NokiaBackup
From FrogspawnWiki
Note that this was written based on an older version of IPSO; there are probably better ways to accomplish this now.
This guide will have your Nokia (Check Point) IP security device making scheduled backups, and using FTP to transfer them to a centralised backup server.
Configure automatic backups
Log in to Voyager and go to Configuration > System Configuration > Backup and Restore.
Create a Scheduled Backup job. It's common to use the name of the firewall as the backup file name.
The firewall will now create a backup according to the schedule and store it in /var/backup/sched. However, you probably want to automatically move that backup to a remote server.
Configure auto transfer
Voyager doesn't provide a good way to do this, so you need to get handy with IPSO, which of course is a *nix type OS. Telnet or SSH to the Nokia IP and log in as admin.
How you proceed from here depends on how you want to transfer the file. You could go with FTP or you could use SCP. FTP sends the username, password and backup file unencrypted, so SCP is the better fit where the backup server supports it.
In the following, replace <servername> with the hostname or IP address of your FTP server, and <username> and <password> with the username and password for that server. You will also want to modify the paths.
FTP Transfers
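Create a script called backup containing the following:

    ftp <servername>
    rm /var/backup/sched/*

Note that the rm line runs once the ftp session ends, whether or not the upload succeeded.
Make the script executable (chmod +x) so that it can be run.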
Also create a .netrc file. It will contain a script that is run whenever the Nokia connects to your FTP server:

    machine <servername> login <username> password <password>
    macdef init
    prompt
    cd /firewallbackups
    lcd /var/backup/sched
    bi
    mput *
    bye

chmod .netrc so that only the user has read and write access (chmod 600 .netrc). Note the empty line at the end of the file; it IS required.
Schedule the transfer
Back in Voyager, go to Configuration > System Configuration > Job Scheduler. Give your new job a name; the command will be the full path to the backup script you just created (if you're stuck, type pwd in your CLI session to find the path). I'm going to use /var/admin/backup. Select a repetition schedule, then hit apply to choose the run time. You need to schedule this for after your backup job runs; I like to leave at least 30 minutes.
Hit apply again and a cron job will be created for you.
Verify
I found that sometimes the backup job didn't properly schedule. So I habitually check in /etc/crontab to see that both the backup and the transfer jobs are properly scheduled. You should see "/etc/backup -f /var/etc/sched_backup_vars.sh" for the Nokia backup job, and "/var/admin/backup" (or whatever you called yours) for the transfer job.
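One way to automate the checks from the Verify step, as an added example that is not part of the original guide: it confirms both jobs are in the crontab, that the transfer starts at least 30 minutes after the backup, and that .netrc is mode 600. The crontab field layout (minute and hour first), the function names and the sample crontab are assumptions.

```sh
#!/bin/sh
# Added example. Assumes each /etc/crontab line starts "minute hour ..."
# and that both jobs run once a day at a fixed numeric time.

BACKUP_CMD='/etc/backup -f /var/etc/sched_backup_vars.sh'

# Print minutes-since-midnight for the first non-comment line containing $2.
job_minutes() {
    awk -v cmd="$2" '
        /^[ \t]*#/ { next }
        index($0, cmd) {
            if ($1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/) { print $2 * 60 + $1; found = 1 }
            exit
        }
        END { if (!found) exit 1 }' "$1"
}

# Return 0 only if both jobs exist and the transfer starts at least
# $3 minutes (default 30) after the backup on the same day.
check_schedule() {
    cron_file=$1 transfer_cmd=$2 min_gap=${3:-30}
    b_min=$(job_minutes "$cron_file" "$BACKUP_CMD") ||
        { echo "backup job missing or not at a fixed time"; return 1; }
    t_min=$(job_minutes "$cron_file" "$transfer_cmd") ||
        { echo "transfer job missing or not at a fixed time"; return 1; }
    if [ $((t_min - b_min)) -lt "$min_gap" ]; then
        echo "transfer starts only $((t_min - b_min)) min after backup"
        return 2
    fi
    echo "ok: transfer starts $((t_min - b_min)) min after backup"
}

# Return 0 if the file is a regular file with mode exactly rw-------.
check_netrc() {
    [ -f "$1" ] || return 1
    case $(ls -l "$1") in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample crontab (not from a real device).
sample=$(mktemp)
cat > "$sample" <<'EOF'
0 2 * * * root /etc/backup -f /var/etc/sched_backup_vars.sh
30 2 * * * root /var/admin/backup
EOF
check_schedule "$sample" /var/admin/backup
rm -f "$sample"
```

On the device, point check_schedule at /etc/crontab and check_netrc at the .netrc file you created.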
Checkpoint Backups
If you haven't already done so, you'll want to make sure that you're also backing up your SmartCenter server, or you could lose your firewall rulebase and objects database. That would be a disaster, so check here to find a guide.