Solved: Re: Recover policy after management crash

JorgenSpange · ‎2021-12-08

Hi,

I have an issue where the physical appliance that ran our check point management crashed spectacularly. Of course the backup has never been tested and seems to be corrupt.

We've managed to restore the objects, but are not able to restore the policy. We have recovered the rulebases_5_0.fws file, but not anything else from the management itself.

My question is - the security gateways are still up and running, is there in some way possible to recover the installed policy on a gateway or exctract it in a readable format so that we could've reconstructed it manually.
The gateways are running r77.30.

Thanks!

Br

G_W_Albrecht · ‎2021-12-09

There is a way with versions up to R77.xx - unsupported procedure attached 😎

CCSE CCTE SMB Specialist

View solution in original post

Ruan_Kotze · ‎2021-12-09

Not that I know of unfortunately. You can try running the rulebases_5_0.fws through something like Nipper to get a policy printout.

Just a thought - if you have access to the filesystem are there perhaps backups under /var/log/CPbackup/backups/

I've also had success moving hard drives between appliances.

G_W_Albrecht · ‎2021-12-09

There is a way with versions up to R77.xx - unsupported procedure attached 😎

CCSE CCTE SMB Specialist

G_W_Albrecht · ‎2021-12-09

See also View rulebase when only CLI available

CCSE CCTE SMB Specialist

JorgenSpange · ‎2021-12-10

Thanks so much for your contribution! We've tried this now and got some progress, I will update you when I know the final result.

Bob_Zimmerman · ‎2021-12-15

Nice to see that SK still kicking around! It's probably the most enduring single piece of documentation I've written.

Just be aware the part about removing certificates can be pretty dangerous. More than once, someone left an extra close paren in place, and when they started the management again, it hosed the objects file. If you use this process, be absolutely sure you have extra copies of all the files, including some on at least one other machine.

G_W_Albrecht · ‎2021-12-15

Which SK was it ? I just have the procedure, file dated 2013...

CCSE CCTE SMB Specialist

Bob_Zimmerman · ‎2021-12-16

It's sk32508. I eventually got fast enough that I could get somebody an upgrade_export less than 30 minutes after getting those files from a dead management.

Of course, now everything is in a PostgreSQL database rather than text files. I left the TAC before R80 was even announced outside R&D, so I never figured out an equivalent process for it.

JorgenSpange · ‎2021-12-17

Hey,

I've tried the procedure, but the firewall blade is not coming up. I have different versions of the files, do you know which files that contain the firewall blade?

JorgenSpange · ‎2021-12-17

Got to open the firwall blade and the ruleset is empty. Any suggestions?

JorgenSpange · ‎2021-12-17

Just tested with some other files and seems like that worked. thanks so much!

the_rock · ‎2021-12-16

I was just about to send you same process @G_W_Albrecht attached. But yes, he is correct, definitely not supported, but your best bet.

Andy

Recover policy after management crash

"Azure Site Recovery Public Services" UO Fails

Security logs rule_action maning

Threat Prevention - IPS policy

Session Management - Multiple Sessions but only fo...

Is administrator login to manager via groups on ta...