RMA Mode

Introduction:

You can use the CDT RMA Mode to collect the information from the Security Gateway R77.30 or higher about the installed software and configuration. You can use this information to reconfigure the replacement Security Gateway:

• Backup information contains installed version, list of installed Hotfixes, some Check Point configuration files, and Gaia configuration database).
• To reconfigure the replacement Security Gateway, administrator needs to provide the CPUSE package for Clean Install and the CPUSE packages of the Hotfixes.

Important:

Requirements for RMA backup and RMA restore to work correctly: On the Security Gateway, to connect to the Management Server, you must use the interface defined as the Gaia Management Interface. The communication between the Security Gateway and the Management Server must rely on the Security Gateway's default gateway and not on static routes. For configuration instructions, see the R80.10 Gaia Administration Guide.

Warning - Do not edit the RMA configuration file RmaTool.xml installed by the CDT package.

Workflow:

1. Connect to the command line on your Management Server that is used for package distribution.
2. Log in to Expert mode.
3. Make sure there is no active GUI client that locks the management database, such as SmartDashboard or SmartConsole.
4. Install the CDT RPM package (if it is not already installed on your system) from sk111158.
5. Edit the CentralDeploymentTool.xml file to change the settings:
   • Configure the Repository element to specify the location of package files
   • Configure the CPUSE element to specify the absolute path to the CPUSE RPM package.
6. When backing up Security Gateways, perform backup on all applicable Security Gateways.

   Generate a Candidates List to back up the specified Security Gateways, or use the -backupall option to back up all the Security Gateways in one command.

7. When restoring a Security Gateway, perform restore on the applicable Security Gateway.
8. Make sure the Gaia Clish configuration was restored correctly on the applicable Security Gateway.

To collect the RMA backup information:

• The RMA Mode backup operation saves minimal information:
  • Of all Security Gateways in the Candidates List, or
  • Of all connected Security Gateways, if the -backupall option is used

  The information saved:

  • Number and Builds of the installed Check Point version.
  • List of all installed Hotfixes.
  • Gaia configuration (the output of the Gaia Clish command save configuration).
  • Check Point configuration (SIC, $FWDIR/boot/modules/fwkern.conf, and so on).
• CDT saves the RMA backup information on the Management Server in the repository path as defined in the CDT configuration file. Each Security Gateway's backup is saved in a file name corresponding to the Security Gateway's object name in the management database. The size of the RMA backup file is approximately 200kB for each backed up Security Gateway or Cluster Member.

To restore the RMA backup information:

• The RMA restore operation uses the RMA backup information to reconfigure a replaced Security Gateway.
• Requirements for the RMA restore process:
  • The replaced Security Gateway appliance must be the same model.
  • The replaced Security Gateway must have the default username/password (admin/admin).

    If you changed the default username/password, restore the Gaia to factory defaults.

  • The replaced Security Gateway must have the same physical interface configuration as the old Security Gateway.
  • The replaced Security Gateway must have the same networking configuration (IP address, default gateway, and so on).
  • The replaced Security Gateway must not be configured with the Gaia First Time Configuration Wizard.

    If the First Time Configuration Wizard was already done, you must restore the Gaia to the factory defaults before you can run the RMA restore.

  • You must have all the required packages to install in the repository defined in the primary configuration file. That is, you must have the CPUSE package for Clean Install of the version and the CPUSE packages of all the Hotfixes that were installed on the old Security Gateway.

    To see the required packages and other backup information, run:

  # ./CentralDeploymentTool -rma -info -gateway=<Name of Security Gateway or Cluster Member Object>

  • If the CDT could not recognize the CPUSE package file name of the installed version, you must explicitly specify the full path to the CPUSE package for Clean Install.
    See the syntax below in the procedure To specify a CPUSE Clean Install package when you restore the RMA backup information.

Note - License information is not restored on Check Point appliance, because it depends on the appliance's MAC address.

