Create a Post
Showing results for 
Search instead for 
Did you mean: 

CheckPoint DR questions

Hello folks,

I am fairly new to CheckPoint and will be performing a DR test exercise. I have performed DR on Production in the past which was related to backup software a but need your suggestion on this DR test lab exercise where I will be performing to ensure everything goes well should a real disaster occur. This may be basic to you guys but I just need clarification so I do it the right way.

The scenario is that I will be in our IT Head Office with access to PC to connect to a remote site (I assume we will connect via RDP or VPN) where the DR is to be performed. The DR location to be tested is in a different site (another state than ours) and believe Firewall will be connected to a PC where I will remote into. I have been provided with an exercise list but that list only contains performing fresh installation from the Gaia R77.30 CD (which I understand will be helpful in case there isn't any image or need to boot off of the CD). It also contains tasks to perform First Run Configuration from the Gaia Web UI Wizard Setup, connecting to WebUI to add static routes (default route to external and setting static routes for internal). Furthermore, it has tasks to login to Smart Dashboard to install and configure policy, set Stealth and Cleanup Rules, inserting access rules for inside to internet and allow any. Last but not least, to push policy and verify internet access. This to me doesn't seem like a real disaster recovery. My understanding is that we should take a system, export, and show configuration backups, and use that to recover. Correct me if I am wrong.

1) If this is the case (which means I will take the backup of our Firewall and Management server located in our local office and restore to the remote site's network), then those policies won't work as they will have different IPs from the remote site's network IPs.
2) Since the remote location will have different IPs including DNS and routing information from the backup that is taken, how will this play out?
3) What IPs (IP for Gateway, Management, internal, external, including static) should I be using? I assume theirs.
3) I see one of the bulleted points for this DR test exercise is to build, configure, and test the internal and external firewalls.

Please advise and thank you for assistance here.

0 Kudos
2 Replies

It greatly depends on business requirements/drivers behind DR solution.

- What are time requirements for failing over to DR ?
- What are topology conditions (will the DR replicate IP scheme) ?

- Is it Hot or Cold DR ?

Looking at the task list you've received, seems like a Cold DR - that is, building a working environment at DR site from scratch. Again, if time constraints allow to set up firewall from scratch with new IPs/topology/rules, then it can take some 30-40 minutes to do so. Exporting/importing firewall policy from existing FW to the newly installed one, IMO, would be of dubious advantage - if IPs change, and of course they are used in the policy, you'd have head ache to fix the policy.

Most of DR procedures I've seen though, require replicating the LAN topology 1 to 1. It does not necessary include firewall if the firewall is used just to connect DR to the Internet, then possibly set up some way to access LAN of DR behind it.

The Hot/Real time DR would include DR site having the exactly same LAN topology with ongoing replication of data/services from the main site (usually via point to point link with the main site and some data center technology LAN extension technology like VXLAN/OTV of some sort, or just plain subnet dividing) with WAN IPs advertised via both (Main/DR) sites at the same time, so when main site fails, the DR takes over by the fact that production IPs get advertised (via say BGP) from DR site, and in this set up the firewall can have different IPs as it only provides perimeter security, not accessibility to production IPs.

Cold DR, on the other hand, would mean rebuilding the production environment from scratch at the DR site, possibly transferring WAN IPs of the firewall as well (with the ISP help). In such case, backing up existing firewall would be more logical - even using just migrate export, so after the fast clean install on DR site, you would import firewall config and be ready to go.

So, you are asking the correct questions, but only those designing this DR exercise can answer them.
0 Kudos

As Yuri mentioned, let's define the exact scenario concerning the security system fail-over.

There are quite a few different options, including Management HA configuration where you have both Primary and Secondary management servers in sync (no need to employ migrate export / import).

However, the main question is about connectivity changes in DR situation. Do you have another FW there? Same policy, different policy? How is it managed? If you are only concerned about VPN, in can be either VPN routing setup or even MEP with probing.

In short, you need to lay down your exact scenario to get the right answers.

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events