Management High Availability

In This Section: Configuring a Secondary Server in SmartDashboard Failover Synchronizing Active and Standby Servers Environments with Endpoint Security Disaster Recovery with High Availability

Configuring a Secondary Server in SmartDashboard

In the SmartDashboard connected to the Primary server, you create a network object to represent the Secondary Security Management. You then synchronize the Primary and Secondary Security Management servers.

To configure the secondary server in SmartDashboard:

1. Open SmartDashboard.
2. In the Network Objects tree, right-click Check Point and select Host.
3. In the Check Point Host window, enter a unique name and IP address for the server.
4. In the Software Blades, section, select the Management tab.
5. Select Network Policy Management.

   This automatically selects the Secondary Server, Logging and Status, and Provisioning options.

6. Optional: To use Endpoint Security, select Endpoint Policy Management.
7. Click Communication to create SIC trust between the Secondary Security Management and the Primary Security Management.
   1. Enter and confirm the SIC Activation Key that you entered in the Check Point Configuration Tool.
   2. Click Initialize to create a state of trust between the Security Management servers.
   3. If the trust is not created, click Test SIC Status to see what you must do to create the trust successfully.
   4. If you have to reset the SIC, click Reset, reset the SIC on the Secondary Server and then click Initialize.
   5. Click Close.
8. Click OK.
9. Select File > Save.
10. Start manual synchronization.

For environments with Endpoint Security, see Manual Synchronization with Endpoint Security.

Failover

Security Management failover is a manual procedure. If the Active Security Management fails or it is necessary to change the Active Security Management to a Standby, you must do these steps to prevent data loss:

If the Active Security Management is responsive:

1. Manually synchronize the Active and Standby Security Management servers.
2. Change the Active Security Management to Standby.
3. Change the Standby Security Management to Active.

If the Active Security Management has failed and you cannot change it:

Manually change the Standby Security Management to Active.

Important - If you have two Security Management servers that are set to Active at the same time, unexpected behavior can occur.

If your environment includes Endpoint Security:

After you change the Standby Security Management to Active, edit the PAT version on the new Active Security Management.

Changing a Server to Active or Standby

Whenever possible, change the Active Security Management to Standby before you change the Standby Security Management to Active.

To change an Active Endpoint Security Management Server to Standby:

1. Connect to the Active Security Management with SmartDashboard.
2. Go to Policy > Management High Availability.
3. Click Change to Standby.
4. Click Yes to confirm the change.

To change a Standby Security Management to Active:

1. Connect to the Standby Security Management with SmartDashboard.
2. The Server Login window opens.
3. Make sure that no peer server is Active.
4. Click Change to Active.
5. Click Yes to confirm the change.

Understanding Server Status

Before you make changes to the High Availability environment, make sure that you know the status of each Security Management. It is very important to know which Security Management servers are in Active mode and which are in Standby.

To see the status of the servers in your High Availability environment:

1. In the SmartDashboard of a Security Management, select Policy > Management High Availability.
2. In the localhost window that opens, see the status of the Security Management you are on in My Status.
3. See the status of other Security Management servers in Peer Status.

The fields are:

Field	Values	Description
Server Name	Any	The SmartDashboard name of the server.
Type	Primary or Secondary	This is only the order of the installation and does not impact the environment.
Mode	Active or Standby	If the Security Management is currently Active or Standby.
Reachable	Yes or No	This field is only in the Peer Status. It shows if the local server has connectivity with that peer.
Status	Never been synchronized, Synchronized , Lagging, Database has been changed, Advanced, or Collision	The status of synchronization between the Security Management servers. See Synchronization Status for complete descriptions.

Synchronizing Active and Standby Servers

After you install the Standby servers, you must do the first synchronization manually even if you configure the system for automatic synchronization. After the first synchronization, you can configure the frequency of automatic synchronization.

Synchronization Procedures

Note - While the synchronization is in progress, the databases are locked. A message shows in SmartEndpoint. SmartDashboard shows a Not Responding message.

To synchronize manually:

1. In SmartDashboard connected to the Primary or Secondary server, select File > Policy > Management High Availability.
2. Click Synchronize.
3. Click OK.

