independent of hardware, OS or Check Point version, but does not include OS information.
You can use this utility to backup Check Point configuration on the management station.
If you change the Check Point version you can only go up, in other words you can upgrade not downgrade.
The file will be much smaller (depending on the size of your policy), and if the system is not running on a highly loaded CPU you can do a backup on a live system without interruption of the services.
This utility can be used only on command line and cannot be scheduled.
On SecurePlatform and Linux
To export:
cd $FWDIR/bin/upgrade_tools
./upgrade_export filename
To import:
cd $FWDIR/bin/upgrade_tools
./upgrade_import filename
Note - upgrade_import will stop the services.
On Windows
To export:
cd c:/windows/fw1/bin
./upgrade_export filename
To import:
./upgrade_import filename
Additional backup issues
There are additional backup options that we recommend that you consider:
Database Revision Control
This utility creates a version of your current policies, object database, IPS updates, etc. It is useful for minor changes or edits that you perform in the dashboard.
It cannot be used to restore your system in case of failure.
To perform database revision control:
In the dashboard-> File ->Database revision control -> Create
You can also create a version upon every policy installation.
Routing and interface information
This information is useful to have on hand as a reference if you are attempting to restore a configuration especially if your gateway module has a heavy routing table.
To create a copy of your routing and interface information:
netstat -rn > routes.txt
ipconfig -a > ipconfig.txt
ifconfig > ifconfig.txt
copy of /etc/sysconfig/netconf.C
Recommended backup schedule
- Snapshot - at least once or before major change (for example: an upgrade), during a maintenance window
- Backup - every couple of months, depending how frequently you perform changes in your network/policy. Also before every major change, during a maintenance window
- upgrade_export - every month or more often, depending on how frequently you perform changes in your network/policy. Also important before upgrade or migration. Can be run outside a maintenance window.
Verifying the procedure
We always recommend to periodically test you backups for possible corruption issues or just to practice the restore process.
For this purpose, it is not possible to use snapshots. However you can use backup and upgrade_export.
Post a Comment