Archive for the ‘Checkpoint’ Category

CCSA/E Study Notes – Advanced Upgrading

August 26, 2012

Checkpoint provides three methods for backing up and restoring the operating system and networking parameters.

  • Snapshot and Revert – Snapshots can only be performed on Splat and back up everything, including the OS drivers; they can be used to back up both gateways and management servers. Snapshot files are usually very large and can only be restored to devices with the EXACT same OS, Checkpoint/Splat version and patch level. The command used to perform a snapshot is snapshot and it must be run from expert mode. By default the snapshot file is stored in the /var/CPsnapshot/snapshots directory. To perform a restore, issue the revert command from expert mode.
  • Backup and Restore – The Backup utility is only available on Splat and backs up your firewall configuration as well as networking parameters such as routing. The file size is usually smaller than that of a snapshot because it doesn't contain any drivers. It can be used to restore to a machine with the same OS, Checkpoint version and patch level. Backups are performed using the backup command; the default location is /var/CPbackup/backups. On UTM-1 and Power-1 appliances the default location is /var/log/CPbackup/backups. Restoring is done by issuing the restore command from expert mode. Backups are generally performed via the WebUI; however, restores must be done via the CLI.
  • Upgrade_export/Export – The upgrade tools back up all configuration independent of hardware, OS and Checkpoint version. The migrate utility is used for upgrades/migration of database information and can't be used when downgrading to an earlier version of Checkpoint. File size usually depends on the size of your policy. This can usually be done on a live system provided that the CPU isn't overloaded. It can be run on Splat, Linux and Windows. The upgrade tools on R75 can be found at $FWDIR/bin/upgrade_tools.

Saving Interface and Routing Information

  • Windows: netstat -rn > routes.txt – saves route information to a text file.
  • Windows: ipconfig /all > ipconfig.txt – saves interface information to a text file.
  • Splat: ifconfig > ifconfig.txt – saves interface information to a text file.
  • Splat: cp /etc/sysconfig/network.C <location> – copies the file containing route information to the location specified.

Performing Upgrades

Always upgrade the Security Management Server first before the Gateways.

Migration steps for SMS

  1. Prepare the source machine for export by performing a migrate export, which creates a backup of all configurations. Once this is completed, export the file using SCP on Splat or by copying it from its directory on Windows.
  2. Perform a clean install on the new server.
  3. Import the database on the new server using the migrate import command.
  4. Test to make sure everything works before putting into production.
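As an added example (not part of the original notes), the following expert-mode shell helpers tie the two procedures above together: save_netinfo captures the interface and routing state described under Saving Interface and Routing Information into a directory and writes an md5 manifest; verify_dir checks that directory after it has been copied off the box; and check_export verifies that a migrate export archive moved by SCP in step 1 of the migration is still a readable gzip tarball whose md5 matches the value recorded on the source machine. The function names, the fallback to ip(8) where ifconfig is absent, and the md5 manifest are my additions; /etc/sysconfig/network.C is the path the notes name and is copied only if it exists.

```shell
#!/bin/bash
# Added example, not from the original notes: pre-upgrade helpers for a
# SecurePlatform box, run from expert mode.
#   save_netinfo DIR            capture interface/routing state + md5 manifest
#   verify_dir DIR              re-check the manifest after the copy off the box
#   file_md5 FILE               md5 to record on the source before the SCP
#   check_export ARCHIVE MD5    validate the copied migrate export archive
# Assumptions: /etc/sysconfig/network.C is the file the notes name and is
# copied only if present; the archive path and md5 are supplied by the caller.

save_netinfo() {
    dest="$1"
    mkdir -p "$dest" || return 1

    # Interface state: ifconfig as in the notes, ip(8) where ifconfig is absent.
    if command -v ifconfig >/dev/null 2>&1; then
        ifconfig > "$dest/ifconfig.txt" 2>&1 || true
    else
        ip addr > "$dest/ifconfig.txt" 2>&1 || true
    fi

    # Routing table, numeric (-n) so a slow DNS lookup cannot stall the capture.
    if command -v netstat >/dev/null 2>&1; then
        netstat -rn > "$dest/routes.txt" 2>&1 || true
    else
        ip route > "$dest/routes.txt" 2>&1 || true
    fi

    # The SPLAT network configuration file named in the notes.
    if [ -f /etc/sysconfig/network.C ]; then
        cp /etc/sysconfig/network.C "$dest/" || return 1
    fi

    # One md5 line per captured file. MANIFEST itself is skipped because the
    # redirection creates it before the glob expands.
    ( cd "$dest" && for f in *; do
          [ "$f" = MANIFEST ] || md5sum "$f"
      done > MANIFEST )
}

# Exit 0 only if every file in DIR still matches its manifest entry.
verify_dir() {
    ( cd "$1" && md5sum -c --quiet MANIFEST >/dev/null 2>&1 )
}

# md5 of one file, to be noted on the source machine before the SCP.
file_md5() {
    md5sum < "$1" | cut -d' ' -f1
}

# Exit 0 only if ARCHIVE is a non-empty, listable gzip tarball whose md5
# equals the value recorded on the source (a truncated SCP fails both checks).
check_export() {
    archive="$1"; expected="$2"
    [ -s "$archive" ] || return 1
    tar -tzf "$archive" >/dev/null 2>&1 || return 1
    [ "$(file_md5 "$archive")" = "$expected" ]
}
```

Typical use on the source: save_netinfo /var/tmp/pre-upgrade, record file_md5 of the export archive, copy both off the box, then run verify_dir and check_export on the destination before the clean install begins.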

CCSA Home Lab

March 20, 2012

As most of you may already know by now, I recently relocated to the beautiful island of Bermuda and started a new gig. Part of my job role will be to deploy and support Checkpoint firewalls, which means I need to get up to speed on how these firewalls work pretty quickly. Given this, I figured it would be a good idea to blog about my experiences with these devices as a way to both understand and store my thoughts for future reference.

Building a home lab for my studies turned out to be a whole lot easier than I had first anticipated. Everything I needed to study for the exams and also practice deploying the devices could be virtualized. Below you can find my home lab blueprint.

  • Lenovo ThinkPad with 8GB of RAM and lots of disk space.
  • VMware Workstation 7
  • Two Windows Server 2003 VMs
  • One Windows 7 (host install on my laptop)
  • Two Security Gateways
  • One Security Management Server
  • Checkpoint SecurePlatform R75.20

One of the 2K3 VMs was configured with the RRAS role to act as a router, while the other was used just as a general client sitting behind the firewall. Any client OS such as Windows XP/Vista/7 can work, but I was too lazy to install another OS, so I copied the Server 2K3 VM 🙂 . I also used my Windows 7 host OS as a client sitting behind one of the gateways; this way I was able to do ping tests to the remote site when testing my VPN configurations.

As you can see, it’s a very basic setup, but should allow me to test most of the stuff relevant to the exams.