You could probably automate the whole thing by using my snapshot script
to save your backups to SCP, and having a similar 'revert' script run on
the other box a few hours later to restore the new config.  You'd need
to watch out for duplicate IPs and stuff if both boxes are physically
connected to the network, but you'd effectively have a 'warm standby'
instead of a cold box that still needs to be restored in the meantime.
For the duplicate IP address issue, you could just assign an IP
to an interface which is unplugged on the live box, but is the ONLY
interface plugged in on the standby box.  Both machines would have the
same IP assigned to that interface, as well as the others, but no two
matching interfaces would be plugged in at the same time.

Alternately, and probably more straightforward, you could just copy the
snapshot to a CD, tape, or whatever media is valid (Flash drive even?)
and then manually revert it on the new box, or set up a script that
automatically reverts when the media is inserted...

I don't know how a management server would handle seeing two instances
of the same managed firewall though.  There may be a better solution to
this, I'm really just throwing out ideas.  I haven't tested any of
these, but I'm sure there's some way to do what you're looking for.

Jeff Jarmoc - CCSA, CCNA, MCSE
Sr. Network Analyst - Grubb & Ellis
[EMAIL PROTECTED]

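Helper functions around the dated-snapshot naming used by Jeff's script and the warm-standby 'revert' job sketched above, added here as an example and not code from the thread. It assumes SPLAT's snapshot --scp and revert --scp both take server, user, password and a name to which .tgz is appended, and that the SCP credentials sit in a mode-600 file (path assumed) rather than on the command line or in the crontab.

```shell
#!/bin/sh
# Added example, not the script from the thread: helpers around the
# snapshot_YY.MM.DD.tgz naming scheme for the live box's cron job and the
# warm-standby box's 'revert' job a few hours later.
# Assumptions: SPLAT 'snapshot --scp' and 'revert --scp' take
# <server> <user> <password> <name> and append .tgz; SCP_CREDS (assumed
# path) is a mode-600 file holding "server user password" on one line, so
# the password is not on the command line or in the crontab.

SCP_CREDS=${SCP_CREDS:-/etc/snapshot-scp.creds}
KEEP=${KEEP:-7}   # newest snapshots to keep when pruning the SCP server

# Name for a YYYY-MM-DD date: yy.mm.dd sorts lexically, so `sort` puts the
# newest snapshot last and the standby box can find it without parsing.
snapshot_name() {
    yy=$(echo "$1" | cut -c3-4); mm=$(echo "$1" | cut -c6-7); dd=$(echo "$1" | cut -c9-10)
    echo "snapshot_$yy.$mm.$dd.tgz"
}

# From a newline-separated listing on stdin, keep only names that follow the
# scheme (anything else in the directory is ignored) and print the newest.
newest_snapshot() {
    grep -E '^snapshot_[0-9]{2}\.[0-9]{2}\.[0-9]{2}\.tgz$' | sort | tail -n 1
}

# Same listing on stdin; print everything older than the newest $KEEP, i.e.
# the files a pruning job may delete from the SCP server.
stale_snapshots() {
    grep -E '^snapshot_[0-9]{2}\.[0-9]{2}\.[0-9]{2}\.tgz$' | sort -r | tail -n +"$((KEEP + 1))"
}

# Live box (cron): today's snapshot straight to the SCP server.
take_snapshot() {
    read -r server user pass < "$SCP_CREDS" || return 1
    name=$(snapshot_name "$(date +%Y-%m-%d)")
    echo y | snapshot --scp "$server" "$user" "$pass" "${name%.tgz}"
}

# Standby box (cron, later): restore the newest snapshot in the listing
# passed as $1 (e.g. the output of an `ls` of the snapshot directory).
restore_newest() {
    read -r server user pass < "$SCP_CREDS" || return 1
    name=$(printf '%s\n' "$1" | newest_snapshot)
    [ -n "$name" ] || { echo "no snapshot in listing" >&2; return 1; }
    echo y | revert --scp "$server" "$user" "$pass" "${name%.tgz}"
}
```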

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Alan Choyna
Sent: Tuesday, December 13, 2005 2:29 PM
To: [email protected]
Subject: Re: [FW-1] Secure Platform: difference between backups &snapshots

Would this be a good way to update a cold swap firewall as well?

As a low cost measure we have 2 DL360's, both of them running R55 
HFA16 with identical hardware configs.

We only have a management and gateway license, so we want to have 1 
running live, backing up daily, and then if we have an issue with it, 
restoring the backup to the cold swap unit.

My test restores don't seem to be working well, as the conf, 
database, state and log dirs are not being restored. The /etc dir 
seems to restore fine, my overwritten ethers file (and routing, etc) 
can attest to that.

Any advice on what I'm doing wrong? Or how I could improve mirroring 
methodology?

Thanks,

Al

At 01:07 PM 12/13/2005, Jarmoc, Jeff wrote:
>It's pretty simple really.  Take the below two lines (wordwrap may
>break them up) and put them in a file, chmod it so it's executable and
>set up a cron job to run it on whatever schedule you want.  You can set
>the user's home directory on the SCP server (I use Cygwin on windows) to
>store snapshots wherever you want.  The resulting file, if run today,
>would be called snapshot_05.12.13.tgz.  I prefer the year.month.date
>format as it sorts more easily but you can modify that to your liking.
>
>DATESTAMP=`date +%y.%m.%d`
>echo y | snapshot --scp <SCP_Server> <SCP_Username> <SCP_password> snapshot_$DATESTAMP
>
>To restore, just build the firewall with a SPLAT CD, then run revert to
>pull the file off SCP and restore it.
>
>One of the biggest benefits of this method of backup for me is that it
>restores zebra and all its configuration which we use for routing.  The
>normal backup utils included in SPLAT don't do that, they only backup
>checkpoint config.
>
>Jeff Jarmoc - CCSA, CCNA, MCSE
>Sr. Network Analyst - Grubb & Ellis
>847.753.7617 - [EMAIL PROTECTED]
>
>
>-----Original Message-----
>From: Shane Presley [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, December 13, 2005 12:44 PM
>To: Mailing list for discussion of Firewall-1; Jarmoc, Jeff
>Subject: Re: [FW-1] Secure Platform: difference between backups &snapshots
>
>Thanks everybody.  And yes Jeff, if you're willing to share, I'd love
>a copy of your script.
>
>Shane
>
>On 12/13/05, Jarmoc, Jeff <[EMAIL PROTECTED]> wrote:
> > It's worth pointing out that you can redirect snapshots to an SCP
> > server.  In fact, I've written a small script to automate the naming of
> > snapshots using the current date, and SCP them off to a separate server
> > which is then backed up via tape.
> >
> > The result is a great disaster resilient recovery system.  Not only can
> > I restore from software corruption or a hard disk failure, but I can get
> > a completely new server up and running as a fully configured firewall in
> > under 20 minutes.
> >
> > Jeff Jarmoc - CCSA, CCNA, MCSE
> > Sr. Network Analyst - Grubb & Ellis
> > 847.753.7617 - [EMAIL PROTECTED]
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
