When I got on the phone with support, our original restoration process used the upgrade tools method to export a CMA from a pre-oops copy of MDS, exported it off the copy MDS, then attempted to restore it to the live MDS.  

We did not have luck with this solution, but once we get our lab upgraded to R80.10 I'll give this process another shot to see if we have better luck with it there.

Thank you!

I should clarify, we need to separate out individual CMA's/domains in our backup and restore procedure, as that's how we're segmenting our customers from one another within MDS.  Currently there doesn't appear to be a supported process to do this in R80.10, and we really need either a viable supported method, or at least a supported workaround.

You should be able to use migrate_export / migrate_import as Danny Jung‌ mentioned.

If you want to move between versions (except from R80 to R80.10), then it's important you use the migrate_export tools from the target version, not the source version.

If this isn't working for you, then we need a bit more details about what happens when you try and import the CMA into another MDS (e.g. to test recovery).

Is this verified for backing up and recovering strictly R80.10 domains inside of R80.10 MDS?  

I'm hoping for a yes, but in my specific instance we were not able to use the migrate_import/export tools successfully to recover an R80.10 domain, and restore it back into an R80.10 MDS.  

Off the top of my head, I don't remember exactly what all the issues I ran into were along the way, but if you say that process should work in R80.10 --> R80.10, I'll verify that the process works once our lab is upgraded to R80.10 before I report back with results. 

Thank you!

I've seen nothing to suggest this won't work.

My issue echo's what Dave Hoggan is running into in that thread, and the response he, and myself, have largely gotten is not one that I consider to be acceptable considering the caliber of the product we're working with.  There doesn't appear to be a good way to quickly and efficiently run a complete backup/restore of a single domain in the event of a catastrophic failure in R80.10, and my SE is now echoing these sentiments as well.  In terms of Checkpoint supported backup methods, it's either "mds_backup", and pull it all off, or nothing, restoration procedure is the same.  Everything or nothing.  If you question why better backup functionality doesn't exist, you'll get the "just don't break our product and you won't need those backups" response, which simply isn't acceptable.  We need to be able to recover from any unforeseen issue we may have, be it user induced or otherwise, and being able to efficiently schedule and take complete, separate domain level backups for both logging and policy/objects is a very basic part of that disaster recovery procedure. 

 The feature you're mentioning there is nice if you need to roll back a rule, but it is not a "disaster recovery" solution, as we found out first hand.  My solution of a Veeam snapshot did work, but it's not a supported method, and I suspect that I may have caused some serious issues in MDS as a result of slapping a copy of the MDS VM over top the existing live MDS VM, considering everything is now database driven. 

I've been told that "MDS_Backup" is the only real Checkpoint supported backup feature I can to implement to ensure our policy/logging backups are taking place, but for several reasons I don't like how this tool requires us to operate. 
In terms of functionality of the solution, my major issue with the MDS_Backup feature is that I'll effectively need to shut my entire MDS down to pull supported backups, and if you're including logs in that backup, it will take hours to backup a series of domains and logs.  Considering we require hourly diffs of all this data, this simply isn't an acceptable option, which is forcing us to move to an MLM so we can separate our logs from our policy. 

We currently need to have separate backup/restoration/retention plans for:

• Daily full backups for everything that would be required to recover from a disaster event at the MDS level.  
• Daily full backups, with hourly diffs for everything that would be required to recover from a disaster event at the domain level.
• Daily full backups, with hourly diffs on individual domain logs.
• The ability to restore a domain, or domain logs, without affecting any other domain in MDS. 

How would it look if we billed four hours of work for modifying policy for one customer, then had all that work reverted because we had to run an mds_backup and revert to the midnight backup due to issues with a completely different domain?  Not to mention that if we were to currently do that we would lose all the logging data from midnight to the point of the restore, unless of course we paid for an MLM, which at this point we are in the process of vetting out. 
During our very informative R80.10 training course this last week we learned that it is possible to export logs off MDS prior to a restore to prevent data loss, but it's at best a "hack it together" method to something that's important enough that it should be baked into the product. 

Apologies for the length of what has ultimately turned into a rant at this point, but progromatically exporting/importing every aspect of individual domains should be an easily schedulable feature, ideally through the GUI, exporting/importing logs for an individual domain should be a separate schedulable feature, exporting the entire shebang should be a third schedulable feature, again ideally all done through the GUI.  

In general, this is all stuff that surely can be improved.

We are looking at ways of doing that as well as better documenting the current options.

Definitely appreciate the feedback.

At this point, backup requirements as outlined in my post above are a standard part of our service SLA's, and as an ISP the caliber of customers we're looking to serve down the road are going to have a serious problem with our inability to effectively retain or restore data with this product, to the point where I have trouble calling this solution "multi-tenant".  This isn't exactly something we can beat around the bush on when we're talking to our highly sensitive clients.

Our clients will be (have been) asking questions about our disaster recovery options, and we will currently have to explain to our clients: 

• Why we can't easily provide customers with offsite backup copies of their data, or their logs.
• How we can't treat client domains as individuals when it comes to backing up and restoring their data.
• How we can't easily separate the backing up and restoring of logs and policy. 

Do we have an ETA, or some form of continued update thread on a fix for these issues?  The backup solution feels less than half baked, it seems at best like an afterthought.  We absolutely require a Checkpoint supported, baked in, granular backup solution we can depend on, and I would very much like to stay as up to date as I can on the fix. 

Comment on his long message.

Richard,

My name is Denis and I am a senior security system integrator based out of Israel.

You might want to take a look at BackBox (backbox.com), working with their solution I think you will be able to accomplish a lot of what you are looking to do automatically (except of course things that are still not supported by CheckPoint such as the single CMA recovery in R80.10).

Denis

No HA for MDS?

Eran Habad‌ hi - just wondering if there have been any news/updates on individual CMA backup and restore in R80.10? Thanks!

Had a session with Tomer Sole‌ earlier this week and can assure you this is in progress.

Pity. We really need it now. But ok, good to hear that it is coming!

Any progress on this front? Another threat poped-up asking for a single CMA backup and restore to SMS.

The new upgrade mechanism we're using for R80.20 upgrades will ultimately support it, as noted in the SK:

Security Management upgrade from/to Management Feature Release 

As for when exactly, it's planned for during 2019.

Hi Eran,

Is this feature Available yet? We are in version R80.40.

I dont see option on GAIA or Smartconsole for domain level back?

Thanks and Regards,

Venkatesh Patil

It’s been supported since the release of R80.40 and has been backported to R80.30 and R80.20 JHF.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...