jwayne5000
Explorer

AWS PAYG Security Management Server Backup

Hello,

We are trying to back up our Check Point Security Management Server at regular intervals via a scheduled script (or better solution if it exists?). We are using the Check Point Security Management Server appliance from the AWS Marketplace and are using the PAYG licensing model. We are also running version R81.20.

 

Question:

Can we use the Management API to export the management database? I found this API call which appears to be very similar to the migrate_server export CLI command:

https://sc1.checkpoint.com/documents/latest/APIs/#web/export-management~v1.9.1%20

The one thing I'm not sure of is licensing - I don't see an option to exclude licenses. Since we are on PAYG, we have to exclude the license on export/import when using the migrate_server command (although I think the exclude license option is only on the import side now). In the past, I have successfully upgraded our SMS from version R81.10 to R81.20 using the migrate_server export/import commands successfully.

 

This SK mentions using migrate_server but I didn't see anything for using the Management API:

How to back up Security Gateways and Security Management Servers deployed in a Public Cloud (Azure, AWS, GCP, OCI)

https://support.checkpoint.com/results/sk/sk169814

 

This SK notes the importance of excluding the license on export/import if you are on PAYG licensing model:

How to perform Advanced Upgrade for CloudGuard Management version in AWS, Azure, or GCP (Side-by-Side upgrade)

https://support.checkpoint.com/results/sk/sk155632

 

0 Kudos
5 Replies
jwayne5000
Explorer

Is this something I should open a support ticket for?

0 Kudos
Amir_Senn
Employee

Try to use GAIA API for run-script:

https://sc1.checkpoint.com/documents/latest/GaiaAPIs/index.html#cli/run-script~v1.7%20

You can execute commands.

Another solution: you can add a script that does that, add it to the script repository on the MGMT, and use it from the repository.

Also, we have a dedicated solution for scheduled snapshot management if it helps you.

Kind regards, Amir Senn
0 Kudos
PhoneBoy
Admin

The management API does allow export/import of configuration similar to migrate_server.
However, I don't see an option to exclude the export/import of licensing using the API or if the licensing even comes across as part of this process.
Paging @Omer_Kleinstern

0 Kudos
sorinstf
Participant

I'm using a scheduled script to back up MDS R81.20 running on an AWS EC2 instance (BYOL in our case). It was created using

mds_backup -b -d DESTINATIONFOLDER -l

and then it uploads it to S3.

-b Batch mode - executes without asking anything.
-d <Target Directory> Specifies the output directory. If not specified explicitly, the backup file is saved to the current directory.

Tip: check this out! You already have a script on the CloudGuard instance to connect to an S3 bucket.

[Expert@mds:0]# /usr/bin/s3
usage: s3 [-h] [-i] [-k KMS-KEY-ID] [-r REGION] [-p] [-s DURATION[:METHOD]]
PATH [DATA]

 

Does anyone have a script to back up security logs for a defined period? Let's say a script to check and archive logs created in the past 90 days, then ship them to a remote location?



 

0 Kudos
PhoneBoy
Admin

The Linux "find" command can pull out files older than X days and can execute commands based on the result.
The following is a single line that will automatically back up any files older than 90 days via scp to a system:

find $FWDIR/log/*.log* $FWDIR/log/*.adtlog* -mtime +90 -exec /bin/scp {} myuser@192.0.2.33:/disk/mybackup \;

 

0 Kudos
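The find-based approach in the reply above, expanded into a script that bundles the aged log files into one owner-only archive with a SHA-256 checksum so the copy can be verified before any source file is removed. This is an added example, not code from any poster in this thread; the function names and the staging directory are assumptions, and it relies on GNU find, tar and sha256sum.

```bash
#!/bin/bash
# Added example (not from the thread): archive aged log files with a checksum.
# Function names, the staging directory and the backup host are assumptions.
set -eu

# select_old_logs DIR DAYS
# Writes the NUL-separated base names of regular files in DIR that match the
# globs from the one-liner (*.log*, *.adtlog*) and are older than DAYS days.
select_old_logs() {
    find "$1" -maxdepth 1 -type f \( -name '*.log*' -o -name '*.adtlog*' \) \
        -mtime +"$2" -printf '%f\0'
}

# archive_old_logs DIR DAYS OUTDIR
# Creates OUTDIR/logs-older-than-<DAYS>d-<date>.tar.gz plus a .sha256 file and
# prints the archive path. Prints nothing when no file qualifies.
# Source files are never deleted here.
archive_old_logs() (
    umask 077                                   # logs are sensitive: owner-only
    mkdir -p "$3"
    name="logs-older-than-${2}d-$(date +%Y%m%d).tar.gz"
    list=$(mktemp)
    select_old_logs "$1" "$2" > "$list"
    [ -s "$list" ] || { rm -f "$list"; exit 0; }
    tar -C "$1" --null --files-from="$list" -czf "$3/$name"
    rm -f "$list"
    ( cd "$3" && sha256sum "$name" > "$name.sha256" )
    printf '%s\n' "$3/$name"
)

# verify_archive ARCHIVE
# Checks ARCHIVE against its .sha256 file; run it on the receiving side too.
verify_archive() (
    cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256"
)

# ship_archive ARCHIVE DEST
# Copies archive and checksum, e.g. DEST=myuser@192.0.2.33:/disk/mybackup
ship_archive() {
    scp -p "$1" "$1.sha256" "$2"
}

# Stand-alone use: script.sh "$FWDIR/log" 90 /var/tmp/log-staging
if [ "$#" -eq 3 ]; then
    archive_old_logs "$1" "$2" "$3"
fi
```

Run verify_archive against the copy on the backup host before pruning anything from $FWDIR/log, since a truncated transfer otherwise goes unnoticed.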
