Release Notes - Check Point

Check Point® Provider-1/SiteManager-1 NG with Application Intelligence (R55) R55_HFA_19 Release Notes February 21, 2007

IMPORTANT Check Point recommends that customers stay up-to-date with the latest service packs, HFAs and versions of security products, as they contain security enhancements and protection against new and changing attacks. The information contained in this release note should be read in conjunction with the information in the corresponding FireWall-1 HFA. In This Section Introduction

page 2

What’s New

page 2

Security Enhancements

page 2

Supported Versions

page 3

Supported Platforms

page 4

Supported Builds

page 4

Known Limitations

page 6

Installation

page 6

Uninstall Instructions

page 7

Inspect File Replacement Utility

page 8

Resolved Issues in Provider-1_R55_HFA_19

page 10

Resolved Issues in Previous HFAs

page 10

Special Instructions

page 15

Backup and Restore

page 17

Please read these Release Notes before installing R55_HFA_19.

Introduction The Check Point Provider-1/SiteManager-1 NG with Application Intelligence (R55) Hotfix Accumulator Provider-1_R55_HFA_19 is a recommended Hotfix that contains fixes for SVN Foundation, VPN-1/FireWall-1 and Provider-1 Multi-Domain Server (MDS). Check Point Provider-1/SiteManager-1 NG with Application Intelligence (R55) Provider1_R55_HFA_19 is designed for use on Provider-1/SiteManager-1 Solaris, Linux and SecurePlatform operating systems. Provider-1_R55_HFA_19 is installed without removing Provider-1/SiteManager-1 NG with Application Intelligence (R55). Check Point highly recommends that customers stay up-to-date with the latest service packs, HFAs, and security product versions, as they contain security enhancements and protection against new and changing attacks. Make sure that you read this document carefully before installing Provider-1/SiteManager-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 on your system. It is also recommended to read Check Point Provider-1/SiteManager-1 NG with Application Intelligence (R55) User Guide.

What’s New • •

Improved error reporting in distributed environments. VPN-1 Edge Firmware 6.5 is now supported.

Security Enhancements The Hotfix Accumulator, Provider-1_R55_HFA_19, contains the following security enhancements: 1) Vulnerability in Integrity Clientless Security (ICS) has been discovered for version 3.x or earlier. The vulnerability may be used to forge successful scan results for any client machine. For additional details refer to sk32472 2)

ASN.1 Security Vulnerability - 28 July 2004 - A vulnerability in ASN.1 has been discovered affecting Check Point VPN-1 products during IKE negotiations of a VPN tunnel which may cause a buffer overrun. Check Point Software customers who do not use Remote Access VPNs or gateway-to-gateway VPNs, are NOT affected by this vulnerability. Refer to Check Point alert site for further information: http:// www.checkpoint.com/techsupport/alerts/asn1.html

3) ISAKMP Vulnerability - 4 May 2004 - An ISAKMP vulnerability has been discovered that affects Check Point VPN-1 products during the negotiation of a VPN tunnel. The vulnerability may cause a buffer overflow, potentially compromising the gateway. Refer to Check Point alert site for further information: http://www.checkpoint.com/ techsupport/alerts/ike_vpn.html

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

4) TCP RFC Alert - April 20, 2004 - A recently published NISCC advisory (236929/ TCP) describes a potential RST attack on any operating system or software that has implemented TCP based on RFC 793 and RFC 1323. Refer to Check Point alert site for further information: http://www.checkpoint.com/techsupport/alerts/tcp_dos.html. Also see SecureKnowledge’s SK26137 5) OpenSSL Vulnerability - 26 March 2004 - Recent OpenSSL advisories reveal vulnerabilities in OpenSSL. Refer to Check Point alert site for further information: http://www.checkpoint.com/techsupport/alerts/openssl.html 6) FireWall-1 HTTP Security Server Vulnerability - 06 February 2004 - A vulnerability in the FireWall-1 HTTP Security Servers exists that may cause it to crash in certain circumstances. Refer to Check Point alert site for further information http:// www.checkpoint.com/techsupport/alerts/security_server.html. 7) H.323 Vulnerability - 26 January 2004 - A recent NISCC advisory reveals vulnerabilities in H.323 equipment including GateKeepers, endpoints (phones, softphones, video cameras, etc.), and firewalls that enforce H.323 security. Refer to Check Point alert site for further information: http://www.checkpoint.com/ techsupport/alerts/h323.html 8) Improved enforcement: • VPN-1: IKE & topology download protocol. Relevant to users of VPN-1 only. • Authentication protocols. Relevant users of Authentication capabilities in FireWall-1 only. • Client Authentication: SSL/TLS protocol. • HTTP Security Server authentication process. • FTP, FTP over HTTP, and SMTP protocols. Relevant users of FTP, HTTP and SMTP security servers. Usually used for outgoing traffic. • Check Point Secure Internal Communication (SIC) protocols. • Provider-1: GUI logs in process. • Topology download authentication

