Checkpoint config backup - ayarları yedekleme nasıl yapılır
Checkpoint çoğu bilinçli sistem yöneticisinin kullandığı firewall'dur.
Checkpoint'in güzel özelliklerinin yanı sıra backup arabiriminin olmayışı bazı durumlarda sistem yöneticilerini zorlamaktadır. Aşağıda Checkpoint IPSO (SecureOS) çalışırken nasıl yedekleneceğini adım adım anlattım.
Gerekli olanlar: Shell access (ssh) ve expert yetkisi, ftp (tavsiye ederim) veya tftp sunucu.
------------
Yedekleme (backup/export).
Last login: Thu Dec 27 09:18:01 2007 from 10.0.0.9
? for list of commands
sysconfig for system and products configuration
[cpmodule]# expert
Enter expert password:
You are in expert mode now.
[Expert@cpmodule]# df (komutu ile yeterli boş alanımız var mı bakıyoruz)
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/cciss/c0d0p7 1032056 232040 747592 24% /
none 1032056 232040 747592 24% /dev/pts
/dev/cciss/c0d0p1 150128 9975 132402 8% /boot
/dev/cciss/c0d0p3 3562112 622092 2759072 19% /opt
none 1799448 0 1799448 0% /dev/shm
/dev/cciss/c0d0p6 1546064 723024 744504 50% /sysimg
/dev/cciss/c0d0p5 56488476 32496316 21122700 61% /var
[Expert@cpmodule]# cd $fwdir (fw1'nın yüklü olduğu klasöre giriyoruz, fakat küçük/büyük harflere dikkat etmeli ve bu noktada büyük harfleri kullanmak gerekli)
[Expert@cpmodule]# pwd (görüldüğü üzere klasör değişmedi)
/home/admin
[Expert@cpmodule]# cd $FWDIR (büyük harflerle yazıyoruz)
[Expert@cpmodule]# pwd (klasöre ulaştık)
/opt/CPsuite-R65/fw1
[Expert@cpmodule]# cd bin/upgrade_tools/ (klasöre giriyoruz)
[Expert@cpmodule]# ls -l (dosyalara/komutlara bakalım)
total 4024
-rwxrwx--- 1 root bin 406076 Mar 7 2007 upgrade_export
-rwxrwx--- 1 root bin 3702348 Mar 7 2007 upgrade_import
[Expert@cpmodule]# ./upgrade_export yedek1 (parametre olarak yedek dosyasının adını yazıyoruz)
You are required to close all Check Point clients before the Export operation begins.
If the export fails, stop Check Point services and run the upgrade_export command again.
Press ENTER when ready..
Checking the existence of necessary files...
Copying files to temp dir...
Building configuration file...
Compressing the files...
The export operation finished successfully.
[Expert@cpmodule]# ls -l (yazıp son duruma bakıyoruz, "successfully" yazmadıysa checkpoint servislerini kapatıp tekrar export komutunu yazıyoruz)
total 40880
-rwxrwx--- 1 root bin 406076 Mar 7 2007 upgrade_export
-rwxrwx--- 1 root bin 3702348 Mar 7 2007 upgrade_import
-rw-rw---- 1 root root 37697230 Dec 28 18:30 yedek1.tgz (yedek dosyasının hazırlanması rule'larınıza, sunucunun hızına ve üstündeki yüke göre değişkenlik gösterir)
[Expert@cpmodule]# ftp 10.0.0.20 (ftp sunucusuna bağlanıyoruz)
Connected to 10.0.0.20 (10.0.0.20).
220 3Com 3CDaemon FTP Server Version 2.0
Name (10.0.0.20:admin): anonymous (kullanıcı adını girin)
331 User name ok, need password
Password: (ÅŸifreyi girin)
230 User logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin (transfer modunu "binary" yapıyoruz, yapmazsak dosyasın içeriği aktarım esnasında bozulur)
200 Type set to I.
ftp> put yedek1.tgz (yedek dosyamızı transfer ediyoruz "upload")
local: yedek1.tgz remote: yedek1.tgz
227 Entering passive mode (10,0,0,20,11,227)
125 Using existing data connection
226 Closing data connection; File transfer successful.
37697230 bytes sent in 3.2 secs (1.2e+04 Kbytes/sec)
ftp> exit (ftp'den çıkıyoruz)
221 Service closing control connection
[Expert@cpmodule]#
Yedekleme (backup) iÅŸlemimiz bitti.
-----------
-----------
Yedekten (restore/import) dönme.
[Expert@cpmodule]# df (komutu ile yeterli boş alanımız var mı bakıyoruz)
[Expert@cpmodule]# cd $FWDIR (büyük harflerle yazıyoruz)
[Expert@cpmodule]# pwd (klasöre ulaştık)
/opt/CPsuite-R65/fw1
[Expert@cpmodule]# cd bin/upgrade_tools/ (klasöre giriyoruz)
[Expert@cpmodule]# ls -l (dosyalara/komutlara bakalım)
total 40880
-rwxrwx--- 1 root bin 406076 Mar 7 2007 upgrade_export
-rwxrwx--- 1 root bin 3702348 Mar 7 2007 upgrade_import
-rw-rw---- 1 root root 37697230 Dec 28 18:30 yedek1.tgz
(Eğer bu klasördeki yedeği kullanacaksak direk olarak "upgrade_import" komutuna bakın)
[Expert@cpmodule]# ftp 10.0.0.20 (ftp sunucusuna bağlanıyoruz)
Connected to 10.0.0.20 (10.0.0.20).
