Easy Backup Tool

HeikoAnkenbrand
Champion

Easy Backup Tool

Features


This tool creates a backup of all GAIA gateway configurations with one CLI command "ebackup":

 


- Only one CLI command "ebackup"
- Backup of all Gaia gateway configurations (Check Point appliances, Open Server, SMB appliances 11xx, 14xx)
- Migrate export on SMS
- Migrate-server on MDS
- Backup all files to one TGZ file
- FTP upload support backup file
- CP upload support for backup file via cprid_util

- MDS   > All CMA's a

...
TO ACCESS CHECKMATES TOOLBOX it's simple and free

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.




99 Replies

R80
Explorer

This command will save all gaia configurations of all gateways. Do I understand this correctly?


HeikoAnkenbrand
Champion

Hi @R80 

That's right!

It reads all gateways (not SMB appliances) from the topology and saves their GAIA configurations in a tar archive.

PS:
Nice username @R80.



HulugL
Explorer

Wow, great tool  @HeikoAnkenbrand 


Paul_Gademsky
Employee

Heiko, another great script that you've created.

I've run it on several different systems to test, and have varying results.

On a SMS (R80.30) with 3 gateways (1 single and 2 clustered), it found the single, but did not find the cluster. Looked at the topo file and it only shows the single gateway. Have you tested it against a cluster?

On a SMS (R80.40) it found the local gateway and was successful, but Failed - checkpoint_cloud_security_1408377501  (not surprised at all at that fai

...


HeikoAnkenbrand
Champion

Hi @Paul_Gademsky,

It is not for a MDS only for SMS.

I tested it with R80.10, R80.20 and R80.30 and it works without problems.

Can you run the following command and see if the IP and the gateway are output:

   mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type | contains("Member","simple-gateway")) | ."ipv4-address",."name" ' |xargs -n 2 | grep -v null | grep -v 0.0.



ruggy
Participant

It works fine:

b1.JPG


Paul_Gademsky
Employee

Just re-ran the command provided on a R80.30 SMS with 1 single gateway and 1 cluster (HA made up of 2 5600's running R80.30).

I only get one result, and that's for the single gateway.

In digging into the object via GUIDBEDIT, the class is 'cluster_member' and type is 'cluster_member'.

I'm thinking that is what the issue is.

The single gateway comes up with a class of 'gateway_ckp' and a type of 'gateway'

Paul G.


HeikoAnkenbrand
Champion

Hi @Paul_Gademsky 

Thanks for the information.

I search in my script for the following in the type field:

- Member
- simple-gateway

Could you please execute the following CLI command.
It shows the following:   IP address,     gateway name,       type

I need the "type" field that is found at the gateway.

   mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type) | ."ipv4-address",."name",."type" ' 
...


HeikoAnkenbrand
Champion

Hi @Paul_Gademsky,

Several of our customers have tested this script over the last few days. None of them have this issue.

I have also looked at this with the oneliner described above.

There are the following types:

simple-gateway                     > Gateway Object
CpmiClusterMember            > Cluster Gateway Object
CpmiGatewayCluster            > Cluster Object
CpmiHostCkp                         > Management Server SMS or Log Server
CpmiSofawareGateway         > old SMB G

...


Paul_Gademsky
Employee

@HeikoAnkenbrand 

Ran the command per your request and got the following (R80.30 SMS)

[Expert@cp_mgmt:0]# mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type) | ."ipv4-address",."name",."type" ' | xargs -n 3
172.22.0.1 Gresham simple-gateway
172.30.0.2 cp_mgmt CpmiHostCkp
172.30.0.1 Park_FW_Cluster CpmiGatewayCluster
172.30.0.3 fw CpmiClusterMember
172.30.0.4 fw1b CpmiClusterMember

What I see for the cat /tmp/ebacku

...


Paul_Gademsky
Employee

@HeikoAnkenbrand 

After doing more testing, it looks like the "grep -v 0.0." in the string is what was causing the gateways to not show up.

So that problem is solved for me.

I was having an issue with only some of the gateways on a different SMS showing up in ebackup_topo (about 40 out of 73). I was able to remedy this by adding the following to the mgmt_cli: "offset 0 limit 500". I was then able to get all the gateways to show up.

I still have a few other questions on th

...


HeikoAnkenbrand
Champion

Hi @Paul_Gademsky 

First of all many thanks for the support.

I use the following syntax to parse the script into a file. If I do not use the / in front of a variable the value will be parsed into the script. 

cat <<EOT  > /usr/local/bin/ebackup
script
EOT

I have modified the line in the script a little bit. Can you try it again.

Regards
Heiko
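
The here-document behaviour mentioned in the post above, as an added example that is not part of the original post or of the ebackup script: with an unquoted delimiter, variables are expanded while the file is being written unless they are escaped, and quoting the delimiter defers all expansion to run time. The function names, the TARGET variable and the temporary paths are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: the here-document delimiter decides when variables expand.
# TARGET and all function names are hypothetical, not taken from ebackup.

# Unquoted delimiter: $TARGET is expanded while the file is written;
# \$TARGET is written as a literal $TARGET and expands when the script runs.
write_unquoted() {
    TARGET="value-at-install-time"
    cat <<EOT > "$1"
#!/bin/sh
echo "expanded now: $TARGET"
echo "expanded later: \$TARGET"
EOT
}

# Quoted delimiter: nothing is expanded while writing, no escaping needed.
write_quoted() {
    TARGET="value-at-install-time"
    cat <<'EOT' > "$1"
#!/bin/sh
echo "expanded later: $TARGET"
EOT
}

# Write both variants to a temporary directory and return their contents.
demo() {
    dir=$(mktemp -d)
    write_unquoted "$dir/a.sh"
    write_quoted "$dir/b.sh"
    cat "$dir/a.sh" "$dir/b.sh"
    rm -rf "$dir"
}

demo
```

Any value that is expanded at write time, including paths or credentials held in the installing shell's environment, ends up as plain text in the installed file.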

 


Paul_Gademsky
Employee

@HeikoAnkenbrand 

Tried the modified command and got the following:

[Expert@cp_mgmt:0]# mgmt_cli -r true show gateways-and-servers details-level full limit 500 offset 0 --format json | $CPDIR/jq/jq -r '.objects[] | select(.type) | ."ipv4-address",."name",."type" ' | xargs -n 3 | grep -E 'simple-gateway|Member' | grep -v '0\.0\.' | awk '{print $1 " " $2}'
172.22.0.1 Gresham

[Expert@ohs_cp_mgmt:0]# mgmt_cli -r true show gateways-and-servers details-level full limit 500 offset 0 --f

...


HeikoAnkenbrand
Champion

If I don't execute a "grep -v 0.0." all SMB appliances will be included and they can't use a cprid_util cli command.

I have tested this on many SMS today and none had the problem with grep -v "0.0.". I don't really understand why this is so.

---

In the next few days I will be able to modify it accordingly for a MDS and SMS. I could also add a parameter -migrate_server to distinguish between "migrate export" and "migrate_server".


Paul_Gademsky
Employee

@HeikoAnkenbrand 

The grep -v 0.0 is catching the IP address of the gateway and that's why it's having a problem -  172.30.0.1 is an example. If you specify which part of the results it greps, rather than all the data, it might work better.

On the SMS/MDS version, I've been working on that, and have everything but the export sorted out at this point.

I'm doing a R80 to R80.10 and an R80.20 and up fork to handle that, so don't spend too much time. I'll have it uploaded by Monday C

...


HeikoAnkenbrand
Champion

Hi @Paul_Gademsky ,

👍

I will add grep -v 0.0.0.

Many thanks for the support. Your effort was great.

Regards Heiko
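
The filtering problem worked out in the posts above, as an added example that is not code from the thread or from ebackup: a pattern applied to the whole row can match inside a valid address, while a comparison on the address column cannot. It assumes the three-column "ip name type" rows produced by the "xargs -n 3" command quoted earlier and that the rows to skip carry the address 0.0.0.0; the function names and the last two sample rows are constructed.

```shell
#!/bin/sh
# Added example: select gateways by column instead of grepping whole rows.

# Rows 1-5 are the output quoted in the thread; rows 6-7 are constructed.
sample_rows() {
cat <<'EOF'
172.22.0.1 Gresham simple-gateway
172.30.0.2 cp_mgmt CpmiHostCkp
172.30.0.1 Park_FW_Cluster CpmiGatewayCluster
172.30.0.3 fw CpmiClusterMember
172.30.0.4 fw1b CpmiClusterMember
0.0.0.0 branch_gw simple-gateway
10.0.0.5 dc_fw simple-gateway
EOF
}

# Whole-row filter as quoted in the thread: the exclusion pattern may match
# anywhere in the row, so "172.30.0.3" and "10.0.0.5" are dropped as well.
filter_whole_line() {
    grep -E 'simple-gateway|Member' | grep -v '0\.0\.' | awk '{print $1 " " $2}'
}

# Column-based filter: the type is tested on column 3 only, the address on
# column 1 only, and the address test is an exact string comparison.
filter_by_field() {
    awk '($3 == "simple-gateway" || $3 ~ /Member/) &&
         $1 != "0.0.0.0" && $1 != "null" { print $1 " " $2 }'
}

# Print the rows a backup run would act on.
sample_rows | filter_by_field
```

Comparing the line count of the filtered list against the number of gateway objects the management server reports is a cheap check that no gateway silently fell out of the backup set.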


Paul_Gademsky
Employee

@HeikoAnkenbrand 

So worked this some more over the weekend and have the resulting script attached (version 1.1?)

This works with all versions of R80 released so far.

In particular, I've tested on the following

R80.40 MDS  and SMS

R80.30 MDS and SMS

R80.20 MDS

R80.10  SMS

Several features of the new version attached

  Tests to see if SMS or MDS

  Gets management IP (and if more than one interface on a SMS removes the additionals so that only one IP is in table, ot

...


Paul_Gademsky
Employee

Testing in another MDS environment today, and it looks like the cprid_util has to be set to the mdsenv before it can run the command properly and get a response. Will work to figure out how to get this implemented. Thinking that the ebackup_topo can have a third field/column with the relevant CMA info that can be triggered before the call.  The interesting thing is that the Mgmt/HA, log servers and SE server work with no domain (as they should).

Paul G.


Paul_Gademsky
Employee

@HeikoAnkenbrand 

I've worked through the mds issues I was having and have finished a 1.4 version that additionally supports the MDS/CMA structure.  This includes finding the mds/ha, mlm servers and SmartEvent servers that are tied to a mds configuration and backs up their configuration.

It includes the changes for -port and -ftpserver as well (though I'll probably change that to sftp for my own usage)

I've run it on the following (the problem with the previous version I created

...


HeikoAnkenbrand
Champion

Hi @Paul_Gademsky,

First of all thanks for the support. I think it is good when users participate in projects and have good ideas.

In version 2.0 I have removed some bugs that may occur:

1) If an MDS or SMS does not contain gateways the table /tmp/ebackup_topo was filled with wrong values. This caused a grep error.

2) I have developed a few more parser issues.

3) I now check if the CMA's are up, otherwise wrong information is written to /tmp/ebackup_topo.

4) I also

...


Yury_Anoshyn
Participant

Hello, @HeikoAnkenbrand

What about capturing configs from VSX clusters & objects?


Paul_Gademsky
Employee

Interesting question, I haven't looked into the structure on the VSX.

What issues did you see when you ran the script against the systems?

Try the 1.4 that I just posted if you are running an mds as well.

Paul G.


Yury_Anoshyn
Participant

First of all, I apologize for the delay in answering 🙂

I have not run the script on the VSLS VSX yet, but I expect issues with a few points.

Point 1.

To capture the config from Gaia clish, "ebackup" uses the following cmd: clish -c "show configuration". But this will be correct only for a non-VSLS VSX GW, because in VSLS mode VS (virtual system) specific configuration is present in the configuration. In a VSLS GW there can be more than one VS object. As far as I know, the VS-specific part of the configuration is at least OSPF a

...

Yury_Anoshyn
Participant

It's me again 🙂

I found a script written by @Niels_van_Sluis here: Save virtual server configurations on a VSX member

This script captures not only the VSX with all VS Gaia configurations, but also additional important cfg files. In my opinion, the "ebackup" script and the script from @Niels_van_Sluis need to be combined into one.

 

 

 


Mstay
Participant

Hi Heiko

 

Is the script working from R81.10 JHF take 55? Since that take is not taking the show configuration's backup of the GWs attached to the SMS.

 

Regards


Nikolai_Borhart
Contributor

Hello Heiko

First of all, a big thank you for another great tool here for the Check Mate community.

So if I understood it correctly.

1. Download the script to the SMS.
2. Execute script.

And then you have the clish configuration backup of all gateways and SMS on the Management Server and also the migrate export/import backup.

Does the Check Point Migrate Tool need to have a specific version or does it have to be updated?
Because when migrating from R77.x to R80.x the migration tool

...


HeikoAnkenbrand
Champion

Hi @Nikolai_Borhart 

I use the default migrate tool from the path:
$FWDIR/bin/upgrade_tools/migrate


_Val_
Admin

Impressive


ute
Participant

Hi @HeikoAnkenbrand 

We have an environment with about 40 gateways. It saves us a lot of work to backup all GAIA settings.

The tool works fine here.

Maybe you can add a parameter to not execute the "migrate export". That would be great.

Thanks for this bash script.

Great work

 
