Management High Availability

In This Section: The Need for Management High Availability The Management High Availability Solution Management High Availability Considerations Management High Availability Configuration

The Need for Management High Availability

The Security Management server consists of several databases with information on different aspects of the system, such as objects, users and policy information. This data changes each time the system administrator makes modifications to the system. It is important to maintain a backup for this data, so that crucial information is not permanently lost in the event of Security Management server failure.

Moreover, if the Security Management server fails or is down for administrative purposes, a backup server needs to be in place in order to take over its activities. In the absence of the Security Management server, essential operations performed by the gateways, such as the fetching of the Security Policy and the retrieval of the CRL, cannot take place.

The Management High Availability Solution

Backing Up the Security Management server

In Management High Availability, the Active Security Management server always has one or more backup Standby Security Management server which are ready to take over from the Active one. These Security Management servers must all be of the same operating system and version. The existence of the Standby Security Management server lets crucial backups be in place:

• For the Security Management server - the various databases in the corporate organization, such as the database of objects and users, policy information and ICA files are stored on both the Standby Security Management servers as well as the Active one. These Security Management servers are synchronized so data is maintained and ready to be used. If the Active Security Management server is down, a Standby one needs to become Active to edit and install the Security Policy.
• For the Security Gateway - certain operations that are performed by the Security Gateways with the Active Security Management server, such as fetching a Security Policy, or retrieving a CRL, can be done on a Standby Security Management server.

Management High Availability Deployment

In a Management High Availability deployment, the first installed Security Management server is specified as the Primary Security Management server. This is a regular Security Management server used by the system administrator to manage the Security Policy. When any subsequent Security Management server is installed, these must be specified as Secondary Security Management servers. Once the Secondary Security Management server has been installed and manually synchronized, the distinctions between Primary versus Secondary are no longer significant. These servers are now referred to according to their role in the Management High Availability scenario as Active or Standby, where any Security Management server can function as the Active SMS.

The Management High Availability Environment

The Management High Availability environment requires an Active SMS and at least one Standby SMS.

The Secondary SMS is created with empty databases. These databases are filled with information that the newly created Secondary SMS gleans from the Active SMS. The Secondary SMS is ready once:

• it is represented on the Primary Security Management server by a network object
• SIC has been initialized between it and the Primary Security Management server
• manual synchronization has been done with the Primary Security Management server for the first time.

It is possible to install a gateway on any of the Security Management servers. The role of these gateways is to protect the Security Management servers. Although the Security Management servers backup one another, High Availability is not implemented between the gateways installed on Security Management servers.

Active versus Standby

All management operations such as editing and installing the Security Policy and modifying users and objects, are done by the Active SMS. If the Active SMS is down, and any of the aforementioned operations need to be performed, one of the Standby SMSs should be made active by the system administrator. This transition from Standby to Active should be initiated manually.

The Standby SMSs are synchronized to the Active SMS, and therefore, are kept up to date with all changes in the databases and Security Policy. Thus Security Gateways can fetch the Security Policy and retrieve a CRL from both the Active SMS and the Standby SMS.

The frequency of the synchronization between the Standby SMS and the Active SMS is set by the System Administrator. This process can be configured to take place automatically, or it can be set to occur manually.

Backing Up Data to the Standby Security Management

In order for Management High Availability to function properly, the following data must be synchronized and backed up:

• configuration and ICA data, such as:
  • databases (such as the Objects and Users).
  • certificate information such as Certificate Authority data and the CRL which is available to be fetched by the Check Point Security Gateways.
• the latest installed Security Policy. The installed Security Policy is the applied Security Policy. The Security Gateways must be able to fetch the latest Security Policy from either the Active or the Standby SMS.

  Note - Previous versions of the Database, SmartMap data, as well as View Installed Policy data are not synchronized.

Synchronization Modes

There are two ways to perform synchronization:

• manual synchronization is a process initialized by the system administrator. It can be set to synchronize
  • databases, or
  • databases as well as the installed Security Policy.

  The former option synchronizes quicker than the latter option. It should be the preferred mode of synchronization provided that the system administrator has edited the objects or the Security Policy, but has not installed the newly edited Security Policy since the previous synchronization.

