
Updating the PAT Version on the Server

When you change a Standby Security Management to Active, the new Active Security Management can have an older Policy Assignment Table (PAT) version than the clients. If you cannot synchronize the Security Management servers before you change a Standby server to Active, this will probably occur. If the PAT version on the server is lower than the PAT version on the client, the client will not download policy updates.

To fix this, update the PAT version on the Active server.

To get the PAT version:

If the Active Security Management is available, get the last PAT version from it.

On the Active Server:

Run: uepm patver get

If the Active Security Management is not available, get the last PAT version from a client that was connected to the server before it went down.

On the client computer:

  1. Open the Windows registry.
  2. Find HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\EndPoint Security\Device Agent
  3. Double-click the PATVersion value.

    The Edit String window opens.

  4. Copy the number in the Value data field. This is the PAT version number.

To change the PAT version on the server:

  1. Open a command prompt.
  2. Run the Endpoint Security Management utility (uepm.exe) and set the new PAT version. The new PAT version is the old PAT version number plus 10 (for example, if the old version is 20, set 30):

    Windows: uepm patver set <old_PAT_version_number> + 10

    SecurePlatform and Gaia: uepm patver set <old_PAT_version_number> + 10

  3. Make sure the new PAT version is set by running:

    Windows: uepm patver get

    SecurePlatform and Gaia: uepm patver get

Deleting a Server

You can delete a Remote Help server or a Secondary Endpoint Security Management Server. Before you do that, make sure none of the remaining servers have connectivity to the deleted entities.

Synchronization with Endpoint Security

Network Security Management servers (without Endpoint Security) only synchronize static configuration data. These Active and Standby servers stay synchronized until policies or other objects are changed.

When the High Availability environment includes Endpoint Security, some Endpoint Security data is updated dynamically, even while synchronization occurs. Dynamic updates are necessary to make sure that critical communication between the Active Security Management and clients is always available. For example, recovery data for Full Disk Encryption and Media Encryption & Port Protection, endpoint monitoring data, and endpoint heartbeat data is dynamically updated during synchronization.

Dynamic updates during synchronization can cause Active and Standby Security Management servers to be out of synchronization (in the Lagging status) almost immediately after the synchronization completes. This behavior is normal for Security Management servers with Endpoint Security.

Disaster Recovery with High Availability

In a situation where the Primary server becomes permanently unavailable, you must promote the Secondary server to Primary or create a new Primary server. By default, the first server installed is called the Primary server. You can only export the database from a Primary server. It is not sufficient to do the failover procedure and change the Standby server to Active.

If you use Endpoint Security management, Endpoint Security Management Servers are on the Security Management servers. Therefore, the same procedures apply for Security Management recovery and for Security Management with Endpoint Security Management Server recovery.

In addition, licenses are linked to IP addresses. At the end of the disaster recovery you must make sure that licenses are correctly assigned to your servers.

Choose from one of these workflows:

Recovery with a New Primary Server

Note - This procedure is not supported for environments with an Endpoint Security Management Server. Use Recovery by Promoting a Secondary Server in environments with Endpoint Security.

After your Primary server becomes permanently unavailable:

  1. Change the Secondary server from Standby to Active.
  2. Install a new Primary server with the same IP address and hostname as the original Primary server.
  3. Synchronize the new Primary server with your Active server.
  4. Change the new Primary server to the Active server and the original Secondary server to Standby.
  5. Promote the new Primary server to be Primary.
  6. Make sure the licenses work and if necessary, reassign them.

Recovery by Promoting a Secondary Server

After your Primary server becomes permanently unavailable:

  1. Promote the Secondary server to Primary.
  2. Create and install new licenses.
  3. Delete the original Primary server from the database.
  4. Install a new Secondary server and synchronize it with the Primary server.

    Note - While the Primary server is offline and the Secondary server is Active, Endpoint Security Remote Help servers do not get updates.

Promoting a Secondary Server to Primary

The first management server installed is the Primary Server and all servers installed afterwards are Secondary servers. As part of disaster recovery with High Availability it might be necessary to promote a Secondary server to become the Primary server.

The Primary server acts as the synchronization master. It synchronizes the databases of one Secondary Endpoint Security Management Server and the master Remote Help server. All other Remote Help servers synchronize their databases with the Remote Help master. The synchronization speed depends on the network and the hardware characteristics.

Important - When the Primary server is down, the other servers cannot synchronize their databases until a Secondary server is promoted to Primary and the initial sync is finished. While the servers are re-syncing, the Remote Help server is unavailable. Therefore, we recommend that you schedule promoting a Secondary server to Primary during non-working hours.

Before you promote a Secondary Endpoint Security Management Server to the Primary one, make sure they are synchronized.

To promote a Secondary server to become the Primary server:

  1. On the Secondary Server that you will promote, run cpstop to stop all Check Point services.
  2. Make a backup of the objects_5_0.C file.
  3. Edit the objects_5_0.C file:
    1. Edit the Primary Object definition to look like this:

    :primary_management (true) → :primary_management (false)

    Remove from admin_info the following attribute: :Deleteable (false)

    2. Edit the Secondary Object definition to look like this:

    :primary_management (false) → :primary_management (true)

    Add under admin_info the following attribute: :Deleteable (false)

  4. To change the registry and set this server to be the Primary server, run: cpprod_util FwSetPrimary 1
  5. Remove the $FWDIR/conf/mgha* files. They contain information about the current Secondary settings. These files will be recreated when you start the Check Point services.
  6. Make sure you have a mgmtha license on the newly promoted server.

    Note - All licenses must have the IP address of the promoted Security Management.

  7. Run cpstart on the promoted server.
  8. In SmartDashboard, select the Secondary server.
  9. Select Change Active.

    If SmartDashboard fails to connect, reboot the server.

  10. In SmartDashboard:
    1. Remove all instances of the old Primary Management object. To see all of the instances, right-click the object and select Where Used.

      Note - When you remove the old Primary server, all previous licenses are revoked.

    2. Install database.
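The shell portion of the promotion procedure above (steps 2 and 3: back up objects_5_0.C, swap the :primary_management flags and move the :Deleteable (false) attribute under admin_info) can be automated so that the edit is applied consistently and the backup is never skipped. The script below is an added example and is not Check Point's own code or tooling. It assumes the file layout implied by this page (one attribute per line, objects opened by ": (name", attribute blocks opened by ":attr (" and closed by ")"); the sample objects file it writes, the object names mgmt_primary and mgmt_secondary, and the UID values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Check Point's own code. Automates steps 2-3 of the
# promotion procedure: back up objects_5_0.C, swap the :primary_management
# flags of the old Primary and the promoted Secondary objects, and move the
# ":Deleteable (false)" attribute under admin_info from the old Primary to the
# new one. Assumed file layout: one attribute per line, objects opened by
# ": (name", attribute blocks opened by ":attr (" and closed by ")".

# Rewrite the objects file read from BACKUP_FILE so that OLD_PRIMARY becomes a
# Secondary object and NEW_PRIMARY becomes the Primary object.
# Usage: promote_in_objects_file OLD_PRIMARY NEW_PRIMARY BACKUP_FILE > objects_5_0.C
promote_in_objects_file() {
  awk -v old="$1" -v new="$2" '
    # A line of the form ": (name" starts a new top-level object.
    /^[[:space:]]*: \(/ { obj = $0; sub(/^[[:space:]]*: \(/, "", obj); in_admin = 0 }

    # Entering admin_info: for the promoted server, add :Deleteable (false)
    # right after the opening line, using the same indentation plus two spaces.
    /^[[:space:]]*:admin_info \(/ {
      in_admin = 1; print
      if (obj == new) { ind = $0; sub(/:admin_info.*/, "", ind); print ind "  :Deleteable (false)" }
      next
    }
    in_admin && /^[[:space:]]*\)/ { in_admin = 0 }

    # Drop :Deleteable (false) from the old Primary; also drop any pre-existing
    # copy in the new Primary so the attribute is never duplicated.
    in_admin && (obj == old || obj == new) && /:Deleteable \(false\)/ { next }

    obj == old && /:primary_management \(true\)/  { sub(/\(true\)/,  "(false)") }
    obj == new && /:primary_management \(false\)/ { sub(/\(false\)/, "(true)") }
    { print }
  ' "$3"
}

# Constructed sample objects_5_0.C fragment (not a real file) with one Primary
# and one Secondary management object; written to the path given as $1.
write_sample_objects() {
  cat > "$1" <<'EOF'
(
  : (mgmt_primary
    :admin_info (
      :chkpf_uid ("{CONSTRUCTED-UID-0001}")
      :ClassName (host_ckp)
      :Deleteable (false)
    )
    :ipaddr (192.0.2.10)
    :primary_management (true)
  )
  : (mgmt_secondary
    :admin_info (
      :chkpf_uid ("{CONSTRUCTED-UID-0002}")
      :ClassName (host_ckp)
    )
    :ipaddr (192.0.2.11)
    :primary_management (false)
  )
)
EOF
}

# Walk-through on the sample: back up, rewrite, show the result. On a real
# server the file lives under $FWDIR/conf on the Secondary being promoted, and
# cpstop must have been run first (step 1 above).
demo() {
  work=$(mktemp -d)
  write_sample_objects "$work/objects_5_0.C"
  cp "$work/objects_5_0.C" "$work/objects_5_0.C.bak"          # step 2: backup
  promote_in_objects_file mgmt_primary mgmt_secondary \
      "$work/objects_5_0.C.bak" > "$work/objects_5_0.C"      # step 3: edit
  cat "$work/objects_5_0.C"
}

demo
```

The script reads from the backup and writes the new file, so the backup made in step 2 is always the unmodified original; after running it, continue with step 4 (cpprod_util FwSetPrimary 1) and the remaining steps as written above.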