RMA Mode
You can use the CDT RMA Mode to collect the information from the Security Gateway R77.30 or above about the installed software and configuration. You can use this information to reconfigure the replacement Security Gateway:
-
Backup information contains installed version, list of installed Hotfixes, some Check Point configuration files, and Gaia configuration database).
-
To reconfigure the replacement Security Gateway, administrator needs to provide the CPUSE package for Clean Install and the CPUSE packages of the Hotfixes.
Important:
Requirements for RMA backup and RMA restore to work correctly:
For configuration instructions, see the Gaia Administration Guide for your Security Gateway version. |
Warning - Do not edit the RMA configuration file |
Workflow
Step |
Description |
---|---|
1 |
Connect to the command line on your Management Server you use for package distribution. |
2 |
Log in to the Expert mode. |
3 |
Make sure there is no active GUI client that locks the management database, such as SmartDashboard or SmartConsole. |
4 |
Install the CDT RPM package (if it is not already installed on your system) from sk111158. |
5 |
Edit the
|
6 |
When backing up Security Gateways, perform backup on all applicable Security Gateways. Generate a Candidates List to back up the specified Security Gateways, or use the |
7 |
When restoring a Security Gateway, perform restore on the applicable Security Gateway. |
8 |
Make sure the Gaia Clish configuration was restored correctly on the applicable Security Gateway. |
Collecting RMA Backup Information
-
The RMA Mode backup operation saves minimal information for these:
-
All Security Gateways in the Candidates List file (see The Candidates List), or
-
All connected Security Gateways, if you use the
-backupall
option
The information saved:
-
Number and Builds of the installed Check Point version.
-
List of all installed Hotfixes.
-
Check Point and Linux configuration files:
Table: Configuration files File
Description
FTW_settings.conf
Configuration file for Automatic First Time Configuration Wizard.
The CLI utility
config_system
uses this file to run automatic First Time Configuration Wizard (sk69701).machine_settings.conf
Output of the Gaia Clish command
save configuration
.SIC_settings.conf
Configuration file to restore SIC settings in the Check Point Registry (
$CPDIR/registry/HKLM_registry.data
).exported_sic_cert.p12
SIC certificate file.
additional_settings.sh
Backup script (for example, to restore the cluster mode, SNMP extension, and other settings).
various.tar
Contains these files:
-
$CPDIR/conf/cp.license
- Contains the installed Check Point license -
$FWDIR/boot/boot.conf
- Contains specific Check Point boot parameters -
$FWDIR/conf/objects.C
- Contains the applicable objects -
$FWDIR/conf/fwauth.NDB
- Contains users configured in SmartDashboard or SmartConsole -
$FWDIR/boot/modules/fwkern.conf
- Contains Firewall kernel parameters and their values -
$PPKDIR/conf/simkern.conf
(in R80.20 and above),$PPKDIR/boot/modules/simkern.conf
(in R80.10 and below) - Contains SecureXL kernel parameters and their values -
$PPKDIR/conf/sim_aff.conf
(in R80.20 and above),$PPKDIR/boot/modules/sim_aff.conf
(in R80.10 and below) - Contains SecureXL Interface Affinity configuration
-
$FWDIR/conf/fwaffinity.conf
- Contains CoreXL Interface Affinity configuration -
$FWDIR/conf/dispatcher_mode.conf
- Contains CoreXL Dynamic Dispatcher (sk105261) and Firewall Priority Queues (sk105762) internal settings -
$FWDIR/conf/dynamic_dispatcher_mode.conf
- Contains CoreXL Dynamic Dispatcher (sk105261) internal settings -
$FWDIR/boot/mq.conf
- Contains Multi-Queue settings -
/etc/snmp/userDefinedSettings.conf
- Contains custom SNMP settings (sk90860) -
/boot/grub/grub.conf
- Linux GRUB configuration file -
/etc/rc.d/rc.local
- Linux start-up script (administrator should add to this script the desired Linux commands to run at boot)
-
-
-
CDT saves the RMA backup information on the Management Server in the repository path as defined in the CDT configuration file. Each Security Gateway's backup is saved in a file name corresponding to the Security Gateway's object name in the management database. The size of the RMA backup file is approximately 200kB for each backed up Security Gateway or Cluster Member.
-
Each time you change the settings of a Security Gateway (in SmartConsole, or in Gaia operating system), you must collect a new backup of that Security Gateway.
-
Optional: You can add more files to the RMA Backup.
-
Prepare a plain-text file with a list of full paths to the files you want to collect.
-
Write full path to each file on a separate line.
-
Add this parameter to the syntax:
-additional_files=</path to/file with list of files to collect>
Notes:
-
All the files you specify must be located on all the Security Gateways and Cluster Members.
If a specified file is not located on one of the remote machines, the RMA Backup fails on that machine.
