Restorepoint can use SCP, SSH, telnet and TFTP to retrieve the configuration.
Usage scenario: Restorepoint and SmartCenter failure
The Check Point SmartCenter is an integral component in a Check Point firewall deployment; it enables organisations to perform all aspects of security management via a single, unified console.
However, even if the SmartCenter contains all the security policy information for all the gateways, it does not store critical configuration information about a SecurePlatform-based appliance, in particular:
- Gateway interface IP addresses (although this information is available in the SmartCenter, it cannot be "pushed" by the SmartCenter to the gateway)
- Routing tables
- SIC Certificates
- SSH keys
- Local Secureplatform administrator accounts
In practice, the SmartCenter can only install a security policy on a new gateway (for instance, in a disaster recovery scenario) after all the interfaces and routing tables have been configured, and the SIC trust have been established.
In a disaster scenario where the SmartCenter server needs to be rebuilt from scratch, the lack of a full configuration backup could make the difference between being back up and running in a few minutes and an extended outage. For example, the lack of a backup of the SIC data will require re-initialising SIC on the SmartCenter, and reset/re-initialise SIC on all gateways (which causes a gateway restart).
Restorepoint performs a full configuration backup, and can restore on to a newly installed Secureplatform server, making it virtually identical to the original server before the failure.
Restorepoint can back up the following:
- Full Backup: the full Check Point and O/S configuration. This is recommended for disaster recovery because it includes both the operating system and network configuration, and the Check Point software configuration (for example security policy, objects, SIC, revision control database, etc). Unlike a snapshot, it does not include the operating system, product binaries, and hotfixes.
- OS Config: Allows saving Gaia OS configuration settings as a ready-to-run CLI script. This allows you review your current setup and quickly restore the Gaia OS configuration. When restoring, these commands are read from the configuration file and executed. Restorepoint uses the clienv on-failure continue clish command, so if conflicting settings are encountered (for instance, an attempt to create an already existing user account), the restore will continue, but the conflicting setting may not restore. This is caused by the Gaia CLI and is not a limitation of Restorepoint.
- Snapshot: The snapshot creates a binary image of the entire root disk partition. This includes Check Point products, configuration, and operating system. The log partition is not included in the snapshot. Therefore, any locally stored FireWall logs will not be saved. Note that snapshots can be very large. Starting in R77.10, exporting an image from one machine and importing that image on another machine of the same type is supported. Restoring from a snapshot is not yet supported in Restorepoint.
- DB Export: The backup created by the Check Point migration tools. This can only be used on SmartCenters, and can be used for hardware migration or software upgrades. Logs can optionally be backed up by ticking the Include Logs checkbox.
- CP Info: the CP Info output, which can be used to submit software/hardware debugging information to Check Point. Not that you must have the latest version of the CP Info tool installed (at the time of writing, this is build 914000191).
- Additional Files: You can also backup custom files which are not normally included in the Check Point backup. Restorepoint requires full path names.
Notes: - Restorepoint uses SSH to connect to the device. When transferring the backup, Restorepoint uses a secondary connection either in the same direction (if SCP is selected), or a back-connection from the device back to Restorepoint (if SSH is selected).
- If you select SCP, the user account used to connect to the device must be a full administrator with the "bash" shell:
- navigate to User Management->Users in the Gaia UI and create or edit a user account
- change the user shell from /etc/cli.sh to /bin/bash
- ensure that the user is assigned the adminRole
- tick the Command Line check box under Access Mechanisms.
- When restoring, you must ensure that the target system is running the same software version and hotfixes than the system from which backup was taken. Even if the full backup normally contains all the hotfixes, restoring to a different version may still fail. This is a Check Point restriction, which may be overridden if required (dbset backup:override_hfs ); please contact Technical Support if you need further information.
- When restoring, a reboot is not usually needed, because the Check Point configuration is reloaded on completion. However, a reboot may be necessary, for instance, to reload the operating system network settings.
- After restoring a firewall module, the connection between Restorepoint and the device may be terminated, because the security policy is reloaded (or the gateway rebooted). In this case, Restorepoint tries to reconnect to the device and verify that the restorepoint operation was successful.
- Restorepoint can update the Deployment Agent software and install Hotfixes; these must be imported in the Device Software screen. Hotfixes must be CPUSE packages. Software update has been tested with R77.30.
- Please ensure that port 22/tcp (for SSH) is not blocked by any firewalls in either direction between Restorepoint and the device. You will also need to enable SSH in the Gaia UI under System Management->Host Access.
- If you are backing up or restoring a Check Point SmartCenter, please ensure that no SmartCenter clients are connected to the device, otherwise the operation will fail because the configuration is locked.
