The Check Point firewall running on SecurePlatform (SPLAT) contains two different mechanisms for backing up the firewall configuration. Unfortunately, the two back up completely different file sets. Additionally, one is poorly documented and doesn't appear to support customizing the backup file name, and the other shuts down the Check Point daemons while the backup runs.
Needless to say when I set out to backup Check Point firewalls under SPLAT, I decided to write my own shell script to handle the duties. The script below is the outcome of that work. The setup goes as follows:
- Create the old logs directory:
  mkdir /var/oldlogs
- Create an SSH key without a passphrase, so that the session can be automated:
  ssh-keygen -t rsa -b 3092
  Leave the passphrase blank if you intend to run this from cron. Yes, this is less secure, but then again automated backups are less secure. Limit the damage a stolen key can do: give it its own unprivileged account on the backup server, and in that account's authorized_keys restrict the entry with a from= pattern naming the firewall's address, a forced command= that only accepts the upload, and the no-pty, no-port-forwarding and no-agent-forwarding options. A key that can only write into the backup directory from one host is of little use to whoever lifts it off the firewall.
- Copy the public key to your remote SSH server.
- Copy the script below to your firewall.
- Add any files or directories that you need to the FILES_TO_BACKUP variable. Note: this step is important! The list in the script works well for me, but your mileage may vary.
- Add the make_backup command to your crontab. A line like the following works well. (cron uses the system's local time; my system runs on GMT, thus the 11:00 start time, which gets me 5:00 or 6:00 Central depending on daylight saving.)
  0 11 * * * /home/admin/make_backup
- Run the make_backup command manually.
- Test your backup by restoring it on another system and verifying functionality.
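As an added example (not part of the original post and not the make_backup script itself), the following bash script shows the restore-side check the last step asks for. It runs on a constructed file tree in a temp directory so it needs no firewall: it builds an archive with the same tar plus exclude-list approach make_backup uses, then verifies that the logged md5sum matches, that tar can read the whole archive, that the paths you must have (here etc/hosts and fw/conf/objects.C standing in for /etc and $FWDIR/conf) are present, and that the log files and *.o objects were actually excluded. The directory layout, file contents and the function names verify_backup, archive_contains and make_test_backup are all assumptions of this example.

```shell
#!/bin/bash
# Added example, not code from the original post: exercise the tar + exclude
# list approach make_backup uses and verify the result the way a restore test
# should, before trusting the archive. All paths and contents below are a
# constructed stand-in tree in a temp directory, not real firewall files.
set -u

# verify_backup ARCHIVE MD5 MEMBER... : return 0 only if the archive's md5sum
# matches the value logged at backup time, tar can list the whole archive, and
# every named member is present. Members are compared without a leading '/',
# which tar strips from absolute paths when it stores them.
verify_backup() {
    local archive=$1 expected=$2
    shift 2
    local actual
    actual=$(md5sum "$archive" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "md5sum mismatch: logged $expected, got $actual" >&2
        return 1
    fi
    local listing
    listing=$(tar tzf "$archive" 2>/dev/null) || { echo "archive unreadable" >&2; return 1; }
    local m
    for m in "$@"; do
        if ! printf '%s\n' "$listing" | grep -qxF "${m#/}"; then
            echo "missing from archive: $m" >&2
            return 1
        fi
    done
    return 0
}

# archive_contains ARCHIVE REGEX : 0 if any member name matches REGEX (grep -E).
# Used to prove that the exclude list really kept the logs and objects out.
archive_contains() {
    tar tzf "$1" 2>/dev/null | grep -qE "$2"
}

# make_test_backup WORKDIR : build the constructed tree, write the exclude
# list one pattern per line (the format tar -X expects), create the archive
# and print "ARCHIVE MD5", i.e. what make_backup sends to syslog.
make_test_backup() {
    local w=$1
    mkdir -p "$w/etc" "$w/fw/conf" "$w/fw/log" "$w/backup"
    echo "constructed sample: hosts"   > "$w/etc/hosts"
    echo "constructed sample: objects" > "$w/fw/conf/objects.C"
    echo "constructed sample: compiled policy, excluded by *.o" > "$w/fw/conf/policy.o"
    echo "constructed sample: log, excluded by fw/log/*"        > "$w/fw/log/fw.log"
    local archive="$w/backup/test.tgz" exclude="$w/backup/exclude-list"
    # printf writes one pattern per line; no echo -e / sed juggling needed.
    printf '%s\n' '*.o' 'fw/log/*' 'backup/exclude-list' 'backup/test.tgz' > "$exclude"
    # Archive relative to WORKDIR so member names are predictable.
    ( cd "$w" && tar -czf "$archive" -X "$exclude" etc fw backup 2>/dev/null )
    local rc=$?
    # tar exits 1 if a file changed while being read (tolerable on a live
    # gateway) and 2 on a real error; anything above 1 is a failed backup.
    [ "$rc" -le 1 ] || return 1
    printf '%s %s\n' "$archive" "$(md5sum "$archive" | awk '{ print $1 }')"
}

# Stand-alone run: ./verify_backup.sh demo
if [ "${1-}" = "demo" ]; then
    work=$(mktemp -d)
    result=$(make_test_backup "$work") || { echo "backup failed" >&2; exit 1; }
    verify_backup "${result%% *}" "${result##* }" etc/hosts fw/conf/objects.C \
        && echo "backup verified: $result"
    rm -rf "$work"
fi
```

On the real system the md5sum to pass to verify_backup is the one make_backup wrote to syslog, and the check belongs on the backup server or the restore host, not on the firewall that produced the archive; a checksum that only ever gets computed on the sending side proves nothing about what arrived.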
The script uses scp for the file transfer for the sake of security: the archive contains /etc, the Check Point configuration and the policy database, and should never cross the network in the clear. The md5sum it writes to syslog is there to be compared against the copy on the backup server; a transfer that completes with a different checksum is not a backup. I have to note that I don't guarantee any success in your actual application, as I can't guarantee the fitness of the script to your specific situation.
As always, use at your own risk and ALWAYS test your backups.
#!/bin/bash
#
# Copyright (C) 2005 James Bly
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# Backup command, creates gzip file with some exclusions (the -X exclude
# list is passed explicitly below)
BACKUP_CMD="tar czf"
BACKUP_DIR=/var/backup
BACKUP_FILE=`hostname`-`/bin/date +%H%M_%m_%d_%Y`.tgz
OLD_LOG_DIR=/var/oldlogs
EXCLUDE_FILE=exclude-list
CPDIR=/opt/CPshrd-R55
SENDMAIL=/opt/CPfw1-R55/bin/sendmail
SENDMAIL_HOST=smtp.domain.com
SENDMAIL_FROM=firewall@domain.com
SENDMAIL_TO=firewall@domain.com
BACKUP_ERROR="Unknown Error"

# Source the Check Point profile for library settings (sets $FWDIR etc.)
. $CPDIR/tmp/.CPprofile.sh

SSH_BACKUP_USER="cpbuser"
SSH_BACKUP_HOST="myhost.domain.com"
SSH_BACKUP_DIR="/where/to/put/files/"

# Files and directories to archive. Keep the space before each trailing
# backslash: inside double quotes bash removes backslash-newline and joins
# the lines directly, so "/etc\<newline>/home" would become the single
# (non-existent) path "/etc/home".
FILES_TO_BACKUP="/etc \
/home \
/var/backup \
$CPDIR/registry \
$CPDIR/conf \
$CPDIR/database \
$FWDIR/conf \
$FWDIR/database \
$FWDIR/state \
/var/spool/cron \
/var/opt/CPfw1-R55 \
/var/opt/CPshrd-R55/conf \
/var/net-snmp \
/var/opt/CPshrd-R55/registry"

# Our clean up function
cleanup() {
    rm -f $BACKUP_DIR/$BACKUP_FILE > /dev/null 2>&1
    rm -f $BACKUP_DIR/$EXCLUDE_FILE > /dev/null 2>&1
}

# Our crash-bang error out: mail the error, log it, clean up and exit
# non-zero so cron (or whatever wraps this script) can tell the run failed.
crash() {
    echo -e "Firewall backup for `hostname` failed!\n\nError was: $BACKUP_ERROR" | $SENDMAIL \
        -t $SENDMAIL_HOST -s "Backup Failure: `hostname`" -f $SENDMAIL_FROM $SENDMAIL_TO
    echo "Error: $BACKUP_ERROR"
    /usr/bin/logger "BACKUP: failed: $BACKUP_ERROR"
    cleanup
    exit 1
}

# Check our staging
if [ ! -d $BACKUP_DIR ] ; then
    mkdir $BACKUP_DIR > /dev/null 2>&1
    if [ ! -d $BACKUP_DIR ] ; then
        BACKUP_ERROR="Could not create backup directory!"
        crash
    fi
fi

# Remove any leftovers from a previous run (the archive and exclude list
# are created fresh below; pre-creating them would only defeat the checks)
rm -f $BACKUP_DIR/$BACKUP_FILE $BACKUP_DIR/$EXCLUDE_FILE > /dev/null 2>&1

# Switch the log
if [ "$1" == "rotate" ] ; then
    $FWDIR/bin/fw logswitch
fi

# Start by moving all old log files.
if [ ! -d $OLD_LOG_DIR ] ; then
    mkdir $OLD_LOG_DIR > /dev/null 2>&1
    if [ ! -d $OLD_LOG_DIR ] ; then
        BACKUP_ERROR="Could not create old log directory!"
        crash
    fi
fi
find /var/opt/CPfw1-R55/log -name "*.log*" -mtime +14 -exec mv {} $OLD_LOG_DIR \;

# Setup the exclude filter: one pattern per line, as tar -X expects.
# Remove the log line if you want to backup log files.
printf '%s\n' \
    '*.o' \
    '/var/opt/CPfw1-R55/log/*' \
    "$BACKUP_DIR/$EXCLUDE_FILE" \
    "$BACKUP_DIR/$BACKUP_FILE" > $BACKUP_DIR/$EXCLUDE_FILE

# Run the backup. Check tar's exit status rather than just whether the
# archive exists: tar creates the file even when it fails part way through.
# Status 1 means a file changed while it was read (expected on a live
# gateway); anything higher is a real error.
$BACKUP_CMD $BACKUP_DIR/$BACKUP_FILE -X $BACKUP_DIR/$EXCLUDE_FILE $FILES_TO_BACKUP > /dev/null 2>&1
TAR_STATUS=$?
if [ $TAR_STATUS -gt 1 ] || [ ! -s $BACKUP_DIR/$BACKUP_FILE ] ; then
    BACKUP_ERROR="Could not create the backup file (tar exit status $TAR_STATUS)!"
    crash
fi

# Record the md5sum before the transfer so the copy on the server can be
# checked against it
MD5SUM=`/usr/bin/md5sum $BACKUP_DIR/$BACKUP_FILE | awk '{ print $1; }'`

# Transfer the backup
scp $BACKUP_DIR/$BACKUP_FILE ${SSH_BACKUP_USER}@${SSH_BACKUP_HOST}:${SSH_BACKUP_DIR} > /dev/null 2>&1
if [ $? -ne 0 ] ; then
    BACKUP_ERROR="Could not copy the backup file to the server!"
    crash
fi

# Log the results
/usr/bin/logger "BACKUP: ${BACKUP_FILE} created with md5sum ${MD5SUM}"
cleanup