Firewall backups can be taken manually every day if we have enough staff, or they can be automated.
In IPSO this is very easy with both the GUI and the CLI, but some questions remain even after reading the official docs.
I am playing with the CLI again; if you need the GUI, check it out for yourself.
To set up the backup we need to specify the following:
- filename: generally the firewall’s hostname
- you can save your home directories if you want; I do not have anything there, so I leave it off for now.
- log files do not have much to do in a backup, but they exist nowhere else if you lose your firewall data. It is worth saving them.
- I do daily backups, but it can be weekly and monthly as well.
- the job should start every day at 00:50
- The Checkpoint package will be backed up as well. What is this? Maybe if you have new hardware you only have to install IPSO but no packages, as they are in the backup? I have to test it.
```
set backup scheduled filename myfirewall
set backup scheduled homedirs off
set backup scheduled logfiles on
set backup scheduled hour 0
set backup scheduled minute 50
set backup scheduled package CPsuite-R70-00
```
Check your settings
```
NokiaIP290:116> show backup scheduled filename
Filename: myfirewall
NokiaIP290:117> show backup scheduled homedirs
homedir off
NokiaIP290:123> show backup scheduled logfiles
Logfiles off
NokiaIP290:118> show backup scheduled hour
Hour: 0
NokiaIP290:119> show backup scheduled minute
Minute: 3
NokiaIP290:121> show backup scheduled package CPsuite-R70-00
pkg on
NokiaIP290:122> show backup scheduled status
Date  Day  Hour  Minute  Status
n/a   n/a  0     3       on
```
Keeping logs out of the backup:
If you do not want to save the logs in the backup, you should set up a syslog server that can store the IPSO OS messages. I have already set the following syslog settings:
```
NokiaIP290:110> show syslog log-remote-address 6.6.6.6
alert
NokiaIP290:106> show syslog auditlog
permanent
NokiaIP290:108> show syslog filename
/var/log/messages
NokiaIP290:107> show syslog auditlog-presentation text
enable
NokiaIP290:111> show syslog voyager-auditlog
on
NokiaIP290:112> show syslog all
Syslog Parameters
Accept Syslog Messages from Remote Machines off
Remote Address 6.6.6.6
Levels alert
System Configuration Auditlog permanent
Destination Log Filename /var/log/messages
System Configuration Auditlog Textual Presentation enable
Voyager Audit Log on
```
That’s fine, we can do a backup, but normally we do not want to keep every backup for as long as we live; we should rotate them.
But where can I set it??
After some digging I realised: nowhere. The crontab config for IPSO is in /etc/crontab. The backup job in it reads /var/etc/sched_backup_vars.sh, and in that file you will find a parameter called MAX_ARCHIVE, which is set to 5. That means you can have a maximum of 5 backups, nothing older. You have to copy them from /var/backup/sched/ to another planet:
```
myfirewall[admin]# ls -lat /etc/crontab
lrwxr-xr-x 1 root wheel 24 Mar 20 2011 /etc/crontab -> ../../../var/etc/crontab
myfirewall[admin]# less ../../../var/etc/crontab
# This file was AUTOMATICALLY GENERATED
# Generated by /bin/cron_xlate on Thu Feb 16 13:01:25 2012
#
# DO NOT EDIT
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
MAILTO=""
#
#tzone minute hour mnthday month weekday user command
#
local 5 * * * * root /etc/hourly 1>>/var/log/hourly 2>&1
local 30 0 * * 7 root /etc/weekly 1>>/var/log/weekly 2>&1
local 0 * * * * root newsyslog
local */11 * * * * operator /usr/libexec/save-entropy
local 50 0 * * * admin /etc/backup -f /var/etc/sched_backup_vars.sh
local 15 0 * * * root /usr/bin/pam_nonuse_daily -d /var/etc/loginhist2 -c pwcontrol:nonuse 1>>/dev/null 2>&1
local 15 0 * * * root /etc/daily 1>>/var/log/daily 2>&1
local 30 0 * * 7 root /etc/cleanup_userhist 1>>/dev/null 2>&1
local 45 0 1 * * root /etc/monthly 1>>/var/log/monthly 2>&1
myfirewall[admin]# less /var/etc/sched_backup_vars.sh
# This file was AUTOMATICALLY GENERATED
# Generated by archive_xlate on Thu Feb 16 13:01:24 2012
#
# DO NOT EDIT
#
MAX_ARCHIVE="5"
ARCHIVEDIR="/var/backup/sched"
ARCHIVE="myfirewall"
DIRS="/var/cron /var/etc/ /config /var/log"
PKGNAMES=" CPsuite-R70-00 /opt/CPsuite-R65"
```
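Because MAX_ARCHIVE caps the firewall at 5 archives, a longer history has to live on another host. The following is an added example, not part of the original post and not IPSO tooling: a function for a separate collector host that keeps its own, longer retention. It assumes the archives have already been transferred into a staging directory and that their names start with the ARCHIVE value; the function name, directory arguments and retention count are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: the files from
# /var/backup/sched were already pulled (scp, rsync, ...) into STAGING
# on a separate collector host.

# offload_backups STAGING STORE PREFIX KEEP
# Copies archives named PREFIX* that STORE lacks, verifies every copy,
# then prunes STORE to the KEEP newest files. Prints the number copied.
offload_backups() {
    staging=$1; store=$2; prefix=$3; keep=$4
    copied=0
    mkdir -p "$store" || return 1
    chmod 700 "$store"   # archives contain firewall config and logs
    for src in "$staging"/"$prefix"*; do
        [ -f "$src" ] || continue
        dst=$store/${src##*/}
        if [ -e "$dst" ]; then continue; fi     # never overwrite a stored copy
        cp -p "$src" "$dst.part" || return 1    # -p keeps the backup's mtime
        # cksum catches a truncated or corrupted copy; it is not tamper-proof
        if [ "$(cksum < "$src")" != "$(cksum < "$dst.part")" ]; then
            rm -f "$dst.part"
            return 1
        fi
        mv "$dst.part" "$dst"
        copied=$((copied + 1))
    done
    # Newest first by mtime; delete everything after the first KEEP entries.
    (cd "$store" && ls -t -- "$prefix"* 2>/dev/null) |
        grep -v '\.part$' | tail -n +"$((keep + 1))" |
        while IFS= read -r old; do rm -f "$store/$old"; done
    echo "$copied"
}
```

Run it after each transfer with KEEP larger than 5, so the store still holds archives the firewall has already rotated away.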
Posted on February 16, 2012