Richard_Friesen
Participant

Solutions for backup/restoring individual MDS Domains.

My team is fairly new to the Checkpoint world, and recently I made the mistake of removing a domain from MDS that had some configuration that we needed.  Our backup solution is provided by Veeam, and we were previously not doing mds_backup operations to backup our MDS environment.  Mistakes were made, fortunately no customer data was affected.


When I got on the phone with support, we came to the conclusion that restoring an individual domain is effectively impossible via the Checkpoint supported backup solution.  It's either recover ALL of MDS (including the logs assuming no MLM which we are currently in the process of quoting out) in the event that something goes very wrong on a domain, or nothing.  No individual domain level recovery in R80.10. 

In our environment, each domain will represent a separate customer, and we will be expected to backup and restore domain information without affecting other clients.  

An additional related fear is that certain larger clients will require us to offload backups of their config to their environment as a part of their disaster recovery plan, which currently we can't really do due to the apparent limitations of the backup solution provided.

I was wondering if anybody had any solutions to work around this limitation, or if anyone had some tips and tricks to backing up configuration so it can easily be restored via a 3rd party solution?  Scripts, etc, any advice is welcome.

Thanks!
Richard

20 Replies
Danny
Champion

In R77.30 a backup of each individual MDS could be created by accessing the specific upgrade_tools directory and executing ./migrate export

Example: /opt/CPmds-R77/customers/NAME_OF_CUSTOMER_DMS/CPsuite-R77/fw1/bin/upgrade_tools/

This should also work in R80.10 as sk120222 describes.

The correct path with R80.10 is: /opt/CPmds-R80/customers/NAME_OF_CUSTOMER_DMS/CPsuite-R80/fw1/bin/upgrade_tools/

Reference: R80 Advanced Upgrade and Database Migration

0 Kudos
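Danny's per-CMA export above is a manual step; to schedule it and to hand a verifiable copy to a customer for their own DR plan, it is worth wrapping. The following script is an added example, not code from the thread or from Check Point. It takes the R80.10 path pattern given above, runs each domain's own `migrate export` into a separate archive, and writes a SHA-256 manifest so every archive can be checked before it is copied off-box or handed to `migrate import`. Assumed and not stated in the thread: that the tool must be run inside the CMA's environment (`mdsenv <name>`, a Check Point shell helper the thread does not mention), and that `-n` makes `migrate` run without prompting; confirm both against sk120222 before putting this in cron. The `MDS_ROOT`, `BACKUP_DIR` and `MIGRATE_OPTS` variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): export every Domain
# Management Server (CMA) under an MDS into its own archive using that CMA's own
# migrate tool, then keep a SHA-256 manifest so each archive can be verified
# before it is copied off-box and later restored on its own with "migrate import".
#
# Assumed, not stated in the thread: migrate is run from its own upgrade_tools
# directory inside the CMA's environment ("mdsenv <name>"), and "-n" runs it
# non-interactively. Check both against sk120222 before scheduling on a real MDS.

MDS_ROOT="${MDS_ROOT:-/opt/CPmds-R80/customers}"   # path pattern from the thread
CP_SUITE="${CP_SUITE:-CPsuite-R80}"
BACKUP_DIR="${BACKUP_DIR:-/var/log/cma_exports}"   # example location, pick your own
MIGRATE_OPTS="${MIGRATE_OPTS:--n}"                  # add -l to include the domain's logs
DRY_RUN="${DRY_RUN:-0}"                             # 1 = print the commands, run nothing

# list_domains ROOT: one CMA name per line (every directory directly under ROOT)
list_domains() {
    for d in "$1"/*/; do
        [ -d "$d" ] && basename "$d"
    done
}

# migrate_path ROOT NAME: the CMA-specific migrate tool, following the thread's path
migrate_path() {
    printf '%s/%s/%s/fw1/bin/upgrade_tools/migrate\n' "$1" "$2" "$CP_SUITE"
}

# checksum_file FILE: hex SHA-256, using whichever tool the box provides
checksum_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | awk '{print $1}'
    else openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# export_domain NAME: write BACKUP_DIR/NAME-<utc stamp>.tgz and append it to the manifest
export_domain() {
    name="$1"
    tool="$(migrate_path "$MDS_ROOT" "$name")"
    if [ ! -x "$tool" ]; then
        echo "skip $name: no migrate tool at $tool" >&2
        return 1
    fi
    mkdir -p "$BACKUP_DIR"
    dest="$(cd "$BACKUP_DIR" && pwd)/$name-$(date -u +%Y%m%dT%H%M%SZ).tgz"
    if [ "$DRY_RUN" = 1 ]; then
        echo "mdsenv $name; cd $(dirname "$tool"); ./migrate export $MIGRATE_OPTS $dest"
        return 0
    fi
    # Subshell: select the CMA environment when mdsenv exists (i.e. on a real
    # MDS), then run migrate from its own directory. MIGRATE_OPTS is left
    # unquoted on purpose so it can carry several flags.
    (
        if command -v mdsenv >/dev/null 2>&1; then mdsenv "$name"; fi
        cd "$(dirname "$tool")" && ./migrate export $MIGRATE_OPTS "$dest"
    ) || { echo "export failed for $name" >&2; return 1; }
    [ -s "$dest" ] || { echo "no archive produced for $name" >&2; return 1; }
    printf '%s  %s\n' "$(checksum_file "$dest")" "$dest" >> "$BACKUP_DIR/manifest.sha256"
    echo "$dest"
}

# export_all: export every CMA independently; returns the number of failures
export_all() {
    failed=0
    for name in $(list_domains "$MDS_ROOT"); do
        export_domain "$name" || failed=$((failed + 1))
    done
    return "$failed"
}

# verify_manifest FILE: recompute each digest; non-zero if any archive changed or is missing
verify_manifest() {
    rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ] || [ "$(checksum_file "$path")" != "$want" ]; then
            echo "MISMATCH $path" >&2
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Usage from cron on the MDS: MDS_ROOT=... BACKUP_DIR=... sh cma_export.sh run
case "${1:-}" in
    run) export_all && verify_manifest "$BACKUP_DIR/manifest.sha256" ;;
esac
```

One failed domain does not stop the others, which is the point of per-domain archives: a bad export for one customer should never block the backup of the rest. The manifest is what you ship alongside an archive when a customer wants an offsite copy; they can re-run the same SHA-256 check on receipt.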
Richard_Friesen
Participant

When I got on the phone with support, our original restoration process used the upgrade tools method to export a CMA from a pre-oops copy of MDS, exported it off the copy MDS, then attempted to restore it to the live MDS.  

We did not have luck with this solution, but once we get our lab upgraded to R80.10 I'll give this process another shot to see if we have better luck with it there.

Thank you!

0 Kudos
Richard_Friesen
Participant

I should clarify, we need to separate out individual CMAs/domains in our backup and restore procedure, as that's how we're segmenting our customers from one another within MDS.  Currently there doesn't appear to be a supported process to do this in R80.10, and we really need either a viable supported method, or at least a supported workaround.

0 Kudos
PhoneBoy
Admin

You should be able to use migrate_export / migrate_import as Danny Jung‌ mentioned.

If you want to move between versions (except from R80 to R80.10), then it's important you use the migrate_export tools from the target version, not the source version.

If this isn't working for you, then we need a bit more details about what happens when you try and import the CMA into another MDS (e.g. to test recovery).

0 Kudos
Richard_Friesen
Participant

Is this verified for backing up and recovering strictly R80.10 domains inside of R80.10 MDS?  

I'm hoping for a yes, but in my specific instance we were not able to use the migrate_import/export tools successfully to recover an R80.10 domain, and restore it back into an R80.10 MDS.  

Off the top of my head, I don't remember exactly what all the issues I ran into were along the way, but if you say that process should work in R80.10 --> R80.10, I'll verify that the process works once our lab is upgraded to R80.10 before I report back with results. 

Thank you!

0 Kudos
PhoneBoy
Admin

I've seen nothing to suggest this won't work.

0 Kudos
Ofir_Shikolski
Employee Alumnus

0 Kudos
Richard_Friesen
Participant

My issue echoes what Dave Hoggan is running into in that thread, and the response he, and myself, have largely gotten is not one that I consider to be acceptable considering the caliber of the product we're working with.  There doesn't appear to be a good way to quickly and efficiently run a complete backup/restore of a single domain in the event of a catastrophic failure in R80.10, and my SE is now echoing these sentiments as well.  In terms of Checkpoint supported backup methods, it's either "mds_backup", and pull it all off, or nothing; the restoration procedure is the same.  Everything or nothing.  If you question why better backup functionality doesn't exist, you'll get the "just don't break our product and you won't need those backups" response, which simply isn't acceptable.  We need to be able to recover from any unforeseen issue we may have, be it user induced or otherwise, and being able to efficiently schedule and take complete, separate domain level backups for both logging and policy/objects is a very basic part of that disaster recovery procedure. 

 The feature you're mentioning there is nice if you need to roll back a rule, but it is not a "disaster recovery" solution, as we found out first hand.  My solution of a Veeam snapshot did work, but it's not a supported method, and I suspect that I may have caused some serious issues in MDS as a result of slapping a copy of the MDS VM over top the existing live MDS VM, considering everything is now database driven. 

I've been told that "MDS_Backup" is the only real Checkpoint supported backup feature I can to implement to ensure our policy/logging backups are taking place, but for several reasons I don't like how this tool requires us to operate. 
In terms of functionality of the solution, my major issue with the MDS_Backup feature is that I'll effectively need to shut my entire MDS down to pull supported backups, and if you're including logs in that backup, it will take hours to backup a series of domains and logs.  Considering we require hourly diffs of all this data, this simply isn't an acceptable option, which is forcing us to move to an MLM so we can separate our logs from our policy. 

 

We currently need to have separate backup/restoration/retention plans for:

  • Daily full backups for everything that would be required to recover from a disaster event at the MDS level.  
  • Daily full backups, with hourly diffs for everything that would be required to recover from a disaster event at the domain level.
  • Daily full backups, with hourly diffs on individual domain logs.
  • The ability to restore a domain, or domain logs, without affecting any other domain in MDS. 

How would it look if we billed four hours of work for modifying policy for one customer, then had all that work reverted because we had to run an mds_backup and revert to the midnight backup due to issues with a completely different domain?  Not to mention that if we were to currently do that we would lose all the logging data from midnight to the point of the restore, unless of course we paid for an MLM, which at this point we are in the process of vetting out. 
During our very informative R80.10 training course this last week we learned that it is possible to export logs off MDS prior to a restore to prevent data loss, but it's at best a "hack it together" method to something that's important enough that it should be baked into the product. 

Apologies for the length of what has ultimately turned into a rant at this point, but programmatically exporting/importing every aspect of individual domains should be an easily schedulable feature, ideally through the GUI; exporting/importing logs for an individual domain should be a separate schedulable feature; exporting the entire shebang should be a third schedulable feature, again ideally all done through the GUI.  

PhoneBoy
Admin

In general, this is all stuff that surely can be improved.

We are looking at ways of doing that as well as better documenting the current options.

Definitely appreciate the feedback.

0 Kudos
Richard_Friesen
Participant

At this point, backup requirements as outlined in my post above are a standard part of our service SLAs, and as an ISP the caliber of customers we're looking to serve down the road are going to have a serious problem with our inability to effectively retain or restore data with this product, to the point where I have trouble calling this solution "multi-tenant".  This isn't exactly something we can beat around the bush on when we're talking to our highly sensitive clients.

Our clients will be (have been) asking questions about our disaster recovery options, and we will currently have to explain to our clients: 

  • Why we can't easily provide customers with offsite backup copies of their data, or their logs.
  • How we can't treat client domains as individuals when it comes to backing up and restoring their data.
  • How we can't easily separate the backing up and restoring of logs and policy. 

Do we have an ETA, or some form of continued update thread on a fix for these issues?  The backup solution feels less than half baked, it seems at best like an afterthought.  We absolutely require a Checkpoint supported, baked in, granular backup solution we can depend on, and I would very much like to stay as up to date as I can on the fix. 

0 Kudos
denis_litvak
Explorer

Comment on his long message.

 

Richard,

My name is Denis and I am a senior security system integrator based out of Israel.

 

You might want to take a look at BackBox (backbox.com), working with their solution I think you will be able to accomplish a lot of what you are looking to do automatically (except of course things that are still not supported by CheckPoint such as the single CMA recovery in R80.10).

 

Denis

0 Kudos
Martin_Valenta
Advisor

No HA for MDS?

0 Kudos
Eran_Habad
Employee

Richard,

My name is Eran and I'm a manager in the R&D of Check Point.

I would like to thank you for your feedback regarding the lack of domain level recovery in R80.X.

It's currently under development, as part of a bigger infrastructure.

I also saw your feedback regarding the fact that mds_backup forces you to shut down your server. We plan to address this as well.

I can't share a solid ETA at the moment but this is in our road map for 2018.

Regards,

Eran

Kaspars_Zibarts
Employee

Eran Habad‌ hi - just wondering if there have been any news/updates on individual CMA backup and restore in R80.10? Thanks!

PhoneBoy
Admin

Had a session with Tomer Sole‌ earlier this week and can assure you this is in progress.

Kaspars_Zibarts
Employee

Pity. We really need it now. But ok, good to hear that it is coming!

0 Kudos
Vladimir
Champion

Any progress on this front? Another thread popped up asking for a single CMA backup and restore to SMS.

PhoneBoy
Admin

The new upgrade mechanism we're using for R80.20 upgrades will ultimately support it, as noted in the SK:

Security Management upgrade from/to Management Feature Release 

As for when exactly, it's planned for during 2019.

Venkatesh
Participant

Hi Eran,

Is this feature Available yet? We are in version R80.40.

I don't see an option on GAIA or SmartConsole for domain level backup?

 

Thanks and Regards,

Venkatesh Patil

0 Kudos
PhoneBoy
Admin

It’s been supported since the release of R80.40 and has been backported to R80.30 and R80.20 JHF.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
