Backup the Firewall

Posted on February 16, 2012


The Firewall backup can be done manually day by day if we have sufficient work force or can be done automatically.
In IPSO it is with the GUI and with the CLI very easy, but some question remains even if we read the official doks about it.

I play again with CLI, if you need a gui check it for your self.

For setup the backup we need to specify the followings:

  • filename: it is generally the firewall’s hostname
  • you can save your home directories if you want, I do not have anything there, I leave it now.
  • log files in backup has not to much to do, but it exists nowhere if you loose your firewall data. It worth to save it..
  • I do daily backups, but it can bee weekly and monthly as well.
  • Every day at 00:50 the job should start
  • The Checkpoint Package will be backed up as well. What is this? Maybe if you have a new hardware you only have to install IPSO but no packages as they are in the backup? I have to test it.
set backup scheduled filename myfirewall
set backup scheduled homedirs off
set backup scheduled logfiles on
set backup scheduled hour 0
set backup scheduled minute 50
set backup scheduled package CPsuite-R70-00

Check your settings

NokiaIP290:116> show backup scheduled filename
Filename: myfirewallNokiaIP290:117> show backup scheduled homedirs
homedir offNokiaIP290:123> show backup scheduled logfiles
Logfiles offNokiaIP290:118> show backup scheduled hour
Hour: 0NokiaIP290:119> show backup scheduled minute
Minute: 3NokiaIP290:121> show backup scheduled package CPsuite-R70-00
pkg onNokiaIP290:122> show backup scheduled status
Date Day Hour Minute Statusn/a n/a 0 3 on

Logging out of Backup:

IF you do not want to save the logs in the backup you should setup a syslog server that can store the IPSO OS messages. I have already set the following syslog settings:

NokiaIP290:110> show syslog log-remote-address
alertNokiaIP290:106> show syslog auditlog
permanentNokiaIP290:108> show syslog filename
/var/log/messagesNokiaIP290:107> show syslog auditlog-presentation text
enableNokiaIP290:111> show syslog voyager-auditlog
onNokiaIP290:112> show syslog all
Syslog Parameters
Accept Syslog Messages from Remote Machines off
Remote Address
Levels alert
System Configuration Auditlog permanent
Destination Log Filename /var/log/messages
System Configuration Auditlog Textual Presentation enable
Voyager Audit Log on

That’s fine we can do a backup, but normally we do not want to hold all the backups till we live, we should rotate it.
But where can I set it??
After some digging I have realised that nowhere. The crontab config for IPSO is in /etc/crontab and if you check the config file you will find a parameter called MAX_ARCHIVE, that is set to 5, that means you can have maximum 5 backups, older no way. You have to save from them from /var/backup/sched/ to another planet:

myfirewall[admin]# ls -lat /etc/crontab
lrwxr-xr-x 1 root wheel 24 Mar 20 2011 /etc/crontab -> ../../../var/etc/crontabmyfirewall[admin]# less ../../../var/etc/crontab
# Generated by /bin/cron_xlate on Thu Feb 16 13:01:25 2012
#tzone minute hour mnthday month weekday user command
local 5 * * * * root /etc/hourly 1>>/var/log/hourly 2>&1
local 30 0 * * 7 root /etc/weekly 1>>/var/log/weekly 2>&1
local 0 * * * * root newsyslog
local */11 * * * * operator /usr/libexec/save-entropy
local 50 0 * * * admin /etc/backup -f /var/etc/
local 15 0 * * * root /usr/bin/pam_nonuse_daily -d /var/etc/loginhist2 -c pwcontrol:nonuse 1>>/dev/null 2>&1
local 15 0 * * * root /etc/daily 1>>/var/log/daily 2>&1
local 30 0 * * 7 root /etc/cleanup_userhist 1>>/dev/null 2>&1
local 45 0 1 * * root /etc/monthly 1>>/var/log/monthly 2>&1myfirewall[admin]# less /var/etc/
# Generated by archive_xlate on Thu Feb 16 13:01:24 2012
DIRS=”/var/cron /var/etc/ /config /var/log”
PKGNAMES=” CPsuite-R70-00 /opt/CPsuite-R65″
Tagged: ,