General Enhancements •

•

Provider-1 of version HFA_13 and above, can manage VPN-1 Edge Gateways with Firmware 5.0. SmartUpdate of version HFA_13 and above, can install packages from version R55 plus, for NOKIA IPSO 3.8.

Supported Versions •

Provider-1_R55_HFA_19 is installed on top of NG with Application Intelligence (R55) or on any preceding MDS_HFA_R55_XX.

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

Supported Platforms Provider-1_R55_HFA_19 is available for the following platforms: • Solaris • Linux • SecurePlatform

Supported Builds Provider-1_R55_HFA_19 consists of the following builds: Component

SVN Foundation

Build Number 541848018

Comment The output of cpshared_ver should be: This is Check Point SVN Foundation (R) NG with Application Intelligence (R55) HFA_19, Hotfix 848- Build 018

FireWall-1

541848026

The output of fw ver should be: This is Check Point VPN-1(TM) & FireWall-1 (R) NG with Application Intelligence (R55) HFA_19, Hotfix 848 – Build 026

MDS

541670001

The output of fwm mds ver should be: Check Point Provider-1 Server NG with Application Intelligence (R55), HFA_19

Hotfix 670 - Build 001

Backwards Compatibility

3416103

SofaWare

541000044

More information can be found in file swversion.txt in / opt.CPfw1-R55/bin directory

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

Supported Build History The following table displays the build history from the sixth to the latest HFA: HFA/Component

SVN Foundation

FireWall-1 & Kernel

HFA_R55_19 (Current)

541848018

541848026

HFA_R55_18

541771005

541771011

HFA_R55_17

541670004

541670005

HFA_R55_16

541595005

541595006

HFA_R55_15

541528003

541528003

HFA_R55_14

541463009

541463008

HFA_R55_13

541361009

541361010

HFA_R55_12

541309003

541309007

HFA_R55_11

541304004

541304001

HFA_R55_10

541234001

541182011

HFA_R55_9

541234001

541182011

HFA_R55_8

541001006

541001001

HFA_R55_7

541179001

541179002

HFA_R55_6

41135002

541135002

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

Known Limitations •

•

•

Installing R55_HFA_19 overwrites the $FWDIR/lib/vpn_table.def file. There is a backup of the vpn_table.def file for each CMA under the lib directory. If this file was manually modified perform the modification again in the new vpn_table.def file. Installing Provider-1_R55_HFA_19 overrides any current Hotfix support that has been applied to NG with Application Intelligence (R55). Before installing Provider-1_R55_HFA_19, verify that NG with Application Intelligence (R55) is installed and configured on your machine.

Installation Provider-1_R55_HFA_19 General Configuration Considerations • As part of a standard upgrade procedure it is strongly recommended that you backup MDS prior to installing the Provider-1_R55_HFA_19 Hotfix. For detailed instructions on how to run this feature, please refer to the “Backup and Restore” on page 17. • HFA_R55_19 installation packages should be placed in the /var file system, where sufficient space is available to the install scripts for installing the HFA. The Provider-1_R55_HFA_19.tgz format package consists of the following components: • • • • •

install_hfa uninstall_hfa files/cpshared_HOTFIX_HFA_R55_19_541848018.tgz files/fw1_HOTFIX_HFA_R55_19_541848026.tgz files/others…(specific files)

Installation on Different Platforms Solaris, Linux and SPLAT The package SHF_HFA_R55_19.tgz format consists of the following components: • • • • •

install_hfa uninstall_hfa files/cpshared_HOTFIX_HFA_R55_19_541848018.tgz files/fw1_HOTFIX_HFA_R55_19_541848026.tgz files/others…

1 Extract the package to a temporary directory. 2 Stop MDS by running mdsstop. 3 Execute the install_hfa script in order to start the installation. 4 When the installation is complete, reboot the machine. 5 Re-install the security policy on all gateways.

