One aspect of the Check Point SecurePlatform OS that I struggle to get my head around is backups. There are a few different options, and during the course of researching an upgrade I came across the best explanation I’ve seen yet. I’ve decided to grab a copy of the relevant text and post it in my blog for future reference here.
I cannot take any credit for this information, it is taken directly from a post on this very informative site: http://blog.sekiur.com. So, a big thank you to the blog’s author Jose Vicente Ortega.
Oversimplified Executive Summary
- upgrade_export contains just Check Point configuration
- A backup is an upgrade_export plus SPLAT OS configuration
- A snapshot is a backup plus binary files, both Check Point and SPLAT OS
- As a general rule of thumb, if your restoring on the same hardware a snapshot would be the easiest to use since it contains the most info and an upgrade_export would be the worst, since you’d have to manually restore the most stuff.
- It doesn’t backup any OS (i.e. SPLAT) settings, it only backup up CheckPoint settings
- It will let you export on one OS and then import on a different OS (i.e. go from Windows to SPLAT)
- You can upgrade_import on different hardware (i.e. go from IBM to HP)
- You can restore an export from an older version to a newer version of CheckPoint. A SPLAT backup/restore requires that you have the exact same versions. Note that when upgrading from an older to newer version, you must use the newer version’s upgrade_export utility to create the export file.
- It restores the product list as well. The SPLAT restore command won’t restore the Check Point settings if you don’t have the exact same products (and product versions) installed.
- A SPLAT backup will back up both the SPLAT OS settings as well as the CheckPoint settings
- Basically it’s an upgrade_export with OS settings added in
- Restoring a backup file requires the exact same software installation. I.e. you can’t restore a backup from R55 on to R60 (the HFA level must match as well). The installed product list must match as well. Note that you can still restore the OS settings even if your installed Check Point product list doesn’t match.
- The SPLAT OS settings are hardware specific. If you restore the system settings you must restore on the same hardware. However, if you only restore the Check Point settings you can restore on different hardware. Restoring just the Check Point settings is essentially the same thing as doing an “upgrade_import” of an exported file.
- A snapshot is even better than a backup since it contains binary files. I.e. you can revert from R60 to R55 with a snapshot. The downside to this is that a snapshot file is much larger than an upgrade_export or backup file.
- A snapshot can also roll you forward for minor software changes. For example if I revert from R60 HFA05 to HFA01 I can later revert back to R60 HFA05 from R60 HFA01
- A snapshot cannot revert to a newer major release of Check Point. I.e. you can’t revert from R55 to R60.
- If you’re reinstalling SPLAT on the same hardware you don’t have to install any HFA’s or change any configuration. Simply reverting to your saved snapshot file will restore all configurations and HFAs. The only stipulation is that the major software version must match. I.e. a R60 snapshot file will only work on a R60 install (regardless of HFA level).
- You can only revert on the same hardware, since the snapshot file contains hardware specific SPLAT settings.
An exception to the rules
If you’re feeling lucky I’ve noticed that you can actually restore a backup file or snapshot file on different hardware as long as you:
- Delete “/etc/sysconfig/hwconf” (this is automatically re-created during the reboot)
- In the case of a snapshot file also delete “/etc/modules.conf
**Backups don’t contain this file
**modules.conf controls which drivers are loaded
**This is be automatically re-created during the reboot
- Remove the “hwaddr” lines from /etc/sysconfig/netconf.C
You must remove the hwaddr lines since the firewall will use the MAC addresses stored in the snapshot/backup file, not your network card’s physical MAC addresses. You can verify which MAC addresses you’re using with these commands:
- ifconfig | grep HWaddr – This shows which MACs you’re currently using
- grep hwaddr /etc/sysconfig/hwconf -This should contains your NICs’ physical MAC addresses. If in doubt, delete this file, reboot and this file will be automatically created on startup.
- grep hwaddr /etc/sysconfig/netconf.C -This shows which MACs your server is configured to use. If there are no “hwaddr” lines, then your NIC’s physical MACs will be used. If there are no “hwaddr” lines you can create them by running “cpnetconf store“.
- To remove the hwaddr lines in “/etc/sysconfig/netconf.C” run these commands:cd /etc/sysconfig cpstop mv netconf.C netconf.C.old grep -v hwaddr netconf.C.old >netconf.C rm /etc/sysconfig/hwconf reboot