• automatic synchronization is a process configured by the system administrator to allow the Standby SMSs to be synchronized with the Active SMSs at set intervals of time. This is generally the preferred mode of synchronization, since it keeps the Standby SMSs updated. The basis for the synchronization schedule is that when the Security Policy is installed, both the installed Security Policy and all the databases are synchronized. Additionally, it is possible to synchronize the Standby SMSs when:
  • the system administrator saves the Security Policy
  • at a specified scheduled time

  Even when automatic synchronization has been selected as the synchronization mode, it is possible to perform a manual synchronization.

Synchronization Status

The synchronization status indicates the status of the peer SMSs in relation to that of the selected Security Management server. This status can be viewed in the Management High Availability Servers window or in SmartView Monitor, whether you are connected to the Active or Standby SMS.

The possible synchronization statuses are:

• Never been synchronized - immediately after the Secondary Security Management server has been installed, it has not yet undergone the first manual synchronization that brings it up to date with the Primary Security Management server.
• Synchronized - the peer is properly synchronized and has the same database information and installed Security Policy.
• Lagging - the peer SMS has not been synchronized properly.

  For instance, on account of the fact that the Active SMS has undergone changes since the previous synchronization (objects have been edited, or the Security Policy has been newly installed), the information on the Standby SMS is lagging.

• Advanced - the peer SMS is more up-to-date.

  For instance, in the above figure, if a system administrators logs into Security Management server B before it has been synchronized with the Security Management server A, the status of the Security Management server A is Advanced, since it contains more up-to-date information which the former does not have.

  In this case, manual synchronization must be initiated by the system administrator by changing the Active SMS to a Standby SMS. Perform a synch me operation from the more advanced server to the Standby SMS. Change the Standby SMS to the Active SMS.

• Collision - the Active SMS and its peer have different installed policies and databases. The administrator must perform manual synchronization and decide which of the SMSs to overwrite.

  For instance, in the above figure, when Security Management server A fails before a synchronization takes place, the changes made (to databases or to the Security Policy) cannot be synchronized with Security Management server B. When Security Management server B takes over from Security Management server A, the system administrator may decide to modify the Security Policy.

  In this case, both Security Management server A and B have some information which is not synchronized with its peer. In order to remedy the collision state, one of the Security Management servers will need to be overwritten. The Security Management server which is found to have the dominant or significant changes should be the Security Management server on which manual synchronization is initiated.

  At this point the system administrator needs to decide which of the Security Management server's should become the Standby SMS, and change its status, if necessary.

  Note - Changes made by the CA, such as the issuance of certificates, could lead to breaches of security if they are overwritten; therefore, any CA changes that are made are merged in order to eliminate security issues.

Changing the Status of the Security Management

Although Security Gateways can use the Standby Security Management server to fetch a Security Policy or a fresh CRL, in the event that the Active one fails, the Standby Security Management server must become the Active one for two predominant reasons:

1. The Standby Security Management server cannot perform management operations such as editing and installing the Security Policy. While the Standby Security Management server is identical in its databases and installed Security Policy to the Active one, if changes are needed for the Security Policy the Standby one does not have the capacity to make them.
2. The ICA database can only be modified on the Active Security Management server.

If the Active Security Management server is going down for administrative purposes, the system administrator should login to the Standby one and manually set it as the Active Security Management server.

Thereafter manual synchronization should be initiated. Once the Standby Security Management server has become Active, we recommend that you install the policy to make sure that this server is the Active Security Management server.

If the Active Security Management server is in failover, it is likely that the synchronization status of the Active Security Management server and its peer will be collision. In this case the system administrator will need to decide which information will be overwritten.

Synchronization Diagnostics

The status of all Security Management servers can be viewed in the Management High Availability Servers window in SmartDashboard or via SmartView Monitor.

Audit Logs can be used to view and track management operations as well as Synchronization operations in the SmartView Tracker.

