Gaia: Backup and Restore From CLI (Clish)

Gaia: Backup and Restore From CLI (Clish)

This article provides a quick tutorial on how to make a Gaia: backup and restore from the CLI (Clish shell) in Gaia. Depending which version of Gaia you are using, you may or may not have the option to perform a backup or restore from the Web GUI under the “Maintenance” section or you may only have SSH access – having the skill to do this from the command line is important either way.

For the methods below the following apply:

  • x.x.x.x should be replaced by the IP of the server
  • myuser should be replaced by a valid username for the server.
  • mybackupfile.tgz should be replaced by the name of your backup file
  • You will be prompted for the password on the command line if you are using FTP or SCP

Backup

The add backup command is what we use to initiate a backup from the CLI. We also need to pass a parameter to define where the backup is to be saved: local, FTP, TFTP or SCP:

  • To save a backup locally:
    • add backup local
  • To save a backup on a remote server using FTP:
    • add backup ftp ip x.x.x.x username myuser password plain
  • To save a backup on a remote server using TFTP:
    • add backup tftp ip x.x.x.x
  • To save a backup on a remote server using SCP:
    • add backup scp ip x.x.x.x username myuser password plain
add backup local
add backup local

Note:

 

  • You can use the show backups command to see the status of any current and completed backups.
  • Backup configurations on Check Point appliances are stored in /var/log/CPbackup/backups/
  • Backup configurations on Open Servers are stored in /var/CPbackup/backups/

 

Restore

To restore a backup we use the set backup restore command and as with the backup, we pass the relevant parameters:

  • To restore a local backup:
    • set backup restore local <TAB>
  • To restore a backup from a remote server using FTP:
    • set backup restore ftp ip x.x.x.x file mybackupfile.tgz username myuser password plain
  • To restore a backup from a remote server using TFTP:
    • set backup restore tftp ip x.x.x.x file mybackupfile.tgz
  • To restore a backup from a remote server using SCP:
    • set backup restore scp ip x.x.x.x username myuser password plain

Remember!

  • Restore is only allowed using the same Gaia version on the source and target computers.
  • Restore is only allowed using the same appliance type on the source and target computers.
  • The backup file name generated by the backup command should not be renamed and must not contain spaces.
  • When backing to an SCP or FTP server, the backup file is put in the user’s home folder. When restoring from SCP or FTP the backup file is taken from the user’s home folder.
  • This is not applicable to VSX – to backup and restore VSX, see sk100395 for details.

Checkpoint: Find The Serial Number of IP Appliances Via CLI

Find The Serial Number of IP Appliances Via CLI

Sometimes it is necessary to find the serial number of IP appliances but you either don’t have physical access to the machine or someone has removed the sticker from the side or bottom. This article lists methods to retrieve the serial via the command line interface (CLI).

1. If you are physically next to the device, look for a label on the physical box.

2. If you are remotely accessing the firewall, log into Voyager, then look for “Unit SN” under the “Basic IPSO Information” section of the homepage.

3. On the CLI (either SSH or console), run the following IPSO command:

ipso[admin]# ipsctl hw:eeprom:serial_number

hw:eeprom:serial_number = 7Hxxxxxxxx4

OR

ipso[admin]# ipsctl -a | grep serial

ipso[admin]# ipsctl -a | grep "serial"
hw:eeprom:motherboard:serial_number = 94072202114
hw:eeprom:cpci_1:serial_number = 94072301073
hw:eeprom:cpci_2:serial_number = 94072301093
hw:eeprom:power_a:serial_number = SH52618
hw:eeprom:power_b:serial_number = SH52471
hw:eeprom:wx_3:serial_number = 94072202755
hw:eeprom:viper_4:serial_number = 94072300835
hw:eeprom:wx_1_1:serial_number = 94073601141
hw:eeprom:serial_number = 7Hxxxxxxxx4
hw:motherboard:serialnumber = 0
hw:chassis:serialnumber = 7Hxxxxxxxx4

This will give you all serial numbers related to different parts – the chassis is the last in the list and it is this serial number which is most commonly used.

4. In the clish shell (enter “clish” on the command line):

NokiaIP1260:102> show asset hardware
Chassis Serial Number: 7Hxxxxxxxx4
CPU Model: Pentium 4/XEON
CPU MFR: GenuineIntel
CPU Frequency: 2794587100
Memory: 1073741824
Disk 0 Model: STI Flash 8.0.0
Disk 0 Capacity: 128MB
Disk 1 Model: FUJITSU MHV2040AS
Disk 1 Capacity: 40007MB
Platform: IP1260
Bios Vendor: Hilo BIOS
Bios Version: 5.0-1.5
Bios Date: 10-19-2004
Motherboard Serial Number: 0
Motherboard Revision: B01
Motherboard Model: HILO-RCC1

5. For Nokia IP VPN devices:

hostname> show fru

MAIN (MOTHERBOARD) EEPROM FRU INFO:
-----------------------------------
Product Name: 10i
EEPROM info format rev num: 6
Number of slots: 0
MAC address count: 3
Base MAC address: 00:A0:8E:XX:XX:XX
System serial number: 7HXXXXXXXXX
System Agile part number: N806189001
System Agile H/W rev: C
Onboard MAC count: 3
System PCA Agile P/N base: 6187
System PCA Agile P/N suffix: 1

6. For former Nokia IPS platforms, please run the following command:

ip390ips ~ # cat /proc/nokia/nvram/serial_num

7. For UTM-1 EDGE devices, you can also use run the command:

EDGE:XX> show asset hardware

Checkpoint: Change the Default Shell for “admin” in Gaia and SecurePlatform

This article details how to change the default shell for both Gaia and SecurePlatform (SPlat) systems.

SecurePlatform

In SecurePlatform, all we need to do is log in to expert mode and use the change shell command – chsh:

myfirewall > expert
Enter expert password:

myfirewall # chsh -s /bin/bash admin<

Shell changed.

This permanently changes the shell and will survive a reboot.

Gaia

The above will also work in Gaia but will not survive a reboot – the shell will default back to clish. Doing a “cat” on /etc/shells in expert mode will show you what is available:

myfirewall> expert
Enter expert password:

Warning! All configuration should be done through clish
You are in expert mode now.

[Expert@myfirewall:0]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/scponly
/bin/tcsh
/bin/csh
/etc/cli.sh
[Expert@myfirewall:0]#

To effect the change we use the “set user” command, in this example we will set it to the bash shell:

myfirewall> set user admin <tab to show options:>
force-password-change - Force the user to change their password
gid - User's group ID
homedir - User's home directory
info - DEPRECATED synonym for 'realname'
lock-out - Unlock a locked out user
newpass - User's new password
password - User's password
password-hash - User's password hash
realname - User's real name or other informative label
shell - User's login shell
uid - User's numeric user ID
myfirewall> set user admin shell /bin/bash
myfirewall> save config
myfirewall>

 

** Don’t forget the “save config” at the end!! **