Management High Availability
High Availability is redundancy and database backup for management servers. Synchronized servers have the same policies, rules, user definitions, network objects, and system configuration settings. The first management server installed is the primary. If the primary Security Management Server fails, or is offline for maintenance, the secondary server takes over.
When you use Check Point Endpoint Security, the Endpoint Security Management Server is fully integrated with the Network Security Management Server on the same computer. This means that the Security Management High Availability solution supplies backup and redundancy for both the Network Security Management Server and the Endpoint Security Management Server databases.
Only one Secondary server is supported with Endpoint Security.
To learn how to configure and manage a High Availability environment, see "Management High Availability" in the R81.10 Security Management Administration Guide.
Information that is different for environments with Endpoint Security is included in this guide.
Environments that include Endpoint Security require some additional steps for:
- Configuring a secondary server
- Failover
- Synchronization of MSI files and drivers
Configuring a Secondary Server
To add a secondary server for an Endpoint Security environment, you must follow the workflow defined here. You must create communication between the servers and install the database BEFORE you enable Endpoint Security. After the first database installation and synchronization are completed, you enable Endpoint Security with the Endpoint Policy Management component, and then install the database again.
To add a secondary server and establish communication between the servers:
1. Install a new Security Management Server.
2. In SmartConsole, connect to the primary server.
3. Create a network object for the secondary server: In the Gateways & Servers tab, click the New icon and select Network Objects > Gateways and Servers > Check Point Host.
4. In the General Properties page of the window that opens, enter a unique name and an IP address for the server.
5. In the Management tab of the General Properties page, select Network Policy Management.
   Secondary Server, Logging & Status, and Provisioning are selected automatically.
   DO NOT enable Endpoint Policy Management on the server at this stage. It is enabled only after the first database installation and synchronization have completed (see the next procedure).
6. Click Communication to create SIC (Secure Internal Communication) trust between the Secondary Endpoint Security Management Server and the Primary Endpoint Security Management Server.
7. In the window that opens, enter these configuration parameters:
   - One-time password (twice to confirm) - the SIC Activation Key that you entered in the Check Point Configuration Tool on the secondary server.
   - Click Initialize to create a state of trust between the Endpoint Security Management Servers. If the trust creation fails, click Test SIC Status to see troubleshooting instructions.
   - If you must reset the SIC, click Reset, then reset the SIC on the Secondary server and click Initialize again.
8. Click Close.
9. Click OK.
10. From the menu, select Install Database.
11. Wait for the peer initialization and the full sync with the peer to finish.
To enable Endpoint Security on the secondary server:
1. After the previous procedure is completed, in SmartConsole, open the secondary server object.
2. In the Management tab of the General Properties page, select Endpoint Policy Management.
3. Click OK.
4. Select File > Save.
5. From the menu, select Install Database.
6. Follow the steps in Synchronizing MSI Files, Dynamic Packages and Drivers.
Synchronizing MSI Files, Dynamic Packages and Drivers
Each time you download a new MSI package, Dynamic Package or driver related to the Endpoint Security client (for example, a Smart Card driver), you must manually synchronize these files to all servers in the High Availability environment. This synchronization is not performed automatically because of the large file sizes.
To synchronize MSI Files, Dynamic Packages and Drivers:
1. Manually copy the MSI folder to the Standby servers.
   Note: The MSI folder contains many folders with unique names. When you add a new file to a folder on the Active server, copy this file to the same folder on the Standby server.
2. On the Active Security Management Server, copy these folders:
   - $FWDIR/conf/SMC_Files/uepm/msi
   - $FWDIR/conf/SMC_Files/uepm/packages
   - $FWDIR/conf/SMC_Files/uepm/recimg
   - $FWDIR/conf/SMC_Files/uepm/archives
3. On the Standby Security Management Server, replace these folders with the folders that you copied from the Active Security Management Server:
   - $FWDIR/conf/SMC_Files/uepm/msi
   - $FWDIR/conf/SMC_Files/uepm/packages
   - $FWDIR/conf/SMC_Files/uepm/recimg
   - $FWDIR/conf/SMC_Files/uepm/archives
4. If necessary, manually copy the Smart Card drivers from the Active Security Management Server:
   $FWDIR/conf/SMC_Files/uepm/DRIVERS
5. On the Standby Security Management Server, run these commands in the Expert shell. The chmod lines give the owner and group full access and remove all access for others (o-rwx); the find lines set the setgid bit on every directory so that files added later inherit the directory's group:
   cd $FWDIR/conf/SMC_Files/uepm
   chmod -R u+rwx,g+rwx,o-rwx msi/
   chmod -R u+rwx,g+rwx,o-rwx packages/
   chmod -R u+rwx,g+rwx,o-rwx recimg/
   chmod -R u+rwx,g+rwx,o-rwx archives/
   find msi/ -type d -exec chmod g+s {} \;
   find packages/ -type d -exec chmod g+s {} \;
   find recimg/ -type d -exec chmod g+s {} \;
   find archives/ -type d -exec chmod g+s {} \;
6. On the Standby Security Management Server, replace this folder with the folder that you copied from the Active Security Management Server:
   $FWDIR/conf/SMC_Files/uepm/DRIVERS
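The replace-and-re-permission steps above, scripted for the Standby server. This is an added example and not Check Point's own tooling. It assumes the folders have already been copied from the Active server (for example with scp) into a staging directory on the Standby, and that $FWDIR is set as it is in the Gaia Expert shell; the staging directory name and the script name are illustrative. It adds one thing the guide does not have: an audit that reports any entry still accessible by others, or any directory missing the setgid bit, so that a partial copy or a forgotten chmod is caught before a failover makes this server Active.

```shell
#!/bin/bash
# Added example, not Check Point's own tooling. Run on the Standby Endpoint
# Security Management Server after the uepm folders from the Active server have
# been copied (for example with scp) into a staging directory on this server.
# Assumes $FWDIR is set, as it is in the Gaia Expert shell.
set -eu

# Folders the guide tells you to replace and then re-permission on the Standby.
UEPM_PERM_DIRS="msi packages recimg archives"
# DRIVERS is replaced too, but the guide applies no chmod to it.
UEPM_COPY_DIRS="$UEPM_PERM_DIRS DRIVERS"

# Replace each uepm folder on the Standby with the copy taken from the Active.
# $1 = staging directory holding the copied folders, $2 = target uepm directory.
replace_uepm_dirs() {
    local staging="$1" target="$2" d
    for d in $UEPM_COPY_DIRS; do
        [ -d "$staging/$d" ] || continue     # folder was not copied; leave it
        rm -rf "$target/$d"
        cp -a "$staging/$d" "$target/$d"     # -a keeps modes and timestamps
    done
}

# The guide's permission fix: owner and group rwx, nothing for others, and
# setgid on every directory so files added later inherit the group.
fix_uepm_perms() {
    local base="$1" d
    for d in $UEPM_PERM_DIRS; do
        [ -d "$base/$d" ] || continue
        chmod -R u+rwx,g+rwx,o-rwx "$base/$d"
        find "$base/$d" -type d -exec chmod g+s {} \;
    done
}

# Audit (not in the guide): succeed only when no entry under the four folders
# is accessible by "others" and every directory carries setgid. Offending
# paths go to stderr so the operator can see what a partial copy left behind.
check_uepm_perms() {
    local base="$1" d offenders
    offenders=$(
        for d in $UEPM_PERM_DIRS; do
            [ -d "$base/$d" ] || continue
            # octal tests (o+r=004, o+w=002, o+x=001, setgid=2000) keep this POSIX
            find "$base/$d" \( -perm -004 -o -perm -002 -o -perm -001 \)
            find "$base/$d" -type d ! -perm -2000
        done
    )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" | sed 's/^/bad mode: /' >&2
        return 1
    fi
    return 0
}

# Usage: sync_uepm.sh <staging_dir> [target_uepm_dir]
# With no arguments the script only defines the functions above.
if [ -n "${1:-}" ]; then
    target="${2:-$FWDIR/conf/SMC_Files/uepm}"
    replace_uepm_dirs "$1" "$target"
    fix_uepm_perms "$target"
    check_uepm_perms "$target" && echo "uepm folders synchronized in $target"
fi
```

Run check_uepm_perms on its own on a Standby you did not just synchronize; a non-zero exit tells you the folders were copied by hand without the permission step.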
Online Automatic Sync
In R80.10 and higher, the Endpoint Security database uses online synchronization. Online synchronization synchronizes the Endpoint Security Management Servers each time the database is modified.
Online synchronization is supported on Gaia servers only.
To check the status of the first synchronization:
Run this command on each server: PgOnlineSyncUtil is_initial_load_over
When the synchronization finishes, the command output is: Initial load is over
Before Failover
Whenever possible, change the Active Endpoint Security Management Server to Standby before you change the Standby Endpoint Security Management Server to Active, and check the online synchronization status on the Secondary server and on all Remote Help servers.
Database Migration in a High Availability Environment
If a High Availability configuration was exported, you must re-configure it after the import.
Best practice is to re-install all Secondary Servers and Remote Help Servers after the migrate import procedure.
Install new Secondary Servers and Remote Help Servers of the same version as the primary server and synchronize all servers.
Updating the PAT Version on the Server
When you change a Standby Security Management Server to Active, the new Active Security Management Server can have an older Policy Assignment Table (PAT) version than the clients. If the PAT version on the server is lower than the PAT version on the client, the client will not download policy updates.
To fix this, update the PAT version on the new Active server.
To get the PAT version:
If the previous Active Security Management Server is available, get the last PAT version from it. On that server, run:
uepm patver get
If the previous Active Security Management Server is not available, get the last PAT version from a client that was connected to the server before it went down. On the client computer:
1. Open the Windows registry.
2. Find HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\EndPoint Security\Device Agent
3. Double-click the PATVersion value. The Edit String window opens.
4. Copy the number in the Value data field. This is the PAT version number.
To change the PAT version on the server:
1. On the new Active Security Management Server, open a command prompt.
2. Run the Endpoint Security Management utility, uepm, and set a new PAT version that is higher than the one you collected. The rule is the old version plus 10:
   uepm patver set <old_PAT_version_number + 10>
   For example, if the collected PAT version is 1234, run: uepm patver set 1244
3. Make sure the new PAT version is set by running:
   uepm patver get
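A failover pre-check that strings together the checks from Online Automatic Sync and from this section: confirm that the initial online synchronization has finished, then set a PAT version higher than any value known, whether from the previous Active server or from a client's PATVersion registry value. This is an added example, not Check Point's tooling. The commands it wraps (PgOnlineSyncUtil is_initial_load_over, uepm patver get, uepm patver set) are the ones named in this guide, but the assumption that uepm patver get prints the PAT number as the first integer in its output is mine; confirm it against your server's output before relying on the script. The parsing and the "plus 10" rule are kept in separate functions so they can be exercised without the product commands.

```shell
#!/bin/bash
# Added example, not Check Point's own tooling: the pre-failover checks from
# this guide, scripted for the server that is about to become Active. It wraps
# the commands the guide names (PgOnlineSyncUtil is_initial_load_over,
# uepm patver get, uepm patver set). Assumption: "uepm patver get" prints the
# PAT number as the first integer in its output; verify that on your server.
set -eu

# True when the captured PgOnlineSyncUtil output says the initial load finished.
sync_initial_load_done() {
    case "$1" in
        *"Initial load is over"*) return 0 ;;
        *) return 1 ;;
    esac
}

# First integer in the given text, meant for the output of "uepm patver get".
# Fails when there is none, so an empty or unexpected reply never becomes PAT 0.
parse_pat_version() {
    local n
    n=$(printf '%s' "$1" | grep -oE '[0-9]+' | head -n 1) || true
    [ -n "$n" ] || return 1
    printf '%s\n' "$n"
}

# PAT version to set on the new Active server. The guide's rule is the old
# value plus 10; "old" is taken as the highest value known from any source:
# $1 = this server's current PAT, remaining args = PATs read from the previous
# Active server or from a client's PATVersion registry value.
next_pat_version() {
    local highest="$1" v
    shift
    for v in "$@"; do
        if [ "$v" -gt "$highest" ]; then
            highest="$v"
        fi
    done
    echo $((highest + 10))
}

# Run the checks for real. Other known PAT values are passed as arguments.
failover_precheck() {
    local sync_out current target
    sync_out=$(PgOnlineSyncUtil is_initial_load_over)
    if ! sync_initial_load_done "$sync_out"; then
        echo "online synchronization not finished: $sync_out" >&2
        return 1
    fi
    current=$(parse_pat_version "$(uepm patver get)")
    target=$(next_pat_version "$current" "$@")
    uepm patver set "$target"
    # Confirm the new value took, as the guide's last step does.
    parse_pat_version "$(uepm patver get)" | grep -qx "$target"
}

# Usage: failover_precheck.sh --run [pat_from_old_active_or_client ...]
# Without --run the script only defines the functions above.
if [ "${1:-}" = "--run" ]; then
    shift
    failover_precheck "$@"
fi
```

If the previous Active server is gone and you only have a client's PATVersion, pass that value after --run; the script then sets the server at least ten above it, which is what the guide requires for clients to resume downloading policy.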
Deleting a Server
You can delete a Remote Help server or a Secondary Endpoint Security Management Server. Before you do that, make sure none of the remaining servers have connectivity to the deleted entities.