RMA Mode

You can use the CDT RMA Mode to collect the information from the Security Gateway about the installed software and configuration.

You can use this information to reconfigure the replacement Security Gateway:

  • The backup information contains the installed version, the list of installed Hotfixes, some Check Point configuration files, and the Gaia configuration database.

  • To reconfigure the replacement Security Gateway, the administrator needs to provide the CPUSE package for Clean Install and the CPUSE packages of the Hotfixes.

Important:

Requirements for RMA backup and RMA restore to work correctly:

  • On the Security Gateway, to connect to the Management Server, you must use the interface configured as the Gaia Management Interface.

  • The communication between the Security Gateway and the Management Server must rely on the Security Gateway's default gateway and not on static routes.

For configuration instructions, see the Gaia Administration Guide for your version of the Security Gateway.

Warning - Do not edit the RMA configuration file RmaTool.xml installed by the CDT package.

Workflow

1. Connect to the command line on the Management Server you use to install software packages.

2. Log in to the Expert mode.

3. Install the CDT RPM package (if it is not already installed) from sk111158.

4. Edit the $CDTDIR/CentralDeploymentTool.xml file to change the settings.

   See CDT Primary Configuration File.

   • Add / configure the "Repository" element to specify the location of package files.

   • Add / configure the "<CPUSE>" element to specify the absolute path to the CPUSE RPM package.

   See Elements of the CDT Primary Configuration File.

5. Back up all applicable Security Gateways. Do one of these:

   • Collecting RMA Backup from the Specified Remote Security Gateways

   • Collecting RMA Backup Information from all Remote Security Gateways

6. When you restore a Security Gateway, do it on the applicable Security Gateway.

7. Make sure the Gaia Clish configuration was restored correctly on the applicable Security Gateway.

Collecting RMA Backup Information

  • The RMA Mode backup operation saves minimal information for these:

    • All Security Gateways in the Installation Candidates List File (see Installation Candidates List File)

      or

    • All connected Security Gateways, if you use the "-backupall" option

    The information saved:

    • Number and Builds of the installed Check Point version.

    • List of all installed Hotfixes.

    • Check Point and Linux configuration files:

      Table: Configuration files (File - Description)

      FTW_settings.conf - Configuration file for the Automatic First Time Configuration Wizard. The CLI command "config_system" also uses this file to run the automatic First Time Configuration Wizard (sk69701).

      machine_settings.conf - Output of the Gaia Clish command "save configuration".

      SIC_settings.conf - Configuration file to restore SIC settings in the Check Point Registry ($CPDIR/registry/HKLM_registry.data).

      exported_sic_cert.p12 - SIC certificate file.

      additional_settings.sh - Backup script (for example, to restore the cluster mode, SNMP extension, and other settings).

      various.tar - Contains these files (File - Contents of the File):

        $CPDIR/conf/cp.license - Installed Check Point licenses

        $FWDIR/boot/boot.conf - Specific Check Point boot parameters

        $FWDIR/conf/objects.C - Applicable objects configured in SmartDashboard or SmartConsole

        $FWDIR/conf/fwauth.NDB - Users configured in SmartConsole / SmartDashboard

        $FWDIR/boot/modules/fwkern.conf - Firewall kernel parameters and their values

        $PPKDIR/conf/simkern.conf (in R80.20 and above) or $PPKDIR/boot/modules/simkern.conf (in R80.10 and below) - SecureXL kernel parameters and their values

        $PPKDIR/conf/sim_aff.conf (in R80.20 and above) or $PPKDIR/boot/modules/sim_aff.conf (in R80.10 and below) - SecureXL Interface Affinity configuration

        $FWDIR/conf/fwaffinity.conf - CoreXL Interface Affinity configuration

        $FWDIR/conf/dispatcher_mode.conf - CoreXL Dynamic Dispatcher (sk105261) and Firewall Priority Queues (sk105762) internal settings

        $FWDIR/conf/dynamic_dispatcher_mode.conf - CoreXL Dynamic Dispatcher (sk105261) internal settings

        $FWDIR/boot/mq.conf - Multi-Queue settings

        /etc/snmp/userDefinedSettings.conf - User-defined SNMP settings (sk90860)

        /boot/grub/grub.conf - Linux GRUB configuration file

        /etc/rc.d/rc.local - Linux start-up script (the administrator can add the desired Linux commands to this script to run at boot)

  • CDT saves the RMA backup information on the Management Server in the repository path configured in the CDT configuration file.

    Each Security Gateway's backup is saved in a file whose name corresponds to the Security Gateway's object name in the management database.

    The size of the RMA backup file is approximately 200 KB for each backed up Security Gateway or Cluster Member.

    Because each backup file contains the Security Gateway's SIC certificate (exported_sic_cert.p12), its SIC settings, and its user database ($FWDIR/conf/fwauth.NDB), restrict access to the repository directory to the administrators who run the CDT.

  • Each time you change the settings of a Security Gateway (in SmartConsole, or in Gaia operating system), you must collect a new backup of that Security Gateway.

  • Optional: Add more files to the RMA Backup.

    1. Prepare a plain-text file with a list of full paths to the files you need to collect.

    2. Write the full path to each file on a separate line.

    3. Add this parameter to the syntax:

      -additional_files=<Path to and Name of File with List of Additional Files, including File Extension>

    Notes:

    • "<File with List of Additional Files>" is a plain-text file that contains absolute paths to the files you want to add to the RMA Backup.

    • All the files you specify must be located on all the Security Gateways and Cluster Members.

      If a specified file is not located on one of the remote targets, the RMA Backup fails on that target.

    • You cannot back up the /var/log/ directory.
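Because one bad entry fails the backup on that target, it is worth checking the list file before passing it to the CDT. The following POSIX shell functions are an added example written for this page, not part of the CDT package or its documentation: they apply the rules stated above (absolute path per line, nothing under /var/log/, file must exist) to a list file, and wrap the documented "-rma -backup" syntax. The function names, the variable names and the local existence check are my own assumptions; existence is only verified on the host where the script runs, so the check on every target still happens on the CDT side.

```shell
#!/bin/sh
# Added example, not CDT code: pre-flight check of the plain-text list that is
# passed with "-additional_files=" before an RMA backup.

# validate_additional_files_list <list-file>
# Prints one line per problem and returns 1 if any problem was found;
# returns 0 when every entry is an absolute path, exists on this host and
# is not under /var/log/ (the page states that directory cannot be backed up).
validate_additional_files_list() {
    list="$1"
    rc=0
    if [ ! -f "$list" ]; then
        echo "list file not found: $list"
        return 1
    fi
    # "|| [ -n ... ]" keeps a last line that has no trailing newline.
    while IFS= read -r entry || [ -n "$entry" ]; do
        # Drop a carriage return so a list edited on Windows still validates.
        entry=$(printf '%s' "$entry" | tr -d '\r')
        if [ -z "$entry" ]; then
            continue
        fi
        case "$entry" in
            /var/log/*|/var/log)
                echo "refused (the /var/log/ directory cannot be backed up): $entry"
                rc=1 ;;
            /*)
                if [ ! -f "$entry" ]; then
                    echo "missing on this host (the backup would fail on any target that lacks it): $entry"
                    rc=1
                fi ;;
            *)
                echo "not an absolute path: $entry"
                rc=1 ;;
        esac
    done < "$list"
    return $rc
}

# run_rma_backup <candidates.csv> <list-file>
# Runs the documented backup syntax only after the list passes validation.
# $CDTDIR is set in Expert mode on the Management Server (assumption: the
# CDT package is already installed there).
run_rma_backup() {
    validate_additional_files_list "$2" || return 1
    "$CDTDIR/CentralDeploymentTool" -rma -backup -candidates="$1" -additional_files="$2"
}
```

Run validate_additional_files_list on the list first; when it prints nothing and returns 0, run_rma_backup passes the same two paths to the CDT.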

Restoring RMA Backup Information

  • The RMA restore operation uses the RMA backup information to reconfigure a replaced Security Gateway.

  • Requirements for the RMA restore process:

    • The replacement Security Gateway appliance must be the same model as the replaced Security Gateway appliance.

    • The replacement Security Gateway must have the default username and password (admin/admin).

      If you changed the default username or password, restore Gaia OS to its factory defaults.

    • The replacement Security Gateway must have the same physical interface configuration as the replaced Security Gateway.

    • The replacement Security Gateway must have the same networking configuration (IP address, default gateway, and so on) as the replaced Security Gateway.

    • The replacement Security Gateway must not be configured with the Gaia First Time Configuration Wizard.

      If the First Time Configuration Wizard was already completed, you must restore Gaia OS to its factory defaults before you can run the RMA restore.

    • You must have all the required packages to install in the repository configured in the primary configuration file.

      That is, you must have the CPUSE package for Clean Install of the version and the CPUSE packages of all the Hotfixes that were installed on the replaced Security Gateway.

      To see the required packages and other backup information, run in the Expert mode:

      $CDTDIR/CentralDeploymentTool -rma -info -gateway=<Name of Security Gateway or Cluster Member Object>

    • If the CDT could not recognize the CPUSE package file name of the installed version, you must explicitly specify the name of the CPUSE package for Clean Install.

      See the syntax in Specifying a CPUSE Clean Install Package when you Restore the RMA Backup Information.

Note - License information is not restored on a Check Point appliance, because it depends on the appliance's MAC address.

Generating an Installation Candidates List File for RMA Backup

Run these commands in the Expert mode to generate an Installation Candidates List File (see Installation Candidates List File) for RMA Backup:

Security Management Server:

$CDTDIR/CentralDeploymentTool -rma -generate -candidates=<Path to and Desired Name of Installation Candidates List File>.csv [-additional_files=<Path to File with List of Additional Files, including File Extension>] [-filter=<Path to Filter File, including File Extension>] [-session=<Name of Management Session without Spaces>]

Multi-Domain Security Management Server:

mdsenv <IP Address or Name of Domain Management Server>

$CDTDIR/CentralDeploymentTool -rma -generate -candidates=<Path to and Desired Name of Installation Candidates List File>.csv [-additional_files=<Path to File with List of Additional Files, including File Extension>] [-filter=<Path to Filter File, including File Extension>] [-session=<Name of Management Session without Spaces>] -server=<IP Address or Name of Domain Management Server>

Notes:

  • The "-additional_files" parameter is optional.

    Use it to collect more files for the RMA Backup.

  • The "-filter" parameter is optional (available from CDT v1.9.5).

    Use it to exclude the specified Security Gateways and Cluster Members.

  • The "-session" parameter is optional (available from CDT v1.9.8).

    Use it to run several different CDT sessions at the same time (enter a desired session name - a text string without spaces).

Collecting RMA Backup from the Specified Remote Security Gateways

You specify the remote Security Gateways based on the Installation Candidates List File (see Installation Candidates List File).

Run these commands in the Expert mode:

Security Management Server:

$CDTDIR/CentralDeploymentTool -rma -backup -candidates=<Path to Installation Candidates List File>.csv [-additional_files=<Path to File with List of Additional Files, including File Extension>] [-filter=<Path to Filter File, including File Extension>] [-session=<Name of Management Session without Spaces>]

Multi-Domain Security Management Server:

mdsenv <IP Address or Name of Domain Management Server>

$CDTDIR/CentralDeploymentTool -rma -backup -candidates=<Path to Installation Candidates List File>.csv [-additional_files=<Path to File with List of Additional Files, including File Extension>] [-filter=<Path to Filter File, including File Extension>] [-session=<Name of Management Session without Spaces>] -server=<IP Address or Name of Domain Management Server>

Notes:

  • The "-additional_files" parameter is optional.

    Use it to collect more files for the RMA Backup.

  • The "-filter" parameter is optional (available from CDT v1.9.5).

    Use it to exclude the specified Security Gateways and Cluster Members.

  • The "-session" parameter is optional (available from CDT v1.9.8).

    Use it to run several different CDT sessions at the same time (enter a desired session name - a text string without spaces).

Collecting RMA Backup Information from all Remote Security Gateways

In this case, you do not need the Installation Candidates List File (see Installation Candidates List File).

Run these commands in the Expert mode:

Security Management Server:

$CDTDIR/CentralDeploymentTool -rma -backupall [-additional_files=<Path to File with List of Additional Files, including File Extension>] [-session=<Name of Management Session without Spaces>]

Multi-Domain Security Management Server:

mdsenv <IP Address or Name of Domain Management Server>

$CDTDIR/CentralDeploymentTool -rma -backupall [-additional_files=<Path to File with List of Additional Files, including File Extension>] [-session=<Name of Management Session without Spaces>] -server=<IP Address or Name of Domain Management Server>

Notes:

  • The "-additional_files" parameter is optional.

    Use it to collect more files for the RMA Backup.

  • The "-session" parameter is optional (available from CDT v1.9.8).

    Use it to run several different CDT sessions at the same time (enter a desired session name - a text string without spaces).

Showing the RMA Backup Information of a Specified Remote Security Gateway

Run these commands in the Expert mode:

Security Management Server:

$CDTDIR/CentralDeploymentTool -rma -info -gateway=<Name of Security Gateway or Cluster Member Object> [-session=<Name of Management Session without Spaces>]

Multi-Domain Security Management Server:

mdsenv <IP Address or Name of Domain Management Server>

$CDTDIR/CentralDeploymentTool -rma -info -gateway=<Name of Security Gateway or Cluster Member Object> [-session=<Name of Management Session without Spaces>] -server=<IP Address or Name of Domain Management Server>

Note:

The "-session" parameter is optional (available from CDT v1.9.8).

Use it to run several different CDT sessions at the same time (enter a desired session name - a text string without spaces).

Restoring the RMA Backup Information on a Remote Security Gateway

Specifying a CPUSE Clean Install Package when you Restore the RMA Backup Information

If the CDT could not recognize the CPUSE package file name of the installed version, you must explicitly specify the name of the CPUSE package for Clean Install.

You can get this CPUSE package from the Home Page for your version.

Run these commands in the Expert mode:

Security Management Server:

$CDTDIR/CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License File, including File Extension> -package=<Path to CPUSE Offline Package, including File Extension> [-session=<Name of Management Session without Spaces>]

Multi-Domain Security Management Server:

mdsenv <IP Address or Name of Domain Management Server>

$CDTDIR/CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License File, including File Extension> -package=<Path to CPUSE Offline Package, including File Extension> [-session=<Name of Management Session without Spaces>] -server=<IP Address or Name of Domain Management Server>

Notes:

  • The license path must be the full path to a new license file that you get from your account in Check Point User Center.

  • The "-session" parameter is optional (available from CDT v1.9.8).

    Use it to run several different CDT sessions at the same time (enter a desired session name - a text string without spaces).

Verification

After you run an RMA restore, we recommend that you make sure the Gaia Clish configuration was restored correctly on the Security Gateway or Cluster Member, VSX Gateway or VSX Cluster Member.

Examine these log files, which the CDT transfers from the Security Gateway or Cluster Member to your Management Server (Log File - Description):

/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of Security Gateway or Cluster Member Object>_FinalClishCommand.elg
  List of Gaia Clish commands that were run to restore the Gaia Clish configuration on the Security Gateway or Cluster Member

/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of Security Gateway or Cluster Member Object>_FinalClishLog.elg
  Outputs of the Gaia Clish commands that were run to restore the Gaia Clish configuration on the Security Gateway or Cluster Member

Examine these log files, which the CDT transfers from the VSX Gateway or VSX Cluster Member to your Management Server (Log File - Description):

/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of VSX Gateway or VSX Cluster Member Object>_FinalClishCommand.elg
  List of Gaia Clish commands that were run to restore the Gaia Clish configuration on the VSX Gateway or VSX Cluster Member

/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of VSX Gateway or VSX Cluster Member Object>_VS0ClishCommand.elg
  List of Gaia Clish commands that were run to restore the Gaia Clish configuration in the VSX context 0 (VS0)

/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of VSX Gateway or VSX Cluster Member Object>_FinalClishLog.elg
  Outputs of the Gaia Clish commands that were run to restore the Gaia Clish configuration on the VSX Gateway or VSX Cluster Member

/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of VSX Gateway or VSX Cluster Member Object>_VS0ClishLog.elg
  Outputs of the Gaia Clish commands that were run to restore the Gaia Clish configuration in the VSX context 0 (VS0)

Notes:

  • If these files are not found on your Management Server, most likely the CDT could not transfer them from the Security Gateway or Cluster Member.

    You can find these files on the Security Gateway or Cluster Member in the /var/log/CPrma/ directory.

  • The log file with outputs of Gaia Clish commands contains special characters.

    To see this log file on Gaia OS, use the Linux less command.

    To see this log file on Windows OS, use an advanced text editor, like Notepad++.
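The following POSIX shell functions are an added example for this verification step, not part of the CDT package or its documentation. They locate the newest logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs directory under /var/log/CPcdt, check that the _FinalClishCommand.elg and _FinalClishLog.elg files (plus the _VS0ClishCommand.elg and _VS0ClishLog.elg files for a VSX target) arrived for a given object name, and point to /var/log/CPrma/ on the target when one is missing, as the note above describes. The function names, the optional log-root argument (so the check can be pointed at a copied log tree) and the use of "cat -v" to show the control characters in the Clish output log are my own assumptions.

```shell
#!/bin/sh
# Added example, not CDT code: post-restore check that the RMA log files for a
# Security Gateway / Cluster Member object reached the Management Server.

# latest_rma_logs_dir [cdt-log-root]
# Prints the newest <root>/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs directory.
# The timestamp format sorts lexically, so the last sorted entry is the newest run.
latest_rma_logs_dir() {
    root="${1:-/var/log/CPcdt}"
    newest=$(ls -d "$root"/logs_*/RmaLogs 2>/dev/null | sort | tail -n 1)
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# check_rma_logs <object-name> [cdt-log-root] [gateway|vsx]
# Returns 0 when every expected .elg file for the object exists in the newest
# RmaLogs directory; otherwise prints what is missing and returns 1.
check_rma_logs() {
    gw="$1"
    root="${2:-/var/log/CPcdt}"
    mode="${3:-gateway}"
    dir=$(latest_rma_logs_dir "$root") || {
        echo "no logs_*/RmaLogs directory under $root"
        return 1
    }
    suffixes="FinalClishCommand FinalClishLog"
    # A VSX target additionally logs the restore of VSX context 0 (VS0).
    if [ "$mode" = "vsx" ]; then
        suffixes="$suffixes VS0ClishCommand VS0ClishLog"
    fi
    missing=0
    for s in $suffixes; do
        f="$dir/${gw}_${s}.elg"
        if [ -f "$f" ]; then
            echo "found:   $f"
        else
            # Per the note above: if the CDT could not transfer the file,
            # it is still on the target in /var/log/CPrma/.
            echo "missing: $f (look in /var/log/CPrma/ on $gw)"
            missing=1
        fi
    done
    return $missing
}

# show_clish_log <path-to-FinalClishLog.elg>
# The Clish output log contains special characters; "cat -v" renders them
# as visible ^X sequences, an alternative to paging the file with less.
show_clish_log() {
    cat -v "$1"
}
```

Typical use in Expert mode on the Management Server is check_rma_logs <Name of Security Gateway or Cluster Member Object>, or check_rma_logs <Name of VSX Gateway Object> /var/log/CPcdt vsx for a VSX target; a non-zero return means at least one file must be fetched from the target before the Clish commands and their outputs can be reviewed.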