220 3Com 3CDaemon FTP Server Version 2.0
Name (10.0.0.20:admin): anonymous (kullanıcı adını girin)
331 User name ok, need password
Password: (ÅŸifreyi girin)
230 User logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin (transfer modunu "binary" yapıyoruz, yapmazsak dosyasın içeriği aktarım esnasında bozulur)
200 Type set to I.
ftp> get yedek1.tgz (yedek dosyamızı transfer ediyoruz "download")
local: yedek1.tgz remote: yedek1.tgz
227 Entering passive mode (10,0,0,20,11,230)
125 Using existing data connection
226 Closing data connection; File transfer successful.
37697230 bytes received in 6.88 secs (5.4e+03 Kbytes/sec)
ftp> exit (ftp'den çıkıyoruz)
221 Service closing control connection
[Expert@cpmodule]#
[Expert@cpmodule]# ls -l (dosyalara/komutlara bakalım)
[Expert@cpmodule]# ./upgrade_import yedek1.tgz ((parametre olarak yedek dosyasının adını yazıyoruz)
The 'Import' operation will stop all Check Point services (cpstop).
Do you want to continue? (y/n) [n] ? y (import işleminde checkpoint servisleri kapatılır!)
Stopping Check Point Software...
Stopping Eventia Reporter...
Stopping the Eventia Reporter Server.
Stopping the Eventia Reporter Log Consolidator.
Stopping Eventia Reporter Database.
Note: Database shutdown takes a few minutes. rmdstart will fail while
shutdown is in progress.
Done.
Stopping SmartView Monitor daemon ...
SmartView Monitor daemon stopped
Stopping SmartView Monitor kernel ...
SmartView Monitor kernel stopped
Stopping Check Point Software...
Stopping Eventia Reporter...
Stopping the Eventia Reporter Server.
Stopping the Eventia Reporter Log Consolidator.
Stopping Eventia Reporter Database.
Note: Database shutdown takes a few minutes. rmdstart will fail while
shutdown is in progress.
Done.
Stopping SmartView Monitor daemon ...
SmartView Monitor daemon stopped
Stopping SmartView Monitor kernel ...
SmartView Monitor kernel stopped ...
Driver is Down.
rtmstop: SmartView Monitor kernel is not loaded
FloodGate-1 is already stopped.
Cannot find pid of vpnd
VPN-1/FW-1 stopped
SVN Foundation: cpd is not running
SVN Foundation: cpWatchDog is not running
SVN Foundation stopped
Decompressing the exported file...
./
.... (bu noktadan sonra bir çok dosya kopyalama işlemi var)
Importing the files to the local machine...
Importing from NGX (R65) to NGX (R65). Upgrade is not required.
License version verification: All licenses are NGX compatible.
Importing from NGX (R65) to NGX (R65). Upgrade is not required.
License version verification: All licenses are NGX compatible.
- To upgrade to NGX R65, YOU MUST FIRST upgrade licenses for all NG products.
- NGX R65 with licenses from NG or prior to NG version WILL NOT FUNCTION.
- The license upgrade process gathers all the licenses from this machine, sends them in SSL encrypted format to the User Center, gets the upgraded licenses and installs them on the machine.
- The license upgrade process on the SmartCenter Server also handles gateway licenses in the license repository.
- After the software upgrade, open SmartUpdate and attach the new NGX licenses to the gateways.
- To simulate the license upgrade, quit the installation, run the license upgrade utility (located on the CD at <OS>\license_upgrade), and select the Simulate option.
- For more details, see the License Upgrade chapter of the Upgrade Guide (located on the CD and at the Check Point Download site).
- The license upgrade process may take some time.
Do you want to continue? (y/n) [y] ? n (lisans işleminiz varsa "y" yazın)
Warning: Failed to upgrade SmartView Reporter
Importing from NGX (R65) to NGX (R65). Upgrade is not required.
Running install for plug-in PIconnectra.
upgrade_import finished successfully!
Do you wish to start Check Point services ('cpstart')? (y/n) [y] ? y (servisleri baÅŸlatmak istiyor musunuz)
cpstart: Power-Up self tests passed successfully
cpstart: Starting product - SVN Foundation
SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation started
cpstart: Starting product - VPN-1
FireWall-1: Starting external VPN module -- OK
FireWall-1: Starting fwd
FireWall-1: Starting fwm (SmartCenter Server)
Installing Security Policy Standard on all.all@cpmodule
Fetching Security Policy from localhost succeeded
FireWall-1: enabling bridge forwarding
FireWall-1 started
cpstart: Starting product - FloodGate-1
FloodGate-1 is disabled. If you wish to start the service, please run 'etmstart enable'.
cpstart: Starting product - SmartView Monitor
SmartView Monitor: Loading kernel ...
rtmstart: Loading SmartView Monitor kernel module
Starting SmartView Monitor kernel ...
SmartView Monitor kernel started
Starting SmartView Monitor daemon
cpstart: Starting product - Eventia Suite
Starting Eventia Reporter...
Starting Eventia Reporter Database.
[1] 14721
Starting Eventia Reporter Server.
Starting Eventia Reporter Log Consolidator.
[2] 14749
Done.
[Expert@cpmodule]# reboot (import iÅŸleminden sonra reboot etmekte fayda var)
Are you sure? (y/n) y (reboot yapılırsa tüm bağlantılar kesilecek emin misin?)
Broadcast message from root (ttyp0) (Fri Dec 28 19:02:05 2007):
The system is going down for reboot NOW!
[Expert@cpmodule]#
Checkpoint açıldıktan sonra smartdashboard'a girip "install" demekte fayda var.
Yedekten (restore/import) dönme işlemi bitti.
-----------------
Not: Import/export işlemleri esnasında local'de olmanız gerekmez ssh üzerinden rahatlıkla yapabilirsiniz reboot etmediğiniz sürece bağlantınız kesilmez.
Alıntı Yaparak Cevapla
