Joe_Scolamiero
Explorer

R80.10 Database Revision Question

Hello out there, this is in regards to the changes R80.10 has made to DB revisions. This weekend I am decommissioning some firewalls/clusters and upgrading/consolidating the hardware. I will be deleting a bunch of firewall and cluster objects and recreating new ones which in some cases will have the same IP addresses. In R77 and before, I would perform a DB revision and that would take a snapshot of my policies and objects, which allowed me to roll back if I ran into any issues. I just migrated to R80.10 a few weeks ago on my MDS. It looks now as though the MDS takes copies of previous policies per policy, no? I am working with about six different policies. Is there anything similar to the way it used to be, where I can restore all policies to where I was before I started, or is it per policy? Thanks, Joe

15 Replies
Vladimir
Champion

Please clarify "It looks now as though the MDS takes copies of previous policies per policy"; I am not sure that I understand this statement.

To the best of my knowledge, there are no DB revisions in MDS R80.XX and the built-in revision controls are drastically different. I also do not believe that those are actually keeping the objects versioning, just the rules.

 

Unless someone can tell me that my assumptions are incorrect, the only way you can presently save objects between changes is by performing a full MDS backup with recovery entailing full MDS restore.

See: Current state of MDS R80.10 and should we wait for R80.20?  and How do you rollback an old policy? 

There is a rollback procedure in place that changes policy and objects on the gateways to the older revision, but it will NOT change the actual policy or properties of the objects on the management server.

You are essentially limited to a blind rollback to a good known state and have to manually examine changes in history and manually change them in active policy and objects.

Daniel_Westlund
Collaborator

I agree. It seems like the revisions in R80.10 lose any object changes/deletions, which was the main reason I used DB revision in previous versions. I'll be doing full backups and restores but that makes me more nervous than DB revisions did because it seems more invasive. Does anyone know if there are plans to ever bring back anything more lightweight to restore previous objects other than a full backup/restore?

0 Kudos
Tomer_Sole
Mentor

Yes, it's in the works.

And regardless:

Have you tried the Installation History Page of R80.10? With R80.10, installing a previous revision saves the network enforcement with a single click and buys you time to investigate the root cause of the misconfiguration using the audit logs, while the rest of the organization lives with the last known good configuration. Once you identify the root cause of the misconfiguration you can manually do the opposite action, publish and install policy again.

0 Kudos
Daniel_Westlund
Collaborator

I haven't tried it but I read the post that you and/or Tim made about it.

0 Kudos
Paul_Hagyard
Advisor

Hi Tomer,

Any update on this? For complex changes the inability in R80/R80.10 to easily roll back to a "known good" database revision is a huge regression from R77.30. At present we perform a migrate export to establish a point in time revision before major changes, but this is an ugly solution compared with the previous "revert to version". A VMware snapshot is another option in some environments, but if the server is also the log server then reverting the snapshot loses logs...

The suggestion in Dynamic revisions in R80.x SmartConsole that "Your job is to do investigation and redo the changes." defeats the purpose of having a GUI to make administration easier...

Cheers,

Paul

Tomer_Sole
Mentor

The Policy Installation History is where you can revert changes on the Gateway level. This is how it works in R80.10 and R80.20. We are planning Management-level revert mechanisms, but they will not make our next release.

Let's give an example with R80.10 (and R80.20):

1. You make 50 changes and install policy

2. You have network drops

3. You immediately go to Policy Installation History, install a previous revision, the network is restored, all employees can breathe. Management configuration is still the most recent one, and includes the 49 changes and the 1 misconfiguration.

4. You go back to the Policy Installation History in order to see audit logs per change. You find the bad change, and do the reverse operation on the 1 bad change. Publish, install policy.

Daniel_Westlund
Collaborator

Understood, and that works great in your scenario, but let me give you another one that I run into. Customer is upgrading from an Edge box to a 1450. I create the new object for the 1450. In order for the center gateway, say a 15800, to establish the new tunnel with the 1450, I have to delete the old Edge object or the gateway will remember that the tunnel used to go to that device and throw errors. Even though I changed the encryption domain of the old Edge object, I can't get rid of the errors unless I delete the object. After deleting the Edge object, say I'm still unable to establish the tunnel with the 1450 for some other reason. The maintenance window is over and the customer asks me to roll back to the old configuration. I go to the policy installation from before the change and roll back, but my Edge object is still gone. There are a lot of scenarios like this where a DB revision rollback restores the old config including objects, but going back to a previous policy installation does not.

Tomer_Sole
Mentor

It's actually good that you're bringing up concrete cases, not because I'm not convinced that the feature is helpful (we have people working on it), but because I want to see in which cases the operation set is complex.

For your situation - how about pulling a Replace All from the GUI? https://community.checkpoint.com/thread/4958-any-improvements-in-r80-for-where-used 

0 Kudos
junior_ra
Participant

What would happen if I take a system backup and restore this if I need to back out? I have a change I need to make that modifies 1000 policies and 1000 objects. What is the best approach to back out? I need a way to restore the 1000 policies and 1000 objects if we need to back out. This is for an ISP change so I need to modify all the automatic NATs. I know I can go to install history and restore but I need to be able to also restore MGMT configuration. I have no concerns of wiping others' changes as there will be a freeze during this period. Do not want to do a snapshot; consumes too much disk. R77.30 would have just been a DB backup.

0 Kudos
PhoneBoy
Admin

Like Tomer said, we're working on adding this functionality back.

To provide a different perspective, if I have to make 1000 changes, I'm probably going to automate it. 

Which means you could automate "undoing" the changes as well.

0 Kudos
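As an added illustration of the "automate the change, so you can automate the undo" idea above (this is example code, not from PhoneBoy or from Check Point): the script snapshots each host's automatic NAT settings before touching them, rewrites the hide-NAT addresses from the old ISP prefix to the new one, and can replay the snapshot verbatim as the rollback. It assumes the Management API commands `login`, `show-host`, `set-host` and `publish` and the `nat-settings` field names (`auto-rule`, `method`, `hide-behind`, `ipv4-address`, `install-on`); check them against the API reference for your release. `FakeMgmtClient`, `SAMPLE_HOSTS` and the prefixes are constructed so the script runs offline; `MgmtClient` is the thin HTTPS transport you would swap in against a real server.

```python
"""Reversible bulk hide-NAT renumbering via the Check Point Management API (added example)."""
import copy
import json
import ssl
import urllib.request


class FakeMgmtClient:
    """Constructed in-memory stand-in for the Management API so the example runs offline.
    It understands only the three commands the script needs."""

    def __init__(self, hosts):
        self.hosts = copy.deepcopy(hosts)  # object name -> host object, as show-host returns it
        self.publish_count = 0

    def call(self, command, payload):
        if command == "show-host":
            return copy.deepcopy(self.hosts[payload["name"]])
        if command == "set-host":
            host = self.hosts[payload["name"]]
            host["nat-settings"] = copy.deepcopy(payload["nat-settings"])
            return copy.deepcopy(host)
        if command == "publish":
            self.publish_count += 1
            return {"task-id": "constructed-task-id"}
        raise ValueError(f"unsupported command: {command}")


class MgmtClient:
    """Thin HTTPS transport for a real R80.x management server (web_api).
    Login returns a session id that is sent back in the X-chkp-sid header."""

    def __init__(self, server, user, password):
        self.base = f"https://{server}/web_api/"
        self.ctx = ssl.create_default_context()  # certificate validation stays on
        self.sid = None
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def call(self, command, payload):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(self.base + command, data=json.dumps(payload).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)


def snapshot_nat(client, names):
    """Read and keep each host's current nat-settings: this dict is the undo record.
    Persist it (json.dump to a file) before applying any change."""
    return {n: client.call("show-host", {"name": n})["nat-settings"] for n in names}


def renumber_hide_nat(client, names, old_prefix, new_prefix):
    """Re-point automatic hide-NAT addresses from old_prefix to new_prefix.
    Hosts whose NAT is static or on another prefix are left untouched.
    Returns the names that were changed."""
    changed = []
    for name in names:
        nat = dict(client.call("show-host", {"name": name})["nat-settings"])
        addr = nat.get("ipv4-address", "")
        if nat.get("auto-rule") and nat.get("method") == "hide" and addr.startswith(old_prefix):
            nat["ipv4-address"] = new_prefix + addr[len(old_prefix):]
            client.call("set-host", {"name": name, "nat-settings": nat})
            changed.append(name)
    return changed


def restore_nat(client, snapshot):
    """Replay the saved nat-settings verbatim: the rollback of renumber_hide_nat."""
    for name, nat in snapshot.items():
        client.call("set-host", {"name": name, "nat-settings": nat})
    return sorted(snapshot)


# Constructed sample objects standing in for show-host output (documentation prefixes only).
SAMPLE_HOSTS = {
    "web-1": {"name": "web-1", "ipv4-address": "10.0.0.11",
              "nat-settings": {"auto-rule": True, "method": "hide", "hide-behind": "ip-address",
                               "ipv4-address": "203.0.113.11", "install-on": "All"}},
    "web-2": {"name": "web-2", "ipv4-address": "10.0.0.12",
              "nat-settings": {"auto-rule": True, "method": "hide", "hide-behind": "ip-address",
                               "ipv4-address": "203.0.113.12", "install-on": "All"}},
    "mail-1": {"name": "mail-1", "ipv4-address": "10.0.0.25",
               "nat-settings": {"auto-rule": True, "method": "static",
                                "ipv4-address": "198.51.100.25", "install-on": "All"}},
}


def demo():
    """Run the change and then the rollback against the constructed data."""
    client = FakeMgmtClient(SAMPLE_HOSTS)
    names = list(SAMPLE_HOSTS)
    undo = snapshot_nat(client, names)                 # taken before any set-host
    changed = renumber_hide_nat(client, names, "203.0.113.", "192.0.2.")
    client.call("publish", {})
    after_change = {n: client.hosts[n]["nat-settings"]["ipv4-address"] for n in names}
    restore_nat(client, undo)                           # the scripted "undo"
    client.call("publish", {})
    after_undo = {n: client.hosts[n]["nat-settings"]["ipv4-address"] for n in names}
    return changed, after_change, after_undo


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The snapshot is what makes the undo trustworthy: it is taken from the live objects immediately before the change, so the rollback replays exactly what was there rather than whatever the change script believed it was changing. Note that this only covers what the script itself modified; it is not a substitute for the full backup discussed in the thread when objects are deleted or other administrators publish in between.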
junior_ra
Participant

Yup, easy task to do, but change management will not be fond of it... A DB backup means you're guaranteed to go back to the same level of config.

0 Kudos
Tomer_Sole
Mentor

junior ra wrote:

What would happen if I take a system backup and restore this if I need to back out? I have a change I need to make that modifies 1000 policies and 1000 objects. What is the best approach to back out? I need a way to restore the 1000 policies and 1000 objects if we need to back out. This is for an ISP change so I need to modify all the automatic NATs. I know I can go to install history and restore but I need to be able to also restore MGMT configuration. I have no concerns of wiping others' changes as there will be a freeze during this period. Do not want to do a snapshot; consumes too much disk. R77.30 would have just been a DB backup.

There is also the option to use Backup and Restore from the Gaia web UI.

0 Kudos
junior_ra
Participant

You are referring to system Backup (and System Restore), correct? This should contain objects, right?

0 Kudos
PhoneBoy
Admin

It contains everything, yes.

0 Kudos
Ramchand_Somaya
Employee Alumnus

Hello Tomer,

An attempt to install a specific revision from a deleted policy is not supported on R80.10 take 169. Besides restoring from mds_backup, is there any quick way to restore the deleted policy package?

0 Kudos