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

Uninstall Instructions Provider-1_R55_HFA_19 1) Stop MDS by running mdsstop. 2) Set the directory as the directory from which you installed the Provider1_R55_HFA_19. If you replace the def file utility that was executed the restore def file utility must be executed before removing the HFA. 3) Execute the uninstall_hfa script from the installation directory. 4) Reboot the machine.

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

Inspect File Replacement Utility Provider-1_R55_HFA_19 - Linux The Hotfix installation does not modify the current *.def INSPECT files. New files (*_HFA.def) are placed in the /opt/CPfw1-R55/lib/ directory. In addition, the corresponding hash files (*_HFA.def.hash) are created in the /opt/CPfw1-R55/hash/ directory. Replacing INSPECT Files 1) Change the directory to the directory from which you installed the HFA. The script can be found in the ./files/ directory. 2) Run the ./replace_inspect_files script. 3) The script will verify whether or not manual modifications were made to the INSPECT files in each CMA before replacing them. • If modifications were made, a notification will be presented and the user will be able to choose whether to replace the file or not. • The replacement is automatically performed for CMAs that were not modified. 4) For each file replaced, there will be a backup file with the following extension: _pre15. For example, table.def will be table_pre14.def. Notes: a. Do not run the replace_inspect_files script more than once, consecutively. If you wish to run this script again, run the restore_inspect_files script, (See Restoring INSPECT files), and then run the replace_inspect_files again. a. If you choose not to replace files of a specific CMA during the execution of the replace_inspect_files script, you can replace those files later, manually. Before manually replacing the CMA’s INSPECT files, please save the original files and corresponding hash files with the extention _pre15. For example, to replace the table.def file manually, save it with the name table_pre15.def in $FWDIR/lib, and save its corresponding hash file with the name table_pre15.def.hash, in $FWDIR/ hash. Restoring INSPECT files The CMA INSPECT files replacement operation can be reversed as follows: 1) Change the directory to the directory from which you installed the Provider1_R55_HFA_19. The restore_inspect_files script can be found under the files/ directory, under the installation directory. 2) Run ./restore_inspect_files. 3) The restoration is automatically performed for all CMAs.

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

The INSPECT files with the _preXX extension, saved by the replacement script, will be restored instead of the Provider-1_R55_HFA_19 INSPECT files.

Provider-1_R55_HFA_19 - Solaris The Hotfix installation does not modify the current *.def INSPECT files. New files (*_HFA.def) are placed in the /opt/CPfw1-R55/lib/ directory. In addition, the corresponding hash files (*_HFA.def.hash) are created in the /opt/CPfw1-R55/hash/ directory. In order to replace the new files in all the CMAs, the install_def_files script can be executed after installing HFA. Replacing INSPECT Files 1) Change the directory to the directory from which you installed the HFA. The script can be found in the ./files/ directory. 2) Run ./install_def_files. 3) The script will verify whether or not modifications were made to the replaced file in each CMA, before replacing it. a. If modifications were made, a notification will be presented with the following options: The replacement utility can be run in the following modes: Enter [1] to replace all CMA INSPECT files. Enter [2] to replace specific CMA INSPECT files. Enter [3] to exit without replacing any INSPECT files. b. The replacement is automatically performed for CMAs that were not modified. 4) For each file replaced, there will be a backup file with the following extension: pre_

For example, table.def will become table.def_pre_HFA_R55_XX. Restoring INSPECT files The CMA replacement operation can be reversed as follows: 1) Change the directory to the directory from which you installed the HFA. The script can be found in the ../files/ directory. 2) run ./restore_inspect_files. 3) The script will verify whether or not modifications were made to the replaced file in each CMA before replacing it. a. If modifications were made, a notification will be presented with the following options:

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

The replacement utility can be run in the following modes: Enter [1] to restore all CMA INSPECT files. Enter [2] to restore specific INSPECT files. Enter [3] to exit without replacing any INSPECT files. b. The replacement is automatically performed for CMAs that were not modified.

