What is the best practice for backing up an R80.40 management server and MDS for disaster recovery?


Backup tools are for disaster recovery. And sometimes for cloning an environment in lab for replicating a problem.
When we run into a big issue on the Management server and need to restore to a working environment, we need a fast and reliable restore process (like a restore from a VMware snapshot).

I have been working with Check Point products for 26 years and I have never seen a Check Point backup tool which has done a good job for this ...

For the current version (R80.40 with Management Server/MDS) see my notes for the existing tools:

- GAIA backup  ---> includes mds_backup (see below). Backup file size is big. (IMHO) terrible way how CLI options and parameters were implemented (not intuitive and lack of functionality)

- GAIA snapshot ---> Size !(...), no simple way to forward it to another network storage.
                             ---> has anyone really used GAIA snapshots as a source for disaster recoveries? I do not know of anyone

- mds_backup   --->  for recovery it depends on exact SW versions (including all (private) hotfixes)
                             ---> mds_restore overrides Registry keys
                             ---> do we need the binaries in a backup, when restore has the requirement of the exact same hotfix level?(..)

- migrate_server ---> new tool, but not usable for daily backups - Management server has to be stopped!!
                               --->  tool version changes (it updates itself automatically).
                               --->  Can we reliably restore from a backup file taken from an old build of migrate_server export?

- migrate_export ---> not supported anymore !(?)
                               ---> not usable for MDS !(?)  (I know, (on the ISO)  used it for MDS, too !)


My requirements:

- single command for Management Server and MDS

- backup tool should not stop cpm/fwm; administrators working 24hrs!

- (almost) independent of (jumbo)hotfix level.

- (simple) restore into an existing environment (should not require a clean/new install)
   (it should clean up the existing environment before)

- should be able to forward backup file to a server with SCP/SSH w/o (!) the use of a password (RSA public key!)

- import/restore should not take several hours.

- relatively small size (size like we see with migrate_server is ok)


"migrate export" was a flexible tool that brought some points closest to the functionality we need. But it was not intended for MDS, too.

Thanks for any comments on this.




MDS backup will never be small.. 🙂

I'm happy with Gaia backup/restore in general. It has improved a lot in R80.30 and 40. 

But looking at your requirements, I would script it myself (most of your requirements can be addressed) or look at off-the-shelf products like BackBox.

But I agree there's room for improvement.


Did you look here already: Easy Backup Tool - (migrate export + all GAIA con... ?




It uses migrate_server, so all mentioned limitations apply ...


In general, for disaster recovery, it's a good idea to do...all of the above.
At the moment, doing an mds_backup and/or a migrate_server does require the stoppage of some processes.
migrate_server is not build sensitive, though you do have to specify the target version for restore when you perform the export.
migrate export (the old version of migrate_server) is basically deprecated in R81 and should only be used when migrating pre-R80.20 releases to R80.40 (the last version to support this).
Also, the backups migrate_server does are much smaller than the equivalent migrate export.


Good summary. I would like to see an additional point:

- Include audit logs. (without experimenting with mds_exclude.dat)




Is there anyone out there NOT running their SmartCenter/MDS on a VM? Enterprise hypervisor snapshot seems a reasonable starting point, even if it is not guaranteed in all scenarios. No issue running migrate export, we do this nightly (-n switch for non-interactive). Script it so it checks for database lock first, waiting (for some time) until the lock clears.

Haven't looked at MDS for a while but we used to do both an mds_backup and a migrate export within each domain.



"Is there anyone out there NOT running their SmartCenter/MDS on a VM? Enterprise hypervisor snapshot seems a reasonable starting point"

All customers running their environment on Check Point Appliances for example 😉

We are running MDS on bare metal servers. 

Our VM environment is too slow and we have to be independent from our VM environment.....