topic Startup-Config Equivalent in Firewall and Security Management

Startup-Config Equivalent

Joshua_Wright — Mon, 19 Feb 2018 20:57:58 GMT

Does Check Point have an equivalent to the Cisco startup config that can be checked?

I understand that you can issue a "show configuration" to see what I understand to be the equivalent of the "show running-config" on a Cisco device.
I ask this as I know that you need to save the config in order for it to be kept in the event of a reboot and I would like to be able to monitor this status.

We use Solarwinds for our configuration monitoring on Cisco devices and that compares the Startup-config to the running-config to check if there are any unsaved changes and perform a diff on these. It would be nice if there was an equivalent way to do the same with the Check Points.

I understand that the "show config-state" command will show me if there are unsaved changes, but not allow me to compare those changes.

Any ideas?

Re: Startup-Config Equivalent

PhoneBoy — Tue, 20 Feb 2018 05:58:08 GMT

When you're using the WebUI, pretty much every change you make is saved automatically.

When you're using the CLI, there is an explicit "save config" step.

Which means, if you're trying to track configuration changes, you need to take a different approach.

The boot configuration is in /config/active.

If you want to see if this is changed at all, you should probably grab this periodically and diff it.

That should be pretty trivial.

If you want to see if the RUNNING configuration is different than the SAVED configuration, it's a bit more complicated.

The tool that will give you output that more closely matches what's in /config/active is a tool called dbget and it's described here: How to use dbget and dbset on Gaia OS

As far as I know, even with dbget, you can't dump the entire running config, only specific entries or specific trees.

However, using a bit of scripting, I imagine it's possible to pull out which items have changed configuration since the last save.

Re: Startup-Config Equivalent

Joshua_Wright — Thu, 22 Mar 2018 16:43:45 GMT

Thanks Dameon, the tracking of changes I have ok with Solarwinds NCM, it's just the startup vs running I am having an issue with.

Thanks for the heads up on the gbget tool - I wasn't aware of this. Unfortunately it doesn't look like it will accomplish what I am after without a lot of custom manipulation.

I think that I will just settle on checking the SNMP value to ensure that there are not unsaved changes.

Re: Startup-Config Equivalent

Hash1212 — Thu, 20 Jul 2023 04:29:35 GMT

Hi Team,

Is it possible to show , take backup and restore of both running and startup config from ansible in checkpoint? If possible, how can I achieve it?

Re: Startup-Config Equivalent

PhoneBoy — Thu, 20 Jul 2023 12:44:56 GMT

Ansible is used to describe the configuration you want, not to perform tasks like take a backup.
Backup best practices are: https://support.checkpoint.com/results/sk/sk108902
In practice, there are very few areas where the "running" config and the "saved" configuration will differ.