topic When to perform Database update in checkpoint GW in Firewall and Security Management

When to perform Database update in checkpoint GW

RBS56505 — Sun, 30 May 2021 07:38:19 GMT

Hi All,

Im new to checkpoint and have some queries.

What are the few occasions when we need to perform database update ?

What are the few common changes we cannot perform on a GW through Management server if we have physical Gateway vs Virtual system.

I have come to know that route addition on vsx can be done via Smart dash board.

On Physical GW, we need to do it via cli or Gateway GUI

Re: When to perform Database update in checkpoint GW

PhoneBoy — Mon, 31 May 2021 02:47:49 GMT

What do you mean by "database update" exactly?
Screenshots of exactly what you're talking about might be helpful.

In general, there are a couple of differences between VSX and regular gateways:

You can't "reboot" a single VS (only the entire chassis)
If you need to make any changes to static routing, this is done via SmartConsole (dynamic routing can be configured via clish, I believe)
Any troubleshooting involving a VS means you need to switch into the VS context (vsenv X or set virtual-system X)
VSX gateway interface changes require disabling VSX mode temporarily (see https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92425)
You cannot manipulate VS objects with the API (some manipulation can be done with the vsx_provisioning_tool)
Some features are not supported on VSX: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk79700

There are possibly others, but those are the ones that immediately come to mind.

Re: When to perform Database update in checkpoint GW

RBS56505 — Mon, 31 May 2021 06:57:43 GMT

Hello Sir,

Thank you for your response.

First of all my used term is wrong. It should be "install database"

I dont have a a snapshot however let me give some background here.

We are migrating our checkpoint infrastructure to R80.30

As a interim steps, we are migrating all our existing infrastructure to a new R77.30.

Now while migrating one of the Mgt Server (managing 4 GWs) , there was OPSEC server(SKYBOX).

They did reset that communication for OPSEC server. My understanding is they initiated SIC from new Mgt Server.

Corresponding changes at SKYBOX is pending. (New CMA IP etc)

Now they kept saying that until we install updates this will not work.

My understanding is when we migrated to new Mgt server, we did install policy and that includes install database.

Am i wrong ?

Re: When to perform Database update in checkpoint GW

G_W_Albrecht — Mon, 31 May 2021 07:28:30 GMT

No - see Security Management R81 Administration Guide, e.g. p166:

Installing the User Database

When you make changes to user definitions through SmartConsole, they are saved to the user database on the Security Management Server. User authentication methods and encryption keys are also saved in this database. The user database does not contain information about users defined externally to the Security Gateway (such as users in external User Directory groups), but it does contain information about the external groups themselves (for example, on which Account Unit the external group is defined). Changes to external groups take effect only after the policy is installed, or the user database is downloaded from the Security Management Server.

You must choose to install the policy or the user database, based on the changes you made:

n Install the policy, if you modified additional components of the Policy Package (for example, added new Security Policy rules) that are used by the installation targets

n Install the user database, if you only changed the user definitions or the administrator definitions - from the Menu, select Install Database

The user database is installed on:

n Security Gateways - during policy installation

n Check Point hosts with one or more Management Software Blades enabled - during database installation

You can also install the user database on Security Gateways and on a remote server, such as a Log Server, from the command line interface on the Security Management Server.