For environments with Endpoint Security, see Manual Synchronization with Endpoint Security.

To configure when Synchronization occurs:

1. In SmartDashboard, go to Policy > Global Properties > Management High Availability.
2. Select from the options:
   • Automatic Synchronization when policy is installed - If you choose to have the synchronization occur automatically, the Active and Standby Security Management servers automatically synchronize each time the Policy is installed in SmartDashboard or SmartEndpoint.

     You can choose to do automatic synchronization more frequently. If you choose one of these options, the synchronization also starts when the Security Policy is installed:

     • Every time a policy is saved - Synchronizes each time a policy is saved in SmartDashboard or SmartEndpoint.
     • On scheduled event - Synchronizes based on a schedule that you set, for example, daily at 1:00 AM, or every three hours.

     Important - If you set the synchronization to occur at regular time intervals, do not set it to be more frequent than every 1 hour.

   • Manual synchronization only - If you select this, you must start a manual synchronization each time it is necessary to synchronize the Active and Standby Endpoint Security Management Servers.
3. Optional: For Type of notification for Management High Availability tracking, select the way you are notified about changes in the High Availability environment. The default is through Popup Alerts.
4. Click OK.

If automatic synchronization is selected as the synchronization mode, you can also synchronize manually when necessary.

Which Data is Synchronized

When synchronization occurs, this data is backed up and synchronized:

• Network Security Management databases:
  • Network security polices and settings
  • Network objects
  • Services and resources
  • Check Point User Database
  • OPSEC applications
  • Custom queries and reports
• Configuration and Internal Certificate Authority data:
  • Databases (such as the Objects and Users).
  • Certificate information such as Certificate Authority data and the CRL which is available to be fetched by the Check Point Security Gateways.
• The Endpoint Security databases:
  • Objects: Computers, users and Servers (including Active Directory data)
  • Client deployment rules
  • Custom reports

Important - Endpoint Security client deployment packages (MSI files) and Smart Card drivers are NOT synchronized. In an environment with Endpoint Security, you must manually copy these items to the Standby servers.

How Synchronization Works

Synchronization can run automatically or you can start it manually. When synchronizing, the system does these steps without user intervention:

1. Locks the policy and object databases on the Active Security Management.
2. Takes a snapshot of the databases and save it to local disk.
3. Unlocks policy and object databases.
4. Compresses snapshot data and copies the snapshot from Active Security Management to all standby Security Management servers.
5. The Standby Security Management servers overwrite their databases with the snapshot.
6. Standby Security Management servers send a Restore status notification to the Active Security Management.
7. The Active and Standby servers delete the snapshots.

While the Active Security Management is taking a snapshot (step 2 above), the databases are locked and you cannot add, change or delete these system objects:

• Security Gateways, Security Management servers and other network objects
• VPN Communities
• Services, resources and OPSEC applications
• Policies and rules
• Deployment rules and packages
• Reports and queries

This is necessary to prevent database corruption and other errors.

If the environment includes Endpoint Security, the Active Security Management and clients continue to dynamically update these database objects even while the Security Management takes a snapshot:

• Full Disk Encryption recovery data
• Media Encryption & Port Protection recovery data
• Endpoint monitoring data
• Endpoint heartbeat data

Synchronization Status

The synchronization status shows the status of the peer Security Management servers in relation to the selected Security Management. You can see this status if you are connected to the Active Security Management or a Standby Security Management. The Synchronization Status is in the SmartDashboard > Management High Availability Servers window in the status column or in SmartView Monitor.

The possible synchronization statuses are:

• Never been synchronized - A newly installed Secondary Security Management has not yet been manually synchronized with the Active Security Management.
• Synchronized - The Secondary Security Management is fully synchronized with the Active Security Management. The databases are identical.
• Lagging or Database has been changed - Changes were made to the Active Security Management after the last synchronization, which were not synchronized with the Standby Security Management servers. This can occur when changes are made to the Active Security Management database during the Synchronization process.
• Advanced - The Standby Security Management is more up-to-date than the Active Security Management. This can occur after there was a failover to the Standby and then a second failover back to the original Active server.
• Collision - The Active Security Management and Standby servers have different policies and databases and it is not immediately obvious which server is the most up-to-date. This can happen when an Active server fails over to a Standby and the Standby fails over back to the Active server before synchronization.

  In this case, make a decision as to which Security Management contains the most recent updates. Usually this is the Security Management that has more changes. If necessary, change this Security Management status to Active and all others to Standby.

  Manually synchronize the newly specified Active Security Management to the Standby servers. For Endpoint Security, it might also be necessary to update the PAT version on the Security Management.

You can use SmartView Tracker to monitor management and synchronization operations.

Synchronization Troubleshooting

The synchronization can fail in these situations:

• Failure for technical reasons, for example the Active Security Management did not connect with the Standby Security Management. To resolve this you can do one of these when the technical problem is fixed:
  • Manually synchronize the Standby Security Management.
  • If automatic synchronization is configured, install the Policy again on the Active Security Management. Then synchronization occurs automatically.
• A collision occurs between the Security Management servers. In this situation the system administrator does a manual synchronization and chooses which database is the dominant database. The CA is always merged to prevent security issues.

When a collision occurs and one of the Security Management servers is overwritten, you can use the Audit Logs in SmartView Tracker to better understand the situation. We recommend that you look at the management operations done recently on the overwritten Security Management. Do these operations again, if necessary, on the dominant Security Management.

Environments with Endpoint Security

Environments that include Endpoint Security require some additional steps for:

• The initial manual synchronization
• Failover
• Synchronization of MSI files and drivers
• Optional: Configure automatic sync on database change

  Important - When you add an Endpoint Policy Server to a High Availability deployment, you must install the database in SmartDashboard on all Endpoint Security Management Servers and the Endpoint Policy Server. To do this, select Policy > Install Database.

Manual Synchronization with Endpoint Security

To synchronize Security Management servers with Endpoint Security manually:

1. In SmartDashboard of the Active Security Management, select Policy > Management High Availability.
2. Click Synchronize.
3. Click OK.
4. Select Policy > Install database
5. In the first synchronization after installation, the Servers automatically synchronize again according to the settings configured in SmartDashboard, including the synchronization schedule. If you configured the manual synchronization settings in SmartDashboard, you must synchronize manually.

   While the synchronization takes place, SmartDashboard shows Not Responding.

6. Do the steps in Synchronizing MSI Files and Drivers.

Online Automatic Sync

You can configure a new synchronization type, which synchronizes the Endpoint Security Management Servers each time the database is modified. This is called online synchronization.

To use online synchronization, all servers in the High Availability environment must be R77.20 or higher. Online synchronization is supported on Gaia servers only.

If there is one or more external Remote Help Server in an environment, you must use online synchronization.

To configure the secondary server with online synchronization:

1. In SmartDashboard, select Policy > Global Properties.

   The Global Properties window opens.

2. In the navigation tree, select Management High Availability.
3. Select Manual synchronization only.
4. Click OK.
5. In the Network Objects tree, right-click Check Point and select Host.
6. In the window that opens, enter a unique name and an IP address for the server.
7. In the Software Blades section, select the Management tab.
8. Select a policy management option:
   • Network Policy Management - the Secondary Server, Logging and Status, and Provisioning are selected automatically
   • Endpoint Policy Management
9. Click Communication to create SIC trust between the Secondary Endpoint Security Management Server and the Primary Endpoint Security Management Server.
10. In the window that opens enter these configuration parameters:
    • One-time password (twice to confirm) - SIC Activation Key that you entered in the Check Point Configuration Tool
    • Click Initialize to create a state of trust between the Endpoint Security Management Servers. If the trust creation fails, click Test SIC Status to see troubleshooting instructions
    • If you must reset the SIC, click Reset, then reset the SIC on the Secondary server and click Initialize
11. Click Close.
12. Click OK.
13. Select File > Save.
14. Select Policy > Install Database.
15. Select Policy > Global Properties.

    The Global Properties window opens.

16. In the navigation tree, select Management High Availability.
17. Select Automatic synchronization when policy is installed and Every time Endpoint Server database is modified.
18. Click OK.

    The synchronization begins.

19. Click Save.
20. To make sure the synchronization finishes, go to Policy > Management High Availability.

    While synchronization continues, this warning shows: Failed to receive current status. Reason: Synchronization is in progress. Try again Later. When synchronization finishes, the status of the Secondary server changes to synchronized.
    Note - If Remote Help servers are present, the status of the Secondary server remains Never synchronized until Database installation.

21. Select Policy > Install Database.
22. Do steps in Synchronizing MSI Files and Drivers.

Before Failover

Whenever possible, change the Active Endpoint Security Management Server to Standby before you change the Standby Endpoint Security Management Server to Active, and check online synchronization status on the Secondary server and all Remote Help servers.

Notes - A standby Endpoint Security Management Server cannot be changed to Active until the online synchronization is completed. While the Primary server is offline and the Secondary server is active, external Remote Help servers do not get updates.

To check online synchronization status:

Run this command on each server: PgOnlineSyncUtil is_initial_load_over

When the synchronization finishes, the command output is Initial load is over.

Running Migrate in Online Synchronization Environment

If a configuration was exported during Automatic Synchronization, it must be re-configured after the import.

To reconfigure Automatic Synchronization:

1. In SmartDashboard, go to Policy > Edit Global Properties.

   Global Properties window opens.

2. In the navigation tree, select Management High Availability.
3. Select Manual synchronization only.
4. Click OK.
5. Click Save.
6. Go to Policy > Edit Global Properties.

   Global Properties window opens.

7. In the navigation tree, select Management High Availability.
8. Select Automatic synchronization when policy is installed and Every time Endpoint Server database is modified.
9. Click OK.

   As soon as you click OK, the synchronization begins.

10. Click Save.
11. To make sure the synchronization finishes, go to Policy > Management High Availability.

    While synchronization continues, this warning shows: Failed to receive current status. Reason: Synchronization is in progress. Try again Later. When synchronization finishes, the status of the Secondary server changes to synchronized.
    Note - If Remote Help servers are present, the status of the Secondary server remains Never synchronized until Database installation.

12. Go to Policy > Install Database.

Synchronizing MSI Files and Drivers

Each time you download a new MSI package or driver that is related to Endpoint Security, for example, a Smart Card driver, you must synchronize these file throughout the High Availability environment. This is not done automatically with synchronization because the files can be very large.

To synchronize MSI packages and drivers:

1. Manually copy the MSI folder to the Standby servers.

   Note: The MSI folder contains many folders with unique names. When you add a new file to a folder on the Active server, copy this file to the same folder on the Standby server.

   1. On the Active Security Management, copy these folders:
      • On Windows platforms: %fwdir%\conf\SMC_Files\uepm\msi
      • On SecurePlatform or Gaia: $FWDIR/conf/SMC_Files/uepm/msi
   2. On the Standby Security Management, replace theses folders with the folders that you copied from the Active Security Management:
      • On Windows platforms: %fwdir%\conf\SMC_Files\uepm\msi
      • On SecurePlatform or Gaia: $FWDIR/conf/SMC_Files/uepm/msi
   3. If necessary, manually copy the Smart Card drivers.
      • On Windows platforms: %fwdir%\conf\SMC_Files\uepm\DRIVERS
      • On SecurePlatform or Gaia: $FWDIR/conf/SMC_Files/uepm/DRIVERS
   4. On Gaia, SecurePlatform or Linux, run:
      1. cd $FWDIR/conf/SMC_Files/uepm
      2. chmod -R u+rwx,g+rwx,o-rwx msi/ -
      3. find msi/ -type d -exec chmod g+s {} \;
2. On the Standby Security Management, replace theses folders with the folders that you copied from the Active Security Management:
   • On Windows platforms: %fwdir%\conf\SMC_Files\uepm\DRIVERS
   • On SecurePlatform or Gaia: $FWDIR/conf/SMC_Files/uepm/DRIVERS