Resolved Issues in Provider-1_R55_HFA_19 All relevant fixes for SmartCenter Firewall-1 R55_HFA_19 are resolved in Provider1_R55_HFA_19. For details please refer to the VPN-1 Pro HFA_R55_19 Release Notes. Number/HFA Description R55_19_1

Provider-1: Status Monitoring

Improved errors reporting in distributed environments. R55_19-2

Provider-1: Global Policy

Improved stability in specific cases of Global Policy Assignment. R55_19-3

Clientless VPN: CVPN SNX

Vulnerability in Integrity Clientless Security (ICS) has been discovered for version 3.x or earlier. The vulnerability may be used to forge successful scan results for any client machine. For additional details refer to sk32472. For additional information refer “Known Limitations” on page 6. R55_19-4

VPN-1 Edge

VPN-1 Edge Firmware 6.5 is now supported.

Resolved Issues in Previous HFAs In This Section MDS_HFA_R66_18

page 11

MDS_HFA_R66_17

page 11

MDS_HFA_R66_16

page 11

MDS_HFA_R55_15

page 11

MDS_HFA_R55_14

page 11

MDS_HFA_R55_13

page 12

MDS_HFA_R55_12

page 12

MDS_HFA_R55_09

page 13

MDS_HFA_R55_08

page 13

MDS_HFA_R55_07

page 13

MDS_HFA_R55_06

page 13

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

MDS_HFA_R66_18 Number/HFA Description R55_18_1

Firewall-1: Policy Installation

Improved Security Policy installation in a R55 and R55W mixed gateway environment. R55_18-2

Provider-1: Miscellaneous

Improved memory usage when logging in via SmartDashboard to a CMA. Install On: Provider-1 Multi Domain Server

MDS_HFA_R66_17 Number/HFA Description R55_17_1

Provider-1 Global Policy

When migrating the Global Policy, there is no need to import the fwauth.NDB file from the source global database. R55_17-2

SmartUpdate

The command line cprinstall get gateway now works from a CMA environment when the gateway is a resilience box.

MDS_HFA_R66_16 Number/HFA Description R55_16_1

Synch can now be established in Management High Availability when $FWDIR of the Primary Management is installed on a path with spaces. Previously, the primary Management was unable to create a backup tar.tgz file and a message Failed to backup was displayed.

MDS_HFA_R55_15 Number/HFA Description R55_15_1

Syslog per CMA is now supported

MDS_HFA_R55_14 Number/HFA Description R55_14_1

Increased amount of file descriptors per process in Solaris.

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

MDS_HFA_R55_13 Number/HFA Description R55_13-1

Applications whose status is unknown can now be handled by the MDS.

R55_13-2

Improved speed of Policy installation on a VPN-1 Edge profile.

R55_13-3

In the context of global VPN communities where two gateways are involved and managed by different CMAs and use dynamic interface resolving and have more than one interface that is routable from each other, the value of the property interface_resolving_ha_GW defined on a VPN gateway object defined on one CMA is not transferred to the other but should. _________________________________________________________________ The workaround is to use static interface resolving, set the property value in $FWDIR/conf/objects_5_0.C manually on each CMA for the object defined on another CMA, or to not use interface resolving at all (just use the address to which IKE traffic should be sent in the object's General Properties tab). Improved connectivity with the Web Visualization tool.

R55_13-4 R55_13-5

Audits are sent for the following Provider-1 operations:

• Global Policy operations • Enable/Disable global use • Start/Stop CMA

MDS_HFA_R55_12 Number/HFA Description R55_12-1

R55_12-3

In the context of global VPN communities where two gateways are involved and managed by different CMAs and use dynamic interface resolving and have more than one interface that is routable from each other, the value of the property resolve_multiple_interfaces_GW defined on a VPN gateway object defined on one CMA is not transferred to the other but should. _________________________________________________________________ The workaround is to use static interface resolving, set the property value in $FWDIR/conf/objects_5_0.C manually on each CMA for the object defined on another CMA, or to not use interface resolving at all (just use the address to which IKE traffic should be sent in the object's General Properties tab). Resolved issue where there was a problem connecting to the Customer Logging Module's SmartView Tracker while installing a database on primary and secondary CLMs. Corrections made to scripts that prompt the user to reboot.

