Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Lari_Luoma
Ambassador Ambassador
Ambassador

Do you take regular backups of your management server?

If not, configure them today! We in Professional Services have been involved in several cases during the last 12 months or so where our customer has lost their management server and had no backups. While we do have some recovery tools, getting everything back as it was using files from a gateway is never 100% guaranteed. It's also very time consuming task.

Having daily or weekly backups of your management server is the best thing you can do to keep your security infrastructure functioning even in the events of catastrophic events.

19 Replies
the_rock
Legend
Legend

Agree 100%. We do at least weekly, but for few customers even daily fw/mgmt backups.

0 Kudos
Chiko_Phiri
Participant

Does the scheduled backup in Maintainance > System Backup contain the management database? 

0 Kudos
the_rock
Legend
Legend

Im pretty positive it does and here is reason I say that...2 years ago, dont ask me why and how this happened and we even had TAC case, went to escalations and no one could figure it out...we had customer and one day out of the blue, they cant log into smart console. We did bunch of troubleshooting, did cpstop/start, reboot, nothing...cpm would simply never come up. After some time, TAC discovered that some database files were "missing", but no one knows why that happened...thank God we had backup and after restoring, we reinstalled same jumbo and bam, back in business.

0 Kudos
Scottc98
Collaborator

same question as @Chiko_Phiri   

- for a single management system, is that applicable backup to rebuild a Smart-1 appliance?   

- for a single management system virtual machine (vMWare ESXI), what would be the recommended backup or schedule cadence  with the considerations of VM snapshots being possible?

- For HA management (two Smart-1 appliances in different geo-locations), what would be the recommendations and schedule cadence knowing the odds of failure of both appliances is lessen?

 

Really glad this subject came up as I was literally discussing with some co-workers last week about what are some best practices for management.  

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador

Check the SK I pasted above for details.

System backup is enough to restore the applicable server. However, you would still need to install Gaia OS to the same Jumbo Hotfix level as previously. Snapshot also backs up the binaries, but system backup does not.

What comes backing up the secondary management server, you can always synchronize it with the primary. Even if you have older snapshot or just a clean installation of the secondary server you can sync it with the primary. However, in large environments I would back up both with the same cadence as having up-to-date backups from both would speed up the restoration process.

the_rock
Legend
Legend

JUST in case (knock on wood), if need be, below is procedure to get mgmt up and going if its totally hosed.

Lari_Luoma
Ambassador Ambassador
Ambassador

This procedure assumes that you have the files. Many of my customers I have worked with had nothing else than a gateway. 🙂

(1)
the_rock
Legend
Legend

Tell me about it lol

0 Kudos
Alex-
Advisor
Advisor

Actually, I sometimes use the gateway as SCP recipient of SMS backups. They have plenty of space in /var/log, are often in the same management space than the gateways and are more reliable than an external file server shared with other services. Just remove older backups every now and then.

0 Kudos
Blason_R
Leader
Leader

Yeah - but I am keen to know on that advanced part about getting rules back from just a files. I mean that would be interesting.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
_Val_
Admin
Admin

Not just that, I am afraid. This procedure is for R77.x and below. 

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador

It does. Refer to the following sk for comparison between different backup methods.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


0 Kudos
Blason_R
Leader
Leader

Undoubtedly - We prefer once a weekly and even migrate export once a month just to doubly sure.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
EnriqueGB
Participant

Does CheckPoint recommends or supports any cloud native(Azure backup and/or AWS backup) method for the management servers? Restoring a MDS backup in Azure has been... an experience.

Alan_Long
Participant

I have 2 mgmt servers in AWS, I manually do a migrate_server export twice a week on both of mine and copy them out to a server.

When we migrated from R80.30 to R81.10, that is how we moved the db from one version to another.

 

the_rock
Legend
Legend

That is indeed supported method CP recommends for Azure/AWS as well.

0 Kudos
EnriqueGB
Participant

My experience has not been so pleasant. Our MDS is heavy and due different "events" we had to restore a new VM, import the backup, move the public IPs... and a long etc. (THANKS CheckPoint support team!).

But I wonder if we have simple VMs with the MDS (primary and secondary), would be possible to perform snapshots with the native services?

0 Kudos
PhoneBoy
Admin
Admin

The problem with using these backups is that you may end up with a backup in an inconsistent state.
Which is why they are only recommended to use when the VM is powered down.
Otherwise, it's better to use one of the official Check Point methods for backup. 

0 Kudos
Vladimir
Champion
Champion

@Lari_Luoma , I will make a bold suggestion for Check Point to introduce a built-in flash drives in their management server appliances, to which the backups will be performed automatically, by default, without any user input.

Who knows, the ROI may just justify it:)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events