JorgenSpange
Contributor

Backup - management server - migrate export vs system backup

Hi!

We're running our management on R81.10 with two dedicated VMs for management and log server.

These days we're looking into our backup and restore routines.
Until now we have been doing backups by scheduling migrate exports and cron jobs for copying the export to an SCP server.
This requires some degree of overhead with regard to custom scripts and cron jobs, so we have been looking into using "system backup" in Gaia instead.

It seems to me like this is easier to handle and that you back up the clish config and all necessary files such as vpnroute.conf in the same backup.

But we're not sure about this so my question is:
What is the trade off by using system backup instead of migrate export, what's the best practice for backup, and what are you guys doing for backup?


Feedback is much appreciated!

br
Jørgen

0 Kudos
1 Solution

Accepted Solutions
Tal_Paz-Fridman
Employee

Hi

I would recommend going over the following SK and CheckMates post:

Best Practices - Backup on Gaia OS

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

VMware backup vs migrate export vs Gaia snapshot

https://community.checkpoint.com/t5/Management/VMware-backup-vs-migrate-export-vs-Gaia-snapshot/td-p...


10 Replies
the_rock
Legend

Put it this way... backup is more for scenarios where, say, you make a change on the server and something does not work right and you simply wish to restore to a working condition; you can do the restore from the latest working backup. The link from @Tal_Paz-Fridman also explains that. Migrate export (or migrate server, starting from R80.20) is what you would use if you wish to, for example, import all the objects and licenses, along with policy rules (packages), VPN communities, etc., into a new management server.

Andy

K_montalvo
Advisor

Here is a good video on that by the Great Magnus, go check it out!

https://youtu.be/EHQZ2KgFgl0

 

JorgenSpange
Contributor

Thanks all for the feedback, much appreciated!
From what I understand we want backup for disaster recovery and migrate_export is the one best suited for this.

0 Kudos
imamuzic
Participant

To bring this topic to life, I was experimenting today with backups for the SMS (VM edition). If an SMS Gaia System Backup is restored onto a different VM configuration and a different IP address, it will restore only the Gaia part, which means objects and policies will be missing (but it will report the restore operation as successful). But when I did the same restore onto another VM with the same configuration (CPU, HDD, RAM, IP address), I got everything restored, including the management database (objects and policies), and even hotfixes are restored. I'm talking about R81.10 here.

Regards,

Igor

 

0 Kudos
the_rock
Legend

The backup itself does not actually restore hotfixes, only snapshot can do that.

Andy

0 Kudos
imamuzic
Participant

I see, but this is different from what I'm experiencing. It was strange to me too, but the restore target VM is isolated from the Internet, so it is unable to update itself automatically, and after the restore it had the Jumbo HF Take version that was on the original server. That HF version is not downloadable with CPUSE from Check Point anymore, so it had to come with the restore. Also, the restore operation initially failed because of an HF incompatibility between the target server and the backup, so I had to use the 'dbset backup:override_hfs t' command to be able to even continue with the restore.

I believe that these HFs aren't restored for real; it is maybe just a false report from CPUSE after the restore, where the backup defined what HFs must be installed and CPUSE just "believed" that they were indeed installed after the restore. Also, this test of mine is not exactly a real-world example, because in my case the target server didn't have any HFs installed before the restore (due to being isolated from the Internet - I had to use the IP address used at the customer site in my lab for the restore test), while in real life you will probably install the latest HFs before attempting to restore.

 

0 Kudos
the_rock
Legend

Ok, I see what you are saying. I tested this in my lab, as well as with the customer 4 times and not a single time, did we get jumbo back on the box. Actually, every single time we did this, it was restore on EXACT same appliance, so there would be no possibility of issue with the config/interfaces etc...

Andy

Also, according to below, it would appear that is the case as well.

https://community.checkpoint.com/t5/Training-and-Certification/What-is-backup-and-snapshot-and-diffe...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Snapshot Management

The snapshot creates a binary image of the entire root (lv_current) disk partition. This includes Check Point products, configuration, and operating system.

The log partition is not included in the snapshot. Therefore, any locally stored FireWall logs will not be saved.

System Backup (and System Restore)

System Backup can be used to back up the current system configuration. A backup creates a compressed file that contains the Check Point configuration including the networking and operating system parameters, such as routing and interface configuration etc., but unlike a snapshot, it does not include the operating system, product binaries, and hotfixes.

Save Configuration (and Load Configuration)

Allows saving Gaia OS configuration settings as a ready-to-run CLI script. This allows you to review your current setup and quickly restore the Gaia OS configuration.

 

Recommended backup plan

For complete backup of the system and maximum confidence, Check Point recommends combining all three methods as part of the backup plan (Snapshot Management, System Backup/Restore, Save/Load Configuration). This will allow multiple restore points, redundancy and reliability of the overall restore procedure.

Collect:

  • Snapshot - after a fresh installation, before an upgrade, and before a hotfix installation.
  • Scheduled Backup - monthly or weekly, depending how frequently you perform changes in your configuration and policy
0 Kudos
imamuzic
Participant

Anyway, I was testing it in the first place not because of HFs, but because the official documentation is unclear, at least to me, about SMS. Is the System Backup enough to back up the SMS database as well, so that in case of losing the SMS VM I can restore all the policies and objects from the backup to another VM (same "model")? In the end it turned out to be true, so I do not have to create a script for scheduled 'migrate_server' command execution for database export for backup purposes only.

 

0 Kudos
the_rock
Legend

Yeah, that's fair. These days, I always tell customers to be prepared to install the jumbo again if they do a restore, but either way, I find that show configuration seems to be the best method. One customer had always used the same method for so many years: use the ISOmorphic tool to reinstall the new version, then copy all the config and install the recommended jumbo for the new version. That actually works really well.

Cheers mate.

Andy
