How to back up your system on SecurePlatform
Solution

Table of Contents

  • Backup procedures
    • Snapshot
      • Snapshot via CLI on Open Servers
      • Snapshot via WebUI on UTM-1 and Power-1 appliances
    • Backup
      • Backup via CLI on Open Servers / UTM-1 and Power-1 appliances
      • Backup via WebUI on UTM-1 and Power-1 appliances
    • migrate export and migrate import
      • On SecurePlatform and Linux
      • On Windows
    • Additional backup issues
      • Database Revision Control
      • Routing and interface information
  • Recommended backup schedule
  • Verifying the procedure
Important Note: Check Point strongly recommends upgrading to Gaia (Check Point's next generation operating system for security applications).

Backup procedures

Check Point provides three different procedures for backing up (and restoring) the operating system and networking parameters on your appliances.

  • Snapshot (Revert)
  • Backup (Restore)
  • upgrade_export

Each of these procedures backs up certain parameters and has relative advantages (such as: file size, speed, and portability), which are fully described in this article, together with detailed instructions as to how to carry out each procedure.

 

Snapshot

The snapshot utility backs up everything, including the drivers.
Snapshot can be used to back up both your firewall and management modules.
The disadvantages of this utility are that the generated file is very big and can only be restored to the same device, in exactly the same state (same OS, same Check Point version, same patch level).

 

Snapshot via CLI on Open Servers

To take a snapshot via the command line interface (CLI):

From the command line, run snapshot

  • Running snapshot without any flags will use default backup settings and put the file in: /var/CPsnapshot/snapshots
  • You can use additional flags to designate a different file name, or select a TFTP/FTP server.
  • Run 'snapshot -h' for help or to list the flags.

Note - Performing a snapshot can take a long time and could interrupt your services. It is therefore recommended to take snapshots during a maintenance window.

 

Reverting to a snapshot

The revert command restores the system from a snapshot file.

To revert to a snapshot:

From the command line, run revert

  • Run 'revert -h' for help

 

Snapshot via WebUI on UTM-1 and Power-1 appliances

On the UTM-1 and Power-1 appliances, the snapshot can only be performed from WebUI (not via CLI), and the file cannot be transferred to a different appliance.

To create a snapshot via the WebUI:

  1. Open Internet Explorer web browser and login to https://IP_address_of_appliance:4434
  2. From the 'Appliance' menu, select 'Image Management'.

  3. Click Create. The 'Create Image' window is displayed.

  4. Optionally, in the Description field, enter a description and click Apply. The status is displayed.

 

Reverting to a snapshot

Reverting on UTM-1 and Power-1 Appliances

To restore the system to a previous snapshot:

  • Login to the same place, select the required snapshot and click Revert.

 

Backup

The SecurePlatform backup utility described below backs up your Check Point configuration and your networking/OS system parameters (such as routing).

  • The backup utility can be used to back up both your firewall and management modules.
  • The resulting file will be smaller than the one generated by snapshot, but still pretty big.
  • Backup does not include the drivers and can be restored to a different machine (unlike snapshot). However, it is recommended to restore a backup to the same machine, since it includes information such as the MAC addresses of the NIC interfaces. (Note: Because the MAC addresses are restored as well, customers should be advised, before restoring, to make a note of the original MAC addresses on the new box (or get them from dmesg), so that they can be changed later on.)
  • You can only restore it to the same OS, same Check Point version and patch level.

Note: Gaia's Backup feature allows backing up the configuration of the Gaia OS and of the Security Management server database, or restoring a previously saved configuration. See sk91400 - System Backup and Restore feature in Gaia.

Backup via CLI on Open Server / UTM-1 and Power-1 appliances

To make a backup

From the command line, run backup

  • Running backup without any flags will use default backup settings and put the file in /var/CPbackup/backups

    Note - On UTM-1 and Power-1 appliances, the location will be /var/log/CPbackup/backups

  • You can use additional flags to designate a different file name, or select a TFTP/FTP server.
  • Run 'backup -h' for help or to list the flags.

Note - Performing a backup can take a long time and could interrupt your services. It is therefore recommended to run backups during a maintenance window.

On Open Servers:

On UTM-1 and Power-1 and Smart-1 appliances:

 

Restoring from a backup

Important: You can only restore a backup to the same OS, same Check Point version and patch level, i.e. installed hotfixes.

The restore command restores the system from a backup file.

To restore from a backup:

From the command line, run restore

  • Run 'restore -h' for help.

 

Backup via WebUI on UTM-1 and Power-1 appliances

It is also possible to create a backup from the WebUI.

To make a backup:

  1. Open Internet Explorer web browser and login to https://IP_address_of_appliance:4434
  2. From the Appliance menu, select Backup and Restore.

  3. Select a device from the option buttons shown and click Apply.
  4. You can either perform the backup now or you can create a schedule for a backup.

 

migrate export and migrate import

The 'migrate export' tool backs up all Check Point configurations, independent of hardware, OS or Check Point version, but does not include OS information.
You can use this utility to back up the Check Point configuration on the management station.
If you change the Check Point version, you can only go up; in other words, you can upgrade but not downgrade.
The file will be much smaller (depending on the size of your policy), and if the system is not running on a highly loaded CPU, you can do a backup on a live system without interrupting services.
 

Scheduling

As listed in the help of the migrate tool, the export can be executed non-interactively, for automatic scheduling, by using the -n flag.

./migrate export -help

Use the migrate utility to export and import Check Point Security Management Server database.

Usage: migrate <ACTION> [OPTIONS] <FILE>

Action (required parameter):

export - exports database.

import - imports database.

Options (optional parameters):

-l - Export/import SmartView Tracker logs.

Note: only closed logs are exported/imported.

-n - Run non-interactively

Note - When migrating between 2 different major versions, you should use Migration Tool of the higher version - i.e., when upgrading from R71 to R75, "R75 Management Server migration tools" should be used on R71.

Clarification: 

There is one binary that, for historic reasons, exists on the machine under 3 different names:

  • migrate
  • upgrade_export
  • upgrade_import

As of R80.20, the last two names will be removed from the ISO, and only the binary named migrate will remain. 

On SecurePlatform and Linux

To export:

# cd $FWDIR/bin/upgrade_tools
# ./upgrade_export filename

To import:

# cd $FWDIR/bin/upgrade_tools
# ./upgrade_import filename

Note - upgrade_import will stop Check Point services.

 

On Windows

To export:

# cd %FWDIR%\bin\upgrade_tools
# upgrade_export filename

To import:

# upgrade_import filename

Additional backup issues

Database Revision Control

This utility creates a version of your current policies, object database, IPS updates, etc. It is useful for minor changes or edits that you perform in SmartDashboard.

It cannot be used to restore your system in case of failure.

To perform database revision control:

In SmartDashboard -> 'File' menu -> Database Revision Control -> Create

You can also create a version upon every policy installation.

 

Routing and interface information

The following information is useful to have on hand as a reference, if you are attempting to restore a configuration, especially if your gateway module has a heavy routing table.

  • Copy of /etc/sysconfig/netconf.C
  • Copy of your routing and interface information

To create a copy of your routing and interface information:

# netstat -rn > routes.txt
# ipconfig -a > ipconfig.txt
# ifconfig > ifconfig.txt

Notes:

  • The '>' operator creates those txt files by redirecting each command's output to the file you name. If you specify only a file name rather than a full path, the file is saved in the folder you are currently in.
  • ipconfig /all > ipconfig.txt is the correct command for Windows.

Recommended backup schedule

  • Snapshot - at least once, or before major change (for example: an upgrade), during a maintenance window.
  • Backup - every couple of months, depending how frequently you perform changes in your network/policy. Also before every major change, during a maintenance window.
  • upgrade_export - every month or more often, depending on how frequently you perform changes in your network/policy. Also important before upgrade or migration. Can be run outside a maintenance window.

Verifying the procedure

We always recommend periodically testing your backups for possible corruption issues, or just to practice the restore process.

For this purpose, it is not possible to use snapshots. However you can use backup and upgrade_export.
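
The scheduling and verification advice above, combined in an added example (not Check Point code): it runs the non-interactive export described under Scheduling, writes a SHA-256 manifest beside each export, and re-checks stored exports for corruption. The export directory, the file prefix and the presence of sha256sum on the host are assumptions.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumed: EXPORT_DIR, the mgmt_export_
# prefix, and that sha256sum exists on the host (substitute md5sum if not).
EXPORT_DIR="${EXPORT_DIR:-/var/log/mgmt_exports}"   # assumed location

# Write <file>.sha256 next to an export so later corruption is detectable.
record_checksum() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Succeeds only if the manifest exists and the file still matches it.
verify_checksum() {
    [ -f "$1.sha256" ] || return 2
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Non-interactive export for a scheduled job. The export holds the whole
# management database, so it is created readable by its owner only.
run_export() {
    umask 077
    mkdir -p "$EXPORT_DIR" || return 1
    out="$EXPORT_DIR/mgmt_export_$(date +%Y%m%d)"
    ( cd "$FWDIR/bin/upgrade_tools" && ./migrate export -n "$out" ) || return 1
    # The tool may append an archive extension, so match by prefix.
    for f in "$out"*; do
        case "$f" in *.sha256) continue ;; esac
        if [ -f "$f" ]; then record_checksum "$f"; fi
    done
}

# Check every stored export; list the ones that must not be used for an import.
verify_all() {
    bad=0
    for f in "$EXPORT_DIR"/mgmt_export_*; do
        case "$f" in *.sha256) continue ;; esac
        [ -f "$f" ] || continue
        verify_checksum "$f" || { echo "FAILED: $f"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# Entry point: "export" for the scheduled job, "verify" for the periodic check.
case "${1:-}" in
    export) run_export ;;
    verify) verify_all ;;
esac
```

A matching checksum only shows that the file is unchanged since export; it does not replace a periodic test import on a lab machine.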

 


 

Related Solutions and Documentation:

Applies To:
  • This SK replaces sk42329
  • Text from sk105385 relevant to SecurePlatform is presented in sk54100
