Thursday, May 5, 2011

How to back up your system

Backup procedures
Check Point provides three different procedures for backing up (and restoring) the operating system and networking parameters on your appliances.

Snapshot (Revert)
Backup (Restore)
upgrade_export
Each of these procedures backs up certain parameters and has relative advantages (such as: file size, speed, and portability), which are fully described in this chapter, together with detailed instructions as to how to carry out each procedure.

Snapshot

The snapshot utility backs up everything, including the drivers, and is available only on SecurePlatform.
Snapshot can be used to back up both your firewall and management modules.
The disadvantages of this utility are that the generated file is very big, and can only be restored to the same device, and exactly the same state (same OS, same Check Point version, same patch level).

Snapshot via CLI on Open Servers

To take a snapshot via the command line interface (CLI):

From the command line, run snapshot

Running snapshot without any flags will use default backup settings and put the file in: /var/CPsnapshot/snapshots
You can use additional flags to designate a different file name, or select a TFTP/FTP server
Use snapshot -h for help or to list the flags
Note - Performing snapshot can take a long time and could interrupt your services. Thus, it is recommended to conduct a snapshot during a maintenance window.





Reverting to a snapshot

The revert command restores the system from a snapshot file.

To revert to a snapshot:

From the command line, run revert

Use revert -h for help








Snapshot via WebUI on UTM-1 and Power-1 appliances

On the UTM-1 and Power-1 appliances, the snapshot can only be performed from the WebUI (not via CLI), and the file cannot be transferred to a different appliance.

To create a snapshot via the WebUI:

From your desktop, open a browser and log in to: https://:4434
From the Appliance menu, select Image Management.


Click Create. The Create Image window is displayed.


Optionally, in the Description field, enter a description and click Apply. The status is displayed.


Reverting to a snapshot

Reverting on UTM-1 and Power-1 Appliances

To restore the system to a previous snapshot:

Log in to the same place, select the required snapshot and click Revert.


Backup

The backup utility backs up your Check Point configuration and your networking/OS system parameters (such as routing), and it is only available on SecurePlatform.

The backup utility can be used to back up both your firewall and management modules.
The resulting file will be smaller than the one generated by snapshot, but still pretty big.
Backup does not include the drivers, and can be restored to a different machine (as opposed to snapshot, which cannot). However, it is recommended to restore the backup to the same machine, since it includes information such as the MAC addresses of the NIC interfaces.
You can only restore it to the same OS, same Check Point version and patch level.
Backup via CLI on Open Servers

To make a backup:

From the command line, run backup

Running backup without any flags will use default backup settings and put the file in /var/CPbackup/backups
Note - On UTM-1 and Power-1 appliances the location will be /var/log/CPbackup/backups

You can use additional flags to designate a different file name, or select a TFTP/FTP server
Use backup -h for help or to list the flags
Note - Performing backup can take a long time and could interrupt your services. Thus, it is recommended to conduct a backup during a maintenance window.

On open servers:



On UTM-1 and Power-1 appliances:



Restoring from a backup

The restore command restores the system from a backup file.

To restore from a backup:

From the command line, run restore

Use restore -h for help






Backup via WebUI on UTM-1 and Power-1 appliances

It is also possible to create a backup from the WebUI.

To make a backup:

From your desktop, open a browser and log in to:
https://:4434
From the Appliance menu, select Backup and Restore.


Select a device from the option buttons shown and click Apply.
You can either perform the backup now or you can create a schedule for a backup.
Note - Backup cannot be restored from the WebUI, only from the command line interface.

Upgrade_export and upgrade_import

Upgrade_tools backs up all Check Point configurations, independent of hardware, OS or Check Point version, but does not include OS information.
You can use this utility to back up the Check Point configuration on the management station.
If you change the Check Point version you can only go up; in other words, you can upgrade but not downgrade.
The file will be much smaller (depending on the size of your policy), and if the system is not running on a highly loaded CPU you can do a backup on a live system without interruption of the services.
This utility can be used only from the command line and cannot be scheduled.

On SecurePlatform and Linux

To export:

cd $FWDIR/bin/upgrade_tools
./upgrade_export filename



To import:

cd $FWDIR/bin/upgrade_tools
./upgrade_import filename

Note - upgrade_import will stop the services.





On Windows

To export:

cd %FWDIR%\bin\upgrade_tools
upgrade_export filename

To import:

upgrade_import filename

Additional backup issues

There are additional backup options that we recommend that you consider:

Database Revision Control

This utility creates a version of your current policies, object database, IPS updates, etc. It is useful for minor changes or edits that you perform in the dashboard.

It cannot be used to restore your system in case of failure.

To perform database revision control:

In the dashboard: File -> Database revision control -> Create

You can also create a version upon every policy installation.





Routing and interface information

This information is useful to have on hand as a reference if you are attempting to restore a configuration, especially if your gateway module has a heavy routing table.

To create a copy of your routing and interface information:

netstat -rn > routes.txt
ipconfig -a > ipconfig.txt
ifconfig > ifconfig.txt
copy of /etc/sysconfig/netconf.C

Recommended backup schedule
Snapshot - at least once or before major change (for example: an upgrade), during a maintenance window
Backup - every couple of months, depending on how frequently you perform changes in your network/policy. Also before every major change, during a maintenance window
upgrade_export - every month or more often, depending on how frequently you perform changes in your network/policy. Also important before upgrade or migration. Can be run outside a maintenance window.
Verifying the procedure
We recommend periodically testing your backups for possible corruption issues, or just to practice the restore process.

For this purpose, it is not possible to use snapshots. However, you can use backup and upgrade_export.
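
Between test restores, the backup files can be checked automatically against the recommended schedule and for corruption at rest. The script below is an added example, not part of the original post or of Check Point's tooling; it complements a real test restore and does not replace one. Assumptions: the 60- and 31-day limits, the export directory /var/tmp/cp_exports (override with EXPORT_DIR), and sha256sum being available on the system; on UTM-1 and Power-1 appliances substitute /var/log/CPbackup/backups.

```shell
#!/bin/sh
# Added example: audit Check Point backup directories for stale or corrupted
# files. Age limits and EXPORT_DIR are assumptions, not values from the vendor.

# record_checksums DIR: (re)write DIR/SHA256SUMS; run it right after each backup.
record_checksums() {
    ( cd "$1" || exit 1
      find . -maxdepth 1 -type f ! -name 'SHA256SUMS*' \
          -exec sha256sum {} + > SHA256SUMS.tmp && mv SHA256SUMS.tmp SHA256SUMS )
}

# verify_checksums DIR: succeed only if a manifest exists and every file matches.
verify_checksums() {
    ( cd "$1" 2>/dev/null && [ -s SHA256SUMS ] &&
      sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# is_fresh DIR MAX_DAYS: succeed if DIR holds a non-empty file newer than MAX_DAYS.
is_fresh() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 1 -type f ! -name 'SHA256SUMS*' \
              -size +0 -mtime -"$2" 2>/dev/null | head -n 1)" ]
}

# audit DIR MAX_DAYS LABEL: print one status line; non-zero status on a problem.
audit() {
    if ! is_fresh "$1" "$2"; then
        echo "STALE   $3: nothing newer than $2 days in $1"; return 1
    fi
    if ! verify_checksums "$1"; then
        echo "CORRUPT $3: missing manifest or checksum mismatch in $1"; return 2
    fi
    echo "OK      $3"
}

# run_audit: apply the schedule above to the default directories from this page.
run_audit() {
    rc=0
    audit /var/CPbackup/backups 60 backup || rc=1      # "every couple of months"
    audit "${EXPORT_DIR:-/var/tmp/cp_exports}" 31 upgrade_export || rc=1
    # Snapshots have no age limit in the schedule; only check integrity.
    verify_checksums /var/CPsnapshot/snapshots ||
        { echo "CORRUPT snapshot: missing manifest or mismatch"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--audit" ]; then run_audit; fi
```

Call record_checksums on a directory immediately after each backup completes, and run the script with --audit from a scheduled job; copying the SHA256SUMS manifest off the appliance keeps it independent of the disk it protects.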