Checkpoint – Reinstall SMS using configuration backup
Last week the filesystem of my SmartCenter server became corrupted and I
could not install any firewall policy (the Check Point software could not
find some needed inodes).
Fortunately I periodically take Check Point configuration backups (using the migrate export utility) as described here -> Checkpoint – Schedule management database backup
These are the steps to get a working SMS again:
- Pre install steps
- Install Checkpoint 1 – Install the GAIA OS
- Install Checkpoint 2 – Install the Checkpoint SW
- Import the Checkpoint configuration backup
- Post install steps
Pre install steps
Obviously we need a new machine to act as the SMS server. As a best
practice, if a virtual environment is available, the best option is to
create a new virtual machine so the recovery can finish as soon as
possible.
If there is no other choice the same machine can be used (I strongly
discourage it). In any case, if you can still access the old server, save
any data you might otherwise lose (scripts, patches…) to another location.
The backup itself should already be stored in another secure location: a
migrate export contains the whole management database, including the
internal CA, so it must be protected accordingly.
Finally, shut the old server down if it is still on the network (or, on a
virtual machine, move it to an isolated test network) so that it cannot
conflict with the new server, which will reuse the same management IP.
After that, get the Checkpoint ISO (the same version that was installed) and run it on the new machine. So the installation starts…
Install Checkpoint 1 – Install the GAIA OS
The boot menu – Install Gaia
Ok, proceed…
Keyboard selection…
Disk partitioning: leave the default or customize it. After the
installation I add a new disk with more space to store the logs, so I
don't spend much time on this configuration…
Choose the admin password used to access the SMS server via SSH or the web GUI
Choose the same management IP as the old server!
Ok, proceed if you are sure…
So the GAIA OS packages and software will be installed…
After the installation a reboot is required, and then we can access the Gaia web portal…
Install Checkpoint 2 – Install the Checkpoint SW
The first time configuration wizard lets us configure some basic parameters and finally installs the Check Point software layer
"Continue with Gaia configuration"
Configure the same parameters as the old server. It is especially important that the hostname is the same (like the management IP): the imported database refers to the management server by this name and address.
Again configure the same management IP. (This screenshot shows empty
fields but they are prefilled with the IP configured on the previous
step).
We want to install a "Security Gateway or Security Management"
Date/time. Use NTP if possible (you may configure it later).
Now we select which Check Point software modules will be installed: "Security Management" as "Primary"
Username and password of the administrator used by the SmartConsole clients
Restrict which GUI clients are allowed to connect to the Security Management server
After the installation completes we have a fully functional SMS server, but with empty firewall policies, databases, etc…
Import the Checkpoint configuration backup
CONNECT TO THE SMS VIA SSH
Connect via SSH to the SMS server, set an expert password and enter expert mode
SMS> set expert-password
Enter new expert password:
Enter new expert password (again):
SMS> expert
Enter expert password:
Warning! All configuration should be done through clish
You are in expert mode now.
[Expert@SMS:0]#
COPY THE BACKUP FILE
Copy the Check Point configuration backup to the SMS server (via SCP,
for example, if the backup is located on another Linux machine)
[Expert@SMS:0]# scp root@MYLINUXSERVER:/var/backups/EXPORTDB_2016-04-18.tgz .
root@MYLINUXSERVER's password:
EXPORTDB_2016-04-18.tgz 4% 19MB 9.3MB/s 00:46 ETA
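Before running the import it is worth checking that the archive that arrived is the archive that was exported: the whole incident started with a corrupted filesystem, and a truncated or damaged upload would otherwise only surface halfway through migrate import, after cpstop. The bash function below is an added example (not code from the original post) for expert mode on the SMS. It assumes, which the post does not describe, that the scheduled export job also writes a sidecar `EXPORTDB_<date>.tgz.sha256` with `sha256sum` and that both files are copied to the SMS together.

```shell
#!/bin/bash
# Added example, not part of the original post: sanity-check an exported
# Check Point configuration archive before handing it to "migrate import".
# Assumption (not stated in the post): the backup job wrote a sidecar file
# "<archive>.sha256" (output of "sha256sum <archive>") next to the archive,
# and both files were copied to the SMS.

# verify_backup_archive <archive.tgz>
# Returns 0 when the archive matches its sidecar checksum and is a readable
# gzipped tar; non-zero (with the reason on stderr) otherwise.
verify_backup_archive() {
    local archive="$1"
    local sidecar="${archive}.sha256"

    if [ ! -s "$archive" ]; then
        echo "ERROR: $archive missing or empty" >&2
        return 1
    fi
    if [ ! -s "$sidecar" ]; then
        echo "ERROR: checksum sidecar $sidecar missing" >&2
        return 2
    fi

    # Compare the digest recorded at export time with the copy that arrived
    # over SCP. Only the first field of the sidecar is used, so the path
    # recorded by the backup job does not have to match the local file name.
    local expected actual
    expected=$(awk '{print $1}' "$sidecar")
    actual=$(sha256sum "$archive" | awk '{print $1}')
    if [ "$expected" != "$actual" ]; then
        echo "ERROR: checksum mismatch (expected $expected, got $actual)" >&2
        return 3
    fi

    # A truncated or corrupted archive fails here, before any service is
    # stopped, rather than in the middle of "migrate import".
    if ! tar -tzf "$archive" >/dev/null 2>&1; then
        echo "ERROR: $archive is not a readable gzipped tar" >&2
        return 4
    fi
    return 0
}

# Example invocation on the SMS, chained so that the import only runs when
# the archive verified (file name taken from the SCP step above):
#   verify_backup_archive EXPORTDB_2016-04-18.tgz && \
#       $FWDIR/bin/upgrade_tools/migrate import EXPORTDB_2016-04-18.tgz
```

The checksum only proves that the copy matches what the backup job recorded; it does not prove the export itself was healthy. The tar listing catches the common case of a partial SCP transfer, which is why it is done before answering "y" to the cpstop prompt.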
IMPORT THE BACKUP
This stops all Check Point services (cpstop), imports the whole configuration (policies, databases, objects…) and then offers to start the services again
[Expert@SMS:0]# $FWDIR/bin/upgrade_tools/migrate import EXPORTDB_2016-04-18.tgz
Extracting the database...
The import operation will stop all Check Point services (cpstop).
Do you want to continue? (y/n) [n]? y
cpwd_admin:
Process DASERVICE terminated
cpwd_admin:
Process SMARTLOG_SERVER isn't monitored by cpWatchDog. Stop request aborts
UEPM: Endpoint Security Management isn't activated
Management Portal: Stopping CPWMD
cpwd_admin:
Process CPWMD terminated
Management Portal: Stopping CPHTTPD
cpwd_admin:
Process CPHTTPD terminated
evstop: dbsync stopped
evstop: Stopping product - SmartEvent Server
evstop: Stopping product - SmartEvent Correlation Unit
Check Point SmartEvent Correlation Unit stopped
Check Point SmartEvent Server stopped
Stopping SmartReporter...
Stopping the SmartReporter Server.
Stopping the SmartReporter Log Consolidator.
Stopping SmartReporter Database.
Note: Database shutdown takes a few minutes. rmdstart will fail while
shutdown is in progress.
SmartView Monitor: Management stopped
VPN-1/FW-1 stopped
Multi portal stopped
Local host is not a FireWall-1 module
SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation: Stopping PostgreSQL Database
SVN Foundation stopped
Importing files...
The import operation completed successfully.
Do you wish to start Check Point services? (y/n) [y]? y
Post install steps
ADD LOST RULES AND POLICIES
You may have lost changes made between the backup and the crash. If you can reconstruct them (from documentation, emails…), add those changes now.
CONFIGURE LOST SERVER PARAMETERS
For example, I had to configure some OS-level parameters to make the DHCP relay work. Fortunately, I had documented that change.
RECONFIGURE SCRIPTS AND SCHEDULED TASKS
Don't forget to reconfigure scheduled tasks such as backups, log rotation and NTP time synchronization.