Database Revisions

The Security Management architecture has built-in revisions. Each publish operation creates a new revision which contains only the changes from the previous revisions.

Benefits of the revision architecture:

Safe recovery from a crisis, restore a Domain to a good known revision (see Notes below).
Fast policy verification, based on the difference between installed versions
More efficient Management High Availability.

Important - Before using the revision feature consider these limitations:

Reverting to a previous revision is an irreversible operation, newer revisions than the target revision are lost.
Changes apply to objects only and not to the file system.
Tasks, SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. and Licenses are not reverted.
The revert action disconnects all other connected users and discards all of their private sessions.
Revision is not supported in these scenarios:
- The Endpoint Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. is enabled.
- If SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. and the Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. are connected through a proxy server, the GUI for this feature is not supported. In this case, use the applicable API command.
- VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. configuration or related networks differ between the source and target revisions.
- A new Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., a Security Management Server or a Check Point object was created or deleted after the target revision date.
- The corresponding revision of the Global Domain, or the IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). or Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI. components was purged.

Best Practices:

It is recommended to update the IPS and Application Control signatures and install the policy after the revert. Install policy if changes to log destinations are applied.
If it is necessary to restore a full environment to a certain point in time, use Restore Backup. All work done after the backup is lost. To learn more, see the: R80.40 Gaia Administration Guide
We recommend to purge irrelevant revisions. Accumulating too many revisions can create a heavy load on the server, which may cause disk and performance issues.

To see saved database versions:

In SmartConsole, go to Manage & Settings > Sessions > Revisions.

To see the changes made during a specific revision:

Go to Manage & Settings > Sessions > Revisions, and select a revision.

The bottom pane shows the audit logs of the changes made in the revision.
Optional: Click View.

A separate read-only SmartConsole session opens.

To revert to an earlier revision

Go to Manage & Settings > Sessions > Revisions, and select a revision.
In Actions, click Revert to this Revision.

The Revert to Revision wizard opens.

To delete all versions of the database that are older than the selected version:

Go to Manage & Settings > Sessions > Revisions, and select a revision.
In Actions, click Purge.
In the confirmation window that opens, click Yes.

Important - Purge is irreversible. When you purge, that revision and older revisions are deleted.

Notes:

When connected with SmartConsole to a Security Management Server, sessions that were published through the Management API in the system Domain are not shown in the Revisions view.
When connecting with the Management API to the Domain of a Security Management Server and running the show sessions API command with view-published-sessions set to true, sessions that were published through SmartConsole are not returned, even if they include changes in the system Domain.

Use Case - Managing a Crisis Using Database Revisions

A network problem occurs after downloading a Threat Prevention update and installing it on gateways.

Solution

From Security Policies Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. > Threat Prevention > Custom Policy Tools > Updates, in the IPS section, select an update that is known to be good.
Click Switch to Version.
Install the Threat Prevention Policy.

The Gateway gets that version of the IPS protections. Other network objects and policies do not change.