1.05k likes | 1.27k Vues
Best Practices. Maintenance and upgrades. Valeri (VAL) Loukine | Cyber Security Evangelist CheckMates Live! Series 2019 - Moscow. Agenda for today. CheckMates Community News Maintenance and Upgrade BP Round Table Q&A Feedback. The Why:. To Build…. And Encourage…. Crowdsourcing
E N D
Best Practices Maintenance and upgrades Valeri (VAL) Loukine | Cyber Security Evangelist CheckMates Live! Series 2019 - Moscow
Agenda for today • CheckMates Community News • Maintenance and Upgrade BP • Round Table Q&A • Feedback
The Why: To Build… And Encourage… Crowdsourcing Direct conversation Information sharing Excitement Feedback Ideas Early adopters Problem solving an online platform with LARGE CROWD OF USERSand give them the ability to share challenges, APIs, benefits, ideas, questions, discussions and connect through meetings and local User Groups.
[Internal Use] for Check Point employees • We grow together CPX 2017launched 100KUSERS From over 150+Countries
Local User Groups CheckMates Live!
[Protected] Distribution or modification is subject to approval Events
The Purpose of a Local CheckMates Chapter Collaborate with end users to improve understanding of Check Point products and services and improve their security posture and operational efficiency. Target audience: people who specify, install, architect, debug, hack, or defend Check Point products.
More CheckMates Events
Ask Me Anything with Dorit Dor & Product Org. Leaders • More than 60 questions answered by Dorit and the team • Discussed the future of cyber security, Infinity Architecture, RoadMap and more • Excellent Engagement with more than 100,000 views (Page and Facebook Live) • To see the recording and answers google “ask me anything Dorit Dor”
Testimonials “Seriously, you and your team are changing the way customer think of Check Point in a very positive way” Employee “site is great and getting better as more user participate…” customer “Guys, You are doing an amazing works I’m proud to be a Check Point customer and a CheckMater“ Customer “My engineers are on CheckMates all the time… Director at Xero “This is the highlight of my career to be mentioned by Gil & Dorit “ Partner “Thanks for the informative webinar: How to prevent the next global attack” some great info in there! Thanks… “Good stuff“ Customers on TechTalks
Community Update - Migration • Happened earlier this week • With minimal downtime • Why did we migrate? • Jive out of support • Aged look & feel • Missing usability features
Community Migration • What are we getting? • New platform with refined look • Better processing • Social networks integration • More gamification • Mobile app (in progress)
Community Migration • Outstanding issues: • Minor look and feel • Additional useful gadgets • Please allow us some time to work it through
And Now Maintenance and upgrades Best practices!
Agenda • Introduction • Backup and Restore Tools • Upgrade Planning • Useful Tools • Password Recovery • Q&A
Why backups? • The only way not to ruin the system • Should be stored outside (with a few exceptions) • Do it every time you make changes • Mandatory for upgrades, migrations, HW and/or configuration changes
Upgrade becoming a disaster • Smart Center Server upgrade in place • No physical access • Mounting ISO file instead of using CD • More than once • Standard upgrade procedure, YES to all questions • Upgrade fails on snapshot , no HD space • Cannot revert, no external backup
SSL Portal blows up • SSL VPN Portal • Heavily customized • cvpnd is dead • Investigation shows • /opt/ is used for 100%, • corrupted config files • cpd fails to start, • then other processes (CP bug, but who cares) • No backup available, customization log lost, so cannot reinstall either
Schrödinger’s Backup • Complex MDSM + VSX environment • Daily scheduled backup scripted with cron • Never tested • Never worked either
Tools for backup and DR • Conventional • Snapshot • Backup • Less conventional • CLISH config • migrate tool • CDT
[Internal Use] for Check Point employees Backup and DR tools snapshot
[Internal Use] for Check Point employees Snapshot • Makes a binary image of the entire root partition (lv_current) • Created on demand with WebUI or CLISH, also can be scheduled • A snapshot is a backup of the system settings and products: • File system, with customized files • System configuration (interfaces, routing, hostname, and similar) • Software Blades • Management database (on a Security Management Server or a Multi-Domain Server)
[Internal Use] for Check Point employees Snapshot (cont) • You can import a snapshot that was made on a different release. However, you must import it to the same appliance or open server hardware model. • Snapshots can be large; • you can reboot into maintenance mode, and resize partitions with “lvm_manager” if needed
[Internal Use] for Check Point employees Snapshot WebUI
[Internal Use] for Check Point employees Snapshot CLI >add snapshot snap120718 desc snap120718 >show snapshots >set snapshot export snap120718 path /var/log/ name snap120718 >show snapshots Important: never rename a snapshot file!
[Internal Use] for Check Point employees Backup and DR tools Backup & restore
[Internal Use] for Check Point employees System Backup OS config & Management server database Does not include binaries of all kinds Backups can be stored locally, or remotely on a TFTP / SCP / FTP server Saved to a .tgz file in /var/log/Cpbackup/backups folder Created on demand with WebUI or CLISH Can be scheduled
[Internal Use] for Check Point employees Collect Backup in CLISH live-machine> backup ftp - Store the files on ftp server local - Store the files locally scp - Store the files on scp server tftp - Store the files on tftp server live-machine> backup local “show backup status” Restore from Backup in CLISH: Collect Backup in Web-UI:
Show backups live-machine> show backups Backups location: /var/log/CPbackup/backups backup_live-machine_11_Feb_2019_16_37.tgz Mon, Feb 11, 2019 343.11 MB
Restore live-machine> restore backup local backup_live-machine_11_Feb_2019_16_37.tgz live-machine> show restore status
[Internal Use] for Check Point employees Backup and DR tools OS config
OS built-in commands: save / load configuration • Allows saving Gaia OS configuration settings as a ready-to-run CLI script. • OS CLISH info only: • Network IP addresses • Routes, • OS users, • VRRP, etc. • Maybe useful when making massive OS level changes
OS configuration • To save configuration: HostName> save configuration <filename> • File will be saved to /home/<username> folder • To load the configuration, use the following procedure HostName> set clienv on-failure continue HostName> load configuration <filename> HostName> set clienv on-failure stop HostName> save config
[Internal Use] for Check Point employees Backup and DR tools Migrate tool
[Internal Use] for Check Point employees Migration Tools for MANAGEMENT Servers All Security Management configuration, independent of hardware, OS or Check Point version Part of advanced Upgrade procedure Can copy over logs and indexes (heavy and long) Used by TAC to replicate a customer’s environment Always use target version tool to collect the export For built-in help, run: #$FWDIR/bin/upgrade_tools/migrate --help
Export Process # $FWDIR/bin/upgrade_tools/migrate export MGMT.tgz You are required to close all clients to Security Management Server or execute 'cpstop' before the Export operation begins. Do you want to continue? (y/n) [n]? y Copying required files... Compressing files... The operation completed successfully. Location of archive with exported database: /home/scp/MGMT.tgz
Import Process # $FWDIR/bin/upgrade_tools/migrate import MGMT.tgz The import operation will eventually stop all Check Point services (cpstop). Do you want to continue? (y/n) [n]? y Extracting the database... Stopping all Check Point services (cpstop)... … Machine will run cpstop and continue
Import Process (cons) Importing files... The import operation completed successfully. Do you wish to start Check Point services? (y/n) [y]? Wait till CPM is up. How to be sure? # $FWDIR/scripts/cpm_status.sh Check Point Security Management Server is during initialization Check Point Security Management Server is running and ready
[Internal Use] for Check Point employees Backup and DR tools Let’s compare