Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Linus_Espach
Participant

Policy revision - Installation History - Does the compiled Policy include the Database?

Hi 2 all,

I am writing an emergency backup plan which creates a strategy for different cases and therefore used backup-mechanisms.

Reverting a policy via "Installation History/Install specific version" is described to install an old, compiled version of the specific policy. 

So I have 3 questions regarding this:

-Does the compiled Policy include the database, so in case an error which is based on a db-change can be reverted until the real error is found?

-Where (which folder on the management) are the compiled policies, shown in "Installation History" saved?

- How large are these files? (GB or MB)

 

Thanks for your help and best regards,

0 Kudos
4 Replies
Timothy_Hall
Legend Legend
Legend

>-Does the compiled Policy include the database, so in case an error which is based on a db-change can be reverted until the real error is found?

The compiled policy includes the objects to the degree that they apply to that specific firewall's policy.  I don't think it is a complete list of objects but I could be wrong.  You cannot revert the live configuration displayed in the SmartConsole back to the state when a policy was compiled and installed as shown via the Installation History screen.

> -Where (which folder on the management) are the compiled policies, shown in "Installation History" saved?

In the postgres database located in $CPDIR/database/postgresql/data, but you can't typically access these directly from the CLI although it is probably possible via the psql_client command.

> - How large are these files? (GB or MB) 

I'm not sure if the compiled policy is stored in its entirety or if it is simply a set of database transactions to recreate the original compiled policy.  In the former case the size would be roughly the same as you would see on the SMS by running this command: du -sh $FWDIR/state/(gateway name)/FW1.  In the latter case the amount consumed would be significantly less.

If you haven't already, please see my article about R80+ Database Revision Control here:

https://community.checkpoint.com/t5/Policy-Management/R80-Change-Control-A-Visual-Guide/m-p/39702?se...

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
PhoneBoy
Admin
Admin

All changes made to the Security Policy/Objects etc should be listed in the Audit logs.
While you can't take a snapshot and revert, you can at least review the logs to see what changes were made.
0 Kudos
Tomer_Noy
Employee
Employee

The "install previous revision" mechanism does not really store the compiled policy.

The way that R80.x DB works, is that every publish operation does not really overwrite the previous data. It stores a new version of the data and connects it to the latest revision. This is a built-in mechanism which doesn't require the user to manually run a backup. You can also purge old revisions if you wish.

You don't need to worry about the size and you cannot inspect them, since as was said, they are part of our DB.

When you install from a previous revision, we perform the entire policy installation process, but look at the rows that belong to that revision, while ignoring updates that were done on top. This includes all the objects in the DB. Some things that are stored externally, such as SIC changes will not be taken from the past.

In the upcoming R80.40, we are also adding a feature that will allow you to revert the DB to a specific revision, thus allowing you to continue working on top of it (not just installing it on the gateway in an emergency). Also, in R80.40 we are bringing back the option to back up a specific MDM domain to a backup file (not only the full MDM). That may be another option for extreme disaster recovery.

JozkoMrkvicka
Authority
Authority

I have feeling that I will love R80.40 🤔

Kind regards,
Jozko Mrkvicka

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events