
What is the best practice for backing up an R80.40 management server and MDS for disaster recovery?


Backup tools are for disaster recovery. And sometimes for cloning an environment in lab for replicating a problem.
When we run into a big issue on the Management Server and need to restore to a working environment, we need a fast and reliable restore process (like a restore from a VMware snapshot).

I have been working with Check Point products for 26 years and I have never seen a Check Point backup tool which has done a good job for this ...

For the current version (R80.40 with Management Server/MDS) see my notes for the existing tools:

- GAIA backup ---> includes mds_backup (see below). Backup file size is big. (IMHO) terrible way how CLI options and parameters were implemented (not intuitive and lack of functionality)

- GAIA snapshot ---> Size! (...), no simple way to forward it to another network storage.
                ---> has someone really used GAIA snapshots as a source for disaster recoveries? I do not know of anyone

- mds_backup ---> for recovery it depends on exact SW versions (including all (private) hotfixes)
             ---> mds_restore overrides Registry keys
             ---> do we need the binaries in a backup, when restore has the requirement of the exact same hotfix level? (..)

- migrate_server ---> new tool, but not usable for daily backups - Management server has to be stopped !!
                 ---> tool version changes (it updates itself automatically).
                 ---> Can we reliably restore from a backup file taken from an old build of migrate_server export?

- migrate_export ---> not supported anymore !(?)
                 ---> not usable for MDS !(?)  (I know, (on the ISO)  used it for MDS, too !)


My requirements:

- single command for Management Server and MDS

- backup tool should not stop cpm/fwm; administrators working 24hrs!

- (almost) independent of (jumbo)hotfix level.

- (simple) restore into an existing environment (should not require a clean/new install)
   (it should clean up the existing environment before)

- should be able to forward backup file to a server with SCP/SSH w/o (!) the use of a password (RSA public key!)

- import/restore should not take several hours.

- relatively small size (size like we see with migrate_server is ok)


"migrate export" was a flexible tool that brought some points closest to the functionality we need. But it was not intended for MDS, too.

Thanks for any comments on this.




8 Replies

MDS backup will never be small.. 🙂

I'm happy with Gaia backup/restore in general. It has improved a lot in R80.30 and 40.

But looking at your requirements, I would script it myself (most of your requirements can be addressed) or look at off-the-shelf products like BackBox

But I agree there's room for improvement


Did you look here already: Easy Backup Tool - (migrate export + all GAIA con... ?




It uses migrate_server, so all mentioned limitations apply ...


In general, for disaster recovery, it's a good idea to do...all of the above.
At the moment, doing an mds_backup and/or a migrate_server does require the stoppage of some processes.
migrate_server is not build sensitive, though you do have to specify the target version for restore when you perform the export.
migrate export (the old version of migrate_server) is basically deprecated in R81 and should only be used when migrating pre-R80.20 releases to R80.40 (the last version to support this).
Also, the backups migrate_server does are much smaller than the equivalent migrate export.


Good summary. I would like to see an additional point:

- Include audit logs. (without experimenting with mds_exclude.dat)




Is there anyone out there NOT running their SmartCenter/MDS on a VM? Enterprise hypervisor snapshot seems a reasonable starting point, even if it is not guaranteed in all scenarios. No issue running migrate export, we do this nightly (-n switch for non-interactive). Script it so it checks for database lock first, waiting (for some time) until the lock clears.

Haven't looked at MDS for a while but we used to do both a mds_backup and a migrate export within each domain.



0 Kudos
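An added example, not part of any post in this thread and not Check Point code: shell functions for the nightly job described in the reply above (wait for the lock, then export), combined with the original poster's requirement of password-less SCP with a public key. The lock-file check, `POLL_SECONDS`, the function names, and the caller-supplied export command (which receives the output file as its last argument) are assumptions.

```shell
#!/usr/bin/env bash
# Added example. The lock file, key path, remote target and export command
# are hypothetical and supplied by the caller; nothing here is Check Point tooling.

# wait_for_unlock LOCK_FILE TIMEOUT_SECONDS [POLL_SECONDS]
# Returns 0 once LOCK_FILE is gone, 1 if it is still present after the timeout.
wait_for_unlock() {
    local lock_file=$1 timeout=$2 poll=${3:-10} waited=0
    while [ -e "$lock_file" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep "$poll"
        waited=$((waited + poll))
    done
    return 0
}

# run_backup LOCK_FILE TIMEOUT_SECONDS OUT_FILE EXPORT_CMD [ARGS...]
# Runs EXPORT_CMD with OUT_FILE appended, then writes OUT_FILE.sha256 next to it.
# Return codes: 2 = lock never cleared, 3 = export failed, 4 = empty archive.
run_backup() {
    local lock_file=$1 timeout=$2 out_file=$3
    shift 3
    wait_for_unlock "$lock_file" "$timeout" "${POLL_SECONDS:-10}" \
        || { echo "lock still held, skipping backup" >&2; return 2; }
    "$@" "$out_file" || { echo "export command failed" >&2; return 3; }
    [ -s "$out_file" ] || { echo "export produced an empty file" >&2; return 4; }
    local name
    name=$(basename "$out_file")
    # Checksum uses the bare file name so it verifies after the copy as well.
    (cd "$(dirname "$out_file")" && sha256sum "$name" > "$name.sha256")
}

# push_backup OUT_FILE PRIVATE_KEY REMOTE   (REMOTE like user@host:/dir/)
# BatchMode=yes makes scp fail instead of prompting for a password, so an
# unattended cron run cannot hang on a broken key setup.
push_backup() {
    local out_file=$1 key=$2 remote=$3
    scp -q -i "$key" -o BatchMode=yes -o IdentitiesOnly=yes \
        "$out_file" "$out_file.sha256" "$remote"
}
```

On the receiving server, `sha256sum -c` against the copied `.sha256` file confirms the archive arrived intact before it is relied on for a restore.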

"Is there anyone out there NOT running their SmartCenter/MDS on a VM? Enterprise hypervisor snapshot seems a reasonable starting point"

All customers running their environment on Check Point Appliances for example 😉

0 Kudos

We are running MDS on bare metal servers. 

Our VM environment is too slow and we have to be independent from our VM environment.....