Saving Checkpoint Firewall Config

[southside]

Hi All,

Can anyone tell me the best way to save the config of the Firewall 1 so I can re-install the ruleset config without having to manually type it all in again for a disaster recovery process.

Is it a case of saving the relevant .pf and .W file or are there more that should be saved.

 

[ChrisAC]

Run, $FWDIR/bin/upgrade_tools/upgrade_export. This will dump everything to a single file that can then be imported using upgrade_import.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[southside]

I can't find this in the bin folder. There is no Upgrade_Tools folder. I'm dealing with a Win2K machine, apologies but forgot to mention. Is it still achieved this way or is there another way??

 

[ChrisAC]

What version of firewall-1 are you runnng?

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[southside]

Its Checkpoint Firewall-1 NG.

I think its feature pack 1. I'm going to be updating this as I think it's never been patched since its been installed. I'm finding this the perils of taking over the security in our company. First the pix's, now this, then the switches and so on.

Thanks for your help.

 

[ChrisAC]

Well, you can manually backup all the files but the export utility keeps it all neat and tidy. Having said that when we used to run Firewall-1 on Windows boxes we would always just take a ghost image of the entire disk so that if an upgrade went belly up we could just ghost the image back on. If I were you I would get that sucker upgraded to NG AI R55.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[wirelesspeap]

Southside,

I am not a checkpoint expert on windows platform so I can't help you much on this.

I would definitely look at either Nokia appliance or Secureplatform. You will find that the backup/restore configuration on these plaftform is a very easy process.
It is even easier if you are running checkpoint in a distributed model. With nokia, you just need to save the /config/active configuration file. With Secureplatform, you just need to save the /etc/sysconfig/cpnetstart file.

I would go one step further, go with NG AI R55w.

 

[southside]

Thanks, we were looking at Nokia boxes so I'll have to chase that up to see what the outcome it (its a Managerial Red-Tape issue - Insecurity seems to out-weigh Security Issues (If there was a section of Security Nightmares you could have a few laughs on my inputs)).

Although I'm going to start looking at this - With the NG AI R55w, is that a stright upgrade on the current Firewall-1 NG FP1 or am I looking at a completely new re-configuration. I ask as I'm looking at a trans-atlantic network with firewalls either side of the pond.

 

[wirelesspeap]

Southside,

you will have to do the following:

Step 1: Upgrade the NG FP1 box to NG AI R55,
Step 2: Once the box is upgraded to NG AI R55, upgrade it
again to NG AI R55w,

The license for NG is the same as NG AI R55 or R55w for that matter.

The step is very straight forward. It would be much simpler if you run the Enforcement Module and the Management Server on different device. As I've said before, I am NOT a windows expert so my advice may not help you much. With Nokia, when managing remote firewalls, I normally dial into a external remote modem that is attached to the console port of the Nokia so in case something happens, I can reboot the device. I am not sure you can do that on a windows box if the upgrade go bad.

 

[ChrisAC]

If you upgrade the Windows box to R55 and then R55W you will then have the upgrade_export and upgrade_import utilities available. You can then export the config from the Windows box, install FW-1 on either a Nokia or SPAT box and then transfer your exported file across to the new box and run upgrade_import. This will port all your objects and security rules to the new box.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************