-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
You'll definitely want to make sure you're backing up the management
station (where all these files reside..) The firewalls are
significantly easier to get up and running. Nokia has its own way it
goes about doing backups and so do the little Intrusion.com PDS boxes..
Also, don't forget to get the $FWDIR\state\local.arp file if you're
running NT.. If you're doing a UNIX variant, backing up the files
relevant to IP addressing and whatever startup file you use to do static
arps and routes will probably save you some time trying to get the
static NATs back up. (Trick of the tobkin: Don't hardcode the ethernet
address into the shell script.. This way the startup scripts are
completely portable if you need to replace the hardware underneath.
Note that solaris uses the same ethernet address for all NICs, so do
something like:
#!/bin/sh
IFADDR=`ifconfig -a |grep ether |awk '{print $2}' |uniq`
export IFADDR
/usr/sbin/arp -s 1.2.3.4 $IFADDR
Here's a quick touch on what the files in the conf directory are, so you
can decide whether you should back them up or not. Feel free to correct
me if I'm wrong or unclear. (In general, you can just look at what's
changed since you installed the machine and back up those files..)
Of largest significance are your policy file, <policyname>.W, and
objects.C -- from these two you can regenerate the rulebases.fws file
(./fw m -g *.W).
The cp.license file may be useful, but if you know your certificate key,
you can request a copy of it from the checkpoint license site.
The fwauth.NDB (mgmt. module only) file keeps information about your
users & user-groups, so unless you're not doing any authentication or
securemote (minus LDAP stored users..), you'll want to grab this file
too.
The fwauth.keys file contains all the putkeys you've set -- backing this
up probably isn't necessary since you'll have to redo the putkeys
anyways. This may not be existant if in single gateway mode with no
opsec add-ons tied into it.
The fwmusers (mgmt. station only) file contains all the usernames and
passwords (including permissions), for GUI-Client access.
The gui-clients (mgmt. station only) file tells which remote systems are
allowed to log into the management station via the GUI and manage it.
The masters file (fw module only) just has the address of the management
server in it.
The product.conf file tells which options you have purchased, want
turned on, and such.. restoring it will save some reconfiguring.
The seed file will allow you to utilize the parts that are stored
encrypted -- user passwords and such. Without it, expect to change a
lot of passwords.
The sync.conf (fw modules only) file is used when doing
high-availability state-synchronization.
The serverkeys file (or serverkeys.* on unix) are hashes of the putkeys
(fwauth.keys file).
- ------------
I wrote a script to grab all the configuration files off a solaris
firewall and tar them up. I then wrote another to extract them into the
correct places, re-putkey, and reboot.. Instant cold spare machine for
any of the many solaris firewalls you've got deployed out there.. Email
me if you'd like a copy...
Cheers and such,
// Chris
[EMAIL PROTECTED]
- -----Original Message-----
From: Ryan Reynolds [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 25, 2001 11:18 AM
To: Abdul Hakim
Cc: [EMAIL PROTECTED]
Subject: Re: Backing up Policies on Firewall-1
Abdul:
Firewall-1 stores configuration files in $FWDIR/conf/ (On Solaris).
The
individual files have a .W extension. Compiled rulebases have a .pf
extension. When the Policy Manager loads, it reads a file called
rulebases.fws. The easiest way to back up your rulebases is to simply
back up
the entire $FWDIR/conf directory. You might want to remove the .pf
files to
save space, as they get created whenever you install a policy. The
other
important file is objects.C. This file contains all of your objects and
services. This file and the user base file are also in the $FWDIR/conf
directory.
For a detailed procedure for restoring objects and rulebases to a
different
box, see:
http://www.phoneboy.com/faq/0397.html
Hope this helps.
- -Ryan
Abdul Hakim wrote:
> Hi People,
>
> Is there a way in which i can back up my rule base on Check point
> firewall-1, If so how do i do it and how can i restore it back if i
have to
> Restore it on a different server, will the network objects/services
etc get
> backed up as well. I understand that the network object's and the rule
base
> resides in the management module of the firewall, Which directory does
it
> usually reside in, and is there any tool like a TFTP to back up the
> configuration from the management module.
>
> Thanks in advance,
>
> Rgds,
> Ab-Hakim.
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBOudnFh3lwiNerIMVEQJYMQCdH5au0EIfxixE8Lk+q4j0fuvwfU0AoMQi
i2UtOtapTV3sGfjvmuGBgBHx
=y68W
-----END PGP SIGNATURE-----
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
