Checkpoint How To Documentation
HostName > save configuration <filename>
HostName > set clienv on-failure continue
HostName > load configuration <filename>
HostName > set clienv on-failure stop
HostName > save config
The snapshot creates a binary image of the entire root (lv_current) disk partition. This includes Check Point products, configuration, and operating system.
The log partition is not included in the snapshot. Therefore, any locally stored Firewall logs will not be saved.
System Backup can be used to back up the current system configuration. A backup creates a compressed file that contains the Check Point configuration, including the networking and operating system parameters such as routing and interface configuration. Unlike a snapshot, it does not include the operating system, product binaries, and hotfixes.
Question | Snapshot | Backup |
How much time does it take? | 30 - 60 minutes | 5 - 30 minutes |
Size of output file on Security Gateway | 5-100 GB | Depends on configuration |
Size of output file on Management Server | 5-100 GB | 5-100 GB |
Does it back up Gaia OS configuration? | Yes | Yes |
Does it back up Products configuration? | Yes | Yes |
Does it back up Hotfixes? | Yes | No (*) |
Does it back up Check Point logs? | No | No |
Does it support automatic scheduling? | No | Yes |
Can you restore from different version? | Yes | No |
Does it require to close SmartConsole GUI clients? | No | R7x - No; R80 - Yes |
Does it require to stop Check Point services? | No | No |
Does it require reboot? | No | No |
Useful command on your management server to determine if there are any issues going on
RSA SecurID Authentication
SDCONF.REC file is generated from the RSA Authentication Manager for the firewall MY-VPN-FW01, and it is placed in the /var/ace directory.
SDOPTS.REC is a text file that contains Client_IP=100.114.255.29 (this is the IP address of the firewall member). The file is created by the system admin.
SDSTATUS.12 – this file is generated by Checkpoint and it contains information such as token passing successfully to auth manager, it records
SECURID – this is the Secret Node Key that is exchanged between the Security Gateway and the RSA SecurID Server.
"Wrong username and password" error when authenticating via SecurID
The "securid" file (a Secret Node key that is exchanged between the Security Gateway and the RSA SecurID Server) is corrupted. See sk106582.
The sdopts.rec file will not be invoked
The sdopts.rec file was not being invoked by Firewall-1 because of the presence of the sdstatus.12 file, which is also in the /var/ace directory. The sdstatus.12 file takes precedence. Removing the sdstatus.12 file made the sdopts.rec take effect.
Any modification of these files will require a cpstop and cpstart on the active cluster member.
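The /var/ace checks described above, as an added example (a shell function written for this page, not Check Point or RSA tooling): it reports when sdstatus.12 is overriding sdopts.rec. The function name, the exit codes and the lowercase file names are assumptions.

```shell
#!/bin/sh
# Added example, not Check Point or RSA tooling. Lowercase file names under
# /var/ace are an assumption (the page writes SDCONF.REC in upper case).

# check_ace_dir [DIR]: print one finding per line.
# Returns 0 = consistent, 1 = sdopts.rec ignored or malformed, 2 = no sdconf.rec.
check_ace_dir() {
    dir=${1:-/var/ace}
    rc=0
    if [ ! -s "$dir/sdconf.rec" ]; then
        echo "MISSING sdconf.rec (generated in RSA Authentication Manager)"
        return 2
    fi
    if [ -f "$dir/sdopts.rec" ]; then
        # First Client_IP= line, matched case-insensitively; strip CR/space.
        ip=$(grep -i '^client_ip=' "$dir/sdopts.rec" | head -n 1 |
             cut -d= -f2 | tr -d ' \r')
        if [ -z "$ip" ]; then
            echo "BAD sdopts.rec has no Client_IP= line"
            rc=1
        else
            echo "OK sdopts.rec Client_IP=$ip"
        fi
        # sdstatus.12 takes precedence, so sdopts.rec is not invoked.
        if [ -f "$dir/sdstatus.12" ]; then
            echo "OVERRIDDEN sdstatus.12 present, sdopts.rec will not be invoked"
            rc=1
        fi
    fi
    # The node secret; a corrupted copy is the sk106582 symptom.
    [ -f "$dir/securid" ] || echo "NOTE no securid node secret file in $dir"
    return "$rc"
}

# Constructed demo: fake /var/ace in a temp dir, run with --demo.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'constructed' > "$d/sdconf.rec"
    printf 'Client_IP=100.114.255.29\n' > "$d/sdopts.rec"
    : > "$d/sdstatus.12"
    check_ace_dir "$d" || echo "exit code $?"
    rm -rf "$d"
fi
```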
Access -> Authentication Agent -> Generate Configuration File
RSA Authentication Manager (Auth Manager)
Authentication Manager has a WebUI, and it manages users, tokens and agents, and can produce reports and enforce policies like how many time. The Authentication Manager has a primary and a replica for redundancy. It is available in 2 options: software and appliance form factor. Its main purpose is to handle user authentication requests, and also system administration such as users, tokens, agents, reporting, policy and database backups.
To establish SIC between a new Checkpoint gateway and its Management Server
1. The gateway must have CPD running in E stat. To validate it, you can run cpwd_admin list. If it is in T stat, you will not be able to establish SIC.
[Expert@MY-VPN-FW01:0]# cpwd_admin list