To generate a Candidates List for RMA backup:

Management Server	Instructions
Security Management Server	# ./CentralDeploymentTool -rma -generate -candidates=<Name of Candidates List file>.csv
Multi-Domain Security Management Server	# mdsenv <IP Address or Name of Domain Management Server>   # ./CentralDeploymentTool -rma -generate -candidates=<Name of Candidates List file>.csv -server=<IP Address or Name of Domain Management Server>

To collect RMA backup from specified remote Security Gateways according to the Candidates List:

Management Server	Instructions
Security Management Server	# ./CentralDeploymentTool -rma -backup -candidates=<Name of Candidates List file>.csv
Multi-Domain Security Management Server	# mdsenv <IP Address or Name of Domain Management Server>   # ./CentralDeploymentTool -rma -backup -candidates=<Name of Candidates List file>.csv -server=<IP Address or Name of Domain Management Server>

To collect RMA backup information from all remote Security Gateways (Candidates List file is not needed):

Management Server	Instructions
Security Management Server	# ./CentralDeploymentTool -rma -backupall
Multi-Domain Security Management Server	# mdsenv <IP Address or Name of Domain Management Server>   # ./CentralDeploymentTool -rma -backupall -server=<IP Address or Name of Domain Management Server>

To show the RMA backup information of a specified remote Security Gateway:

Management Server	Instructions
Security Management Server	# ./CentralDeploymentTool -rma -info -gateway=<Name of Security Gateway or Cluster Member Object>
Multi-Domain Security Management Server	# mdsenv <IP Address or Name of Domain Management Server>   # ./CentralDeploymentTool -rma -info -gateway=<Name of Security Gateway or Cluster Member Object> -server=<IP Address or Name of Domain Management Server>

To restore the RMA backup information on a remote Security Gateway:

Management Server	Instructions
Security Management Server	# ./CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License file>
Multi-Domain Security Management Server	# mdsenv <IP Address or Name of Domain Management Server>   ./CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License file> -server=<IP Address or Name of Domain Management Server>

Note - License path must be the full path to a new license file that you get from your account in Check Point User Center.

To specify a CPUSE Clean Install package when you restore the RMA backup information:

If the CDT could not recognize the CPUSE package file name of the installed version, you must explicitly specify the full path to the CPUSE package for Clean Install. You can get this CPUSE package from the Home Page for your version (contact Check Point Support for assistance):

Management Server	Instructions
Security Management Server	# ./CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License file> -package=<File Name of CPUSE Offline Package>.tgz
Multi-Domain Security Management Server	# mdsenv <IP Address or Name of Domain Management Server>   # ./CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License file> -package=<File Name of CPUSE Offline Package>.tgz -server=<IP Address or Name of Domain Management Server>

Note - License path must be the full path to a new license file that you get from your account in Check Point User Center.

To make sure the Gaia Clish configuration was restored correctly on the Security Gateway or Cluster Member:

After performing an RMA restore, we recommend to make sure the Gaia Clish configuration was restored correctly.

Examine these log files on your Management Server:

• List of Gaia Clish commands that were run to restore the Gaia Clish configuration on the Security Gateway or Cluster Member:

  /var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of Security Gateway or Cluster Member Object>_FinalClishCommand.elg

• Outputs of the Gaia Clish commands that were run to restore the Gaia Clish configuration on the Security Gateway or Cluster Member:

  /var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of Security Gateway or Cluster Member Object>_FinalClishLog.elg

Notes:

• If these files are not found on your Management Server, most likely the CDT could not copy them from the Security Gateway or Cluster Member. You can find these files on the Security Gateway or Cluster Member in the /var/log/CPrma/ directory.
• The log file with outputs of Gaia Clish commands contains special characters.

  To see this log file on Gaia OS, use the Linux less command.

  To see this log file on Windows OS, use an advanced text editor like Notepad++.