Last week my SmartCenter server became corrupted (the filesystem) and I could not install any firewall policy (the Check Point software could not find some needed inodes).
Fortunately I periodically perform Check Point configuration backups (using the migrate export utility), as described here -> Checkpoint – Schedule management database backup
These are the steps to get a working SMS again:
- Pre install steps
- Install Checkpoint 1 – Install the GAIA OS
- Install Checkpoint 2 – Install the Checkpoint SW
- Import the Checkpoint configuration backup
- Post install steps
Before install steps
It is obvious, but we need a new machine to be used as the SMS server. As a best practice, if a virtual environment is available, the best option is to create a new virtual machine so the recovery can be finished as soon as possible.
If there is no choice the same machine can be used (I strongly discourage it). In any case, if you can still access the old server, try to save any data you may need that is stored outside the backup (scripts, patches…). The backup itself is supposed to be stored in another, secure location.
Finally, shut down the old server if it is still on the network (or, for a virtual machine, move it to a test network to isolate it).
After that, get the Checkpoint ISO (the same version that was installed) and boot the new machine from it. The installation starts…
Install Checkpoint 1 – Install the GAIA OS
The boot menu – Install Gaia
Disk partitioning: leave the defaults or customize them. After the installation I add a new disk with more space to store the logs, so I don't think much about this configuration…
Choose a password to access the SMS server via SSH or the web GUI
Choose the same management IP as the old server!
OK, proceed if you are sure…
So the GAIA OS packages and software will be installed…
After the installation a reboot is required and then we can access the GAIA web portal…
Install Checkpoint 2 – Install the Checkpoint SW
The first time configuration wizard lets us configure some basic parameters and finally install the Checkpoint software layer
"Continue with Gaia configuration"
Configure the same parameters as the old server. It is especially important that the hostname is the same (like the management IP)!
Again configure the same management IP. (This screenshot shows empty fields, but they are prefilled with the IP configured in the previous step).
We want to install a "Security Gateway or Security Management"
Date/time. Use NTP if possible (you may configure it later).
Now we select which Checkpoint SW modules will be installed: "Security Management" as "Primary"
Username and password to manage the SmartCenter consoles
Filter the access to the Security Management GUI clients
After the installation completes we have a fully functional SMS server, but with empty firewall policies, databases, etc…
Import the Checkpoint configuration backup
Connect to the SMS via SSH
Connect via SSH to the SMS server, set an expert password and enter expert mode
SMS> set expert-password
Enter new expert password:
Enter new expert password (again):
SMS> expert
Enter expert password:
Warning! All configuration should be done through clish
You are in expert mode now.
[Expert@SMS:0]#
Copy the backup file
Copy the Checkpoint configuration backup to the SMS server (via SCP, for example, if the backup is located on another Linux machine)
[Expert@SMS:0]# scp root@MYLINUXSERVER:/var/backups/EXPORTDB_2016-04-18.tgz .
root@MYLINUXSERVER's password:
EXPORTDB_2016-04-18.tgz    4%   19MB   9.3MB/s   00:46 ETA
Import the backup
This will stop the Check Point services (cpstop), import all the configuration (policies, databases, objects…) and then start the services again
[Expert@SMS:0]# $FWDIR/bin/upgrade_tools/migrate import EXPORTDB_2016-04-18.tgz
Extracting the database...
The import operation will stop all Check Point services (cpstop).
Do you want to continue? (y/n) [n]? y
cpwd_admin: Process DASERVICE terminated
cpwd_admin: Process SMARTLOG_SERVER isn't monitored by cpWatchDog. Stop request aborts
UEPM: Endpoint Security Management isn't activated
Management Portal: Stopping CPWMD
cpwd_admin: Process CPWMD terminated
Management Portal: Stopping CPHTTPD
cpwd_admin: Process CPHTTPD terminated
evstop: dbsync stopped
evstop: Stopping product - SmartEvent Server
evstop: Stopping product - SmartEvent Correlation Unit
Check Point SmartEvent Correlation Unit stopped
Check Point SmartEvent Server stopped
Stopping SmartReporter...
Stopping the SmartReporter Server.
Stopping the SmartReporter Log Consolidator.
Stopping SmartReporter Database.
Note: Database shutdown takes a few minutes. rmdstart will fail while shutdown is in progress.
SmartView Monitor: Management stopped
VPN-1/FW-1 stopped
Multi portal stopped
Local host is not a FireWall-1 module
SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation: Stopping PostgreSQL Database
SVN Foundation stopped
Importing files...
The import operation completed successfully.
Do you wish to start Check Point services? (y/n) [y]? y
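An added example, not from the original post: a small shell helper for expert mode that checks the transferred export archive before handing it to migrate import, since the archive holds the whole management database (objects, rules, certificates) and a truncated or tampered copy is worth catching before the services are stopped. It assumes the backup job also wrote a SHA-256 sidecar file next to the archive (the scheduled export in the post does not mention one) and that $FWDIR is set as it is in expert mode.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a migrate export
# archive before feeding it to "migrate import" on the rebuilt SMS.
# Assumptions: the archive was produced by "migrate export" (a gzip tarball)
# and a "<archive>.sha256" sidecar was written next to it at export time.

# verify_export_archive ARCHIVE
# Returns 0 when the archive is a readable gzip tarball with at least one
# entry and (if a .sha256 sidecar exists) its checksum matches.
verify_export_archive() {
    archive="$1"
    [ -r "$archive" ] || { echo "not readable: $archive" >&2; return 1; }

    # migrate export writes a gzip-compressed tar; refuse anything else
    gzip -t "$archive" 2>/dev/null || { echo "not a valid gzip file: $archive" >&2; return 1; }
    entries=$(tar -tzf "$archive" 2>/dev/null | wc -l)
    [ "$entries" -gt 0 ] || { echo "archive has no entries: $archive" >&2; return 1; }

    # integrity of the transferred copy: compare against the checksum
    # recorded on the backup host at export time, when we have it
    if [ -r "$archive.sha256" ]; then
        expected=$(awk '{print $1}' "$archive.sha256")
        actual=$(sha256sum "$archive" | awk '{print $1}')
        [ "$expected" = "$actual" ] || { echo "checksum mismatch: $archive" >&2; return 1; }
    else
        echo "warning: no $archive.sha256 sidecar, checksum not verified" >&2
    fi
    echo "archive ok: $entries entries"
    return 0
}

# import_export_archive ARCHIVE
# Hands the archive to migrate import (the same interactive command used in
# the post) only after it passed verification.
import_export_archive() {
    verify_export_archive "$1" || return 1
    "$FWDIR/bin/upgrade_tools/migrate" import "$1"
}

# usage (in expert mode): import_export_archive EXPORTDB_2016-04-18.tgz
```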
Post install steps
Add lost rules and policies
You may have lost changes made between the backup and the crash. If possible (from documentation, emails…) add those changes again
Configure lost server parameters
For example, I had to configure some OS-level parameters to make the DHCP Relay work. Fortunately, I had documented that change.
Reconfigure scripts and scheduled tasks
Don't forget to reconfigure scheduled tasks like backups, log rotation and NTP time synchronization.