Friday, December 25, 2009

Check Point NG backup, recovery, and upgrade procedures

Note: The backup and recovery procedures presented below work only if both Management Servers run the same OS. All actions presented below are performed on the Management Server (SmartCenter Server) only.
BACKUP



1. Back up the following files:

$FWDIR/conf/objects_5_0.C

$FWDIR/conf/rulebases_5_0.fws

$FWDIR/conf/fgrulebases_5_0.fws (if FloodGate-1 is used)

$FWDIR/conf/slprulebases_5_0.fws

$FWDIR/conf/fwauth.NDB
Note: On Windows machines the fwauth.NDB file is only a pointer to the real user database file, for example fwauth.NDB145. In that case take the real database file (fwauth.NDB145) and save it under the name fwauth.NDB.

2. The ICA- and SIC-related files that must be copied are:

$FWDIR/conf/InternalCA.*

$FWDIR/conf/ICA*.*

$CPDIR/conf/sic_cert.p12

3. In addition to the files above, you also need to back up, and later import on the target machine, the following:

(Unix)

/opt/CPshared/registry/HKLM_registry.data

Note: Copy everything under 'SIC'.

(Windows)

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\SIC

Note: Export this key and then import it on the target machine.

4. From NG FP2 onward, also copy all files from:

$FWDIR/conf/crls


RECOVERY

1. Install a new FireWall-1 NG Management Server (same OS as the original, see the note above).

2. Stop the FireWall-1 NG Management Server (cpstop).

3. Copy the backed-up files into $FWDIR/conf and $CPDIR/conf respectively, and restore the registry data as described above.

4. Start the FireWall-1 Management Server (cpstart).
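The backup and recovery steps above, as an added shell example (written for this page; it is not from the original post and not a Check Point tool). It copies the files listed in the BACKUP section into one directory, records a checksum manifest so a corrupted or altered backup is refused at restore time, and copies the files back for recovery. It assumes the Unix layout from the post ($FWDIR/conf, $CPDIR/conf, /opt/CPshared/registry) and treats objects_5_0.C, rulebases_5_0.fws, fwauth.NDB, sic_cert.p12 and HKLM_registry.data as required; the function names cp_backup, cp_verify and cp_restore are this example's own. The Windows fwauth.NDB pointer case and the registry export are not handled, and cpstop/cpstart are not run: stop the services around a restore.

```bash
#!/bin/sh
# Added example, not from the original post and not a Check Point tool.
# cp_backup copies the Management Server files into a backup directory and
# records a checksum manifest; cp_verify checks the manifest; cp_restore
# copies the files back. Assumes the Unix layout from the post.

# Checksum every file under a backup directory, in a stable order.
cp_manifest() {
    (cd "$1" && find . -type f ! -name MANIFEST | LC_ALL=C sort | xargs cksum)
}

# cp_backup FWDIR CPDIR SHARED DEST
#   Required files fail the backup when missing; optional ones are skipped.
cp_backup() {
    fwdir=$1; cpdir=$2; shared=$3; dest=$4; rc=0
    # The backup holds the ICA private key and the SIC certificate:
    # keep the backup directory readable by its owner only.
    umask 077
    mkdir -p "$dest/fwconf/crls" "$dest/cpconf" "$dest/registry" || return 1
    # Objects database, rulebases and user database (required).
    for f in objects_5_0.C rulebases_5_0.fws fwauth.NDB; do
        if [ -f "$fwdir/conf/$f" ]; then
            cp -p "$fwdir/conf/$f" "$dest/fwconf/" || rc=1
        else
            echo "cp_backup: required file missing: $fwdir/conf/$f" >&2; rc=1
        fi
    done
    # FloodGate-1 rulebase (when used) and slprulebases, copied when present.
    for f in fgrulebases_5_0.fws slprulebases_5_0.fws; do
        [ -f "$fwdir/conf/$f" ] && cp -p "$fwdir/conf/$f" "$dest/fwconf/"
    done
    # ICA store and index files, plus CRLs (NG FP2 and later).
    for f in "$fwdir"/conf/InternalCA.* "$fwdir"/conf/ICA*.*; do
        [ -f "$f" ] && cp -p "$f" "$dest/fwconf/"
    done
    for f in "$fwdir"/conf/crls/*; do
        [ -f "$f" ] && cp -p "$f" "$dest/fwconf/crls/"
    done
    # SIC certificate of the management server and the SIC registry data.
    if [ -f "$cpdir/conf/sic_cert.p12" ]; then
        cp -p "$cpdir/conf/sic_cert.p12" "$dest/cpconf/" || rc=1
    else
        echo "cp_backup: required file missing: $cpdir/conf/sic_cert.p12" >&2; rc=1
    fi
    if [ -f "$shared/registry/HKLM_registry.data" ]; then
        cp -p "$shared/registry/HKLM_registry.data" "$dest/registry/" || rc=1
    else
        echo "cp_backup: required file missing: $shared/registry/HKLM_registry.data" >&2; rc=1
    fi
    [ "$rc" -eq 0 ] || return 1
    cp_manifest "$dest" > "$dest/MANIFEST"
}

# cp_verify DEST: succeed only if every file still matches the manifest.
cp_verify() {
    [ -f "$1/MANIFEST" ] && cp_manifest "$1" | cmp -s - "$1/MANIFEST"
}

# cp_restore DEST FWDIR CPDIR SHARED
#   Run between cpstop and cpstart on the freshly installed server.
cp_restore() {
    src=$1; fwdir=$2; cpdir=$3; shared=$4
    cp_verify "$src" || { echo "cp_restore: $src fails verification" >&2; return 1; }
    mkdir -p "$fwdir/conf/crls" "$cpdir/conf" "$shared/registry" || return 1
    for f in "$src"/fwconf/*; do
        [ -f "$f" ] && cp -p "$f" "$fwdir/conf/"
    done
    for f in "$src"/fwconf/crls/*; do
        [ -f "$f" ] && cp -p "$f" "$fwdir/conf/crls/"
    done
    cp -p "$src/cpconf/sic_cert.p12" "$cpdir/conf/" &&
        cp -p "$src/registry/HKLM_registry.data" "$shared/registry/"
}
```

Typical use is cp_backup "$FWDIR" "$CPDIR" /opt/CPshared /var/backups/smartcenter-$(date +%F) on the old server, then, after cpstop on the new one, cp_restore with the same three directories followed by cpstart. cksum is a CRC, so the manifest catches corruption and accidental edits, not a deliberate attacker; keep the backup on media the attacker cannot reach, since it contains the ICA key material.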



TROUBLESHOOTING

Manual policy file compilation (compile the policy's .W file; this is also the fix when copied rules do not appear in the GUI)

(Unix)

fwm -g <policy>.W

(Windows)

fw m -g <policy>.W



Internal Certificate Authority database reset

1. fw sic_reset

Note: On FP2 and above the command is 'fwm sic_reset'. If the firewall object has IKE certificates defined, they must be deleted first (in the Policy Editor or by hand in objects_5_0.C). Resetting the ICA invalidates the SIC certificates of every managed module, so trust has to be re-established with each module afterwards.

2. Re-initialize the Internal Certificate Authority (cpconfig, Certificate Authority option).

3. Restart Check Point services (cpstart).



Restoration of a corrupted rulebases file

1. Run 'cpstop'.

2. Back up $FWDIR/conf/objects_5_0.C.

3. Run $FWDIR/bin/fw cpmi_upgrade (it creates a new rulebases_5_0.fws from rulebases.fws).

4. Copy the backed-up objects_5_0.C back to $FWDIR/conf.

5. Run 'cpstart'.



TIPS FOR MIGRATING FIREWALL-1 CONFIGURATION TO A DIFFERENT PLATFORM OR SOFTWARE VERSION


Note: All actions presented below are performed on the Management Server only.



*network objects*

merge the old objects into the new configuration:

fw confmerge old_objects_5_0.C new_objects_5_0.C > objects_5_0.C

where:

- old_objects_5_0.C - objects from old system

- new_objects_5_0.C - objects from new installed system

- objects_5_0.C - target objects database ($FWDIR/conf/objects_5_0.C)



*users*

on the old system export the user database to a file:

fwm dbexport -f filename.txt

on the new system recreate the user groups manually

on the new system import the user database from that file:

fwm dbimport -r -m -f filename.txt



*security policy*

copy the rulebases.fws file or the *.W policy files

Note: If the rules are not visible in the GUI, compile the *.W policy files as described above. It is also reasonable to recreate the rules manually in the Policy Editor.

*diagnose*

fw checkobj





NG UPGRADE PROCEDURE FROM 4.1 VERSION

1. Run the Upgrade Verifier Utility (pre-upgrade verifier); it can be downloaded from the Check Point web site.

2. On a new machine install VPN-1/FireWall-1 NG (e.g. FP1, FP2 or FP3).

3. Download upgrade.4.3.tgz from the Check Point web site and extract it on the new firewall machine. Then verify that the required FPx directory was created (e.g. upgrade/FP3); if not, create it manually.

4. Place the following 4.1 files under upgrade/4.1:

a. objects.C

b. fwauth.NDB

Note: On Windows machines this file is only a pointer to the real database file, e.g. fwauth.NDB144. In that case take the real database file (fwauth.NDB144), rename it to fwauth.NDB and put it in the \upgrade\4.1 directory.

c. rulebases.fws

d. fgrulebases.fws (if FloodGate-1 is installed)

5. Stop FireWall-1 (cpstop).

6. Change to the /upgrade directory and run:

(Windows)

upgrade.bat \upgrade FP3 4.1 (upgrade from 4.1 to FP3)

(Unix)

upgrade.csh /upgrade FP3 4.1 (upgrade from 4.1 to FP3)

7. Start FireWall-1 (cpstart).

8. Run the Upgrade Verifier Utility (post-upgrade verifier); it can be downloaded from the Check Point web site.

Additional notes:

1. The upgrade script backs up every file it modifies into the /upgrade/backup/ directory.

2. If you are moving from a Windows machine to Unix, run dos2unix (a UNIX command) on objects.C and rulebases.fws before the upgrade.

3. To keep other configuration files (e.g. gui-clients, masters), copy the following files from the 4.1 system's $FWDIR/conf directory to the NG system's $FWDIR/conf:

- xlate.conf,

- aftpd.conf,

- smtp.conf,

- sync.conf,

- masters,

- clients,

- fwmusers,

- gui-clients,

- slapd.conf,

- serverkeys,

- product.conf.
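Steps 3 and 4 of the upgrade procedure and additional notes 2 and 3, as an added shell example (written for this page; not from the original post and not part of Check Point's upgrade kit). stage_41_upgrade builds the upgrade/FPx and upgrade/4.1 directories, copies the four 4.1 files in, strips CRLF line endings when the files come from Windows (the dos2unix step, done here with tr so the example is self-contained), handles the Windows fwauth.NDB pointer by taking the real database file name as an argument, and refuses to proceed if a required file is missing, empty or still carries CR characters; copy_41_extras carries over the auxiliary files from note 3. The function names, the yes/no FROM_WINDOWS flag and the "real database" argument are this example's own; upgrade.csh itself and cpstop/cpstart are not run.

```bash
#!/bin/sh
# Added example, not from the original post and not a Check Point tool.
# Prepares and checks the /upgrade staging tree before cpstop and
# upgrade.csh are run. File names follow the post's 4.1 layout.

# stage_41_upgrade SRC_CONF UPGRADE_DIR FP FROM_WINDOWS [REAL_NDB]
#   SRC_CONF     the old 4.1 $FWDIR/conf
#   UPGRADE_DIR  where upgrade.4.3.tgz was extracted (the /upgrade tree)
#   FP           target feature pack directory, e.g. FP3
#   FROM_WINDOWS yes|no; when yes, CRLF endings are stripped from
#                objects.C and rulebases.fws (what dos2unix would do)
#   REAL_NDB     optional: the real file behind a Windows fwauth.NDB pointer
stage_41_upgrade() {
    src=$1; up=$2; fp=$3; fromwin=$4; realndb=${5:-fwauth.NDB}
    mkdir -p "$up/$fp" "$up/4.1" || return 1
    # Required text files; fail before cpstop if one is missing.
    for f in objects.C rulebases.fws; do
        if [ ! -f "$src/$f" ]; then
            echo "stage_41_upgrade: missing $src/$f" >&2; return 1
        fi
        if [ "$fromwin" = yes ]; then
            tr -d '\r' < "$src/$f" > "$up/4.1/$f" || return 1
        else
            cp -p "$src/$f" "$up/4.1/$f" || return 1
        fi
    done
    # User database: the real file is staged under the name fwauth.NDB.
    if [ ! -f "$src/$realndb" ]; then
        echo "stage_41_upgrade: missing user database $src/$realndb" >&2; return 1
    fi
    cp -p "$src/$realndb" "$up/4.1/fwauth.NDB" || return 1
    # FloodGate-1 rulebase only when that product is installed.
    if [ -f "$src/fgrulebases.fws" ]; then
        cp -p "$src/fgrulebases.fws" "$up/4.1/fgrulebases.fws" || return 1
    fi
    # Final check: staged files are non-empty and the text files carry no
    # CR characters, which the Unix upgrade script would choke on.
    for f in objects.C rulebases.fws fwauth.NDB; do
        [ -s "$up/4.1/$f" ] || { echo "stage_41_upgrade: $f is empty" >&2; return 1; }
    done
    for f in objects.C rulebases.fws; do
        if [ "$(tr -cd '\r' < "$up/4.1/$f" | wc -c | tr -d ' ')" != 0 ]; then
            echo "stage_41_upgrade: $f still has CRLF line endings" >&2; return 1
        fi
    done
    echo "staged: run cpstop, then $up/upgrade.csh $up $fp 4.1, then cpstart"
}

# copy_41_extras SRC_CONF NG_CONF
#   Carries over the auxiliary 4.1 files listed in note 3 that the upgrade
#   script does not convert; prints how many were copied.
copy_41_extras() {
    src=$1; dst=$2; n=0
    for f in xlate.conf aftpd.conf smtp.conf sync.conf masters clients \
             fwmusers gui-clients slapd.conf serverkeys product.conf; do
        if [ -f "$src/$f" ]; then
            cp -p "$src/$f" "$dst/$f" || return 1
            n=$((n + 1))
        fi
    done
    echo "$n"
}
```

For a Windows 4.1 source copied over to the Unix NG box, a typical call is stage_41_upgrade /mnt/old41/conf /upgrade FP3 yes fwauth.NDB144, followed by copy_41_extras /mnt/old41/conf "$FWDIR/conf" after the upgrade has completed. Running with FROM_WINDOWS set to no on files that still contain CRLF is rejected by the final check rather than silently staged.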
