RMA Mode
Introduction:
You can use the CDT RMA Mode to collect the information from the Security Gateway R77.30 or above about the installed software and configuration. You can use this information to reconfigure the replacement Security Gateway:
- Backup information contains installed version, list of installed Hotfixes, some Check Point configuration files, and Gaia configuration database).
- To reconfigure the replacement Security Gateway, administrator needs to provide the CPUSE package for Clean Install and the CPUSE packages of the Hotfixes.
Important:
Requirements for RMA backup and RMA restore to work correctly:
- On the Security Gateway, to connect to the Management Server, you must use the interface defined as the Gaia Management Interface.
- The communication between the Security Gateway and the Management Server must rely on the Security Gateway's default gateway and not on static routes.
For configuration instructions, see the Gaia Administration Guide for your Security Gateway version.
|
Warning - Do not edit the RMA configuration file RmaTool.xml installed by the CDT package.
Workflow
Step
|
Description
|
1
|
Connect to the command line on your Management Server you use for package distribution.
|
2
|
Log in to Expert mode.
|
3
|
Make sure there is no active GUI client that locks the management database, such as SmartDashboard or SmartConsole.
|
4
|
Install the CDT RPM package (if it is not already installed on your system) from sk111158.
|
5
|
Edit the CentralDeploymentTool.xml file to change the settings:
- Configure the element to specify the location of package files.
- Configure the element to specify the absolute path to the CPUSE RPM package.
|
6
|
When backing up Security Gateways, perform backup on all applicable Security Gateways.
Generate a Candidates List to back up the specified Security Gateways, or use the -backupall option to back up all the Security Gateways in one command.
|
7
|
When restoring a Security Gateway, perform restore on the applicable Security Gateway.
|
8
|
Make sure the Gaia Clish configuration was restored correctly on the applicable Security Gateway.
|
Collecting RMA Backup Information
- The RMA Mode backup operation saves minimal information:
- Of all Security Gateways in the Candidates List file, or
- Of all connected Security Gateways, if you use the
-backupall option
The information saved:
- Number and Builds of the installed Check Point version.
- List of all installed Hotfixes.
- Check Point and Linux configuration files:
File
|
Description
|
FTW_settings.conf
|
Configuration file for Automatic First Time Configuration Wizard.
The CLI utility config_system uses this file to run automatic First Time Configuration Wizard (sk69701).
|
machine_settings.conf
|
Output of the Gaia Clish command save configuration.
|
SIC_settings.conf
|
Configuration file to restore SIC settings in the Check Point Registry ($CPDIR/registry/HKLM_registry.data).
|
exported_sic_cert.p12
|
SIC certificate file.
|
additional_settings.sh
|
Backup script (for example, to restore the cluster mode, SNMP extension, and other settings).
|
various.tar
|
Contains these files:
$CPDIR/conf/cp.license - Contains the installed Check Point license$FWDIR/boot/boot.conf - Contains specific Check Point boot parameters$FWDIR/conf/objects.C - Contains the applicable objects$FWDIR/conf/fwauth.NDB - Contains users configured in SmartDashboard or SmartConsole$FWDIR/boot/modules/fwkern.conf - Contains Firewall kernel parameters and their values$PPKDIR/conf/simkern.conf (in R80.20 and above), $PPKDIR/boot/modules/simkern.conf (in R80.10 and below) - Contains SecureXL kernel parameters and their values$PPKDIR/conf/sim_aff.conf (in R80.20 and above), $PPKDIR/boot/modules/sim_aff.conf (in R80.10 and below) - Contains SecureXL Interface Affinity configuration$FWDIR/conf/fwaffinity.conf - Contains CoreXL Interface Affinity configuration$FWDIR/conf/dispatcher_mode.conf - Contains CoreXL Dynamic Dispatcher (sk105261) and Firewall Priority Queues (sk105762) internal settings$FWDIR/conf/dynamic_dispatcher_mode.conf - Contains CoreXL Dynamic Dispatcher (sk105261) internal settings$FWDIR/boot/mq.conf - Contains Multi-Queue settings/etc/snmp/userDefinedSettings.conf - Contains custom SNMP settings (sk90860)/boot/grub/grub.conf - Linux GRUB configuration file/etc/rc.d/rc.local - Linux start-up script (administrator should add to this script the desired Linux commands to run at boot)
|
- CDT saves the RMA backup information on the Management Server in the repository path as defined in the CDT configuration file. Each Security Gateway's backup is saved in a file name corresponding to the Security Gateway's object name in the management database. The size of the RMA backup file is approximately 200kB for each backed up Security Gateway or Cluster Member.
