Changing a Server to Active or Standby

The Active server synchronizes with the Standby server or servers at intervals, and when you publish the session. Sessions that are not published are not synchronized.

When the administrator initiates changeover, all public data is synchronized from the new Active to the new Standby server after the Standby becomes Active. Data from the new Active overrides the data on the new Standby. Unpublished changes are not synchronized.

Best Practice - We recommend that you publish changes before initiating a changeover to the Standby.

To interchange the Active and Standby servers:

  1. Open SmartConsole.
  2. Connect to the Standby server.
  3. On the Menu button, select High Availability.

    The High Availability Status window opens.

  4. Use the Action buttons to change the Standby server to Active.

This changes the previous Active server to Standby.

Working in Collision Mode

You can make more than one server Active. You may need to do that if there is no connectivity to the primary. When you change the Standby to Active, it becomes Active without telling the current Active server to become Standby. This is known as collision mode. You can later change one of the Active servers to Standby, and return to the standard configuration.

When in collision mode, the Active servers do not sync even if they have network connectivity. When you change one of them to Standby, sync starts and overwrites the data on the Standby server with the remaining Active data.

High Availability Troubleshooting

These error messages show in the High Availability Status window when synchronization fails:

Not communicating

Solution:

  1. Check connectivity between the servers.
  2. Test SIC.

Collision or HA Conflict

More than one management server is configured as active.

Solution:

  1. From the main SmartConsole menu, select Management High Availability.

    The High Availability Status window opens.

  2. Use the Actions button to set one of the active servers to standby.

    Warning - When this server becomes the Standby, all its data is overwritten by the active server.

Sync Error

Solution:

Do a manual sync.

Environments with Endpoint Security

Environments that include Endpoint Security require additional steps and information.

See High Availability in the R80.20 Endpoint Security Administration Guide for details.

High Availability Disaster Recovery

If the primary management server becomes permanently unavailable:

Creating a New Primary Management Server

To create a new Primary Management Server:

  1. Change the Secondary Management Server from Standby to Active.
  2. Promote the Secondary Management Server to be Primary. Follow the procedure of Promoting a Secondary Management Server (no need to do step 5).
  3. Install the new Secondary Management Server with the IP of the old Primary Management Server.
  4. Reset SIC and connect with SIC to the new Secondary Management Server.

To set the old Primary Management Server as the new Primary Management Server:

  1. Change the new Secondary Management Server from Standby to Active.
  2. Promote the new Secondary Management Server to be the Primary Management Server. Follow the procedure of Promoting a Secondary Management Server (no need to do step 5).
  3. Create the Secondary Management Server on the old Secondary Management Server with the original IP of the old Secondary Management Server.
  4. Reset SIC and connect with SIC to the Secondary Management Server.

Promoting a Secondary Server to Primary

The first management server installed is the Primary server, and all servers installed afterwards are Secondary servers. The Primary server acts as the synchronization master. When the Primary server is down, Secondary servers cannot synchronize their databases until a Secondary is promoted to Primary and the initial sync completes.

Note - This is the disaster recovery method supported for High Availability environments with Endpoint Security.

To promote a Secondary server to become the Primary server:

  1. On the Secondary Server that you will promote, run:

    # $FWDIR/bin/promote_util
    # cpstop

  2. Remove the $FWDIR/conf/mgha* files. They contain information about the current Secondary settings. These files will be recreated when you start the Check Point services.
  3. Make sure you have a mgmtha license on the newly promoted server.

    Note - All licenses must have the IP address of the promoted Security Management Server.

  4. Run cpstart on the promoted server.
  5. Open SmartConsole, and:
    1. Make the secondary server active.
    2. Remove all instances of the old Primary Management object. To see all of the instances, right-click the object and select Where Used.

      Note - When you remove the old Primary server, all previous licenses are revoked.

    3. Install database.
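
Steps 1 to 4 above as a guarded shell wrapper that stops at the first failure. This is an added example, not a Check Point script. It assumes a root shell on the Secondary server with the Check Point environment loaded, and it moves the mgha* files to a backup directory (a hypothetical path under /var/tmp) instead of deleting them outright.

```sh
#!/bin/sh
# Added example: guarded wrapper for steps 1-4 of the promotion procedure.
# Assumptions: run as root on the Secondary server, Check Point environment
# loaded so that $FWDIR, cpstop and cpstart resolve.

# Step 2: move $FWDIR/conf/mgha* out of conf into a backup directory.
# Prints the number of files moved; returns non-zero on unusable paths.
stash_mgha_files() {
    src=$1; dest=$2
    [ -n "$src" ] && [ -d "$src/conf" ] || { echo "bad FWDIR: '$src'" >&2; return 1; }
    mkdir -p "$dest" || return 1
    count=0
    for f in "$src"/conf/mgha*; do
        [ -e "$f" ] || continue            # glob matched nothing
        mv -- "$f" "$dest"/ || return 1
        count=$((count + 1))
    done
    echo "$count"
}

promote_secondary() {
    [ -n "${FWDIR:-}" ] || { echo "FWDIR is not set" >&2; return 1; }
    # Backup location is a hypothetical choice, not a Check Point default.
    backup="/var/tmp/mgha-backup.$(date +%Y%m%d%H%M%S)"
    "$FWDIR/bin/promote_util" || { echo "promote_util failed" >&2; return 1; }  # step 1
    cpstop || { echo "cpstop failed" >&2; return 1; }
    moved=$(stash_mgha_files "$FWDIR" "$backup") || return 1                   # step 2
    echo "moved $moved mgha file(s) to $backup"
    # Step 3 stays a manual check: the operator confirms the license.
    printf 'mgmtha license with this server IP installed? [y/N] '
    read -r answer
    [ "$answer" = "y" ] || { echo "stopping before cpstart" >&2; return 1; }
    cpstart                                                                    # step 4
}

# Nothing runs unless explicitly requested.
if [ "${1:-}" = "--promote" ]; then promote_secondary; fi
```

Step 5 (SmartConsole) is still done by hand after the script finishes.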