Removing a Member from an Existing Cluster

Important - Schedule a full maintenance window to perform this procedure.

Best Practice - Before you change the current configuration, export a complete management database with "
Configure the cluster object in SmartConsole

1. Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this cluster.
2. From the left navigation panel, click Gateways & Servers.
3. Open the existing cluster object.
4. From the left tree, click the Cluster Members page.
5. Click Remove > Delete Cluster Member.
   Confirm when prompted.
   Important:
   - This operation deletes the object.
   - There must be at least two Cluster Members in the cluster object.
6. From the left tree, click Network Management.
   - Make sure all interfaces are defined correctly.
   - Make sure all IP addresses are defined correctly.
7. Click OK.
8. Install the Access Control Policy on the cluster object.
Restart the clustering and examine the cluster state

On each existing Cluster Member:

1. Connect to the command line.
2. Log in to Gaia Clish or the Expert mode.
3. Restart the clustering. Run:
   cphastop
   cphastart
   Important - This temporarily causes the Cluster Member not to be a part of the cluster. As a result, cluster failover can occur.
4. Make sure all Cluster Members detect each other and agree on their cluster states. Run:

   Shell          Command
   Gaia Clish     set virtual-system <VSID>
                  show cluster state
   Expert mode    cphaprob [-vs <VSID>] state
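As an added example, not taken from the Check Point guide, the following POSIX shell function reads the member table printed by "cphaprob state" and confirms what step 4 asks an administrator to verify by eye: at least two Cluster Members are listed and every one of them reports ACTIVE or STANDBY, so that a member left in DOWN, READY or INIT after the restart is caught before the maintenance window closes. The column layout it parses (numeric member ID first, State second-to-last, Name last) is an assumption based on the constructed samples in the block, so adjust the awk fields if your version prints a different layout.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide.
# Reads the output of "cphaprob state" on stdin and returns 0 only if at
# least two Cluster Members are listed and every one of them reports
# ACTIVE or STANDBY. Any other state (DOWN, READY, INIT, "ACTIVE(!)")
# is printed and makes the function return 1.
# Assumption: a member row starts with the numeric member ID, the State
# column is the second-to-last field and the Name column the last, as in
# the constructed samples below. Adjust the awk fields if your version
# prints a different layout.
check_cluster_state() {
    awk '
        /^[0-9]+[ \t]/ {
            members++
            state = $(NF-1)
            if (state != "ACTIVE" && state != "STANDBY") {
                bad++
                print "unhealthy member: " $0
            }
        }
        END {
            if (members < 2) {
                print "only " (members + 0) " member(s) listed; a cluster needs at least two"
                exit 1
            }
            exit (bad > 0)
        }'
}

# Constructed sample output (not captured from a real system).
SAMPLE_HEALTHY='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.0.2.1       100%            ACTIVE         Member1
2          192.0.2.2       0%              STANDBY        Member2
'

SAMPLE_DEGRADED='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.0.2.1       100%            ACTIVE         Member1
2          192.0.2.2       0%              DOWN           Member2
'

# Usage on a member after "cphastop; cphastart":
#   cphaprob state | check_cluster_state
# Demonstration on the constructed samples:
printf '%s' "$SAMPLE_HEALTHY" | check_cluster_state && echo "healthy sample: OK"
printf '%s' "$SAMPLE_DEGRADED" | check_cluster_state || echo "degraded sample: problem detected"
```

Run it on every remaining member, not just one: each member prints its own view of the cluster, and the check only means something when all of them agree.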
Configure the removed Cluster Member

On the Security Gateway you removed from the existing cluster:

1. Connect to the command line.
2. Log in to Gaia Clish or the Expert mode.
3. Start the Check Point Configuration Tool. Run:
   cpconfig
4. Select the option Disable cluster membership for this gateway and enter y to confirm.
5. Select the option Secure Internal Communication > enter y to confirm > enter the new Activation Key. Make sure to write it down.
6. Exit from the cpconfig menu.
7. Reboot the Security Gateway.
Establish SIC with the removed Security Gateway

If you need to use the Security Gateway you removed from the existing cluster, then establish Secure Internal Communication (SIC) with it.

1. Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Gateway.
2. From the left navigation panel, click Gateways & Servers.
3. Create a new Security Gateway object in one of these ways:
   - From the top toolbar, click New > Gateway.
   - In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway.
   - In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.
4. Follow the instructions on the screen.
   Enter the same Activation Key you entered earlier in the cpconfig menu.
5. Click OK.
6. Publish the SmartConsole session.
7. Install the Access Control Policy on the Security Gateway object.
8. Install the Threat Prevention Policy on the Security Gateway object.