Check Point NG[s]AI
Administering Check Point VPN-1/FW-1 NG for Recoverability
Recoverability is an important issue for most organizations. In some organizations, a downed firewall can have a serious impact on business. Being able to recover quickly is essential.
Making Backups
Making backups of your FW-1 configuration is relatively easy. In fact, we have already identified most of the critical files you should back up:
- objects_5_0.c
- rulebases_5_0.fws
- fwauth.NDB*
- All *.W files (not required)
- All *.pf files (not required)
- fwmusers and gui-clients (not required)
You should back up these files to a safe and secure location after any modifications are made, along with any files that you have modified manually, such as base.def or table.def. Restoring a firewall is as easy as copying these files. The *.W and *.pf files are not required because FW-1 will recreate them.
In addition to having your configuration backed up, you should consider how to recover if the hardware fails completely. If you have a four-hour service response contract, make sure that you can live without a firewall for four hours. If this isn't the case, you should purchase a hot-swap server or invest in a high-availability solution.
If your firewall does go down and you need to move the installation, follow these easy steps:
- If your IP address is changing or if your license is based on a host ID, request a license change from Check Point's Licensing User Center. If you need additional licensing features, contact your Check Point VAR.
- Install the operating system on the new hardware and patch it, implementing any OS-recommended hardening measures.
- Install the FW-1 software from a downloaded file or via CD, and install your license.
- Patch the FW-1 software to the same build level as the machine you are copying files from.
- Copy the files objects_5_0.c, rulebases_5_0.fws, and fwauth.NDB* into the $FWDIR/conf directory.
- If you do not want to add your administrators and GUI clients again by hand, you can also copy the files fwmusers and gui-clients into $FWDIR/conf.
- You will need to redo any SIC configuration.
- Install the policy and test connectivity.
- Upgrade the firewall and add any new patches beyond the build you were duplicating.
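The backup list and the copy-back step above can be scripted so that an incomplete or damaged backup is caught before it is needed. The following is an added example, not code from the book or from Check Point; it assumes a POSIX shell with tar and sha256sum, and the function names fw1_backup and fw1_verify are hypothetical.

```shell
#!/bin/sh
# Added example, not from the book. Assumes POSIX sh, tar and sha256sum.
# fw1_backup and fw1_verify are hypothetical names; file names are as given on this page.

# fw1_backup CONF_DIR DEST_DIR: archive the critical files, print the archive path.
fw1_backup() (
    conf=$1; dest=$2
    umask 077                                   # archive readable by its owner only
    stage=$(mktemp -d) || exit 1
    mkdir -p "$dest" "$stage/conf" || exit 1
    # Required files: abort rather than produce a backup that cannot restore.
    for f in "$conf"/objects_5_0.c "$conf"/rulebases_5_0.fws "$conf"/fwauth.NDB*; do
        [ -f "$f" ] || { echo "missing required file: $f" >&2; rm -rf "$stage"; exit 1; }
        cp -p "$f" "$stage/conf/" || exit 1
    done
    # Optional files: they only save re-entering administrators and GUI clients.
    for f in "$conf"/fwmusers "$conf"/gui-clients; do
        if [ -f "$f" ]; then cp -p "$f" "$stage/conf/" || exit 1; fi
    done
    # Manifest sits beside conf/ so it never lists itself.
    ( cd "$stage" && sha256sum conf/* > SHA256SUMS ) || exit 1
    archive="$dest/fw1-conf-$(date +%Y%m%d-%H%M%S).tar"
    tar -cf "$archive" -C "$stage" SHA256SUMS conf || exit 1
    rm -rf "$stage"
    echo "$archive"
)

# fw1_verify ARCHIVE: unpack into a scratch directory and check every file
# against the manifest before anything is copied into $FWDIR/conf.
fw1_verify() (
    scratch=$(mktemp -d) || exit 1
    rc=1
    if tar -xf "$1" -C "$scratch" && cd "$scratch" &&
       sha256sum -c SHA256SUMS >/dev/null 2>&1; then rc=0; fi
    cd / && rm -rf "$scratch"
    exit "$rc"
)
```

The manifest travels inside the archive, so it detects corruption or truncation, not deliberate modification; keep a copy of the checksums in a separate location if you need to detect the latter.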
In addition, some operating systems (such as SecurePlatform and Nokia's IPSO) have built-in backup utilities that can be used to back up and restore configurations of Check Point as well as the OS. A full discussion of proper backup and restore procedures appears in Check Point NG VPN-1/FireWall-1: Advanced Configuration and Troubleshooting (Syngress Publishing, ISBN: 1-931836-97-3).