R55_12-4

Corrections to scripts according to customer request.

R55_12-5

install_hfa and uninstall_hfa scripts now backup a number of files which were manually replaced.

R55_12-2

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

Number/HFA Description R55-12-6

Improved logging in the install_hfa and uninstall_hfa scripts.

MDS_HFA_R55_09 Number/HFA Description R55_09-1

R55_09-2 R55_09-3

Provider-1 Failure of IKE negotiations when dynamic interface resolving is enabled. See special instructions: R55_09-1 Provider-1 Coexistence of R55W and HFA_09 now supported on MDS installation. Provider-1 Provider-1/SiteManager-1 NG with Application Intelligence HFA 09 supports the new licenses for Provider-1 Enterprise Edition Products (Part Numbers CPMP-PRE-3-NG and CPMP-PRE-5-NG). These licenses are being distributed and are available for purchase from July 2004. However, these licenses are not recognized by previous versions of Provider-1/SiteManager-1 VPN-1 VSX NG with Application Intelligence.

MDS_HFA_R55_08 Number/HFA Description R55_08-1

Provider-1 - Miscellaneous: Failure to manage VPN-1 Edge devices resolved

MDS_HFA_R55_07 Number/HFA Description R55_07-1

R55_07-2

Provider-1 - Miscellaneous: The VPN-1 Edge device can now connect to Provider-1 behind NAT. To configure this scenario, see Special Instructions: MDS_HFA_R55_07. Provider-1 - Miscellaneous: Improved ability to create and restore Database Revisions using Smart Dashboard.

MDS_HFA_R55_06 Number/HFA Description R55_06-1

Provider-1 - Migrate: In certain scenarios, cma migration may not work.

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

Number/HFA Description R55_06-2

R55_06-3

R55_05-1 R55_05-2 R55_04-1 R55_03-1

Provider-1- Miscellaneous: Each CMA tries to load certain dlls (persistentagent and statisticaloid) which it shouldn’t load. See Special Instructions: MDS_HFA_R55_06 Provider-1 - Miscellaneous: During the creation of the secondary CMA/CLM, when the start command is executed and the Primary CMA is meant to push the certification to the secondary CMA, the push operation doesn’t always succeed. This happens because the Update Object operation takes place instead of the New Mirror CMA operation. Resolved connection issue to Edge device from a Provider-1 SmartCenter Server when the Provider-1 is behind NAT. Prevents Provider-1 from identifying a host with a dash in the name as an IP range and not a host name. Resolved libpersistentAgent.so to causes CMA cpd stability issues. Can now un-exclude services that were assigned to a CMA using GVC.

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

Special Instructions In This Section FireWall-1 HTTP Security Servers

page 15

MDS_HFA_R55_07

page 13

HFA_R55_06

page 17

FireWall-1 HTTP Security Servers FireWall-1 HTTP Security Servers information disclosure in automatic client and user authentication. In most deployments, the cpsc.conf file, located in the $FWDIR/lib/ directory and the cpsc.en_us file, located in the $FWDIR/conf/cpsc/ directory have not been adjusted manually. The HFA installation replaces these files. If the cpsc.en_us file (located in the $FWDIR/conf/cpsc/ directory) has been changed manually and the customer does not wish to override the changes, the following steps should be taken prior to installing this HFA: 1 Backup the current $FWDIR/conf/cpsc/cpsc.en_us file. 2 Install HFA. 3 Restore the backup file. 4 Edit the $FWDIR/conf/cpsc/cpsc.en_us file. Note - If you are using a language other than English, replace the cpsc.XXX file with the file appropriate for your language.

5 Search inside the file for the label: CPSC_HTTP_FW_UNAUTH 1024 "\n\n#local_host# Unauthorized to access the document.

Authorization is needed for FW-1.

\n" (local_host realm user auth_prompt reason_title reason new_loc).