- Each time you change the settings of a Security Gateway (in SmartConsole, or in Gaia operating system), you must collect a new backup of that Security Gateway.
- Optional: You can add more files to the RMA Backup.
- Prepare a plain-text file with a list of full paths to the files you want to collect.
- Write full path to each file on a separate line.
- Add this parameter to the syntax:
-additional_files=</path_to/file_with_list_of_files_to_collect>
Notes:
Restoring RMA Backup Information
- The RMA restore operation uses the RMA backup information to reconfigure a replaced Security Gateway.
- Requirements for the RMA restore process:
- The replaced Security Gateway appliance must be the same model as the old Security Gateway appliance.
- The replaced Security Gateway must have the default username and password (
admin/admin).If you changed the default username or password, restore the Gaia to factory defaults.
- The replaced Security Gateway must have the same physical interface configuration as the old Security Gateway.
- The replaced Security Gateway must have the same networking configuration (IP address, default gateway, and so on).
- The replaced Security Gateway must not be configured with the Gaia First Time Configuration Wizard.
If the First Time Configuration Wizard was already done, you must restore the Gaia to the factory defaults before you can run the RMA restore.
- You must have all the required packages to install in the repository defined in the primary configuration file. That is, you must have the CPUSE package for Clean Install of the version and the CPUSE packages of all the Hotfixes that were installed on the old Security Gateway.
To see the required packages and other backup information, run:
# ./CentralDeploymentTool -rma -info -gateway=<Name of Security Gateway or Cluster Member Object>
- If the CDT could not recognize the CPUSE package file name of the installed version, you must explicitly specify the name of the CPUSE package for Clean Install.
See the syntax in the procedure Specifying a CPUSE Clean Install Package when you Restore the RMA Backup Information.
Note - License information is not restored on Check Point appliance, because it depends on the appliance's MAC address.
Generating a Candidates List for RMA Backup
Run these commands to generate a Candidates List file for RMA Backup:
Management Server
|
Instructions
|
Security Management Server
|
# ./CentralDeploymentTool -rma -generate [-additional_files=<Path to and Name of File with the List of Additional Files>] -candidates=<Name of Candidates List file>.csv
|
Multi-Domain Server
|
# mdsenv <IP Address or Name of Domain Management Server>
# ./CentralDeploymentTool -rma -generate -candidates=<Name of Candidates List file>.csv -server=<IP Address or Name of Domain Management Server>
|
Collecting RMA Backup from the Specified Remote Security Gateways
You specify the remote Security Gateways according to the Candidates List file. Run these commands:
Management Server
|
Instructions
|
Security Management Server
|
# ./CentralDeploymentTool -rma -backup [-additional_files=<Path to and Name of File with the List of Additional Files>] -candidates=<Name of Candidates List file>.csv
|
Multi-Domain Server
|
# mdsenv <IP Address or Name of Domain Management Server>
# ./CentralDeploymentTool -rma -backup [-additional_files=<Path to and Name of File with the List of Additional Files>] -candidates=<Name of Candidates List file>.csv -server=<IP Address or Name of Domain Management Server>
|
Collecting RMA Backup Information from all Remote Security Gateways
In this case, you do not need the Candidates List file. Run these commands:
Management Server
|
Instructions
|
Security Management Server
|
# ./CentralDeploymentTool -rma -backupall [-additional_files=<Path to and Name of File with the List of Additional Files>]
|
Multi-Domain Server
|
# mdsenv <IP Address or Name of Domain Management Server>
# ./CentralDeploymentTool -rma -backupall [-additional_files=<Path to and Name of File with the List of Additional Files>] -server=<IP Address or Name of Domain Management Server>
|
Showing the RMA Backup Information of a Specified Remote Security Gateway
Run these commands:
Management Server
|
Instructions
|
Security Management Server
|
# ./CentralDeploymentTool -rma -info -gateway=<Name of Security Gateway or Cluster Member Object>
|
Multi-Domain Server
|
# mdsenv <IP Address or Name of Domain Management Server>
# ./CentralDeploymentTool -rma -info -gateway=<Name of Security Gateway or Cluster Member Object> -server=<IP Address or Name of Domain Management Server>
|
Restoring the RMA Backup Information on a Remote Security Gateway
Run these commands:
Management Server
|
Instructions
|
Security Management Server
|
# ./CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License file>
|
Multi-Domain Server
|
# mdsenv <IP Address or Name of Domain Management Server>
./CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License file> -server=<IP Address or Name of Domain Management Server>
|
Note - License path must be the full path to a new license file that you get from your account in Check Point User Center.
