How To – Back up and restore Check Point SecurePlatform Gateways and Managemement servers

By | April 23, 2012

This blog post details how to back up and restore Check Point Security Management Servers and Security Gateways running on the SecurePlatform OS, on Open Server hardware.

There are two types of backup available – Snapshot and Backup.

**note** it is recommended to only carry out backup procedures during a maintenance window due to the performance impact it will have on the device and the fact that the snapshot process will stop and re-start the Check Point services. Also, be aware that backing up a management server will fail if any SmartConsole connections are active.

Also, there is a third backup option for Management servers, called Upgrade Export which is used when you are upgrading to a newer version of the OS.  For a fantastic overview of all the options, take a look at this post on the excellent CP Shared forum.

 

Snapshot

A snapshot takes an image of the whole system, including device drivers, HFA’s and Hotfixes.  Typical scenarios where you would want to use the snapshot method would be:

  •  You are about to make a major change to the system eg. software upgrade. Take a snapshot prior to the upgrade and if it all goes horribly wrong you can always reset the box back to the exact state it was in before you broke it (useful to prevent tears/tantrums in the early hours of the morning during your change window)
  • Snapshot after an upgrade, and use it as a means to rebuild the box if it dies. Restore the snapshot and then and add the most recent backup (think of as incremental backups) to get you up and running again.

The snapshot will generate a large file (typically at least 1GB for a SCS) and can only be restored onto the same machine ie. same hardware and OS version.  Remember also to copy the snapshot file off the box to another location on your network, otherwise the snapshot is completely useless if the hard drive fails (the same goes for a backup).

Snapshot via the CLI:

  1. run the command: snapshot
  2. select the location you wish to save the file to, supply any credentials for ftp or scp servers, and supply a name for the snapshot file
  3. if you select a local, the snapshot file will be created in /var/CPsnapshot/snapshots, so copy the file from here into a safe location on your network if you selected the local option in step 2

Rather than follow the menu prompts you you can specify other parameters with the command, such as the name you want to give the file and your remote server details. To see a list of options type snapshot -h.

For example, to take a snapshot and copy it to your TFTP server with the file name “scs_snapshot_20052012”:

[SCS]# snapshot -t 192.168.10.10 scs_snapshot_20052012

To restore from a snapshot:

You can restore a snapshot from a file located in /var/CPsnapshot/snapshots, or from a network location. Simply type the command revert in expert mode, select the source (local, tftp, ftp, scp server) and file name.

As with the snapshot command, you can specify extra options. For a list of options available with this command, type revert -h.

Backup

A backup is very similar to a snaphot, in that in contains all the Check Point configuration, networking settings (routing info etc), but it does not include device drivers, HFA’s and Hotfixes.  The the idea is that you would restore the backup onto onto the same machine ie. same hardware, OS, Check Point version and patch level.

Backups can be run without stopping the Check Point services, and the backup files are typically much smaller than with a snapshot (as they contain only the configuration information).

Backup via the CLI:

  1. run the command: backup
  2. by default the backup file will be created in /var/CPbackup/backups, so copy the file from here into a safe location on your network
  3. as with snapshots, you can supply parameters with the command such as the FTP server details and also schedule a backup.  type backup -h for more info.

To restore from a backup:

In order to restore from a back up, you must first have installed SPLAT and all the required Check Point components and hot fixes etc.  You can restore a backup from a file located in /var/CPbackup/backups, or from a network location. Simply type the command restore, select the source (local, tftp, ftp, scp server) and file name.

Once you’ve selected the back up file to restore from, you can then chose to modify which information to restore, the “system” or “cp_products”.  So for example if you wanted to restore your backup onto new hardware, you could first install the OS, and then just selectively restore the Check Point configuration.

As with the backup command, you can specify extra options. For a list of options available with this command, type restore -h.

Backup via the WebUI:

1.  log onto the device via https://<IP-Address>  (the default port is 443 unless it has been changed to avoid a clash with SSL VPN)

2.  select Device –> Backup –> Back Up Now

3.  select the location you wish to save the file to, supply any credentials for ftp or scp servers, and optionally select to include logs files in the backup.  Then click Apply

4.  click Yes to proceed.  (on a management server note the warning to close GUI clients)

5.  to view the status of the backup, click View Backup Log

 

**note** it is not possible to restore from a backup via the WebUI, it has to be done via the CLI.

7 thoughts on “How To – Back up and restore Check Point SecurePlatform Gateways and Managemement servers

  1. sanam

    this is really usefull…I am into Switching and routing majorly working on cisco and juniper.. Also have been maintaining and implementing rule base on checkpoint R75.46. Now i want to take backup of the configured rules and routing for the Checkpoint Firewall which is up and running.. From the explanation what i understand is this could be done by backup and snapshot..What i am worried is that i have to do it on LIVE running checkpoint firewall. So what u say snapshot will stop all service does it means Firewall will go down or will reboot? If you can send me detailed information it would be appreciable..

    Thanks in advance

    Reply
    1. Rich Bibby Post author

      if you are working on a live box then go for a back up rather than a snap shot. unless you have a HA pair, in which case you could snap shot each one separately. also if your management server is on a separate box to the gateway then a snap shot would only affect the check point services on the management server, not the gateway

      Reply
  2. Ranjith S

    Hi,
    We have a management server on a separate box. Can i execute upgrade export command on mgmt server for taking backup of gateways.
    Or do i need to execute the upgrade export command on individual gateways.

    Regards
    Ranjith

    Reply
    1. Rich Bibby Post author

      Hi Ranjith. I believe you will have to run the ‘upgrade export’ command on the gateways themselves.

      Rich

      Reply
  3. Debadurlav

    Need a Small help, i have a EOL open server, planning to migrate with checkpoint appliances, may I want to know that, is it possible to restore the same configuration back up in new appliance or need to do some changes in configuration file.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *