Managing Autoscaling with Management High Availability

Security Management Server High Availability

You can deploy and configure a Secondary Security Management Server as a Standby Security Management Server to provide High Availability in case of a failure or of unexpected downtime on the Primary Security Management Server.

For more information, see the Security Management Administration Guide for your version > section Management High Availability.

Notes:

  • The Network Security Group must enable these ports on both Security Management Servers:

    • Port 18211 - Used for SIC with the Secondary Security Management Server.

    • Port 18221 - Used for synchronization between the Security Management Servers.

    • Port 18192 - Used for internal connection between the Security Management Servers.

  • Use the same template, Check Point Security Management, to deploy a Standby Security Management Server.
    During the deployment, select the installation type configured manually. Next, configure the second Virtual Machine as a Secondary Security Management Server. See the Security Management Administration Guide for your version > section Configuring a Secondary Server in SmartConsole.
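
An added example (not part of the original guide and not Check Point code): an offline check that a set of Network Security Group inbound rules lets the peer Security Management Server reach ports 18211, 18221 and 18192. The field names assume the `az network nsg rule list -o json` layout; TCP as the protocol, the sample rules and the peer address 10.0.1.5 are assumptions constructed for illustration.

```python
import ipaddress

# Ports the page requires between the two Security Management Servers (TCP assumed).
HA_PORTS = (18211, 18221, 18192)

# Constructed sample rules in the assumed `az network nsg rule list -o json` layout.
SAMPLE_RULES = [
    {"priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "10.0.1.5", "destinationPortRanges": ["18211", "18221"]},
    {"priority": 200, "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
     "sourceAddressPrefix": "10.0.0.0/16", "destinationPortRange": "18000-18300"},
    {"priority": 300, "direction": "Inbound", "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationPortRange": "18192"},
]

def _values(rule, plural, singular):
    return rule.get(plural) or [rule.get(singular) or ""]

def _port_match(rule, port):
    def hit(r):
        lo, _, hi = r.partition("-")
        return r == "*" or (lo.isdigit() and int(lo) <= port <= int(hi or lo))
    return any(hit(r) for r in _values(rule, "destinationPortRanges", "destinationPortRange"))

def _source_match(rule, peer_ip):
    """True/False for '*', IPs and CIDRs; None when only a service tag is left."""
    unknown = False
    for p in _values(rule, "sourceAddressPrefixes", "sourceAddressPrefix"):
        try:
            if p == "*" or ipaddress.ip_address(peer_ip) in ipaddress.ip_network(p, strict=False):
                return True
        except ValueError:
            unknown = True  # e.g. VirtualNetwork: cannot be resolved offline
    return None if unknown else False

def verdict(rules, peer_ip, port):
    """The matching inbound rule with the lowest priority number decides."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["protocol"].lower() not in ("tcp", "*"):
            continue
        src = _source_match(rule, peer_ip) if _port_match(rule, port) else False
        if src is not False:
            return rule["access"] if src else "unknown (service tag)"
    return "no match"  # falls through to rules not passed in, e.g. NSG defaults

def check_ha_ports(rules, peer_ip):
    return {port: verdict(rules, peer_ip, port) for port in HA_PORTS}

if __name__ == "__main__":
    print(check_ha_ports(SAMPLE_RULES, "10.0.1.5"))
```

With the sample rules, 18211 and 18221 are allowed but 18192 is denied, because the priority-200 Deny range shadows the later Allow rule.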

While the Secondary Security Management Server acts as a Standby server, make sure that the autoprovisioning script does not run on the Standby server.

To do this, run these commands in Expert mode on the Standby server:

service cme stop

chkconfig --del cme

To demote the Active Security Management Server to the Standby role:

  1. Disable autoscaling.

  2. Connect to the command line on the Active Security Management Server.

  3. Log in to the Expert mode.

  4. Run these commands:

       service cme stop

       chkconfig --del cme

  5. Change the Active Security Management Server to the Standby:

       1. Connect with SmartConsole to the Active Security Management Server.

       2. Click Menu > Management High Availability.

       3. Use the Action button to change the Active server to Standby.

     For more information, see the Security Management Administration Guide for your version > section Changing a Server to Active or Standby.

  6. Enable autoscaling.

Multi-Domain Server High Availability

You can deploy and configure a Secondary Multi-Domain Server as a Standby Multi-Domain Server to provide High Availability in case of a failure, or of unexpected downtime on the Primary Multi-Domain Server.

Make sure to read the Managing Auto-Scale with One Multi-Domain Server.

Important:

  • The Security Multi-Domain Server login credentials should allow the script to access all the applicable Domain Management Servers in each Multi-Domain Server.

  • There must be two instances of the CME service that are responsible for provisioning in all the Domain Management Servers and in each Multi-Domain Server.

  • Configure the first deployed Multi-Domain Server as Primary in the First Time Configuration Wizard.

  • Configure all other deployed Multi-Domain Servers as Secondary in the First Time Configuration Wizard.

  • The CME service script must run on both Primary and Secondary Multi-Domain Servers.

  • To add a new Domain Management Server in an existing Domain:

      1. In the existing Domain, determine which Multi-Domain Server runs the Active Domain Management Server.

      2. Stop the CME service on that Multi-Domain Server:

           service cme stop

      3. Add a new Domain Management Server on an applicable Multi-Domain Server.

      4. Start the CME service on the Multi-Domain Server (the same Multi-Domain Server on which you stopped the CME service):

           service cme start

  • If you demote the Active Domain Management Server to Standby role and then promote the Standby Domain Management Server to the Active role in the same Domain, you must restart the CME service on the Multi-Domain Server that runs the new Active Domain Management Server.
    Run this command in Expert mode to restart the CME service:

    service cme restart

  • All configuration updates on the Primary Multi-Domain Server require the restart of the CME service on all the Secondary Multi-Domain Servers.

  • To restart the autoprovision service on all Primary and Secondary Multi-Domain Servers:

      1. Connect to the command line on each Secondary Multi-Domain Server.

      2. Log in to the Expert mode.

      3. Make sure that the configuration file is already synchronized from the Primary Multi-Domain Server:

           autoprov_cfg show all

      4. Restart the CME service:

           service cme restart

  • To add a Multi-Domain Log Server, see the CME and Autoprovision and Multi-Domain Log Server Configuration.

  • To add a new Domain Log Server in an existing Domain:

      1. In SmartConsole, determine which Multi-Domain Server runs the Active Domain Management Server in the existing Domain.

      2. Connect to the command line on that Multi-Domain Server.

      3. Log in to the Expert mode.

      4. Stop the CME service on that Multi-Domain Server:

           service cme stop

      5. In SmartConsole, add a new Domain Log Server on an applicable Multi-Domain Server.

      6. Start the CME service on the Multi-Domain Server (the same Multi-Domain Server on which you stopped the CME service):

           service cme start