This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
antsvett3
Participant
‎2025-12-04 02:18 PM

Standalone backups and appliance refresh

Hi All,

I have been tasked with refreshing appliances in a standalone environment with 1 firewall and another in an HA environment.

Everything I'm seeing is to get a snapshot, Gaia backup and perform migrate_server export on the current appliances and a migrate_server import on the new. The single environment is running R81.20 and the HA is running R81.10 which will be upgraded to R81.20.

With that said I was speaking with my customer and they seem to say the Gaia backup is sufficient to do this migration to the new appliances. He set this up originally.

I don't think this is correct and there may be some confusion. I have a meeting next week with my customer so I want to be sure I'm correct as I've never performed these tasks.

Any input is appreciated.

 

Thanks,

Anthony

 

 

 

0 Kudos
12 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-12-04 02:43 PM

Hey Anthony,

So, just to make sure there is no confusion, is it standalone as it gw+mgmt as one appliance or there is separate mgmt? If its distributed (separate mgmt), then you can absolutely do migrate_server export, then import into new server with desired version.

Its all documented below:

https://support.checkpoint.com/results/sk/sk135172

Now, when it comes to firewalls, backup will never work on a different hardware, as interfaces would never match, plus, Im sure version would not be the same. What I always do is this. Generate clish config, say from expert mode -> clish -c "show configuration" > /vaqr/log/hostname_config_date.txt, (just change the name) and would generate txt file with the clish config in /var/log

Then, you can use that file to copy bits and pieces to new fws, as long as interface name matches correctly.

After all that id done and verified, I always use below process, never had the issue.

Solved: Replace/Upgrade Cluster - Check Point CheckMates

Hope that helps!

Best,
Andy
"Have a great day and if its not, change it"
antsvett3
Participant
‎2025-12-04 02:49 PM
In response to the_rock

Hi Andy,

These are appliances running both Mgmt and firewall. I've done firewall migrations/upgrades but never when running Mgmt and firewall on the same box.

Thanks,

Anthony

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-04 02:53 PM
In response to antsvett3

O ok, then you can do migrate export as well, just follow the sk I mentioned, as its not version dependant. It would import all the objects, along with smart console services etc, so there would not be an issue. I had done this before in the lab, from R81.20 to R82.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
antsvett3
Participant
‎2025-12-04 02:56 PM
In response to the_rock

Thanks Andy. I'm trying to practice in my lab so we'll see how it goes.

the_rock
MVP Diamond
MVP Diamond
‎2025-12-04 02:58 PM
In response to antsvett3

Good idea! btw, if say export fails for whatever reason, just run -h flag to see all the options, but I always found one with --ignore_warnings would take care of it.

Best,
Andy
"Have a great day and if its not, change it"
the_rock
MVP Diamond
MVP Diamond
‎2025-12-04 04:37 PM
In response to antsvett3

Since I was doing some other lab, what I did was built R81.20 standalone and then followed migrate server to import to R82 standalone, worked like a charm.

Best,
Andy
"Have a great day and if its not, change it"
antsvett3
Participant
‎2025-12-04 04:45 PM
In response to the_rock

Awesome Andy!!

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-04 04:46 PM
In response to antsvett3

It only had 4 rules, but I just wanted to have something more than clean up rule, as that would prove it worked.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
antsvett3
Participant
‎2025-12-05 06:17 AM
In response to the_rock

Cool Andy, good to hear. I will continue testing!

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-05 06:22 AM
In response to antsvett3

I just did it last night, but had to delete it, so much space on eve-ng and Im the worst "suspect", since I try to do labs for whatever I can : - )

Anyway, point is, it did work!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2025-12-04 02:53 PM

Hi Anthony,

The Gaia back on a management server does do a database backup/migrate_server export but I would not recommend that for migrations. 

Always worth checking the Installation and Upgrade Guide. That is something you can share with your customer because it has procedures listed. 

The verify is important to do too. 

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...

 

 

 

antsvett3
Participant
‎2025-12-04 02:57 PM
In response to Don_Paterson

Hi Don,

Thanks for this. I've read all the documentation until i'm blue the face so its nice to get some others input.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events