Solved

How to backup checkpoint Firewall

Posted on 2013-01-07
9
3,769 Views
Last Modified: 2013-11-07
How to backup checkpoint (UTM-1 450 C2-C)

This FW is an old unit but core unit. This unit handles our FW/DMZ/URL-filtering/ClientVPN. I am new to Checkpoint, how do I properly backup the whole unit and its configurations.  I am using SmartDashboard R70 to connect to the device. Since it is different from the ASA ASDM, I wanted to know how to see the detailed list of the Access list and routing table.
0
Comment
Question by:mkanagar
  • 3
  • 3
  • 3
9 Comments
 
LVL 20

Assisted Solution

by:netcmh
netcmh earned 75 total points
ID: 38753340
Have you read http://www.checkpoint.com/smb/help/utm1/8.0/453.htm ?

From the above page:

Click Setup in the main menu, and click the Tools tab.

The Tools page appears.
Click Export.

 A standard File Download dialog box appears.
Click Save.

The Save As dialog box appears.
Browse to a destination directory of your choice.
Type a name for the configuration file and click Save.

The *.cfg configuration file is created and saved to the specified directory.
0
 
LVL 14

Assisted Solution

by:grimkin
grimkin earned 225 total points
ID: 38753874
Hi.

There are a few different ways of doing this:

1) Backup through the web gui - this will allow you to take as config backup which you can then restore to a new install on the same (or same model of) machine. Obviously its a good idea to move the backups off to a different location.

2) Snapshot through the web gui - this will create a system snapshot which you can then revert to, again using the web gui

3) An upgrade export - this will backup the internal CA and firewall configuration but not OS level stuff, i.e. interface config, hostname etc. This can then be used to create your smartcenter on a different machine and / or platform - this is essential for disaster recovery. Details for this are available on the knowledge base but generally you will go into the $FWDIR/bin/upgrade_tools/ directory and run the following: "migrate export mybackupname" - this creates mybackupname.tgz which you can then move off the machine to keep for a disaster recovery situation.

Hope this helps.

G
0
 

Author Comment

by:mkanagar
ID: 38760545
Thanks. Currently I only have access to this through "checkpoint SmartDashboard". Is there a way I can backup using the smartDashboard?
0
 
LVL 14

Assisted Solution

by:grimkin
grimkin earned 225 total points
ID: 38762045
Hi,

In short, no. You need to have access to the operating system, not just the checkpoint software. This means either webgui or ssh / console. You can perform a database revision which backs up th current set of firewall rules and objects but again you need os level access to move it off the machine.

Hath.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:mkanagar
ID: 38763803
I wll try to get the ssh working. If get it working, what is the command I need to use to backup the entire system and configuration. Thanks.
0
 
LVL 20

Expert Comment

by:netcmh
ID: 38765357
Using ssh, you can console in and run the command backup. The backup will be found in /var/log/CPbackup/backups
0
 
LVL 14

Accepted Solution

by:
grimkin earned 225 total points
ID: 38766635
You can use the backup command from either standard or expert mode via ssh. To get a list of the options, use the "--h" switch as shown below. You can also have this backup automatically moved off the machine via TFTP / FTP / SCP.

Hope this helps

G

[Expert@trinity]# backup --h
usage:
backup  [-h] [-d] [-l]  [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off] [--tftp <ServerIP> [-path <Path>] [<Filename>]]
                [--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]]
                [--ftp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]]
                [--file [-path <Path>] [<Filename>]]


where:
        -d                              Show debug messages
        -l, --logs                      Back up log files
        -h, --help                      Show this help information
        -t, --tftp                      Transfer backup package to TFTP server
        -s, --scp                       Transfer backup package to SCP server
        -v, --ftp                       Transfer backup package to FTP server
        -f, --file                      Specify local backup package filename
        -e, --sched                     Configure scheduled backup operation
        -p, --purge                     Purge local backup packages older than DAYS
[Expert@fwtest]#
0
 

Author Comment

by:mkanagar
ID: 38852315
I still have issue connecting other than the dashboard. Getting some planned-downtime soon, going to play with this coming weekend to see if I can back it up.
0
 
LVL 20

Expert Comment

by:netcmh
ID: 39631694
Thanks for the grade. Good luck.
0

Featured Post

New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

Join & Write a Comment

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now