RMA Mode

Collecting RMA Backup Information

• The RMA Mode backup operation saves minimal information for these:

  • All Security Gateways in the Candidates List file (see The Candidates List), or

  • All connected Security Gateways, if you use the -backupall option

  The information saved:

  • Number and Builds of the installed Check Point version.

  • List of all installed Hotfixes.

  • Check Point and Linux configuration files:

    Table: Configuration files

    File	Description
    FTW_settings.conf	Configuration file for Automatic First Time Configuration Wizard. The CLI utility config_system uses this file to run automatic First Time Configuration Wizard (sk69701).
    machine_settings.conf	Output of the Gaia Clish command save configuration.
    SIC_settings.conf	Configuration file to restore SIC settings in the Check Point Registry ($CPDIR/registry/HKLM_registry.data).
    exported_sic_cert.p12	SIC certificate file.
    additional_settings.sh	Backup script (for example, to restore the cluster mode, SNMP extension, and other settings).
    various.tar	Contains these files: $CPDIR/conf/cp.license - Contains the installed Check Point license $FWDIR/boot/boot.conf - Contains specific Check Point boot parameters $FWDIR/conf/objects.C - Contains the applicable objects $FWDIR/conf/fwauth.NDB - Contains users configured in SmartDashboard or SmartConsole $FWDIR/boot/modules/fwkern.conf - Contains Firewall kernel parameters and their values $PPKDIR/conf/simkern.conf (in R80.20 and above), $PPKDIR/boot/modules/simkern.conf (in R80.10 and below) - Contains SecureXL kernel parameters and their values $PPKDIR/conf/sim_aff.conf (in R80.20 and above), $PPKDIR/boot/modules/sim_aff.conf (in R80.10 and below) - Contains SecureXL Interface Affinity configuration
    	$FWDIR/conf/fwaffinity.conf - Contains CoreXL Interface Affinity configuration $FWDIR/conf/dispatcher_mode.conf - Contains CoreXL Dynamic Dispatcher (sk105261) and Firewall Priority Queues (sk105762) internal settings $FWDIR/conf/dynamic_dispatcher_mode.conf - Contains CoreXL Dynamic Dispatcher (sk105261) internal settings $FWDIR/boot/mq.conf - Contains Multi-Queue settings /etc/snmp/userDefinedSettings.conf - Contains custom SNMP settings (sk90860) /boot/grub/grub.conf - Linux GRUB configuration file /etc/rc.d/rc.local - Linux start-up script (administrator should add to this script the desired Linux commands to run at boot)

• CDT saves the RMA backup information on the Management Server in the repository path as defined in the CDT configuration file. Each Security Gateway's backup is saved in a file name corresponding to the Security Gateway's object name in the management database. The size of the RMA backup file is approximately 200kB for each backed up Security Gateway or Cluster Member.

• Each time you change the settings of a Security Gateway (in SmartConsole, or in Gaia operating system), you must collect a new backup of that Security Gateway.

• Optional: You can add more files to the RMA Backup.

  1. Prepare a plain-text file with a list of full paths to the files it is necessary to collect.

  2. Write full path to each file on a separate line.

  3. Add this parameter to the syntax:

     -additional_files=</path to/file with list of files to collect>

  Notes:

  • All the files you specify must be located on all the Security Gateways and Cluster Members.

    If a specified file is not located on one of the remote machines, the RMA Backup fails on that machine.

  • You cannot backup the /var/log/ directory.

Restoring RMA Backup Information

• The RMA restore operation uses the RMA backup information to reconfigure a replaced Security Gateway.

• Requirements for the RMA restore process:

  • The replaced Security Gateway appliance must be the same model as the old Security Gateway appliance.

  • The replaced Security Gateway must have the default username and password (admin/admin).

    If you changed the default username or password, restore the Gaia to factory defaults.

  • The replaced Security Gateway must have the same physical interface configuration as the old Security Gateway.

  • The replaced Security Gateway must have the same networking configuration (IP address, default gateway, and so on).

  • The replaced Security Gateway must not be configured with the Gaia First Time Configuration Wizard.

    If the First Time Configuration Wizard was already done, you must restore the Gaia to the factory defaults before you can run the RMA restore.

  • You must have all the required packages to install in the repository defined in the primary configuration file. That is, you must have the CPUSE package for Clean Install of the version and the CPUSE packages of all the Hotfixes that were installed on the old Security Gateway.

    To see the required packages and other backup information, run:

    # ./CentralDeploymentTool -rma -info -gateway=<Name of Security Gateway or Cluster Member Object>

  • If the CDT could not recognize the CPUSE package file name of the installed version, you must explicitly specify the name of the CPUSE package for Clean Install.

    See the syntax in the procedure Specifying a CPUSE Clean Install Package when you Restore the RMA Backup Information.

Note - License information is not restored on Check Point appliance, because it depends on the appliance's MAC address.