This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Patrick_Tuttle1
Collaborator
‎2019-04-02 06:34 AM

Rebuild & Restore GW from a USB

Hello Checkmates;

We are searching for a way to use a USB to give to field operators at remote sites in order to provision a gateway out in the field.

This would be a disaster recovery scenario where they would grab a replacement gateway from their local office and we would provide them with a USB stick with all code jumbos and full configuration on it.
These would be GWs running the full Gaia not the embedded ones.

I have been trying to use Isomorphic in Advance mode and using the config_system template but this only seems to like entries used in the 1st time wizard. trying to add other entries such as additional interfaces has failed.

I also tried doing the "additional OS Configuration" This seems to get further but if there are add commands in the config, it seems to bail out.

Is this even possible to do a complete automated rebuild and restore to a gateway from a USB stick ?

Anyone have a running example of either a script or template file that includes a full configuration.


Thanks
-pat

0 Kudos
9 Replies
Maik
Advisor
‎2019-04-02 06:57 AM

Create a snapshot, move the (exported) snapshot to a USB device and you should be good to go.

The snapshot itself contains the os config, the product config as well as installed hotfixes with a few limitations that you can read about here. So for example, you are going to loose locally saved logs, this could be circumvented via additional methods. But my guess is that this is not as relevant as you are writing a about something like an "emergency" solution/USB stick.

 

0 Kudos
Patrick_Tuttle1
Collaborator
‎2019-04-02 08:07 AM
In response to Maik

Thanks I didn't think of that method but I think? someone would have to be consoled in to kick off the snapshot?
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2019-04-02 07:54 AM

We are doing this at the moment with isomorphic prepared USB-device to do a rollout for 60 appliances without the need for onsite going for a Check Point specialist. 

You don't need to touch the appliance, You can bring it with the USB-device onsite, put it in, boot twice and after the configuration the appliance is up with "initial_policy" and ready to get connected to smartcenter.

Have a look at my document. I hope anything is described and understandable.

Preview file
291 KB
0 Kudos
Patrick_Tuttle1
Collaborator
‎2019-04-02 08:05 AM
In response to Wolfgang

Thanks for the response. I think this is where I'm running into problems and you mentioned it as well...
"you can place any clish command in the file, but there is a limitation
 if the command results in a question or any other problematic output you
can’t use it this way, the script will be failing
 configuration commands like this must be done later"

So does you method put the entire config in or do you have to go back later and add them?
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2019-04-02 08:59 AM
In response to Patrick_Tuttle1

Hello Patrick,

yes, this is a limitation. There are some commands we are adding later running a script via Smartconsole to the gateway. But this is not a problem for us, most of the commands are running fine.

If you do a testdrive with a serial console attached to the appliance you can see the failing command in the second stage.

There is no log written to the USB-device, but you can log your putty-session or what else tool you are using for serial connection.

For us this is the best solution, we don‘t need to unpack the appliance, configure, repack and bring onsite... They are delivered direct to the production location and installed from one of the normal users onsite.

Wolfgang

0 Kudos
Patrick_Tuttle1
Collaborator
‎2019-04-02 09:25 AM
In response to Wolfgang

Thanks again. Very helpful info. Maybe Check Point will see a need for smoother solution like our network guys having a flash card and getting a replacement router up and running in a few min by a non technical person without a console hookup, plugging in a card and flipping on a switch.
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2019-04-02 10:01 AM
In response to Patrick_Tuttle1

Another nice way for first time configuration is Zerotouch Installation 

Since R80.20 this is available too for GAiA Gateways, not only SMB-devices. But you have to touch once the appliance and enable it and you need a Internet connection. Maybee it’s default enabled in one of the next releases. Zerotouch is described in sk116375.

Wolfgang

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2019-04-02 11:16 AM
In response to Wolfgang

Backing up Gaia system level configuration

Kind regards,
Jozko Mrkvicka
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2019-04-02 12:04 PM
In response to JozkoMrkvicka

Hello Jozko,

problem with that solution...you have to touch the device and you have to run the first time install wizzard before.

I really agree with Patrick, a real zerotouch procedure would be very nice and helpfully for new installs and replacements.

Wolfgang

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events