RCordova
Participant

Running script in production. Backup or Snapshot?

I need to add over 200 new IP objects to our management station. I have tested my script in a non-prod environment and it works fine but I'm still a little reluctant to run it on our production mgmt station. As a precaution should I backup or take a snapshot before running the script?

0 Kudos
11 Replies
Kaspars_Zibarts
Authority

If you feel "reluctant", then best is to backup or snapshot. Alternatively, do not publish changes with script, verify manually before publishing, thus you have an option to discard! 🙂 Can always try to revert revision too. So you do have options 🙂
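
The stage-then-verify approach suggested above, as an added example that is not part of the original post: the object list is validated offline and turned into `mgmt_cli add host` commands, with publish and discard left as manual steps. It assumes the script drives the management API through `mgmt_cli` with a session file (`sid.txt`, hypothetical) from an earlier `mgmt_cli login`; the CSV layout and host names are constructed.

```python
import csv
import io
import ipaddress
import shlex

# Constructed sample input (name,ip); not data from the thread.
SAMPLE_CSV = """name,ip
host-web-01,192.0.2.10
host-web-02,192.0.2.11
host-db-01,192.0.2.300
host-web-01,192.0.2.12
host-app-01,192.0.2.11
"""

def plan_hosts(csv_text, session_file="sid.txt"):
    """Validate rows offline; return (commands, rejected). Sends nothing."""
    commands, rejected = [], []
    seen_names, seen_ips = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, ip = row["name"].strip(), row["ip"].strip()
        try:
            addr = str(ipaddress.ip_address(ip))
        except ValueError:
            rejected.append((name, ip, "invalid IP"))
            continue
        if name in seen_names:
            rejected.append((name, ip, "duplicate name"))
            continue
        if addr in seen_ips:  # conservative choice: flag for human review
            rejected.append((name, ip, "duplicate IP"))
            continue
        seen_names.add(name)
        seen_ips.add(addr)
        commands.append(f"mgmt_cli add host name {shlex.quote(name)} "
                        f"ip-address {addr} -s {shlex.quote(session_file)}")
    return commands, rejected

def render_batch(commands, rejected, session_file="sid.txt"):
    """Build the batch text; publish/discard stay manual, commented out."""
    if rejected:
        raise ValueError(f"{len(rejected)} row(s) rejected; fix the input first")
    tail = ["# Verify the staged objects, then run ONE of these by hand:",
            f"#   mgmt_cli publish -s {session_file}",
            f"#   mgmt_cli discard -s {session_file}"]
    return "\n".join(commands + tail)

if __name__ == "__main__":
    cmds, bad = plan_hosts(SAMPLE_CSV)
    print("REJECTED:", bad)
    print(render_batch(cmds, []))
```

Because the batch never publishes on its own, a bad run is undone with a discard of the session rather than a restore.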

the_rock
Champion

I honestly can't recall the last time I ever told anyone to do a snapshot, always backup. But, if you are reluctant and worried, then maybe do both, just to be on the safe side. The link below might help clear up any differences/confusion.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Andy

0 Kudos
Timothy_Hall
Champion

A backup should be plenty, I always download the backup file off the system via browser beforehand just in case something strange happens.  A snapshot is an image of the whole system other than Firewall Traffic Logs & the SmartEvent database; I think it is pretty unlikely that running your script will corrupt the underlying Gaia OS in which case a snapshot would be needed to recover.  Snapshots are normally employed prior to in-place upgrades (especially between major code versions) where the chances of the upgrade failing and leaving the system in a corrupt state are nonzero.

"Max Capture: Know Your Packets" Self-Guided Video Series
available at http://www.maxpowerfirewalls.com
0 Kudos
RCordova
Participant

Thanks all for the replies. I will just go with a backup. Appreciate the feedback.

0 Kudos
HeikoAnkenbrand
Champion

Hi @RCordova,

The statement does not apply 100% to your case.

Backup -> If you want to change the hardware of the system.  -> Restore should be performed under the same GAIA software R8x.x + same JHF.

Snapshot -> If you want to use the same hardware. -> Restore should be performed under the same hardware.

Migrate Export vs. Migrate Server Export -> If you want to back up the "Management Server Database" -> Restore the Check Point database and all management server files (table.def, user.def,...) on the same SW + JHF release.

I would use a snapshot or a migrate server export here. Snapshot is the easiest way if you have destroyed your management server;-)

clish > add snapshot <snapshot name>

If something goes wrong with your script:

clish > set snapshot revert <snapshot name>

0 Kudos
genisis__
Advisor

I agree.

We do backups as a matter of routine, however if I'm doing ad hoc tasks such as HFA or adding objects via scripts, then I find it's pretty quick to do a migrate export.

I generally do a snapshot when doing major upgrades; as mentioned by Tim, store things offline if that is an option.

In fact if you can do a migrate export, then import into VM, test using the live data in a contained environment so you know the results.

0 Kudos
JozkoMrkvicka
Leader

As everything was clarified and should be clear, I will try to use this thread to ask one off-topic question to all of you:

We all are doing backups, snapshots, migrate exports, save configuration to the file...

Do you really TEST them? To restore backup, snapshot, migrate import, load configuration?

I mean, we are all paranoid in case of failure - that's the case we are doing these backup things...

But what in case we really need to perform rollback? Are you periodically testing backup methods in PRODUCTION?

Are we 100% sure that we can rely on these backup methods in production and are we sure they will be restored successfully?

Kind regards,
Jozko Mrkvicka
Ruan_Kotze
Advisor

We host customer environments with MDS, thus we do scheduled testing (every two weeks) in an offline environment.  We use CP backups, backups via hypervisor (MDS environment is virtualized) as well as DB exports.  We also use a fantastic little product called Unimus to do clish backups. 

Overkill perhaps, but it makes me sleep well at night and the resultant increase in effort is minimal.

I've had issues in high-pressure situations with snapshots (not the fault of the technology but a process error on our side) so whilst they work and have their place, it is not something we do as a rule currently. Of course it is still done automatically with major version upgrades.

A failure to restore our environment will have very severe financial and reputational impact for us, so we take this seriously.

_Val_
Admin

Very good point. Testing backups and snapshots periodically is a must, to make sure they are actionable. Very few people actually do.

JozkoMrkvicka
Leader

Some auditors may require evidence that you have successfully tested the backup restoration process (maybe even in production).

Kind regards,
Jozko Mrkvicka
0 Kudos
Kaspars_Zibarts
Authority

I do that often enough as we replicate production environment in the lab, so to get the latest MDS for example, I would do backup restore 🙂 

Gateways, not that often.. 🙂