How To Repair A Corrupt Smartcenter Installation

This article details how to repair a corrupt smartcenter step-by-step. This process is valid for both Windows and *nix-based installations and platform-specific instructions are pointed out where necessary.

In fact, the word “repair” is somewhat misleading, as what we really do is create a new smartcenter and use configuration files from the old install to effectively make a clone – all certificates, ICA, VPN etc. will remain as they were, so no re-SIC will be required with the gateway modules once you are up and running.

There are two ways to restore – minimal and complete. “Minimal” will make sure that all objects, rules, certificates and the user database are restored, which is all that is needed a lot of the time. If, however, you would like to do a “complete” restore, including licensing and database versions, the files required for that are listed as well.

In addition, at the end of the article are two simple commands which can be used to gather up all of the files and place them in an archive for easy retrieval!

Minimal Restore Requirements

Objects and Rulebase

The following files are required to restore a smartcenter’s rulebase, objects and user database. The first two files are absolutely necessary and there is no point proceeding without them; fwauth.NDB is required to restore the user database:

  • $FWDIR/conf/objects_5_0.C
  • $FWDIR/conf/rulebases_5_0.fws
  • $FWDIR/conf/slprulebases_5_0.fws
  • $FWDIR/conf/fgrules.fws
  • $FWDIR/conf/fwauth.NDB

Notes:

  1. Check Point stores all the rulebases in one file, called ‘rulebases_5_0.fws’. This is the only rulebase file needed.
  2. Check Point stores the desktop security rulebase in a database file called ‘slprulebases_5_0.fws’ (Secure LAN Policy).
  3. Check Point stores all the objects, services, etc in one database file called ‘objects_5_0.C’.
  4. Check Point users are stored in the file ‘fwauth.NDB’.
  5. On Windows machines, %FWDIR%\conf\fwauth.NDB is only a pointer to the real user database file, for example %FWDIR%\conf\fwauth.NDB522. In this case, rename the real database file %FWDIR%\conf\fwauth.NDB522 to %FWDIR%\conf\fwauth.NDB.

Internal Certificate Authority Files

The ICA is what all other certificates are based on – SIC, VPN etc. Restoring these files is necessary to avoid having to re-set up certificate-based VPNs and remote-worker certificates and to re-establish SIC with all managed gateways.

  • $FWDIR/conf/InternalCA.*
  • $FWDIR/conf/ICA*.*
  • $CPDIR/conf/sic_cert.p12
  • $FWDIR/conf/crls/*

Registry Data – SecurePlatform & Gaia

/opt/CPshared/registry/HKLM_registry.data

– copy everything under ‘SIC’

Registry Data – Windows OS

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\SIC

(export this key and then import it on the target machine)

Full Restore Requirements

The following represents the complete set of files essential for a database restore:

  • $CPDIR/conf/cp.license
  • $CPDIR/conf/sic_cert.p12
  • $CPDIR/database/*.C
  • $CPDIR/registry/*
  • $FWDIR/conf/lists/*
  • $FWDIR/conf/*.fws
  • $FWDIR/conf/*.conf (except for ‘components_reg.conf’, ‘fwrl.conf’, ‘cpmad_rulebase.conf’)
  • $FWDIR/conf/masters
  • $FWDIR/conf/fwmusers
  • $FWDIR/conf/gui-clients
  • $FWDIR/conf/*.C (except for ‘mv_doc.C’, ‘classes.C’, ‘scheme.C’, ‘fields.C’, ‘tables.C’, ‘rtmclasses.C’, ‘default_objects.C’)
  • $FWDIR/conf/db_versions/Database/versioning_db.fws
  • $FWDIR/conf/vpe/*
  • $FWDIR/conf/XML/*
  • $FWDIR/conf/cpsc/*
  • $FWDIR/conf/I*
  • $FWDIR/conf/crls/*
  • $FWDIR/conf/db_versions/repository/*
  • $FWDIR/conf/fwauth.NDB
  • $FWDIR/conf/DiapCpdList.NDB
  • $FWDIR/conf/DiapFwmList.NDB
  • $FWDIR/conf/DAIP_RS_Database.NDB
  • $FWDIR/conf/robo-gateways.NDB
  • $FWDIR/conf/robo-control.NDB
  • $FWDIR/conf/robo-ike.NDB

Note: If logs are required then the contents of $FWDIR/log/ should also be included (note that $FWDIR/log/ is a symbolic link to another partition on the hard disk and files should be retrieved from there).

Restore Process

  1. Back up the files noted herein, offloading to a secure location.
  2. Install the same version and feature set onto the replacement Security Management Server, ensuring that the same hostname and leading IP address are used.
  3. Perform the installation as though this was a clean (new) Security Management Server installation.
  4. If the new Security Management Server is rebooted at the conclusion of the installation, run ‘cpstop’ before restoring the files.
  5. Copy the backups from Step 1 to the fresh installation.
  6. Extract the backups to their appropriate locations.
  7. Before executing ‘cpstart’, delete $FWDIR/conf/applications.C and $FWDIR/conf/CPMILink*.

Automate File Retrieval

Use the commands below to automate retrieval of the files specified above. The files will be bundled into two archives named backup1.tgz and backup2.tgz.

Note: This does assume that the Check Point path variables $CPDIR and $FWDIR are available:

[Expert@mgmt]# tar -czvf backup1.tgz $FWDIR/conf/objects_5_0.C $FWDIR/conf/gui-clients $FWDIR/conf/fwmusers $FWDIR/conf/rulebases_5_0.fws $FWDIR/conf/slprulebases_5_0.fws $FWDIR/conf/fgrules.fws $FWDIR/conf/fwauth.NDB $FWDIR/conf/InternalCA.* $FWDIR/conf/ICA*.* $CPDIR/conf/sic_cert.p12 $CPDIR/conf/cp.license $CPDIR/registry/HKLM_registry.data $FWDIR/conf/crls

[Expert@mgmt]# tar -czvf backup2.tgz $CPDIR/conf/cp.license $CPDIR/conf/sic_cert.p12 $CPDIR/database/*.C $CPDIR/registry $FWDIR/conf/lists/* $FWDIR/conf/*.fws $FWDIR/conf/*.conf $FWDIR/conf/fwmusers $FWDIR/conf/masters $FWDIR/conf/*.C $FWDIR/conf/db_versions/Database/versioning_db.fws $FWDIR/conf/gui-clients $FWDIR/conf/vpe/* $FWDIR/conf/XML/* $FWDIR/conf/cpsc/* $FWDIR/conf/I* $FWDIR/conf/crls/* $FWDIR/conf/*.NDB
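The one-liners above silently produce a partial archive if a file is absent. The following added shell example (not from the original article or from Check Point) bundles the minimal restore set, refuses to proceed when either mandatory file is missing, and records a SHA-256 digest so the archive can be verified before it is trusted for a restore. It assumes $FWDIR and $CPDIR are set, as noted above; the function names are ours.

```shell
#!/bin/sh
# Added example, not from the original article: bundle the minimal restore set,
# refuse to proceed when either of the two mandatory files is absent, and write
# a SHA-256 digest beside the archive so it can be checked before a restore.
# The archive holds the ICA and SIC private keys, hence the chmod 600.
# Assumes $FWDIR and $CPDIR are set, as the article notes; function names are ours.

MANDATORY="conf/objects_5_0.C conf/rulebases_5_0.fws"
OPTIONAL="conf/slprulebases_5_0.fws conf/fgrules.fws conf/fwauth.NDB"

# Print the SHA-256 of a file with whichever tool the platform provides.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else return 1; fi
}

# bundle_minimal ARCHIVE: 0 on success, 2 if a mandatory file is missing, 1 on error.
# Paths are collected into a plain word list, so $FWDIR and $CPDIR must not contain spaces.
bundle_minimal() {
    archive="$1"; list=""
    for f in $MANDATORY; do
        [ -f "$FWDIR/$f" ] || { echo "missing mandatory file: $FWDIR/$f" >&2; return 2; }
        list="$list $FWDIR/$f"
    done
    for f in $OPTIONAL; do
        if [ -f "$FWDIR/$f" ]; then list="$list $FWDIR/$f"; fi
    done
    # ICA material, SIC certificate and CRL directory; unmatched globs are skipped.
    for g in "$FWDIR"/conf/InternalCA.* "$FWDIR"/conf/ICA*.* "$CPDIR"/conf/sic_cert.p12 "$FWDIR"/conf/crls; do
        if [ -e "$g" ]; then list="$list $g"; fi
    done
    tar -czf "$archive" $list || return 1
    digest "$archive" > "$archive.sha256" || return 1
    chmod 600 "$archive" "$archive.sha256"
}

# verify_bundle ARCHIVE: 0 only if the digest still matches and objects_5_0.C is inside.
verify_bundle() {
    archive="$1"
    [ -s "$archive.sha256" ] || return 1
    [ "$(digest "$archive")" = "$(cat "$archive.sha256")" ] || return 1
    tar -tzf "$archive" | grep -q 'conf/objects_5_0\.C$'
}
```

Run verify_bundle against the copy on the replacement server before extracting it in Step 6 of the restore process.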

Gaia: Backup and Restore From CLI (Clish)

This article provides a quick tutorial on how to back up and restore Gaia from the CLI (Clish shell). Depending on which version of Gaia you are using, you may or may not have the option to perform a backup or restore from the Web GUI under the “Maintenance” section, or you may only have SSH access – having the skill to do this from the command line is important either way.

For the methods below the following apply:

  • x.x.x.x should be replaced by the IP of the server
  • myuser should be replaced by a valid username for the server.
  • mybackupfile.tgz should be replaced by the name of your backup file
  • You will be prompted for the password on the command line if you are using FTP or SCP

Backup

The add backup command is what we use to initiate a backup from the CLI. We also need to pass a parameter to define where the backup is to be saved: local, FTP, TFTP or SCP:

  • To save a backup locally:
    • add backup local
  • To save a backup on a remote server using FTP:
    • add backup ftp ip x.x.x.x username myuser password plain
  • To save a backup on a remote server using TFTP:
    • add backup tftp ip x.x.x.x
  • To save a backup on a remote server using SCP:
    • add backup scp ip x.x.x.x username myuser password plain

Note:

  • You can use the show backups command to see the status of any current and completed backups.
  • Backup configurations on Check Point appliances are stored in /var/log/CPbackup/backups/
  • Backup configurations on Open Servers are stored in /var/CPbackup/backups/

Restore

To restore a backup we use the set backup restore command and as with the backup, we pass the relevant parameters:

  • To restore a local backup:
    • set backup restore local <TAB>
  • To restore a backup from a remote server using FTP:
    • set backup restore ftp ip x.x.x.x file mybackupfile.tgz username myuser password plain
  • To restore a backup from a remote server using TFTP:
    • set backup restore tftp ip x.x.x.x file mybackupfile.tgz
  • To restore a backup from a remote server using SCP:
    • set backup restore scp ip x.x.x.x file mybackupfile.tgz username myuser password plain

Remember!

  • Restore is only allowed using the same Gaia version on the source and target computers.
  • Restore is only allowed using the same appliance type on the source and target computers.
  • The backup file name generated by the backup command should not be renamed and must not contain spaces.
  • When backing up to an SCP or FTP server, the backup file is put in the user’s home folder. When restoring from SCP or FTP, the backup file is taken from the user’s home folder.
  • This is not applicable to VSX – to backup and restore VSX, see sk100395 for details.

Checkpoint: Gaia Web User Interface Fails to Load

This article details how to solve one issue that may be stopping the Gaia web user interface from loading.

The login screen appears but after submitting your username and password, you get stuck on the spinning “flower of death”!

This can be down to a few different things, but #1 is disk space – if the disk is full then temp files cannot be created and the WebUI will not load.

A simple “df -h” will tell you what’s going on:

[Expert@fw2:0]# df -h
Filesystem                        Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current   11G  11G  0G  100% /
/dev/sda1                         145M   19M  118M  14% /boot
tmpfs                             980M     0  980M   0% /dev/shm
/dev/mapper/vg_splat-lv_log       11G  986M  9.2G  10% /var/log
[Expert@fw2:0]#

The root filesystem, /, at 100% use is the offender. Use “du -h” to find the directory which is taking up all the space – my issue was due to backups not being FTP’d off the machine from the “/var/CPbackup/backups/” folder. Once they were removed to free up disk space, everything was back to normal.
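As an added example (not from the original article), the following shell helpers turn that manual check into something you can run from Expert mode on a schedule: one parses df output and reports mount points at or above a usage threshold, the other lists archives in the backup folder older than a given number of days so they can be confirmed as already offloaded before anything is removed. The embedded df sample is the listing above; the function names are ours.

```shell
#!/bin/sh
# Added example, not part of the original article: spot the full filesystem from
# df output and list backups in the Gaia backup folder that are old enough to
# have been shipped off-box already. It reports only; nothing is deleted.
# The sample below is the article's own df listing, embedded so this runs offline.

DF_SAMPLE='Filesystem                        Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current   11G  11G  0G  100% /
/dev/sda1                         145M   19M  118M  14% /boot
tmpfs                             980M     0  980M   0% /dev/shm
/dev/mapper/vg_splat-lv_log       11G  986M  9.2G  10% /var/log'

# full_filesystems THRESHOLD: reads df output on stdin and prints the mount
# points whose Use% is at or above THRESHOLD. On a live box feed it `df -hP`
# so that long device-mapper names are never wrapped onto a second line.
full_filesystems() {
    awk -v t="$1" 'NR > 1 { pct = $5; sub(/%/, "", pct); if (pct + 0 >= t) print $6 }'
}

# stale_backups DIR DAYS: .tgz files in DIR not modified within the last DAYS
# days, i.e. the candidates the article found in /var/CPbackup/backups/.
stale_backups() {
    find "$1" -type f -name '*.tgz' -mtime +"$2" 2>/dev/null | sort
}

# Report for the embedded sample; on a live box use: df -hP | full_filesystems 90
printf '%s\n' "$DF_SAMPLE" | full_filesystems 90
```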