Check Point Backups

Oversimplified Executive Summary

-A upgrade_export contains just Check Point configuration
-A backup is an upgrade_export plus SPLAT OS configuration
-A snapshot is a backup plus binary files, both Check Point and SPLAT OS
-As a general rule of thumb, if your restoring on the same hardware a
snapshot would be the easiest to use since it contains the most info and an
upgrade_export would be the worst, since you’d have to manually restore the
most stuff.


-It doesn’t backup any OS (i.e. SPLAT) settings, it only backup up CheckPoint settings
-It will let you export on one OS and then import on a different OS (i.e. go from Windows to SPLAT)
-You can upgrade_import on different hardware (i.e. go from IBM to HP)
-You can restore an export from an older version to a newer version of Check
Point. A SPLAT backup/restore requires that you have the exact same
versions. Note that when upgrading from an older to newer version, you must
use the newer version’s upgrade_export utility to create the export file.
-It restores the product list as well. The SPLAT restore command won’t
restore the Check Point settings if you don’t have the exact same products
(and product versions) installed.


-A SPLAT backup will back up both the SPLAT OS settings as well as the Check
Point settings
-Basically it’s an upgrade_export with OS settings added in
-Restoring a backup file requires the exact same software installation.
I.e. you can’t restore a backup from R55 on to R60 (the HFA level must match
as well). The installed product list must match as well. Note that you can
still restore the OS settings even if your installed Check Point product
list doesn’t match.
-The SPLAT OS settings are hardware specific. If you restore the system
settings you must restore on the same hardware. However, if you only
restore the Check Point settings you can restore on different hardware.
Restoring just the Check Point settings is essentially the same thing as
doing an “upgrade_import” of an exported file.


-A snapshot is even better than a backup since it contains binary files.
I.e. you can revert from R60 to R55 with a snapshot. The downside to this
is that a snapshot file is much larger than an upgrade_export or backup
-A snapshot can also roll you forward for minor software changes. For
example if I revert from R60 HFA05 to HFA01 I can later revert back to R60
HFA05 from R60 HFA01
-A snapshot cannot revert to a newer major release of Check Point. I.e. you
can’t revert from R55 to R60.
-If you’re reinstalling SPLAT on the same hardware you don’t have to install
any HFA’s or change any configuration. Simply reverting to your saved
snapshot file will restore all configurations and HFAs. The only
stipulation is that the major software version must match. I.e. a R60
snapshot file will only work on a R60 install (regardless of HFA level).
-You can only revert on the same hardware, since the snapshot file contains
hardware specific SPLAT settings.

An exception to the rules

-If you’re feeling lucky I’ve noticed that you can actually restore a backup
file or snapshot file on different hardware as long as you:
-Delete “/etc/sysconfig/hwconf” (this is automatically re-created
during the reboot)
-In the case of a snapshot file also delete “/etc/modules.conf”
-Backups don’t contain this file
-modules.conf controls which drivers are loaded
-This is be automatically re-created during the reboot
-Remove the “hwaddr” lines from /etc/sysconfig/netconf.C
-You must remove the hwaddr lines since the firewall will use the MAC
addresses stored in the snapshot/backup file, not your network card’s
physical MAC addresses. You can verify which MAC addresses you’re using
with these commands:
ifconfig |grep HWaddr
-This shows which MACs you’re currently using
grep hwaddr /etc/sysconfig/hwconf
-This should contains your NICs’ physical MAC addresses. If
in doubt, delete this file, reboot and this file will be automatically
created on startup.
grep hwaddr /etc/sysconfig/netconf.C
-This shows which MACs your server is configured to use. If
there are no “hwaddr” lines, then your NIC’s physical MACs will be used. If
there are no “hwaddr” lines you can create them by running “cpnetconf
-To remove the hwaddr lines in “/etc/sysconfig/netconf.C” run these

cd /etc/sysconfig
mv netconf.C netconf.C.old
grep -v hwaddr netconf.C.old >netconf.C
rm /etc/sysconfig/hwconf
Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial