Scottc98
Advisor

Snapshot to upgrade 3000 series HW (3600 to 3800)?

Is there any use case where you can use a snapshot of a current cluster and use it to move to another set of hardware? I totally understand when you are moving up to different hardware with different cards and such.

I was more looking at a situation where you would move from a 3600 to a 3800 series. The physical NICs and hardware are basically the same; it would really be about increasing the CPU and RAM on such conversions. If one was low on RAM on a 5000/6000 series, you would just pop in some RAM; where on the 3000 series, you have to replace the hardware.

I might have some situations with some 3600s and am just trying to think in advance about how I can easily replace them in the field with some 3800s I have, limiting the staging and downtime for a remote site (i.e. keep it simple for hands-on staff and remote engineers ;))

0 Kudos
9 Replies
_Val_
Admin

Not a good idea, always use backup and not snapshot when between different HW.

Scottc98
Advisor

I figured as much 🙂

@_Val_ 

Can I use a system backup here to move from 3600 to 3800? Reading SK91400, it lists this limitation:

"Restore is only allowed using the same appliance model on the source and target computers."

There is also this one I am curious about:

"Once restore is done, you must reboot the machine and install policy in order to apply the new configuration."

- Upon the restore, is the current policy that was on the backup file properly working, or is this a case where you have to do a 'fw unloadlocal' and then push policy? This was one of my initial concerns that I understood a snapshot would not have. If the backup file has the current policy upon load but just needs a push post replace to 'sync' back up, that isn't as bad.

@the_rock

In the use case of 3600 => 3800, I really don't think there is a real difference within the 'show configuration' portion here on these boxes. I would think I would be OK with a complete copy of the Gaia config as you mentioned; it would copy over like for like, but then there are the extra .conf file edits one would have to make manually that a backup shouldn't require.

0 Kudos
the_rock
Legend

Totally up to you, but I did this with customers before and even TAC told us that doing a restore, especially when models are different, is not a good idea, which I agree with 100%.

All I did is exactly what I mentioned. Saved the file, then simply copied it over to the new fw, made sure to make the necessary changes, did the below and then loaded the file

Andy

[Expert@QUANTUM-MANAGEMENT:0]# clish
QUANTUM-MANAGEMENT> set clienv on-failure continue
QUANTUM-MANAGEMENT> save config
QUANTUM-MANAGEMENT> load configuration <config-file>

Just be careful if you run the set clienv command to continue on failure, UNLESS you are POSITIVE the config is fine. Personally, I always copy bits and pieces, so it can tell me if something is wrong.

Now, if you load the config file, it will NOT tell you if something is wrong, it will simply continue, so you would need to figure it out yourself.

Btw, backup won't restore any jumbo hotfixes, something to keep in mind.

Cheers,

Andy

Scottc98
Advisor

Thanks @the_rock

I think I'll have to take the manual approach here first just to be safe. It just will add a lot more steps here, staging before shipping and on-site work to get it online. I might be able to use a new management IP on a few sites and that may allow me to rebuild with a new cluster Name/IP & install policy before cutting over.

I'll have to put some more thoughts on this one 😉

0 Kudos
the_rock
Legend

As I said, everyone has their own approach, but I always found show configuration is the safest.

Just my honest feedback/suggestion.

Andy

the_rock
Legend

Also, for whatever this is worth, if you look at the below sk, it states that a backup CAN be restored on a different firewall running the same OS and hotfixes, but in the words of a Dallas TAC escalation guy a few years ago, the key word is can be, but it will usually never work properly...and that's a 100% accurate statement actually.

https://support.checkpoint.com/results/sk/sk108902

Anyway, something to think about...again, I'm just giving you my HONEST feedback/opinion. I would never force anyone to do anything, it's a free world after all : - )

Andy

_Val_
Admin

show config, then copy/paste. Also, make sure the interface names are the same, or edit the captured config before pasting.

the_rock
Legend

I agree with that 100% Val. I find that method always works without any issues.

Andy

0 Kudos
the_rock
Legend

Personally, I would not use either if I were you. Interfaces might be different, along with a few other things...

I always do show configuration, save it into a file and then copy bits and pieces. You also need to confirm interface names, as config related to them would not work, since names might be different.

from expert -> clish -c "show configuration" > /var/log/currentconfig.txt

Andy
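The "show configuration, fix interface names, then load" procedure that Andy and Val describe in this thread has one sharp edge they both point out: once `set clienv on-failure continue` is on, `load configuration` skips any line it cannot apply without telling you, so a `set interface eth5 ...` line for a port the 3800 does not have is silently lost. The script below is an added example written for this thread, not code from Check Point or from any poster. It takes a captured `show configuration` dump, applies an old-name:new-name interface mapping, and refuses to hand the config over while it still references an interface that is absent from the target. The config lines, the target interface list and the mapping are constructed samples; the `IFACE_MAP` pair format and the `/tmp` path in the usage note are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this thread (not Check Point's or any poster's code).
# Prepares an old appliance's "show configuration" capture for pasting into
# the replacement box: renames interfaces per a mapping and checks that every
# interface the config still references exists on the target.
# The capture, target interface list and mapping below are constructed samples.
# On a real box the capture comes from:
#   clish -c "show configuration" > /var/log/currentconfig.txt

# Constructed sample of the old appliance's "show configuration" output.
OLD_CONFIG='set hostname gw-3600
set interface eth1 ipv4-address 10.1.1.1 mask-length 24
set interface eth1 state on
set interface eth2 ipv4-address 10.2.2.1 mask-length 24
set interface eth5 state on
set static-route default nexthop gateway address 10.1.1.254 on'

# Constructed list of interface names present on the target appliance,
# one per line (what "show interfaces" lists on the new box).
TARGET_IFACES='eth1
eth2
eth3
eth4
Mgmt'

# Old-name:new-name pairs, whitespace separated (assumed format for this example).
# Interfaces not listed keep their name.
IFACE_MAP='eth5:eth3'

# rewrite_interfaces CONFIG MAP: rename interfaces on every
# "set interface <name> ..." line according to MAP.
rewrite_interfaces() {
    cfg=$1
    script=''
    for pair in $2; do
        old=${pair%%:*}
        new=${pair#*:}
        script="${script}s/^set interface ${old} /set interface ${new} /;"
    done
    printf '%s\n' "$cfg" | sed "${script%;}"
}

# referenced_interfaces CONFIG: unique interface names the config mentions.
referenced_interfaces() {
    printf '%s\n' "$1" | awk '$1 == "set" && $2 == "interface" { print $3 }' | sort -u
}

# missing_interfaces CONFIG TARGET_LIST: referenced names absent from the target.
missing_interfaces() {
    have=$2
    referenced_interfaces "$1" | while read -r name; do
        printf '%s\n' "$have" | grep -qx -- "$name" || printf '%s\n' "$name"
    done
}

# config_ready CONFIG TARGET_LIST: succeeds only when nothing is missing.
config_ready() {
    [ -z "$(missing_interfaces "$1" "$2")" ]
}

# Rewrite, then gate: print the config only if the target can apply all of it.
NEW_CONFIG=$(rewrite_interfaces "$OLD_CONFIG" "$IFACE_MAP")
if config_ready "$NEW_CONFIG" "$TARGET_IFACES"; then
    printf '%s\n' "$NEW_CONFIG"
else
    printf 'not ready, unmapped interfaces: %s\n' \
        "$(missing_interfaces "$NEW_CONFIG" "$TARGET_IFACES" | tr '\n' ' ')" >&2
fi
```

Redirect the script's output into a file (for example `/tmp/config-for-3800.txt`, an assumed path) and that file is what you paste into clish line by line, or feed to `load configuration` on the new box. Because the check runs before anything is loaded, a renamed or dropped port shows up as an explicit "not ready" message on the staging bench instead of a line that `load configuration` quietly skipped on site.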
