RMA Mode

Introduction:

You can use the CDT RMA Mode to collect information about the installed software and configuration from a Security Gateway R77.30 or above. You can then use this information to reconfigure the replacement Security Gateway.

Important:

Requirements for RMA backup and RMA restore to work correctly:

  • On the Security Gateway, to connect to the Management Server, you must use the interface defined as the Gaia Management Interface.
  • The communication between the Security Gateway and the Management Server must rely on the Security Gateway's default gateway and not on static routes.

For configuration instructions, see the Gaia Administration Guide for your Security Gateway version.

Warning - Do not edit the RMA configuration file RmaTool.xml installed by the CDT package.

Workflow

  1. Connect to the command line on the Management Server that you use for package distribution.

  2. Log in to Expert mode.

  3. Make sure there is no active GUI client that locks the management database, such as SmartDashboard or SmartConsole.

  4. Install the CDT RPM package (if it is not already installed on your system) from sk111158.

  5. Edit the CentralDeploymentTool.xml file to change the settings:

       • Configure the Repository element to specify the location of package files.
       • Configure the <CPUSE> element to specify the absolute path to the CPUSE RPM package.

  6. When backing up Security Gateways, perform the backup on all applicable Security Gateways.

     Generate a Candidates List to back up the specified Security Gateways, or use the -backupall option to back up all the Security Gateways in one command.

  7. When restoring a Security Gateway, perform the restore on the applicable Security Gateway.

  8. Make sure the Gaia Clish configuration was restored correctly on the applicable Security Gateway.

Collecting RMA Backup Information

Restoring RMA Backup Information

Note - License information is not restored on a Check Point appliance, because it depends on the appliance's MAC address.

Generating a Candidates List for RMA Backup

Run these commands to generate a Candidates List file for RMA Backup:

Security Management Server:

    # ./CentralDeploymentTool -rma -generate [-additional_files=<Path to and Name of File with the List of Additional Files>] -candidates=<Name of Candidates List file>.csv

Multi-Domain Server:

    # mdsenv <IP Address or Name of Domain Management Server>
    # ./CentralDeploymentTool -rma -generate -candidates=<Name of Candidates List file>.csv -server=<IP Address or Name of Domain Management Server>

Collecting RMA Backup from the Specified Remote Security Gateways

You specify the remote Security Gateways according to the Candidates List file. Run these commands:

Security Management Server:

    # ./CentralDeploymentTool -rma -backup [-additional_files=<Path to and Name of File with the List of Additional Files>] -candidates=<Name of Candidates List file>.csv

Multi-Domain Server:

    # mdsenv <IP Address or Name of Domain Management Server>
    # ./CentralDeploymentTool -rma -backup [-additional_files=<Path to and Name of File with the List of Additional Files>] -candidates=<Name of Candidates List file>.csv -server=<IP Address or Name of Domain Management Server>

Collecting RMA Backup Information from all Remote Security Gateways

In this case, you do not need the Candidates List file. Run these commands:

Security Management Server:

    # ./CentralDeploymentTool -rma -backupall [-additional_files=<Path to and Name of File with the List of Additional Files>]

Multi-Domain Server:

    # mdsenv <IP Address or Name of Domain Management Server>
    # ./CentralDeploymentTool -rma -backupall [-additional_files=<Path to and Name of File with the List of Additional Files>] -server=<IP Address or Name of Domain Management Server>

Showing the RMA Backup Information of a Specified Remote Security Gateway

Run these commands:

Security Management Server:

    # ./CentralDeploymentTool -rma -info -gateway=<Name of Security Gateway or Cluster Member Object>

Multi-Domain Server:

    # mdsenv <IP Address or Name of Domain Management Server>
    # ./CentralDeploymentTool -rma -info -gateway=<Name of Security Gateway or Cluster Member Object> -server=<IP Address or Name of Domain Management Server>

Restoring the RMA Backup Information on a Remote Security Gateway

Run these commands:

Security Management Server:

    # ./CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License file>

Multi-Domain Server:

    # mdsenv <IP Address or Name of Domain Management Server>
    # ./CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License file> -server=<IP Address or Name of Domain Management Server>

Note - License path must be the full path to a new license file that you get from your account in Check Point User Center.

Specifying a CPUSE Clean Install Package when you Restore the RMA Backup Information

If the CDT could not recognize the CPUSE package file name of the installed version, you must explicitly specify the full path and the name of the CPUSE package for Clean Install.

You can get this CPUSE package from the Home Page for your version (contact Check Point Support for assistance).

Run these commands:

Security Management Server:

    # ./CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License file> -package=<File Name of CPUSE Offline Package>.tgz

Multi-Domain Server:

    # mdsenv <IP Address or Name of Domain Management Server>
    # ./CentralDeploymentTool -rma -restore -gateway=<Name of Security Gateway or Cluster Member Object> -license=<Path to License file> -package=<File Name of CPUSE Offline Package>.tgz -server=<IP Address or Name of Domain Management Server>

Note - License path must be the full path to a new license file that you get from your account in Check Point User Center.

Verification

After you perform an RMA restore, we recommend that you make sure the Gaia Clish configuration was restored correctly on the Security Gateway or Cluster Member, VSX Gateway or VSX Cluster Member.

Examine these log files on your Management Server from the Security Gateway or Cluster Member:

  • /var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of Security Gateway or Cluster Member Object>_FinalClishCommand.elg
    List of Gaia Clish commands that were run to restore the Gaia Clish configuration on the Security Gateway or Cluster Member

  • /var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of Security Gateway or Cluster Member Object>_FinalClishLog.elg
    Outputs of the Gaia Clish commands that were run to restore the Gaia Clish configuration on the Security Gateway or Cluster Member

Examine these log files on your Management Server from the VSX Gateway or VSX Cluster Member:

  • /var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of VSX Gateway or VSX Cluster Member Object>_FinalClishCommand.elg
    List of Gaia Clish commands that were run to restore the Gaia Clish configuration on the VSX Gateway or VSX Cluster Member

  • /var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of VSX Gateway or VSX Cluster Member Object>_VS0ClishCommand.elg
    List of Gaia Clish commands that were run to restore the Gaia Clish configuration in the VSX context 0 (VS0)

  • /var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of VSX Gateway or VSX Cluster Member Object>_FinalClishLog.elg
    Outputs of the Gaia Clish commands that were run to restore the Gaia Clish configuration on the VSX Gateway or VSX Cluster Member

  • /var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/RmaLogs/<Name of VSX Gateway or VSX Cluster Member Object>_VS0ClishLog.elg
    Outputs of the Gaia Clish commands that were run to restore the Gaia Clish configuration in the VSX context 0 (VS0)
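
The following is an added example, not part of the CDT package or of this guide: a shell script for the Management Server that checks that the restore log files listed above exist and are non-empty before you review them. It assumes the RMA restore was the most recent CDT run; the function names and the optional root-directory argument are hypothetical.

```bash
#!/bin/bash
# Added example, not part of the CDT package.
# Checks that the RMA restore logs for one object exist and are non-empty.
# Assumption: the RMA restore was the most recent CDT run, so its files are
# in the newest logs_<YYYY-MM-DD-HH-mm-ss> directory.

# latest_cdt_logdir [root]  (root argument is hypothetical, for use on a copy)
# Prints the newest logs_* directory. The timestamp is zero-padded, so the
# sorted glob expansion is chronological and the last match is the newest.
latest_cdt_logdir() {
    local root="${1:-/var/log/CPcdt}" d newest=""
    for d in "$root"/logs_*/; do
        [ -d "$d" ] || continue
        newest="${d%/}"
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# check_rma_logs <object name> [gateway|vsx] [root]
# Prints OK, EMPTY or MISSING for each expected file.
# Returns 0 if all are present and non-empty, 1 otherwise, 2 if no log directory.
check_rma_logs() {
    local gw="$1" kind="${2:-gateway}" root="${3:-/var/log/CPcdt}"
    local dir f s rc=0
    local suffixes="FinalClishCommand FinalClishLog"
    if [ "$kind" = "vsx" ]; then
        suffixes="$suffixes VS0ClishCommand VS0ClishLog"
    fi
    dir=$(latest_cdt_logdir "$root") || {
        echo "no logs_* directory under $root" >&2
        return 2
    }
    for s in $suffixes; do
        f="$dir/RmaLogs/${gw}_${s}.elg"
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; rc=1
        elif [ ! -s "$f" ]; then
            echo "EMPTY $f"; rc=1
        else
            echo "OK $f"
        fi
    done
    return "$rc"
}

# Run directly: ./check_rma_logs.sh <object name> [gateway|vsx]
if [ "$#" -gt 0 ]; then
    check_rma_logs "$@"
fi
```

An OK result only confirms that the file is there to review; the command outputs in the ClishLog files still have to be read to confirm that the configuration was restored correctly.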

Notes: