Thursday, May 26, 2011

Crontab – Quick Reference

Setting up cron jobs in Unix and Solaris

cron is a Unix/Solaris utility that runs tasks automatically in the background at regular intervals; the cron daemon executes them. These tasks are commonly called cron jobs. A crontab (CRON TABle) is a file that contains the schedule of cron entries to be run and the times at which to run them.

This document covers the following aspects of Unix cron jobs:
1. Crontab Restrictions
2. Crontab Commands
3. Crontab file – syntax
4. Crontab Example
5. Crontab Environment
6. Disable Email
7. Generate log file for crontab activity

1. Crontab Restrictions
You can use crontab if your user name appears in the file /usr/lib/cron/cron.allow. If that file does not exist, you can use crontab as long as your user name does not appear in the file /usr/lib/cron/cron.deny.
If only cron.deny exists and is empty, all users can use crontab. If neither file exists, only the root user can use crontab. The allow/deny files consist of one user name per line.

2. Crontab Commands

export EDITOR=vi ; specify the editor used to open the crontab file.

crontab -e Edit your crontab file, or create one if it doesn’t already exist.
crontab -l Display your crontab file.
crontab -r Remove your crontab file.
crontab -v Display the last time you edited your crontab file. (This option is only available on a few systems.)

3. Crontab file
Crontab syntax :
A crontab entry has five fields specifying the minute, hour, day of month, month and day of week, followed by the command to be run on that schedule.

* * * * * command to be executed
- - - - -
| | | | |
| | | | +----- day of week (0 - 6) (Sunday=0)
| | | +------- month (1 - 12)
| | +--------- day of month (1 - 31)
| +----------- hour (0 - 23)
+------------- min (0 - 59)
* in a value field means all legal values for that column, as shown in parentheses above.
A value field can hold a * or a comma-separated list of elements. An element is either a single number within the range shown above or two numbers in that range separated by a hyphen (an inclusive range).
Notes
A.) Step values such as */2 (every 2 minutes) or */10 (every 10 minutes) are an extension and are not supported by every cron implementation. If crontab rejects the entry, the step syntax is not supported on that system.

B.) Days can be restricted in two fields: day of month and day of week. If both are restricted (neither is *), the entry runs whenever either field matches, so the two restrictions add together rather than narrowing each other.

4. Crontab Example
A line like the one below in a crontab file removes the files in /home/someuser/tmp each day at 6:30 PM.

30 18 * * * rm /home/someuser/tmp/*

Changing the time fields as shown below makes the same command run on different schedules:

min   hour  day/month  month   day/week   Execution time
30    0     1          1,6,12  *          00:30 on the 1st of Jan, June and Dec
0     20    *          10      1-5        8:00 PM every weekday (Mon-Fri), October only
0     0     1,10,15    *       *          midnight on the 1st, 10th and 15th of every month
5,10  0     10         *       1          00:05 and 00:10 every Monday and on the 10th of every month
Note: If you inadvertently run the crontab command with no arguments, do not try to exit with Control-d. crontab then reads a new table from standard input, so an empty input replaces (in effect removes) all entries in your crontab file. Exit with Control-c instead.

5. Crontab Environment
cron invokes the command from the user's HOME directory using the shell /usr/bin/sh.
cron supplies a default environment for every shell, defining:
HOME=user's-home-directory
LOGNAME=user's-login-id
PATH=/usr/bin:/usr/sbin:.
SHELL=/usr/bin/sh

Note the trailing "." in the default PATH. Because cron starts in the user's HOME directory, a command written without a path that is not found in /usr/bin or /usr/sbin is looked up in HOME, and a file of that name placed there (by the user, or by anyone able to write to that directory) would be executed. Use absolute paths for the commands in crontab entries.

Users who want their .profile executed must do so explicitly in the crontab entry or in a script called by the entry.
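As an added example (it is not part of the original reference), the following Python implements the field rules described above: it expands each of the five fields, applies the day-of-month/day-of-week rule from note B, accepts the */N step extension from note A, and flags entries whose command relies on the PATH lookup discussed in section 5. The sample entries are the rows of the table in section 4; the command paths other than the page's own rm example are constructed for the illustration.

```python
"""Crontab entry matcher: added example written for this page, not part of
any cron implementation.

Implements the five-field syntax described above (minute hour day-of-month
month day-of-week command) with '*', comma lists, inclusive a-b ranges and
the '*/N' step extension, plus the note B rule that a restricted day of
month and a restricted day of week are OR-ed together.
"""
from datetime import datetime

# Inclusive (low, high) bounds for minute, hour, day of month, month, day of week
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def expand_field(spec, low, high):
    """Return the set of integer values one crontab field matches."""
    values = set()
    for element in spec.split(","):
        step = 1
        if "/" in element:                        # '*/N' or 'a-b/N' (extension, note A)
            element, step_text = element.split("/", 1)
            step = int(step_text)
        if element == "*":
            start, end = low, high
        elif "-" in element:
            start, end = (int(x) for x in element.split("-", 1))
        else:
            start = end = int(element)
        if not low <= start <= end <= high:
            raise ValueError(f"{spec!r}: {start}-{end} is outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def parse_entry(line):
    """Split one crontab line into expanded time fields plus the command."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError(f"expected five time fields and a command: {line!r}")
    minute, hour, dom, month, dow = (
        expand_field(spec, low, high)
        for spec, (low, high) in zip(parts[:5], FIELD_RANGES)
    )
    return {
        "minute": minute, "hour": hour, "dom": dom, "month": month, "dow": dow,
        # Only an explicit value counts as a restriction for the note B rule.
        "dom_restricted": parts[2] != "*",
        "dow_restricted": parts[4] != "*",
        "command": parts[5],
    }


def fires_at(entry, when):
    """True if the entry runs at datetime 'when' (seconds are ignored)."""
    cron_dow = (when.weekday() + 1) % 7           # Python Monday=0 -> cron Sunday=0
    dom_ok = when.day in entry["dom"]
    dow_ok = cron_dow in entry["dow"]
    if entry["dom_restricted"] and entry["dow_restricted"]:
        day_ok = dom_ok or dow_ok                 # both restricted: either one fires it
    else:
        day_ok = dom_ok and dow_ok                # the '*' side is always true
    return (when.minute in entry["minute"] and when.hour in entry["hour"]
            and when.month in entry["month"] and day_ok)


def uses_path_lookup(entry):
    """True when the command word has no '/', i.e. cron resolves it via PATH.

    With the default PATH ending in '.', such a command can be satisfied by a
    same-named file in the user's HOME directory, so absolute paths are safer.
    """
    return "/" not in entry["command"].split()[0]


# Sample entries: the rows of the table above plus one step-syntax line; the
# command paths other than the page's rm example are constructed.
SAMPLE_ENTRIES = [
    "30 18 * * * rm /home/someuser/tmp/*",
    "30 0 1 1,6,12 * /usr/local/bin/quarterly_job",
    "0 20 * 10 1-5 /usr/local/bin/october_report",
    "5,10 0 10 * 1 /usr/local/bin/rotate_logs",
    "*/15 * * * * /usr/local/bin/health_check",
]

if __name__ == "__main__":
    now = datetime(2011, 5, 26, 18, 30)           # the Thursday this entry is dated
    for line in SAMPLE_ENTRIES:
        entry = parse_entry(line)
        note = "  (relies on PATH lookup; use an absolute path)" if uses_path_lookup(entry) else ""
        print("RUN " if fires_at(entry, now) else "skip", line, note)
```

Run it as a script to see which sample entries fire at the given time; the last row of the table is the one to watch, since its 10th-of-month and Monday restrictions are combined with OR, not AND.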

6. Disable Email
By default cron mails any output of a job to the user account that owns the cron job. If this is not wanted, append the following to the end of the cron job line:

>/dev/null 2>&1

7. Generate log file
To collect the output of a cron job in a file, redirect it in the entry:

30 18 * * * rm /home/someuser/tmp/* > /home/someuser/cronlogs/clean_tmp_dir.log

Note that a single > truncates the file on every run and captures standard output only. Use >> to append across runs, and add 2>&1 if error messages (the part of rm's output you usually want to keep) should land in the same file.

SSL VPN on a Check Point Gateway

Create a new network object to serve as the pool of remote-user (Office Mode) IP addresses. Name it "net_office-mode-IPs".

Within the Check Point gateway object, under Topology > VPN Domain, add your local domain.
Within the gateway object, under Remote Access, enable Support Visitor Mode.

Within the gateway object, under Office Mode, select "Allow Office Mode to all users" and add the new network object under Manual (Allocate IP address from Network).
Within the gateway object, under Clientless VPN, tick Support Clientless VPN and, under Certificate for gateway authentication, select ICA_CERT.

Within the gateway object, under SSL Clients, tick SSL Network Extender and select ICA_CERT as the certificate the gateway authenticates with.

In the VPN Communities tab, under your Remote Access community, add your gateway as a participating gateway.

In the Users tab, create your users and add them to a new user group.
Create a rule allowing access from your user group to your internal hosts (the local encryption domain), with the VPN column set to your Remote Access community.

To check which Check Point components are installed, use the cpprod_util command:

cpprod_util CPPROD_GetKeyValues products 0

Wednesday, May 25, 2011

LDAP Configuration

Proceed as follows:

In SmartDashboard, select "Policy > Global Properties > SmartDirectory" and enable "Use SmartDirectory".

Create a node object. (In SmartDashboard, select Manage > Network Objects > New > Node > Host.) Type in a descriptive name and the IP address of the LDAP server.

Create a user template to represent the LDAP users. (Select Manage > Users and Administrators > New > Template.) Enter a name and set the authentication method to "Check Point Password". (No other change is mandatory here.)

Create an LDAP Account Unit. (Select Manage > Servers and OPSEC Applications > New > LDAP Account Unit.)

In the General tab: enter the LDAP Account Unit name, set the profile to Microsoft_AD, and select both the CRL Retrieval and the User Management options.

In the Servers tab: click Add and choose the node object created previously from the drop-down list. Leave the port at 389, specify the login DN (for example cn=useraccount,cn=users,dc=Domain,dc=org) and the password for that login. Select both "Read data from this server" and "Write data to this server". (This example leaves the Encryption tab alone, so the connection is plain LDAP: the bind DN, its password and every user lookup cross the network unencrypted. Where the domain controller offers LDAP over SSL, enable it on the Encryption tab and use port 636 instead.) Click OK, then Add again and choose "Early Version Compatibility server" from the drop-down list (the same object created earlier).

In the Objects Management tab: "Manage objects on" is set to the previously defined node object (the LDAP/MSAD server). Click Fetch Branches. (This must work before LDAP authentication can work.) The AD branches should appear. "Prompt for password" is left unselected and "Return entries" stays at its default of 500.

In the Authentication tab: leave "Use common group path for queries" unselected. The allowed authentication schemes must include "Check Point Password". Select "Users default template" and choose the user template created previously. Leave all other options unselected.

Create the LDAP group. (Select Manage > Users and Administrators > New > LDAP Group.) Enter the LDAP group name and specify the previously created LDAP Account Unit. Set "Group's scope" to "All Account-Unit's Users".

Create a rule with the LDAP group above as the source. (Right-click the SOURCE column and choose "Add Users Access".) In this example destination and service are set to Any, the VPN column to the Remote Access VPN community (SecureClient/SecuRemote), Action to Accept and Track to Log.
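As an added example (this is not Check Point code, and no server is contacted), the Python below encodes the LDAP simple-bind request that an account unit using the login DN above sends to the server, and decodes the server's BindResponse. Its point is the caveat in the Servers tab step: over plain LDAP on port 389 the bind password is an ordinary octet string inside the request, so anyone who can see the traffic between the management server and the domain controller can read it. The DN is the page's example and the password is a constructed value; the response is built locally to exercise the decoder.

```python
"""LDAP simple bind on the wire (RFC 4511, BER encoded): added example for
this page, not Check Point code. Nothing here talks to a server; the
request is built locally and a response is constructed to exercise the
decoder. Shows why an unencrypted port-389 account unit exposes the bind
password."""

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One BER element: tag, length, contents."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n):
    """BER INTEGER (non-negative values are all this example needs)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def build_simple_bind(message_id, bind_dn, password, version=3):
    """LDAPMessage { messageID, BindRequest { version, name, simple } }."""
    bind_request = tlv(
        0x60,                                  # [APPLICATION 0] BindRequest
        ber_int(version)
        + tlv(0x04, bind_dn.encode())          # name: LDAPDN as OCTET STRING
        + tlv(0x80, password.encode()),        # authentication: simple [0], plain bytes
    )
    return tlv(0x30, ber_int(message_id) + bind_request)


def read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next N octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_bind_response(message_id, result_code, diagnostic=""):
    """Constructed server reply: LDAPMessage { messageID, BindResponse {
    resultCode ENUMERATED, matchedDN, diagnosticMessage } }."""
    ldap_result = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x61, ldap_result))   # 0x61 = [APPLICATION 1]


def parse_bind_response(packet):
    """Return (message_id, result_code, diagnostic_message) from a BindResponse."""
    tag, message, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(message, 0)
    tag, body, _ = read_tlv(message, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(body, 0)           # resultCode
    _, _matched_dn, pos = read_tlv(body, pos)  # matchedDN (empty here)
    _, diag, _ = read_tlv(body, pos)           # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()


if __name__ == "__main__":
    # The page's example bind DN with a constructed password.
    request = build_simple_bind(1, "cn=useraccount,cn=users,dc=Domain,dc=org", "S3cret!")
    print(request.hex())
    print("password visible in the cleartext request:", b"S3cret!" in request)
    reply = build_bind_response(1, LDAP_INVALID_CREDENTIALS, "invalid credentials")
    print(parse_bind_response(reply))
```

The last nine bytes of the request are the authentication choice: tag 0x80, length 7, then the password exactly as typed. LDAP over SSL wraps the same bytes in TLS, which is why the Encryption tab matters when the bind account has write access to the directory.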

Tuesday, May 24, 2011

Creating a Certificate Based Site to Site VPN between 2 Check Points Gateways

Site A

Create VPN Community

Within your gateway object, add your local domain under Topology | VPN Domain | Manually Defined.
Within Network Objects, create an Externally Managed VPN Gateway (for Site B) and add its local domain.
Go to the VPN Communities tab, right-click "Site To Site" and select New, then Mesh.
Give your community a name.
Select "Accept all encrypted traffic".
Under Participating Gateways, add your gateways.
Click OK.
Export the Certificate

In the Servers and OPSEC Applications tab, right-click "Servers > Trusted CAs > Internal CA" and select "New > CA > Trusted".
Enter a name for the CA object (such as VPN-CERT).
Under Certificate Authority Type, choose "External Check Point CA".
Click the External Check Point CA tab and select "Save As".
Save the certificate.


Site B

Create VPN Community

Within your gateway object, add your local domain under Topology | VPN Domain | Manually Defined.
Within Network Objects, create an Externally Managed VPN Gateway (for Site A) and add its local domain.
Go to the VPN Communities tab, right-click "Site To Site" and select New, then Mesh.
Give your community a name.
Select "Accept all encrypted traffic".
Under Participating Gateways, add your gateways.
Click OK.
Import the Certificate

In the Servers and OPSEC Applications tab, right-click Servers and select "New > CA > Trusted".
Enter a name such as VPN-CERT.
Under Certificate Authority Type, choose "External Check Point CA".
Click the External Check Point CA tab and select "Get".
Import the certificate previously saved at Site A. Site A needs the same treatment in the other direction: each gateway authenticates the peer's certificate against a CA it trusts, so each management server must hold the other side's Internal CA certificate as a trusted CA.

Monday, May 23, 2011

Negate Cell

1. It means: match anything BUT what you have put in the cell.

A classic use of the rule might be:

Src: h-web_proxy - Dst: NEGATED g-internal_networks - Service: http, https.

This says "the web proxy is allowed to connect to anywhere OTHER THAN our internal networks, on http and https".



2. It simply reverses what the cell would normally match.

i.e.

you create a rule that allows

src = internal net
dst = any
srv = http(negate)
action = accept

Instead of allowing HTTP out to the Internet, it allows everything but HTTP out to the Internet.

It is quite common to see a group defined that contains all of the internal and DMZ networks, and then to negate that group in the destination column to allow Internet access.

The rule then allows access to anywhere except the networks in that group.
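The following Python is an added illustration (not Check Point code) of the two negation examples above: a toy first-match rule base in which any cell can be negated, evaluated against a handful of constructed packets. The object names follow the page's examples; the addresses and the rule base itself are made up for the illustration, and the "all but http" rule also negates the internal group in its destination, as the previous paragraph recommends.

```python
"""Toy Check Point-style rule base with negated cells: added example for
this page, not Check Point code. Addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Network objects (constructed). g-internal_networks is the group the page
# suggests negating in the destination column.
OBJECTS = {
    "h-web_proxy": ["10.1.1.10/32"],
    "g-internal_networks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "Any": ["0.0.0.0/0"],
}
NETWORKS = {name: [ipaddress.ip_network(n) for n in nets] for name, nets in OBJECTS.items()}

# Service objects: protocol/port pairs; None means any service.
SERVICES = {"http": {("tcp", 80)}, "https": {("tcp", 443)}, "ssh": {("tcp", 22)}, "Any": None}


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    services: List[str]
    action: str
    src_negated: bool = False
    dst_negated: bool = False
    svc_negated: bool = False


def in_object(address, name):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in NETWORKS[name])


def in_services(proto, port, names):
    return any(SERVICES[n] is None or (proto, port) in SERVICES[n] for n in names)


def matches(rule, src, dst, proto, port):
    """A negated cell matches exactly when the un-negated cell would not."""
    src_ok = in_object(src, rule.src) != rule.src_negated    # '!=' acts as XOR
    dst_ok = in_object(dst, rule.dst) != rule.dst_negated
    svc_ok = in_services(proto, port, rule.services) != rule.svc_negated
    return src_ok and dst_ok and svc_ok


def evaluate(rulebase, src, dst, proto, port):
    """Top down, first match wins. A packet matching no explicit rule is
    dropped by the implied cleanup."""
    for rule in rulebase:
        if matches(rule, src, dst, proto, port):
            return rule.name, rule.action
    return "implied-cleanup", "drop"


RULEBASE = [
    # Example 1: the proxy may reach anywhere OTHER THAN the internal networks.
    Rule("proxy-out", "h-web_proxy", "g-internal_networks", ["http", "https"],
         "accept", dst_negated=True),
    # Example 2: everything but http from inside, towards destinations
    # outside the internal group (the negated-group pattern above).
    Rule("inside-out-not-http", "g-internal_networks", "g-internal_networks", ["http"],
         "accept", dst_negated=True, svc_negated=True),
    Rule("cleanup", "Any", "Any", ["Any"], "drop"),
]

if __name__ == "__main__":
    # Constructed traffic: (src, dst, proto, port); 203.0.113.10 stands in for an Internet host.
    for pkt in [("10.1.1.10", "203.0.113.10", "tcp", 443),
                ("10.1.1.10", "10.2.2.20", "tcp", 443),
                ("10.5.5.5", "203.0.113.10", "tcp", 22),
                ("10.5.5.5", "203.0.113.10", "tcp", 80),
                ("10.5.5.5", "192.168.7.7", "tcp", 22)]:
        print(pkt, "->", evaluate(RULEBASE, *pkt))
```

Note what a negated destination does not exclude: every address outside g-internal_networks, which includes the gateway's own external address unless it is in that group. That is one reason a stealth rule belongs above rules like these.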

Rule Base Check Order

1. Anti-spoofing (IP spoofing check)
2. Network address translation (NAT)
3. Implied rules (First)
4. Explicit rules in the Rule Base (all except the last, the Cleanup Rule)
5. Implied rules (Before Last, i.e. just before the explicit Cleanup Rule)
6. Cleanup Rule (last)

Friday, May 20, 2011

Checkpoint Commands

1). View the connections table: fw tab -t connections -s

2). Pull the latest policy from the management station: fw fetch

3). Show the name of the installed policy and the date it was received: fw stat

4). Display kernel memory, connection-table, NAT and sync statistics: fw ctl pstat

5). Clear the table of hosts counted against the gateway license: fw tab -t host_ip_addrs -x

6). Display logs on the firewall for a specific IP: fw log -n -f -t | grep x.x.x.x

7). Troubleshoot source/destination access issues: fw monitor -e 'accept src=x.x.x.x and dst=y.y.y.y;'

8). Manage VPN tunnels: vpn tu

9). Turn on VPN debugging: vpn debug on and vpn debug ikeon

This writes two files in $FWDIR/log:
1. vpnd.elg
2. ike.elg

Turn off: vpn debug off and vpn debug ikeoff

10). Display the SIC state: cp_conf sic state

11). High Availability:
cphaprob stat - display cluster member status
cphaprob -a if - display cluster interface status
cphastop / cphastart - stop / start the HA module

12). View installed licenses: cplic print

Basic difference between the Central and Local License

A local license is bound to the IP address of the gateway. By default the IP address of a local license can be changed only 5 times, so if you licensed against an external IP and your ISP changes it, the license has to be changed as well.

A central license is bound to the management server IP, and licenses are attached to the gateways from the management server, so there is no dependency on the gateway IP and manageability is better.

Tuesday, May 17, 2011

SecurePlatform Backup and Restore Commands

SecurePlatform provides a command line or Web GUI capability for backing up your system settings and product configuration.
The backup utility can store backups either locally on the SecurePlatform machine's hard drive or remotely on a TFTP or SCP server. The backup can be performed on request, or scheduled to take place at set intervals.
Backup files are kept in tar gzip format (.tgz). Backup files saved locally are kept in /var/CPbackup/backups.
The restore utility restores SecurePlatform settings and/or product configuration from backup files.
Expert permissions are required to perform the backup and restore procedures.

SecurePlatform also provides the option of backing up the entire SecurePlatform operating system and all of its products using the snapshot command.
A snapshot of the system can be taken manually with the snapshot command or automatically during an upgrade using the SafeUpgrade option.
Having a snapshot of the entire operating system lets you restore SecurePlatform if needed. Like Backup and Restore, the Snapshot and Revert features make maintenance and management easy, even when a situation demands that you undo an upgrade and revert to a previous deployment.
The snapshot and revert commands can use a TFTP or SCP server to store snapshots; alternatively, snapshots can be stored locally.

Check Point VPN-1/FireWall-1 TCP and UDP Ports used by Check Point R70

http://www.fw-1.de/aerasec/r70/ports-r70.html

Acceleration and Clustering Software Blade

The Check Point Acceleration and Clustering Software Blade delivers a set of advanced technologies, SecureXL and ClusterXL, that work together to maximize performance and security in high-performance environments. These work with CoreXL, which is included with the blade containers, to form the foundation of the Open Performance Architecture, which delivers throughput designed for data center applications and the high levels of security needed to protect against today’s application-level threats.

SecureXL: Security acceleration
Patented SecureXL is a technology interface that accelerates multiple, intensive security operations, including operations that are carried out by Check Point’s Stateful Inspection firewall. Using SecureXL, the firewall offloads operations to a performance-optimized software or hardware device, dramatically increasing throughput.

CoreXL: Multicore acceleration
As the first security technology to fully leverage general-purpose multi-core processors, CoreXL introduces advanced core-level load balancing that increases throughput for the deep inspection required to achieve intrusion prevention and high throughput on the firewall. With CoreXL, high performance and high security can be achieved simultaneously.

ClusterXL: Smart Load Balancing
ClusterXL provides high availability and load sharing that keeps businesses running without interruption. ClusterXL distributes traffic between clusters of redundant gateways, combining the computing capacity of multiple machines to increase total throughput. In the event of a gateway or network failure, connections are seamlessly redirected to a designated backup, maintaining business continuity.

Key Benefits

Enables organizations to deploy the highest levels of application security at the highest-performance levels without compromise
Delivers predictable performance as new threats appear
Accelerates performance for multimedia or transaction-oriented applications
Transparent failover for business continuity
Effective load distribution that scales at the processor and system level
Easy Software Blade deployment

Top Ten Tips for Managing Your Firewall

This article lists ten tips for managing and tuning your firewall, aimed at getting the best performance out of the firewall while improving the security of your network.

1. Use the latest OS software available for your particular firewall. Install the latest patches and, where possible, the latest software version.

2. Use a stealth rule at the top of the rule base.
What is a stealth rule? A stealth rule drops any communication addressed to the firewall itself from networks and hosts that are not authorized to manage it. It protects the firewall itself from attack.

3. Place the most commonly matched rules at the top of the rule base. A packet reaching the firewall is checked against the rule base from the top down; once it matches a rule it is accepted, dropped or otherwise handled according to that rule's action. Putting the most frequently matched rules first means most packets do not have to be compared against the whole rule base, which reduces load on the firewall.

4. Keep the rule base as simple as possible. Do not allow access to anything and everything; grant access only where it is needed.

5. Use object groups where possible and combine similar rules into one. This keeps the rule base short and simple and reduces load on the firewall.

6. If your network uses VPN, prefer AES-128 where possible. Some vendors, Check Point among them, recommend AES-128 over 3DES and AES-256 on performance grounds. Check with your firewall manufacturer which cipher performs best on the given platform, keeping in mind that security is also one of your main priorities.

7. Keep logging to what you need. Example: if you have a couple of busy web servers, logging every HTTP connection adds load on the firewall and fills the log server quickly. Rules that exist to catch unexpected traffic (the stealth and cleanup rules) should still be logged.

8. Implement high availability if the budget allows. This considerably reduces network downtime: if the firewall is down, most of your operations are down with it. With high availability the secondary takes over when the primary fails. Firewall clustering can provide both redundancy and load sharing; check with the manufacturer whether it is available.

9. If many VPN connections terminate on your firewall, consider a dedicated VPN device. How many is too many? Check the firewall manufacturer's documentation, or watch the load on the firewall (memory, CPU utilization and so on).

10. End your rule base with a cleanup rule, an ANY ANY DENY (drop) rule, and log it. The log of that rule is what you will analyze if you are ever attacked, and it is just as useful in everyday troubleshooting.

How to fix Check Point High Availability State Synchronization

The purpose of this article is to show how to fix state sync issues in a Check Point High Availability environment. In an HA configuration one firewall acts as the primary and the other as the secondary, also known as a master/backup setup. The master's state tables are replicated to the secondary only while state sync is working between the two. If sync is broken, existing sessions are dropped on a failover. Sync can stop working for several reasons; these are a few ways of fixing it:

This is how you check if the sync is working or not:

CheckpointFW[admin]# cphaprob stat

Working mode: Service

Number Unique Address State

1 192.168.1.1 active

2 (local) 192.168.1.2 down <----------------This shows that the sync is broken

CheckpointFW[admin]#

Run the same command, cphaprob stat, on both the master and the backup firewall to see on which member the problem is reported. Note that cphaprob stat shows cluster member state (a member goes to "down" when one of its critical devices, the sync interface included, fails); the state-synchronization counters themselves are in the Sync section of fw ctl pstat.
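As an added example (not a Check Point tool), the following Python parses the cphaprob stat output shown above and reports members that are not healthy, so the same check can be run from a monitoring host over SSH instead of by eye. The sample outputs are the two captures on this page; the parser treats "standby" as healthy too, since that is the expected state of the secondary member when the cluster runs in High Availability mode.

```python
"""Health check over 'cphaprob stat' output: added example for this page,
not a Check Point tool. Sample outputs are the captures shown on this page."""
import re

# Member rows look like "2 (local) 192.168.1.2 down" or "1 192.168.1.1 active".
MEMBER_RE = re.compile(
    r"^\s*(?P<number>\d+)\s+(?P<local>\(local\)\s+)?"
    r"(?P<address>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<state>\S+)\s*$"
)
# 'active' is healthy everywhere; 'standby' is the normal state of the
# secondary member when the cluster runs in High Availability mode.
HEALTHY_STATES = {"active", "standby"}


def parse_cphaprob_stat(text):
    """Return mode, member list and whether the HA module was running at all."""
    result = {"mode": None, "members": [], "module_started": True}
    for line in text.splitlines():
        if line.startswith("Working mode:"):
            result["mode"] = line.split(":", 1)[1].strip()
            continue
        if line.strip() == "HA module not started.":
            result["module_started"] = False
            continue
        m = MEMBER_RE.match(line)
        if m:
            result["members"].append({
                "number": int(m.group("number")),
                "local": m.group("local") is not None,
                "address": m.group("address"),
                "state": m.group("state").lower(),
            })
    return result


def cluster_problems(text):
    """List of human-readable problems; an empty list means the member looks healthy."""
    parsed = parse_cphaprob_stat(text)
    problems = []
    if not parsed["module_started"]:
        problems.append("HA module not started (cphastart / cpconfig needed)")
        return problems
    if not parsed["members"]:
        problems.append("no cluster members parsed from output")
    for m in parsed["members"]:
        if m["state"] not in HEALTHY_STATES:
            where = "local" if m["local"] else "peer"
            problems.append(f"member {m['number']} ({where}, {m['address']}) is {m['state']}")
    return problems


# Captures from this page: the broken state, the fixed state, and the
# output seen while the HA module is disabled.
SAMPLE_BROKEN = """Working mode: Service

Number Unique Address State

1 192.168.1.1 active

2 (local) 192.168.1.2 down
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace("192.168.1.2 down", "192.168.1.2 active")
SAMPLE_STOPPED = "HA module not started.\n"

if __name__ == "__main__":
    for name, sample in [("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED), ("stopped", SAMPLE_STOPPED)]:
        print(name, cluster_problems(sample) or ["ok"])
```

Feed it the output of cphaprob stat from each member; a non-empty problem list on either side is the cue to start the cpstop/cpstart procedure below.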

In normal cases, the broken sync can be fixed by a cpstop;cpstart.

CheckpointFW[admin]# cpstop

FW: stopping VPN-1 module -- OK

FireWall-1: Warning - FireWall-1 does not enforce any policy

FW-1: disabling IP forwarding. To enable run: "ipsofwd on "

SVN Foundation: cpd stopped

SVN Foundation: cpWatchDog stopped

SVN Foundation stopped

CheckpointFW[admin]#

CheckpointFW[admin]# cpstart

cpstart: Start product - SVN Foundation

SVN Foundation: Starting cpWatchDog

SVN Foundation: Starting cpd

SVN Foundation started

cpstart: Start product - FireWall-1

FireWall-1: starting external VPN module -- OK

Generating tmp/cphamacs file ...

Generating tmp/cphaips file ...

Restoring previous problem notification devices statuses.

FireWall-1: Starting fwd

Installing Security Policy fwpolicy on all.all@CheckpointFW

If the issue is fixed, you will get the following results for the "cphaprob stat" command

CheckpointFW[admin]# cphaprob stat

Working mode: Service

Number Unique Address State

1 192.168.1.1 active

2 (local) 192.168.1.2 active <-------This shows that the sync is established

CheckpointFW[admin]#

If the problem is not fixed, try disabling and re-enabling "Check Point High Availability/State Synchronization" from the cpconfig utility.

This is how you do it:

CheckpointFW[admin]# cpconfig

This program will let you re-configure your VPN-1 & FireWall-1 configuration.

Configuration Options:

----------------------

(1) Licenses

(2) SNMP Extension

(3) PKCS#11 Token

(4) Random Pool

(5) Secure Internal Communication

(6) Disable Check Point High Availability/State Synchronization

(7) Automatic start of Check Point Products

(8) Exit

Enter your choice (1-8) :6

Configuring Disable Check Point High Availability/State Synchronization...

=============================================

High Availability module is currently enabled.

Would you like to disable the High Availability module (y/n) [y] ?

MAC removal on IPSO is not supported.

The uninstall process of CPHA macs has failed.: Interrupted system call

Check Point High Availability/State Synchronization was disabled successfully

You have changed the High Availability configuration.

Would you like to stop the High Availability Module now? (y/n) [y] ?

*************************************************************

The High Availability module is now disabled.

cpconfig will now end. To continue, please run cpconfig again.

*************************************************************

CheckpointFW[admin]#

CheckpointFW[admin]# cphaprob stat

HA module not started.

CheckpointFW[admin]#

CheckpointFW[admin]# cpconfig

This program will let you re-configure your VPN-1 & FireWall-1 configuration.

Configuration Options:

----------------------

(1) Licenses

(2) SNMP Extension

(3) PKCS#11 Token

(4) Random Pool

(5) Secure Internal Communication

(6) Enable Check Point High Availability/State Synchronization

(7) Automatic start of Check Point Products

(8) Exit

Enter your choice (1-8) :6

Configuring Enable Check Point High Availability/State Synchronization...

===================================

High Availability module is currently disabled.

Would you like to enable the High Availability module (y/n) [y] ?

Restoring previous problem notification devices statuses.

Check Point High Availability/State Synchronization was enabled successfully

---------------------------------------

You have changed the High Availability configuration.

Would you like to restart High Availability Module now so that your changes will take effect? (y/n)

[y] ?

Note that the 'start' parameter is obsolete.

Use /opt/CPfw1-50-03/bin/cphastart -h for usage

Restoring previous problem notification devices statuses.

*************************************************************

The High Availability module is now enabled.

cpconfig will now end. To continue, please run cpconfig again.

*************************************************************

CheckpointFW[admin]#

You can check the status of sync state again using cphaprob stat command. If it is not fixed, run cpstop;cpstart again.

If the problem is still not fixed, try rebooting the firewalls.

How to restart the fwd process in Checkpoint Firewalls

There are times when you have to restart the fwd daemon: for example when the firewall starts logging locally instead of to the log server, when a runaway process drives CPU usage high, or when the firewall starts dropping packets for no obvious reason. The commands below restart the firewall daemon (fwd) through the Check Point WatchDog (cpwd), so the watchdog keeps tracking the process.

There are a few ways of restarting fwd. This is one of the cleanest:

Stop fwd:
cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"

Start fwd:
cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"

Example:

CheckpointFW[admin]# cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
cpwd_admin:
Process FWD (pid=1336) stopped with command 'fw kill fwd'. Exit code 0.
CheckpointFW[admin]# ps -aux | grep fwd
root 626 0.0 0.1 256 1076 ?? Is 22Sep06 0:00.01 /opt/CPfw1-R55p/bin/ifwd
CheckpointFW[admin]# cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
cpwd_admin:
Process FWD process has been already terminated
CheckpointFW[admin]# cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"

cpwd_admin:
Process FWD started successfuly (pid=24095)
CheckpointFW[admin]#
CheckpointFW[admin]#
CheckpointFW[admin]# ps -aux | grep fwd
root 24095 12.3 1.2 21204 25008 ?? Ds 4:11AM 0:01.36 fwd (fw)
root 626 0.0 0.1 256 1076 ?? Is 22Sep06 0:00.01 /opt/CPfw1-R55p/bin/ifwd
root 24148 0.0 0.0 404 224 p0 S+ 4:11AM 0:00.01 grep fwd
CheckpointFW[admin]# exit

Note: restarting fwd resets the existing VPN tunnels, so check the current tunnels with vpn tu before running it.

There are other ways to restart fwd. One is to kill the fwd process (fw kill fwd) and let cpwd restart it; another is fwstop followed by fwstart, which restarts the whole FireWall-1 module rather than just fwd.

Thursday, May 5, 2011

How to back up your system

Backup procedures
Check Point provides three different procedures for backing up (and restoring) the operating system and networking parameters on your appliances.

Snapshot (Revert)
Backup (Restore)
upgrade_export
Each of these procedures backs up certain parameters and has relative advantages (such as: file size, speed, and portability), which are fully described in this chapter, together with detailed instructions as to how to carry out each procedure.

Snapshot

The snapshot utility backs up everything, including the drivers, and is available only on SecurePlatform.
Snapshot can be used to back up both firewall and management modules.
The disadvantages of this utility are that the generated file is very big, and that it can only be restored to the same device in exactly the same state (same OS, same Check Point version, same patch level).

Snapshot via CLI on Open Servers

To take a snapshot via the command line interface (CLI):

From the command line, run snapshot

Running snapshot without any flags will use default backup settings and put the file in: /var/CPsnapshot/snapshots
You can use additional flags to designate a different file name, or select a TFTP/FTP server
Use snapshot -h for help or to list the flags
Note - Performing snapshot can take a long time and could interrupt your services. Thus, it is recommended to conduct a snapshot during a maintenance window.
Reverting to a snapshot

The revert command restores the system from snapshot file.

To revert to a snapshot:

From the command line, run revert

Use revert -h for help

Snapshot via WebUI on UTM-1 and Power-1 appliances

On the UTM-1 and Power-1 appliances the snapshot can only be performed from WebUI (not via CLI), and the file cannot be transferred to a different appliance.

To create a snapshot via the WebUI:

From your desktop open a browser and login to: https://:4434
From the Appliance menu, select Image Management.


Click Create. The Create Image window is displayed.


Optionally, in the Description field, enter a description, then click Apply. The status is displayed.


Reverting to a snapshot

Reverting on UTM-1 and Power-1 Appliances

To restore the system to a previous snapshot:

Login to the same place, select the required snapshot and click Revert.


Backup

The backup utility backs up your Check Point configuration and your networking/OS system parameters (such as routing), and it is only available on SecurePlatform.

The backup utility can be used to backup both your firewall and management modules.
The resulting file will be smaller than the one generated by snapshot, but still pretty big.
Backup does not include the drivers and can be restored to a different machine (unlike snapshot). However, restoring to the same machine is recommended, since the backup includes information such as the MAC addresses of the NIC interfaces.
You can only restore it to the same OS, Check Point version and patch level.
Backup via CLI on Open Servers

To make a backup

From the command line, run backup

Running backup without any flags will use default backup settings and put the file in /var/CPbackup/backups
Note - On UTM-1 and Power-1 appliances the location will be /var/log/CPbackup/backups

You can use additional flags to designate a different file name, or select a TFTP/FTP server
Use backup -h for help or to list the flags
Note - Performing backup can take a long time and could interrupt your services. Thus, it is recommended to conduct a backup during a maintenance window.

On open servers:



On UTM-1 and Power-1 appliances:



Restoring from a backup

The restore command restores the system from backup file.

To restore from a backup:

From the command line, run restore

Use restore -h for help

Backup via WebUI on UTM-1 and Power-1 appliances

It is also possible to create a backup from the WebUI.

To make a backup:

From your desktop open a browser and login to:
https://:4434
From the Appliance menu, select Backup and Restore.


Select a device from the option buttons shown and click Apply.
You can either perform the backup now or you can create a schedule for a backup.
Note - Backup cannot be restored from the WebUI, only from the command line interface.

Upgrade_export and upgrade_import

The upgrade_tools back up all Check Point configuration, independent of hardware, OS or Check Point version, but do not include OS information.
You can use this utility to back up the Check Point configuration on the management station.
If you change Check Point version you can only go up: upgrade, not downgrade.
The file is much smaller (depending on the size of your policy), and if the system is not under heavy CPU load the export can be taken on a live system without interrupting services.
This utility is command-line only and cannot be scheduled.

On SecurePlatform and Linux

To export:

cd $FWDIR/bin/upgrade_tools
./upgrade_export filename



To import:

cd $FWDIR/bin/upgrade_tools
./upgrade_import filename

Note - upgrade_import will stop the services.

On Windows

To export:

cd %FWDIR%\bin\upgrade_tools
upgrade_export filename

To import:

upgrade_import filename

Additional backup issues

There are additional backup options that we recommend that you consider:

Database Revision Control

This utility creates a version of your current policies, object database, IPS updates, etc. It is useful for minor changes or edits that you perform in the dashboard.

It cannot be used to restore your system in case of failure.

To perform database revision control:

In the dashboard-> File ->Database revision control -> Create

You can also create a version upon every policy installation.

Routing and interface information

This information is useful to have on hand as a reference if you are attempting to restore a configuration especially if your gateway module has a heavy routing table.

To create a copy of your routing and interface information:

netstat -rn > routes.txt
ifconfig -a > ifconfig.txt (SecurePlatform/Linux)
ipconfig /all > ipconfig.txt (Windows)
copy of /etc/sysconfig/netconf.C (SecurePlatform)

Recommended backup schedule
Snapshot - at least once or before major change (for example: an upgrade), during a maintenance window
Backup - every couple of months, depending how frequently you perform changes in your network/policy. Also before every major change, during a maintenance window
upgrade_export - every month or more often, depending on how frequently you perform changes in your network/policy. Also important before upgrade or migration. Can be run outside a maintenance window.
Verifying the procedure
We always recommend periodically testing your backups for corruption, or simply to practise the restore process.

Snapshots cannot be used for this purpose, but backup and upgrade_export files can.
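The page recommends testing backups periodically. As an added example (not a Check Point utility), the Python below does the offline part of that test on a .tgz backup file: it checks the file against a recorded SHA-256 digest and then reads every member to the end, so truncation (an interrupted TFTP transfer, for instance) or corruption is reported, and a file altered after it was written is caught by the digest. The sample archive and its truncated copy are constructed in a temporary directory; the real files live under /var/CPbackup/backups.

```python
"""Offline integrity check for .tgz backup files: added example for this
page, not a Check Point utility. Works on any tar.gz, such as the files
SecurePlatform's backup command writes to /var/CPbackup/backups."""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tgz(path, expected_sha256=None):
    """Return (ok, detail). Every member is read to its end, so a truncated
    or corrupted archive is reported instead of listing fine."""
    if expected_sha256 is not None and sha256_of(path) != expected_sha256:
        return False, "sha256 mismatch: file changed since the digest was recorded"
    try:
        with tarfile.open(path, "r:gz") as tar:
            count = 0
            for member in tar:
                if member.isfile():
                    f = tar.extractfile(member)
                    while f.read(1 << 16):
                        pass
                count += 1
    except (tarfile.TarError, EOFError, OSError) as exc:
        return False, f"unreadable archive: {exc}"
    if count == 0:
        return False, "archive is empty"
    return True, f"{count} members readable"


def make_sample_backup(directory):
    """Constructed stand-in for a backup: a small .tgz with two members."""
    path = os.path.join(directory, "backup_sample.tgz")
    with tarfile.open(path, "w:gz") as tar:
        for name, data in [("conf/objects.C", b"(\n\t:x (1)\n)\n" * 400),
                           ("etc/sysconfig/netconf.C", b"interfaces\n" * 50)]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def truncated_copy(path):
    """Simulate a backup cut short mid-transfer (e.g. an interrupted TFTP put)."""
    with open(path, "rb") as f:
        data = f.read()
    out = path + ".truncated"
    with open(out, "wb") as f:
        f.write(data[: len(data) // 2])
    return out


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        good = make_sample_backup(tmp)
        digest = sha256_of(good)
        print("intact:   ", verify_tgz(good, digest))
        print("truncated:", verify_tgz(truncated_copy(good)))
```

Record the digest at backup time (for example in the change ticket for the maintenance window) and pass it to verify_tgz when the copy on the TFTP or SCP server is checked; the digest alone only proves the file is unchanged, which is why the full read-through is kept as well.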

How to backup a SecurePlatform machine

Backing up your system

Note: Database updates that were applied after the system image was created are not restored when reverting to an older image.

On Open Servers, follow these steps:
Log in to the machine via SSH.
Run the snapshot command.
Follow the instructions on the screen.
Note: Snapshot creation temporarily stops Check Point services. This may result in system downtime of about 20 minutes.
On Power-1 and UTM-1 appliances, follow these steps:
Log in to the WebUI.
From the left menu, select 'Appliance' > 'Image Management'.
Click the 'Create' button.
Fill the 'Description' field.
Click the 'Apply' button.
A pop-up message appears, click 'Yes'.

How to resolve fwm crashing when connecting with the SmartDashboard GUI client.

1. cpstop

2. Back up $FWDIR/conf/CPMILinksMgr.db and $FWDIR/conf/CPMILinksMgr.db.private

3. Delete $FWDIR/conf/CPMILinksMgr.db and $FWDIR/conf/CPMILinksMgr.db.private

4. Back up $FWDIR/conf/applications.C and $FWDIR/conf/applications.C.backup

5. Delete $FWDIR/conf/applications.C and $FWDIR/conf/applications.C.backup

6. cpstart



The $FWDIR/conf/CPMILinks* and $FWDIR/conf/applications.C files are regenerated automatically after restarting the SmartCenter and logging in with the SmartDashboard GUI client.

Users Database is lost: unable to reload, Cannot load objects database errors

To resolve the problem, perform the following:
Run the cpstop command on the Security gateway.

Back up the files in the $FWDIR/database directory on the Security Gateway, then delete them.
Do not delete the folders inside this directory.

Run the cpstart command.

Install the Security Policy or the database afterwards.


Note:
Use this solution on the Security gateway only. Do not delete the content of the $FWDIR/database directory on the SmartCenter server.