The following instructions must be executed after installing HFA: a. Stop the MDS by running mdsstop. b. Run the command /bin/mv $CPDIR/lib/libpersistentAgent.so $CPDIR/lib/ libpersistentAgent.so.not_used

c. Start MDS by running mdsstart.

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

HFA_R55_09 R55_09-1 In the context of global VPN communities involving two gateways, each gateway managed by different CMAs using dynamic interface resolving and each gateway has more than one interface that is routable to the other, the value of the property resolve_multiple_interfaces_GW defined on a VPN gateway object defined on one CMA is not transferred to the other. Because this property is needed for IKE to work properly, IKE negotiations may fail when dynamic interface resolving is used. The workaround is to: 1 Use static interface resolving. 2 For each CMA, open its $FWDIR/conf/objects_5_0.C in a text editor, and manually

set the property resolve_multiple_intefaces_GW to TRUE for the object defined on the other CMA. Alternatively, do not use interface resolving at all. Instead, use the address to which IKE traffic should be sent in the object's General Properties tab.

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

HFA_R55_07 •

R55_07-1:

The VPN-1 Edge device can now connect to Provider-1 behind NAT. To configure this scenario, proceed as follows:

1 Stop the SMS by issuing smsstop, while in the CMA environment. 2 For each CMA edit the file $FWDIR/conf/sofaware/SWManagementServer.ini. 3 Search for the keyword; [Server], below it, add: ExternalIP=hiding_ip BindIP=cma_ip

4 Replace hiding_ip with the statically NATed IP address. 5 Replace cma_ip with the IP address of the CMA. 6 Start the sms by issuing smsstart, while in the CMA environment.

HFA_R55_06 Each CMA tries to load certain dlls (persistentagent and statisticaloid) which it shouldn’t load. In order to activate this fix follow the instructions below:

R55_06-2 -

1. backup existing $MDSDIR/scripts/mdsadd_customer 2. rename $MDSDIR/scripts/mdsadd_customer_HFA to $MDSDIR/scripts/ mdsadd_customer. The HFA will now solve the problem for new CMAs only. To solve the problem for CMAs that have already been defined, execute the following for each CMA: 1 mdsenv 2 $CPDIR/bin/amon_config cpstatdll rem Persistency 3 $CPDIR/bin/amon_config cpstatdll rem STATISTICAL

Backup and Restore The purpose of the backup/restore utility is to backup MDS as a whole (that is, including all the CMAs it maintains), and to restore it, when necessary. The restoration procedure reverts the MDS to the state it was in when the backup procedure was executed. The backup saves both user data and binaries. Restoration can be performed on the original machine, or, if your intention is to upgrade to another machine, by replicating your MDS for testing purposes. During the backup process, it is possible to view but not to modify any data using MDGs, SmartConsole clients or other clients. If the Provider-1/SiteManager-1 system consists of several MDS servers, the backup procedure must be performed on each and every MDS server. Likewise, when the restoration procedure takes place, it should be performed on all MDS servers concurrently. Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.

mds_backup Running mds_backup requires super-user privileges. The mds_backup archives the data and binary root directories of a Provider-1 MDS installation. Additional information located under these directories is also backed up, except from files that are specified in the mds_exclude.dat ($MDSDIR/conf) file. The collected information is wrapped in a single zipped tar file. The name of the created archive file is constructed by the date and time of the backup, followed by the extension .mdsbk.tgz (for example, 13Sep2002-141437.mdsbk.tgz). The file is placed in the current working directory; therefore, it is important not to run mds_backup from one of the directories that will be backed up. For example, when backing up a NG FP3 MDS, do not run mds_backup from /opt/CPmds-53 because you will not be able to zip the directory to which you are writing the files. Usage mds_backup

mds_restore Restores an MDS that was previously stored with mds_backup. For the operation to work successfully, mds_restore requires a fresh MDS installation with the same version as the MDS that needs to be restored. Usage For NG with Application Intelligence since (R54): mds_restore

For NG prior to NG with Application Intelligence since (R54): mds_restore $MDSDIR/bin/set_mds_info -b -y

Source: Upgrade Guide NG with Application Intelligence (R55), Upgrading Provider-1

Check Point Provider-1/SiteManger-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 Release Notes.