High Availability Environment

In a High Availability (HA) environment, you may need to run some vsec_lic_cli commands (see Managing Cloud Firewall Central Licenses) on both the Primary (Active) and Secondary (Standby) Management Servers or Multi-Domain Servers. In such cases, the tool displays instruction messages on the screen. Otherwise, information syncs automatically between the HA machines.

A Security Management Server and Multi-Domain Security Management Server can manage up to 1500 Security Gateways or Cluster Members, allowing concurrent policy installation on all Security Gateways or Cluster Members at once.

High Availability Management Server

In this HA configuration, the Central License tool can only manage, add, remove, and distribute licenses from the Active Management Server.

Important - Starting from R81.20 Jumbo Hotfix Accumulator Take 26, you must add and remove licenses on Standby Management Servers using the cplic tool.

Example

From the Standby Management Server, run:

cplic put <The same license string related to the IP address of the Active Management Server>

Multi-Domain Servers in Management High Availability

On Multi-Domain Servers configured in Management High Availability, the Central License tool runs in one of two modes: MDS (System) Mode or Domain Mode (see Multi-Domain Server Modes).

  1. In Domain Mode, you can manage licenses only from the Active Domain Management Server.

  2. In MDS (System) Mode, each Multi-Domain Server manages licenses for Security Gateways connected to its Active Domain Management Servers. For Security Gateways managed by secondary Multi-Domain Servers, perform license management operations from each corresponding Multi-Domain Server.

Distributing Licenses to Security Gateways in MDS (System) Mode

In MDS (System) Mode, you add, manage and distribute licenses from the Active Multi-Domain Server. The licenses are then automatically synchronized between all Standby Multi-Domain Servers (it can take a maximum of 3 minutes). You can also run Sync Now from the SmartConsole to synchronize the licenses instantly. After that, each Multi-Domain Server distributes the licenses to all Security Gateways connected to its Active Domain Management Servers.

Important - Starting from R81.20 Jumbo Hotfix Accumulator Take 26, you must add and remove licenses on all secondary Multi-Domain Servers using the cplic tool.

This example shows how to add licenses and distribute them on the Multi-Domain Server in Management High Availability:

On the Primary Multi-Domain Server, run:

  1. vsec_lic_cli on

  2. vsec_lic_cli add <license string related to the IP address of the primary MDS>

  3. vsec_lic_cli distribute

On the Secondary Multi-Domain Server, run:

  1. vsec_lic_cli on

  2. Starting from R81.20 Jumbo Hotfix Accumulator Take 26, run:

    cplic put <The same license string related to the IP address of the primary MDS>

  3. vsec_lic_cli distribute

This example shows how to remove a license from the Multi-Domain Server in Management High Availability:

On the Primary Multi-Domain Server, run:

  1. vsec_lic_cli on

  2. vsec_lic_cli remove <license CK>

  3. vsec_lic_cli distribute

On the Secondary Multi-Domain Server, run:

  1. vsec_lic_cli on

  2. Starting from R81.20 Jumbo Hotfix Accumulator Take 26, run:

    cplic del <license signature>

    To find the license signature, use one of these commands on the Secondary Multi-Domain Server:

    • cplic print -n -x | grep <the CK of the license deleted on the primary MDS>

    • mgmt_cli -r true show central-licenses

  3. vsec_lic_cli distribute

Notes:

  • License distribution runs daily on each Multi-Domain Server and distributes licenses to all Active Domain Management Servers.

  • Policy installation on any Active Domain Management Server triggers license distribution to Security Gateways connected to this server only when the "largeScaleThreshold" parameter value is greater than the total number of Security Gateways. If the value of the "largeScaleThreshold" parameter is less than the total number of Security Gateways, the licenses will be distributed only during nightly distribution jobs. The "largeScaleThreshold" parameter value can be configured in the "central_license.cfg" file.