topic AWS PAYG Security Management Server Backup in API / CLI Discussion

AWS PAYG Security Management Server Backup

jwayne5000 — Thu, 22 Feb 2024 15:51:42 GMT

Hello,

We are trying to backup our Check Point Security Management Server at regular intervals via a scheduled script (or better solution if it exists?). We are using the Check Point Security Management Server appliance from the AWS Marketplace and are using the PAYG licensing model. We are also running version R81.20.

Question:

Can we use the Management API to export the management database? I found this API call which appears to be very similar to the migrate_server export CLI command:

https://sc1.checkpoint.com/documents/latest/APIs/#web/export-management~v1.9.1%20

The one thing I'm not sure of is licensing - I don't see an option to exclude licenses. Since we are on PAYG, we have to exclude the license on export/import when using the migrate_server command (although I think the exclude license option is only on the import side now). In the past, I have successfully upgraded our SMS from version R81.10 to R81.20 using the migrate_server export/import commands successfully.

This SK mentions using migrate_server but I didn't see anything for using the Management API:

How to back up Security Gateways and Security Management Servers deployed in a Public Cloud (Azure, AWS, GCP, OCI)

https://support.checkpoint.com/results/sk/sk169814

This SK notes the importance of excluding the license on export/import if you are on PAYG licensing model:

How to perform Advanced Upgrade for CloudGuard Management version in AWS, Azure, or GCP (Side-by-Side upgrade)

https://support.checkpoint.com/results/sk/sk155632

Re: AWS PAYG Security Management Server Backup

jwayne5000 — Tue, 12 Mar 2024 14:07:10 GMT

Is this something I should open a support ticket for?

Re: AWS PAYG Security Management Server Backup

Amir_Senn — Tue, 12 Mar 2024 15:05:33 GMT

Try to use GAIA API for run-script:

https://sc1.checkpoint.com/documents/latest/GaiaAPIs/index.html#cli/run-script~v1.7%20

You can execute commands.

Another solution, you can add a script that does that, add it to script repository on the MGMT and use it from repository.

Also, we have a dedicated solution for scheduled snapshot management if it helps you.

Re: AWS PAYG Security Management Server Backup

PhoneBoy — Tue, 12 Mar 2024 15:20:30 GMT

The management API does allow export/import of configuration similar to migrate_server.
However, I don't see an option to exclude the export/import of licensing using the API or if the licensing even comes across as part of this process.
Paging @Omer_Kleinstern

Re: AWS PAYG Security Management Server Backup

sorinstf — Thu, 14 Mar 2024 19:38:17 GMT

I'm using a scheduled script to backup MDS r81.20 running on an AWS EC2 instance (BYOL in our case). it was created using

mds_backup -b -d DESTINATIONFOLDER -l

and then it uploads it to S3.

-b Batch mode - executes without asking anything.
-d <Target Directory>
Specifies the output directory.
If not specified explicitly, the backup file is saved to the current directory.

Tip : check this out! you already have a script on the Cloudguard instance to connect to S3 bucket.

[Expert@mds:0]# /usr/bin/s3
usage: s3 [-h] [-i] [-k KMS-KEY-ID] [-r REGION] [-p] [-s DURATION[:METHOD]]
PATH [DATA]

Does anyone have a script to backup security logs for a defined period? let's say script to check and archive logs created in the past 90 days, then ship them to a remote location?

Re: AWS PAYG Security Management Server Backup

PhoneBoy — Thu, 14 Mar 2024 20:08:19 GMT

The Linux "find" command can pull out files older than X days and can execute commands based on the result.
The following is a single line that will automatically back up any files older than 90 days via scp to a system:

find $FWDIR/log/*.log* $FWDIR/log/*.adtlog* -mtime +90 -exec /bin/scp {} myuser@192.0.2.33:/disk/mybackup \;