Management High Availability

In This Section: Overview of Management High Availability Configuring a Secondary Server Synchronizing MSI Files and Drivers Online Automatic Sync Before Failover Database Migration in a High Availability Environment Updating the PAT Version on the Server Deleting a Server

Overview of Management High Availability

High Availability is redundancy and database backup for management servers. Synchronized servers have the same policies, rules, user definitions, network objects, and system configuration settings. The first management server installed is the primary. If the primary Security Management Server fails, or is off line for maintenance, the secondary server takes over.

When you use Check Point Endpoint Security, the Endpoint Security Management Server is fully integrated with the Network Security Management Server on the same computer. This means that the Security Management High Availability solution supplies backup and redundancy for the Network Security Management Server and the Endpoint Security Management Server databases.

Only one Secondary server is supported with Endpoint Security.

For general information about configuring and managing a High Availability environment, see High Availability in the Security Management Administration Guide.

Information that is different for environments with Endpoint Security is included in this guide.

Environments that include Endpoint Security require some additional steps for:

• Configuring a secondary server
• Failover
• Synchronization of MSI files and drivers

Configuring a Secondary Server

To add a secondary server for an Endpoint Security environment, you must follow the workflow defined here. You must create communication between the servers and install the database BEFORE you enable Endpoint Security. After the first database installation and synchronization are completed, you enable Endpoint Security with the Endpoint Policy Management blade, and then install the database again.

To add a secondary server and establish communication between the servers:

1. Install a new Security Management Server.
2. In SmartConsole, connect to the primary server.
3. Create a network object for the secondary server: In the Gateways & Servers tab, click the New icon and select More > Check Point Host.
4. In the General Properties page of the window that opens, enter a unique name and an IP address for the server.
5. In the Management tab of the General Properties page, select Network Policy Management.

   Secondary Server, Logging & Status, and Provisioning are selected automatically

   DO NOT enable Endpoint Policy Management on the server.

6. Click Communication to create SIC trust between the Secondary Endpoint Security Management Server and the Primary Endpoint Security Management Server.
7. In the window that opens enter these configuration parameters:
   • One-time password (twice to confirm) - SIC Activation Key that you entered in the Check Point Configuration Tool
   • Click Initialize to create a state of trust between the Endpoint Security Management Servers. If the trust creation fails, click Test SIC Status to see troubleshooting instructions
   • If you must reset the SIC, click Reset, then reset the SIC on the Secondary server and click Initialize
8. Click Close.
9. Click OK.
10. From the menu, select Install Database.
11. Wait for the peer initialization and the full sync with peer to finish.

To enable Endpoint Security on the secondary server:

1. After the previous procedure is completed, in SmartConsole, open the secondary server object.
2. In the Management tab of the General Properties page, select Endpoint Policy Management.
3. Click OK.
4. Select File > Save.
5. From the menu, select Install Database.
6. Follow the steps in Synchronizing MSI Files and Drivers.

Synchronizing MSI Files and Drivers

Each time you download a new MSI package or driver that is related to Endpoint Security, for example, a Smart Card driver, you must synchronize these file throughout the High Availability environment. This is not done automatically with synchronization because the files can be very large.

To synchronize MSI packages and drivers:

1. Manually copy the MSI folder to the Standby servers.

   Note: The MSI folder contains many folders with unique names. When you add a new file to a folder on the Active server, copy this file to the same folder on the Standby server.

   1. On the Active Security Management Server, copy these folders: $FWDIR/conf/SMC_Files/uepm/msi
   2. On the Standby Security Management Server, replace theses folders with the folders that you copied from the Active Security Management Server: $FWDIR/conf/SMC_Files/uepm/msi
   3. If necessary, manually copy the Smart Card drivers: $FWDIR/conf/SMC_Files/uepm/DRIVERS
   4. Run:
      1. cd $FWDIR/conf/SMC_Files/uepm
      2. chmod -R u+rwx,g+rwx,o-rwx msi/
      3. find msi/ -type d -exec chmod g+s {} \;
2. On the Standby Security Management Server, replace theses folders with the folders that you copied from the Active Security Management Server: $FWDIR/conf/SMC_Files/uepm/DRIVERS

Online Automatic Sync

In R80.10 and higher, the Endpoint Security database uses online synchronization. Online synchronization synchronizes the Endpoint Security Management Servers each time the database is modified.

Online synchronization is supported on Gaia servers only.

To check the status of the first synchronization:

Run this command on each server: PgOnlineSyncUtil is_initial_load_over

When the synchronization finishes, the command output is Initial load is over.

Before Failover

Whenever possible, change the Active Endpoint Security Management Server to Standby before you change the Standby Endpoint Security Management Server to Active, and check online synchronization status on the Secondary server and all Remote Help servers.

Notes - A standby Endpoint Security Management Server cannot be changed to Active until the first synchronization of the Endpoint Security database is completed. While the Primary server is offline and the Secondary server is active, external Remote Help servers do not get updates.

Database Migration in a High Availability Environment

If a High Availability configuration was exported, you must re-configure it after the import.

Best practice is to re-install all Secondary Servers and Remote Help Servers after the migrate import procedure.

Install new Secondary Servers and Remote Help Servers of the same version as the primary server and synchronize all servers.