-
You cannot backup the
/var/log/
directory.
-
Restoring RMA Backup Information
-
The RMA restore operation uses the RMA backup information to reconfigure a replaced Security Gateway.
-
Requirements for the RMA restore process:
-
The replaced Security Gateway appliance must be the same model as the old Security Gateway appliance.
-
The replaced Security Gateway must have the default username and password (
admin/admin
).If you changed the default username or password, restore the Gaia to factory defaults.
-
The replaced Security Gateway must have the same physical interface configuration as the old Security Gateway.
-
The replaced Security Gateway must have the same networking configuration (IP address, default gateway, and so on).
-
The replaced Security Gateway must not be configured with the Gaia First Time Configuration Wizard.
If the First Time Configuration Wizard was already done, you must restore the Gaia to the factory defaults before you can run the RMA restore.
-
You must have all the required packages to install in the repository defined in the primary configuration file. That is, you must have the CPUSE package for Clean Install of the version and the CPUSE packages of all the Hotfixes that were installed on the old Security Gateway.
To see the required packages and other backup information, run:
# ./CentralDeploymentTool -rma -info -gateway=<Name of Security Gateway or Cluster Member Object>
-
If the CDT could not recognize the CPUSE package file name of the installed version, you must explicitly specify the name of the CPUSE package for Clean Install.
See the syntax in the procedure Specifying a CPUSE Clean Install Package when you Restore the RMA Backup Information.
-
Note - License information is not restored on Check Point appliance, because it depends on the appliance's MAC address.
Generating a Candidates List for RMA Backup
Run these commands to generate a Candidates List file (see The Candidates List) for RMA Backup:
Management Server |
Instructions |
---|---|
Security Management Server |
|
Multi-Domain Server |
|
Collecting RMA Backup from the Specified Remote Security Gateways
You specify the remote Security Gateways according to the Candidates List file (see The Candidates List). Run these commands:
Management Server |
Instructions |
---|---|
Security Management Server |
|
Multi-Domain Server |
|
Collecting RMA Backup Information from all Remote Security Gateways
In this case, you do not need the Candidates List file (see The Candidates List). Run these commands:
Management Server |
Instructions |
---|---|
Security Management Server |
|
Multi-Domain Server |
|
Showing the RMA Backup Information of a Specified Remote Security Gateway
Run these commands:
Management Server |
Instructions |
---|---|
Security Management Server |
|
Multi-Domain Server |
|
Restoring the RMA Backup Information on a Remote Security Gateway
Run these commands:
Management Server |
Instructions |
---|---|
Security Management Server |
|
Multi-Domain Server |
|
Note - License path must be the full path to a new license file that you get from your account in Check Point User Center.
Specifying a CPUSE Clean Install Package when you Restore the RMA Backup Information
If the CDT could not recognize the CPUSE package file name of the installed version, you must explicitly specify the full path and the name of the CPUSE package for Clean Install.
You can get this CPUSE package from the Home Page for your version (contact Check Point Support for assistance).
Run these commands:
Management Server |
Instructions |
---|---|
Security Management Server |
|
Multi-Domain Server |
|
Note - License path must be the full path to a new license file that you get from your account in Check Point User Center.
Verification
After you perform an RMA restore, we recommend to make sure the Gaia Clish configuration was restored correctly on the Security Gateway or Cluster Member, VSX Gateway or VSX Cluster Member.
Examine these log files on your Management Server from the Security Gateway or Cluster Member:
Log File |
Description |
---|---|
|
List of Gaia Clish commands that were run to restore the Gaia Clish configuration on the Security Gateway or Cluster Member |
|
Outputs of the Gaia Clish commands that were run to restore the Gaia Clish configuration on the Security Gateway or Cluster Member |
Examine these log files on your Management Server from the VSX Gateway or VSX Cluster Member:
Log File |
Description |
---|---|
|
List of Gaia Clish commands that were run to restore the Gaia Clish configuration on the VSX Gateway or VSX Cluster Member |
|
List of Gaia Clish commands that were run to restore the Gaia Clish configuration in the VSX context 0 (VS0) |
|
Outputs of the Gaia Clish commands that were run to restore the Gaia Clish configuration on the VSX Gateway or VSX Cluster Member |
|
Outputs of the Gaia Clish commands that were run to restore the Gaia Clish configuration in the VSX context 0 (VS0) |
Notes:
-
If these files are not found on your Management Server, most likely the CDT could not copy them from the Security Gateway or Cluster Member.
You can find these files on the Security Gateway or Cluster Member in the
/var/log/CPrma/
directory. -
The log file with outputs of Gaia Clish commands contains special characters.
To see this log file on Gaia OS, use the Linux
less
command.To see this log file on Windows OS, use an advanced text editor, like Notepad++.
Central Deployment Tool (CDT) v1.7 Administration Guide