High Availability Environment

In a High Availability (HA) environment, you may need to run some vsec_lic_cli commands (see Managing CloudGuard Central Licenses) on both the Primary (Active) and Secondary (Standby) Management Servers or Multi-Domain Servers. (In such cases, the tool displays instruction messages on the screen.Otherwise, information syncs automatically between the HA machines.)

A Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. and Multi-Domain Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. can manage up to 1500 Security Gateways or ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members, allowing concurrent policy installation on all Security Gateways or Cluster Members at once.

High Availability Management Server

In this HA configuration, the Central LicenseClosed A Central License is a CloudGuard Security Gateway license. It is deployed and managed on the Security Management Server or Multi-Domain Server and distributed from a license pool to all CloudGuard Security Gateways connected to corresponding Management Servers. tool can only manage, add, remove, and distribute licenses from the Active Management Server.

Important - In versions R81.20 with Jumbo HFA Take 26 and higher, you must add and remove licenses on Standby Management Servers using the cplic tool.

Example

From the Standby Management Server, run:

cplic put <The same license string related to the IP of the Active Management Server>

High Availability Multi-Domain Server

On a HA Multi-Domain ServerClosed Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., the Central License tool runs in two modes: MDS (System) Mode or Domain Mode (see Multi-Domain Server Modes).

  1. In Domain Mode, you can manage licenses only from the Active Domain ServerClosed The only Domain Management Server in a Management High Availability deployment that can manage a specified Domain. (CMA).

  2. In MDS (System) Mode, each Multi-Domain Server manages licenses for Security Gateways connected to its Active Domain Servers (CMAs). For Security Gateways managed by secondary Multi-Domain Servers, perform license management operations from each corresponding Multi-Domain Server.

Distributing Licenses to Security Gateways in MDS (System) Mode

In MDS (System) Mode, you add, manage and distribute licenses from the Active Multi-Domain Server. The licenses are then automatically synchronized between all Standby Multi-Domain Servers (it can take a maximum of 3 minutes). You can also run Sync Now from the SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to synchronize the licenses instantly. After that, each Multi-Domain Server distributes the licenses to all Security Gateways connected to its Active Domain Servers (CMAs).

Important - In versions R81.20 with Jumbo HFA Take 26 and higher, you must add and remove licenses on all secondary Multi-Domain Servers using the cplic tool.

This example shows how to add licenses and distribute them on the HA Multi-Domain Server:

On the Primary Multi-Domain Server, run:

  1. vsec_lic_cli on

  2. vsec_lic_cli add <license string related to the IP of the primary MDS>

  3. vsec_lic_cli distribute

On the Secondary Multi-Domain Server, run:

  1. vsec_lic_cli on

  2. In versions R81.20 with Jumbo HFA Take 26 and higher, run:

    cplic put <The same license string related to the IP of the primary MDS>

  3. vsec_lic_cli distribute

This example shows how to remove a license from the HA Multi-Domain Server:

On the Primary Multi-Domain Server run:

  1. vsec_lic_cli on

  2. vsec_lic_cli remove <license CK>

  3. vsec_lic_cli distribute

On the Secondary Multi-Domain Server run:

  1. vsec_lic_cli on

  2. In versions R81.20 with Jumbo HFA Take 26 and higher, run:

    cplic del <license signature>

    To find the license signature, use one of these commands on the Secondary Multi-Domain Server:

    • cplic print -n -x | grep <the CK of the license deleted on the primary MDS>

    • mgmt_cli -r true show central-licenses

  3. vsec_lic_cli distribute

Notes:

  • License distribution runs daily on each Multi-Domain Server and distributes licenses to all Active Domain Servers.

  • Policy installation on any Active Domain Server triggers license distribution to Security Gateways connected to this server only when the largeScaleThreshold parameter value is greater than the total number of Security Gateways. If the value of the largeScaleThreshold parameter is less than the total number of Security Gateways, the licenses will be distributed only during nightly distribution jobs. The largeScaleThreshold parameter value can be configured in the central_license.cfg file.