Specifying a CPUSE Clean Install Package when you Restore the RMA Backup Information
If the CDT could not recognize the CPUSE package file name of the installed version, you must explicitly specify the full path and the name of the CPUSE package for Clean Install.
You can get this CPUSE package from the Home Page for your version (contact Check Point Support for assistance).
Run these commands:
Management Server
|
Instructions
|
Security Management Server
|
# ./CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License file> -package=<File Name of CPUSE Offline Package>.tgz
|
Multi-Domain Server
|
# mdsenv <IP Address or Name of Domain Management Server>
# ./CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License file> -package=<File Name of CPUSE Offline Package>.tgz -server=<IP Address or Name of Domain Management Server>
|
Note - License path must be the full path to a new license file that you get from your account in Check Point User Center.
Verification
After you perform an RMA restore, we recommend to make sure the Gaia Clish configuration was restored correctly on the Security Gateway or Cluster Member, VSX Gateway or VSX Cluster Member.
Examine these log files on your Management Server from the Security Gateway or Cluster Member:
Log File
|
Description
|
/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of Security Gateway or Cluster Member Object>_FinalClishCommand.elg
|
List of Gaia Clish commands that were run to restore the Gaia Clish configuration on the Security Gateway or Cluster Member
|
/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of Security Gateway or Cluster Member Object>_FinalClishLog.elg
|
Outputs of the Gaia Clish commands that were run to restore the Gaia Clish configuration on the Security Gateway or Cluster Member
|
Examine these log files on your Management Server from the VSX Gateway or VSX Cluster Member:
Log File
|
Description
|
/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of VSX Gateway or VSX Cluster Member Object>_FinalClishCommand.elg
|
List of Gaia Clish commands that were run to restore the Gaia Clish configuration on the VSX Gateway or VSX Cluster Member
|
/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of VSX Gateway or VSX Cluster Member Object>_VS0ClishCommand.elg
|
List of Gaia Clish commands that were run to restore the Gaia Clish configuration in the VSX context 0 (VS0)
|
/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of VSX Gateway or VSX Cluster Member Object>_FinalClishLog.elg
|
Outputs of the Gaia Clish commands that were run to restore the Gaia Clish configuration on the VSX Gateway or VSX Cluster Member
|
/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of VSX Gateway or VSX Cluster Member Object>_VS0ClishLog.elg
|
Outputs of the Gaia Clish commands that were run to restore the Gaia Clish configuration in the VSX context 0 (VS0)
|
Notes:
- If these files are not found on your Management Server, most likely the CDT could not copy them from the Security Gateway or Cluster Member.
You can find these files on the Security Gateway or Cluster Member in the /var/log/CPrma/ directory.
- The log file with outputs of Gaia Clish commands contains special characters.
To see this log file on Gaia OS, use the Linux less command.
To see this log file on Windows OS, use an advanced text editor, like Notepad++.
