
Valeri (VAL) Loukine | Cyber Security Evangelist CheckMates Live! Series 2019 - Moscow


Presentation Transcript


  1. Best Practices Maintenance and upgrades Valeri (VAL) Loukine | Cyber Security Evangelist CheckMates Live! Series 2019 - Moscow

  2. Agenda for today • CheckMates Community News • Maintenance and Upgrade BP • Round Table Q&A • Feedback

  3. The Why: To Build… an online platform with a LARGE CROWD OF USERS and give them the ability to share challenges, APIs, benefits, ideas, questions, discussions and connect through meetings and local User Groups. And Encourage… • Crowdsourcing • Direct conversation • Information sharing • Excitement • Feedback • Ideas • Early adopters • Problem solving

  4.  [Internal Use] for Check Point employees • We grow together • CPX 2017 launched • 100K USERS • From over 150+ Countries

  5. Grow, Share, and Inspire!

  6. Being Part of CP Ecosystem

  7. Local User Groups CheckMates Live!

  8.  [Protected] Distribution or modification is subject to approval ​ Events

  9. The Purpose of a Local CheckMates Chapter Collaborate with end users to improve understanding of Check Point products and services and improve their security posture and operational efficiency. Target audience: people who specify, install, architect, debug, hack, or defend Check Point products.

  10. More CheckMates Events

  11. CheckMates Champions in Tel Aviv HQ 2018

  12. Ask Me Anything with Dorit Dor & Product Org. Leaders • More than 60 questions answered by Dorit and the team • Discussed the future of cyber security, Infinity Architecture, RoadMap and more • Excellent Engagement with more than 100,000 views (Page and Facebook Live) • To see the recording and answers google “ask me anything Dorit Dor”

  13. Testimonials • “Seriously, you and your team are changing the way customer think of Check Point in a very positive way” Employee • “site is great and getting better as more user participate…” customer • “Guys, You are doing an amazing works I’m proud to be a Check Point customer and a CheckMater” Customer • “My engineers are on CheckMates all the time…” Director at Xero • “This is the highlight of my career to be mentioned by Gil & Dorit” Partner • “Thanks for the informative webinar: How to prevent the next global attack” some great info in there! Thanks… “Good stuff” Customers on TechTalks

  14. Community Update - Migration • Happened earlier this week • With minimal downtime • Why did we migrate? • Jive out of support • Aged look & feel • Missing usability features

  15. Community Migration • What are we getting? • New platform with refined look • Better processing • Social networks integration • More gamification • Mobile app (in progress)

  16. Community Migration • Outstanding issues: • Minor look and feel • Additional useful gadgets • Please allow us some time to work it through

  17. Questions?

  18. And Now Maintenance and upgrades Best practices!

  19. Agenda • Introduction • Backup and Restore Tools • Upgrade Planning • Useful Tools • Password Recovery • Q&A

  20. Why backups? • The only way not to ruin the system • Should be stored outside (with a few exceptions) • Do it every time you make changes • Mandatory for upgrades, migrations, HW and/or configuration changes

  21. Scary tales of no backup

  22. Upgrade becoming a disaster • Smart Center Server upgrade in place • No physical access • Mounting ISO file instead of using CD • More than once • Standard upgrade procedure, YES to all questions • Upgrade fails on snapshot, no HD space • Cannot revert, no external backup

  23. SSL Portal blows up • SSL VPN Portal, heavily customized • cvpnd is dead • Investigation shows: /opt/ is 100% used, config files are corrupted, cpd fails to start, then other processes fail as well (CP bug, but who cares) • No backup available, customization log lost, so cannot reinstall either

  24. Schrödinger’s Backup • Complex MDSM + VSX environment • Daily scheduled backup scripted with cron • Never tested • Never worked either

  25. Tools for backup and DR • Conventional • Snapshot • Backup • Less conventional • CLISH config • migrate tool • CDT

  26. Backup and DR tools snapshot

  27. Snapshot • Makes a binary image of the entire root partition (lv_current) • Created on demand with WebUI or CLISH, also can be scheduled • A snapshot is a backup of the system settings and products: • File system, with customized files • System configuration (interfaces, routing, hostname, and similar) • Software Blades • Management database (on a Security Management Server or a Multi-Domain Server)

  28. Snapshot (cont) • You can import a snapshot that was made on a different release. However, you must import it to the same appliance or open server hardware model. • Snapshots can be large; you can reboot into maintenance mode and resize partitions with “lvm_manager” if needed

  29. Snapshot WebUI

  30. Location of Snapshots

  31. Snapshot CLI

          >add snapshot snap120718 desc snap120718
          >show snapshots
          >set snapshot export snap120718 path /var/log/ name snap120718
          >show snapshots

      Important: never rename a snapshot file!

  32. Backup and DR tools Backup & restore

  33. System Backup • OS config & Management server database • Does not include binaries of all kinds • Backups can be stored locally, or remotely on a TFTP / SCP / FTP server • Saved to a .tgz file in /var/log/CPbackup/backups folder • Created on demand with WebUI or CLISH • Can be scheduled

  34. Collect Backup in CLISH

          live-machine> backup
          ftp    - Store the files on ftp server
          local  - Store the files locally
          scp    - Store the files on scp server
          tftp   - Store the files on tftp server
          live-machine> backup local

      Check progress with “show backup status”.

      Restore from Backup in CLISH: Collect Backup in Web-UI:

  35. Show backups

          live-machine> show backups
          Backups location: /var/log/CPbackup/backups
          backup_live-machine_11_Feb_2019_16_37.tgz Mon, Feb 11, 2019 343.11 MB

  36. Restore

          live-machine> restore backup local backup_live-machine_11_Feb_2019_16_37.tgz
          live-machine> show restore status

  37. Backup and DR tools OS config

  38. OS built-in commands: save / load configuration • Allows saving Gaia OS configuration settings as a ready-to-run CLI script. • OS CLISH info only: • Network IP addresses • Routes • OS users • VRRP, etc. • May be useful when making massive OS-level changes

  39. OS configuration • To save configuration:

          HostName> save configuration <filename>

      • File will be saved to /home/<username> folder • To load the configuration, use the following procedure:

          HostName> set clienv on-failure continue
          HostName> load configuration <filename>
          HostName> set clienv on-failure stop
          HostName> save config

  40. Backup and DR tools Migrate tool

  41. Migration Tools for MANAGEMENT Servers • All Security Management configuration, independent of hardware, OS or Check Point version • Part of advanced Upgrade procedure • Can copy over logs and indexes (heavy and long) • Used by TAC to replicate a customer’s environment • Always use target version tool to collect the export • For built-in help, run:

          # $FWDIR/bin/upgrade_tools/migrate --help

  42. Export Process

          # $FWDIR/bin/upgrade_tools/migrate export MGMT.tgz
          You are required to close all clients to Security Management Server
          or execute 'cpstop' before the Export operation begins.
          Do you want to continue? (y/n) [n]? y
          Copying required files...
          Compressing files...
          The operation completed successfully.
          Location of archive with exported database: /home/scp/MGMT.tgz

  43. Import Process

          # $FWDIR/bin/upgrade_tools/migrate import MGMT.tgz
          The import operation will eventually stop all Check Point services (cpstop).
          Do you want to continue? (y/n) [n]? y
          Extracting the database...
          Stopping all Check Point services (cpstop)...
          …

      Machine will run cpstop and continue

  44. Import Process (cont)

          Importing files...
          The import operation completed successfully.
          Do you wish to start Check Point services? (y/n) [y]?

      Wait till CPM is up. How to be sure?

          # $FWDIR/scripts/cpm_status.sh
          Check Point Security Management Server is during initialization
          Check Point Security Management Server is running and ready

  45. Backup and DR tools Let’s compare

  46. Tools at a glance

  47. Tools at a glance (cont)

  48. Building Recovery Plan
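
The "Schrödinger's Backup" case on slide 24 (a cron-scheduled backup that was never tested and never worked) can be caught by checking the newest archive after every run. The script below is an added example, not part of the original presentation or Check Point's tooling; it assumes the `backup_<host>_<date>.tgz` naming and location shown on slide 35, and the thresholds `MAX_AGE_H` and `MIN_BYTES` are illustrative.

```bash
#!/bin/bash
# Added example: verify the newest system backup instead of trusting the scheduler.
# Assumed: archive naming/location as on slide 35; thresholds are illustrative.
BACKUP_DIR="${BACKUP_DIR:-/var/log/CPbackup/backups}"
MAX_AGE_H="${MAX_AGE_H:-26}"          # daily job plus two hours of slack
MIN_BYTES="${MIN_BYTES:-1048576}"     # anything under 1 MB is suspicious

# Print the path of the newest backup archive in <dir>; return 1 if there is none.
latest_backup() {
    local f
    f=$(ls -1t "$1"/backup_*.tgz 2>/dev/null | head -n 1)
    [ -n "$f" ] && printf '%s\n' "$f"
}

# verify_backup [dir]: print a one-line verdict.
# Return codes: 0 OK, 1 missing, 2 stale, 3 too small, 4 unreadable archive.
verify_backup() {
    local dir="${1:-$BACKUP_DIR}" f age_h size_b
    f=$(latest_backup "$dir") || { echo "FAIL no backup archive in $dir"; return 1; }

    age_h=$(( ( $(date +%s) - $(stat -c %Y "$f") ) / 3600 ))
    [ "$age_h" -le "$MAX_AGE_H" ] || { echo "FAIL $f is ${age_h}h old"; return 2; }

    size_b=$(stat -c %s "$f")
    [ "$size_b" -ge "$MIN_BYTES" ] || { echo "FAIL $f is only $size_b bytes"; return 3; }

    # Listing forces a full read, so truncated or corrupted archives fail here.
    tar -tzf "$f" >/dev/null 2>&1 || { echo "FAIL $f is not a readable tgz"; return 4; }

    # The hash lets the off-box copy be compared with the local file.
    echo "OK $f sha256=$(sha256sum "$f" | cut -d' ' -f1)"
}
```

Call `verify_backup` after the scheduled job and alert on any non-zero return code. It proves the archive exists, is fresh and is readable, not that a restore works, so a periodic test restore on spare hardware or a VM is still needed.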
