Hello out there, this is in regards to the changes R80.10 has made to DB revisions. This weekend I am decommissioning some firewalls/clusters and upgrading/consolidating the hardware. I will be deleting a bunch of firewall and cluster objects and recreating new ones, which in some cases will have the same IP addresses. In R77 and before, I would perform a DB revision, and that would take a snapshot of my policies and objects, which allowed me to roll back if I ran into any issues. I just migrated to R80.10 a few weeks ago on my MDS. It looks now as though the MDS takes copies of previous policies per policy, no? I am working with about six different policies. Is there anything similar to the way it used to be, where I can restore all policies to where I was before I started, or is it per policy? Thanks, Joe
Please clarify "It looks now as though the MDS takes copies of previous policies per policy", I am not sure that I understand this statement.
To the best of my knowledge, there are no DB revisions in MDS R80.XX and the built-in revision controls are drastically different. I also do not believe that those are actually keeping the objects versioning, just the rules.
Unless someone can tell me that my assumptions are incorrect, the only way you can presently save objects between changes is by performing a full MDS backup with recovery entailing full MDS restore.
See: "Current state of MDS R80.10 and should we wait for R80.20?" and "How do you rollback an old policy?"
There is a rollback procedure in place that changes policy and objects on the gateways to the older revision, but it will NOT change the actual policy or properties of the objects on the management server.
You are essentially limited to a blind rollback to a good known state and have to manually examine changes in history and manually change them in active policy and objects.
I agree. It seems like the revisions in R80.10 lose any object changes/deletions, which was the main reason I used DB revisions in previous versions. I'll be doing full backups and restores, but that makes me more nervous than DB revisions did because it seems more invasive. Does anyone know if there are plans to ever bring back anything more lightweight to restore previous objects other than a full backup/restore?
Yes, it's in the works.
And regardless:
Have you tried the Installation History Page of R80.10? With R80.10, installing a previous revision saves the network enforcement with a single click and buys you time to investigate the root cause of the misconfiguration using the audit logs, while the rest of the organization lives with the last known good configuration. Once you identify the root cause of the misconfiguration you can manually do the opposite action, publish and install policy again.
I haven't tried it but I read the post that you and/or Tim made about it.
Hi Tomer,
Any update on this? For complex changes the inability in R80/R80.10 to easily roll back to a "known good" database revision is a huge regression from R77.30. At present we perform a migrate export to establish a point in time revision before major changes, but this is an ugly solution compared with the previous "revert to version". A VMware snapshot is another option in some environments, but if the server is also the log server then reverting the snapshot loses logs...
The suggestion in Dynamic revisions in R80.x SmartConsole that "Your job is to do investigation and redo the changes." defeats the purpose of having a GUI to make administration easier...
Cheers,
Paul
The Policy Installation History is where you can revert changes on the Gateway level. This is how it works in R80.10 and R80.20. We are planning Management-level revert mechanisms, but they will not make our next release.
Let's give an example with R80.10 (and R80.20):
1. You make 50 changes and install policy
2. You have network drops
3. You immediately go to Policy Installation History and install a previous revision; the network is restored, and all employees can breathe. The management configuration is still the most recent one and includes the 49 changes and the 1 misconfiguration.
4. You go back to the Policy Installation History in order to see audit logs per change. You find the bad change, and do the reverse operation on the 1 bad change. Publish, install policy.
Understood, and that works great in your scenario, but let me give you another one that I run into. Customer is upgrading from an Edge box to a 1450. I create the new object for the 1450. In order for the center gateway, say a 15800, to establish the new tunnel with the 1450, I have to delete the old Edge object or the gateway will remember that the tunnel used to go to that device and throw errors. Even though I changed the encryption domain of the old Edge object, I can't get rid of the errors unless I delete the object. After deleting the Edge object, say I'm still unable to establish the tunnel with the 1450 for some other reason. The maintenance window is over and the customer asks me to roll back to the old configuration. I go to the policy installation from before the change and roll back, but my Edge object is still gone. There are a lot of scenarios like this where a DB revision rollback restores the old config including objects, but going back to a previous policy installation does not.
It's actually good that you're bringing up concrete cases, not because I'm not convinced that the feature is helpful (we have people working on it), but because I want to see in which cases the operation set is complex.
For your situation - how about pulling a Replace All from the GUI? https://community.checkpoint.com/thread/4958-any-improvements-in-r80-for-where-used
What would happen if I take a system backup and restore it if I need to back out? I have a change I need to make that modifies 1000 policies and 1000 objects. What is the best approach to back out? I need a way to restore the 1000 policies and 1000 objects if we need to back out. This is for an ISP change, so I need to modify all the automatic NATs. I know I can go to install history and restore, but I need to be able to also restore the MGMT configuration. I have no concerns about wiping others' changes as there will be a freeze during this period. I do not want to do a snapshot; it consumes too much disk. In R77.30 I would have just done a DB backup.
Like Tomer said, we're working on adding this functionality back.
To provide a different perspective, if I have to make 1000 changes, I'm probably going to automate it.
Which means you could automate "undoing" the changes as well.
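As an added editorial example (not written by anyone in this thread and not Check Point's own code), here is what "automating the undo" of the ISP-change scenario above can look like: take a `show-hosts` snapshot before touching anything, derive both the forward `set-host` calls and their exact inverses from that snapshot, and dry-run the round trip offline before the change window. The object shape (a host with `nat-settings` carrying `auto-rule`, `method`, `ipv4-address`, `install-on`) and the endpoint names (`/web_api/login`, `set-host`, `publish`, `discard`) are assumptions based on the Management API; the sample hosts and ISP blocks are constructed for the example.

```python
"""Plan and reverse a bulk automatic-NAT change (added example, not Check Point code).

Assumptions: host objects look like what `show-hosts` (details-level "full")
returns and what `set-host` accepts; the HTTP wrapper targets the real
Management API endpoints but is never called in the offline dry run.
"""
import copy
import ipaddress
import json
import ssl
import urllib.request

# Constructed sample snapshot taken BEFORE the change: three hosts NATed into
# the old ISP block, one host with no automatic NAT that must be left alone.
SNAPSHOT_BEFORE = [
    {"name": "web1", "ipv4-address": "10.1.1.10",
     "nat-settings": {"auto-rule": True, "method": "static",
                      "ipv4-address": "203.0.113.10", "install-on": "All"}},
    {"name": "web2", "ipv4-address": "10.1.1.11",
     "nat-settings": {"auto-rule": True, "method": "static",
                      "ipv4-address": "203.0.113.11", "install-on": "All"}},
    {"name": "mail", "ipv4-address": "10.1.2.5",
     "nat-settings": {"auto-rule": True, "method": "hide",
                      "ipv4-address": "203.0.113.20", "install-on": "All"}},
    {"name": "db1", "ipv4-address": "10.1.3.7",
     "nat-settings": {"auto-rule": False}},
]

OLD_ISP = ipaddress.ip_network("203.0.113.0/24")   # constructed old ISP block
NEW_ISP = ipaddress.ip_network("198.51.100.0/24")  # constructed new ISP block


def translate(addr, old_net, new_net):
    """Keep the host part of the public address, swap the ISP prefix."""
    if old_net.prefixlen != new_net.prefixlen:
        raise ValueError("ISP blocks must be the same size")
    offset = int(ipaddress.ip_address(addr)) - int(old_net.network_address)
    return str(new_net.network_address + offset)


def plan(snapshot, old_net, new_net):
    """Return (forward, undo): two lists of set-host request bodies.

    forward moves every automatic-NAT address inside old_net into new_net.
    undo restores the exact pre-change nat-settings captured in the snapshot,
    so it is a true inverse regardless of how far forward got.
    """
    forward, undo = [], []
    for host in snapshot:
        nat = host.get("nat-settings", {})
        if not nat.get("auto-rule"):
            continue                      # no automatic NAT: never touch it
        pub = nat.get("ipv4-address")
        if not pub or ipaddress.ip_address(pub) not in old_net:
            continue                      # NAT address not in the old ISP block
        new_nat = dict(nat, **{"ipv4-address": translate(pub, old_net, new_net)})
        forward.append({"name": host["name"], "nat-settings": new_nat})
        undo.append({"name": host["name"], "nat-settings": copy.deepcopy(nat)})
    undo.reverse()  # roll back in reverse order, like a transaction log
    return forward, undo


def apply_offline(snapshot, bodies):
    """Simulate set-host against an in-memory copy (dry run, no API traffic)."""
    state = {h["name"]: copy.deepcopy(h) for h in snapshot}
    for body in bodies:
        state[body["name"]]["nat-settings"] = copy.deepcopy(body["nat-settings"])
    return [state[h["name"]] for h in snapshot]


class MgmtSession:
    """Thin Management API client used to drive a plan for real (not run here)."""

    def __init__(self, server, user, password):
        self.base = "https://%s/web_api/" % server
        self.ctx = ssl.create_default_context()  # keep TLS verification on
        self.sid = None
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def call(self, command, body):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(self.base + command,
                                     data=json.dumps(body).encode(), headers=headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def run(self, bodies):
        """Apply all set-host calls, then publish; on any error discard the
        session so a half-applied change never reaches the database."""
        try:
            for body in bodies:
                self.call("set-host", body)
            self.call("publish", {})
        except Exception:
            self.call("discard", {})
            raise


if __name__ == "__main__":
    fwd, back = plan(SNAPSHOT_BEFORE, OLD_ISP, NEW_ISP)
    print(json.dumps({"forward": fwd, "undo": back}, indent=1))
```

The point is that the undo plan is generated from the pre-change snapshot, not by "reverse-translating" the new addresses, so it still restores the original state if the forward run stopped halfway or someone hand-edited a host in between. Keep the undo JSON with the change record; publishing it through the same session wrapper is the back-out, and `discard` on error means a failed forward run leaves nothing published.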
Yup, an easy task to do, but change management will not be fond of it... A DB backup means you're guaranteed to be going back to the same level of config.
junior ra wrote:
What would happen if I take a system backup and restore it if I need to back out? I have a change I need to make that modifies 1000 policies and 1000 objects. What is the best approach to back out? I need a way to restore the 1000 policies and 1000 objects if we need to back out. This is for an ISP change, so I need to modify all the automatic NATs. I know I can go to install history and restore, but I need to be able to also restore the MGMT configuration. I have no concerns about wiping others' changes as there will be a freeze during this period. I do not want to do a snapshot; it consumes too much disk. In R77.30 I would have just done a DB backup.
There is also the option to use Backup and Restore from the Gaia web UI.
You are referring to System Backup (and System Restore), correct? This should contain objects, right?
It contains everything, yes.
Hello Tomer,
An attempt to install a specific revision from a deleted policy is not supported on R80.10 take 169. Besides restoring from mds_backup, is there any quick way to restore a deleted policy package?