When Synchronization Fails

There are several instances in which the synchronization process might fail:

• synchronization failure - for instance, the Active SMS was unable to make a connection with the Standby SMS at the moment of synchronization. To solve this:
  • manually synchronize the Standby SMS at a later opportunity, or
  • if you are working in automatic mode, reinstall the Security Policy when the Standby SMS can be reached. After the install operation takes place, synchronization occurs automatically.
• Collision between the Security Management servers. In this case the system administrator should perform a manual synchronization and decide which database is the dominant database. The CA is always merged in order to eliminate security issues.

  When a collision occurs and one of the Security Management servers is overwritten, it is very useful to follow management operations performed on the overwritten Security Management server in the audit logs of the SmartView Tracker. In this manner it is possible to track and redo these operations, where necessary, on the dominant Security Management server.

Management High Availability Considerations

Remote and Local Deployments

In the Management High Availability deployment the Secondary Security Management server is often installed locally on the LAN. The system administrator should consider the usefulness of maintaining a remote Standby Security Management server. This remote Security Management server will not be affected in the case of networking problems on the LAN. This Standby Security Management server can be made into the Active Security Management server by the remote system administrator.

Different Methods of Synchronization

Automatic synchronization keeps the peer SMSs updated. However the synchronization may take some time and affect the system performance. It may be useful to schedule a synchronization event that automatically synchronizes the Security Management servers after working hours when the system performance cannot affect the regular work of the employees.

Manual synchronization can be initiated at any stage by the system administrator. Manual synchronization is recommended when changing the Standby SMS to Active (if the Active SMS is about to go down for administrative purposes). It is essential when the synchronization status is collision.

Data Overload During Synchronization

The data saved during the synchronization process is very heavy. Synchronization is optimized if the connectivity between the Security Management server is fast and efficient.

Management High Availability Configuration

Secondary Management Creation and Synchronization - The First Time

1. Install the Security Management server in a Management High Availability deployment, select Secondary Management.
2. In SmartDashboard, configure the object for the Secondary Security Management server.
   1. In the Network Objects tree, right-click Check Point and select Host.

      The Host General Properties window opens.

   2. Enter the name and IP address.
   3. In the Software Blades section, select the Management > Secondary Server.
   1. Select the other Software Blades as necessary.
   1. Click Communication to initialize SIC between the Secondary and Active Security Management server.
3. Optional: Configure a secondary Security Management server to work as a Log Server when the Primary Security Management server is not available.
   1. Double-click the Security Gateway, and select Logs > Log Servers.
   2. From the In case one of the above log servers is unreachable section, add the Security Management server.
   3. Click OK.
4. If the Security Management server is in a standalone configuration and there is also a Security Gateway, install the policy on the Security Gateway.
5. From the menu bar, select Policy > Management High Availability and click Synchronize.

   The Secondary and Active Security Management servers are synchronized.

Changing Active Security Management to Standby

1. On the Active Security Management server, show the Management High Availability Server window by selecting Policy > Management High Availability.
2. In the displayed window, click Change to Standby.

Changing the Standby SMS to the Active SMS

1. When logging in to the Standby SMS, the Standby window is displayed.
2. In the displayed window, select Change to Active.

Refreshing the Synchronization Status

If you suspect that the status of the Security Management server has changed, you may decide to do a refresh operation.

1. Display the Management High Availability Servers window for the selected Security Management server by selecting Policy > Management High Availability
2. In the displayed window, click Refresh.

Selecting the Synchronization Method

The manner in which the Standby Security Management server synchronizes with the Active Security Management server is defined in the Global Properties - Management High Availability window. This window is displayed by selecting Policy > Global Properties > Management High Availability. The Standby Security Management server can be synchronized automatically when the policy is installed, saved or on a specified scheduled event. Alternatively, the Standby Security Management server can be synchronized manually. If manual synchronization is the method of choice, the system administrator will need to initiate the manual synchronization in the Management High Availability Servers window. For more information, see Synchronization Modes.

Tracking Management High Availability Throughout the System

The statuses of all the Security Management servers in the system are displayed in the Management High Availability window. This window is displayed by selecting Policy > Management High Availability. Details about the Security Management server and its peers that are displayed include the name, status and type of Security Management server.

All Management High Availability management operations can be viewed in the SmartView Tracker in Audit mode.