Failure Recovery
In many cases, you can recover a failed Primary Multi-Domain Server (MDS) in a Management High Availability deployment. A Multi-Domain Server is a dedicated Check Point server that hosts virtual Security Management Servers called Domain Management Servers (DMS).
Action Plan:
- Promote an existing Secondary Multi-Domain Server to become the Primary Multi-Domain Server.
- Promote each Secondary Domain Management Server to become the Primary Domain Management Server.
- Install and configure a new Secondary Multi-Domain Server.

Important - Use Domain Management Server promotion only to recover a failed Multi-Domain Server. Do not use this procedure to change the Primary and Secondary roles on working servers.
Procedure:
Promote the Global Domain Management Server on the Secondary Multi-Domain Server

1. Make sure that all functional Secondary Multi-Domain Servers and Multi-Domain Log Servers are up and running.
2. Connect with SmartConsole to one of the Secondary Multi-Domain Servers you need to promote.
3. If the Global Domain Management Server is not Active, change it to Active:
   - In the Domains view, right-click the Global Domain, and then click Connect to Domain. A SmartConsole instance opens for the Global Domain.
   - Go to > Management High Availability.
   - In the High Availability Status window, click Actions > Set Active for this Global Domain.
4. Close all SmartConsole windows.
Promote the Secondary Multi-Domain Server to Primary

This procedure is necessary because there is no automatic promotion of a Secondary Multi-Domain Server when the Primary Multi-Domain Server fails.

1. Connect to the command line on the Secondary Multi-Domain Server you need to promote.
2. Log in to Expert mode.
3. Run these commands in the order they appear below:
   cpprod_util FwSetPrimary 1
   cpprod_util CPPROD_SetValue PROVIDER-1 Primary 4 1 1
   cpprod_util CPPROD_SetValue SIC ICAState 4 3 1
   ckp_regedit -d //SOFTWARE//CheckPoint//SIC OTP
   ckp_regedit -d //SOFTWARE//CheckPoint//SIC ICAip
   These commands update the required parameters in the Check Point Registry on the Secondary Multi-Domain Server.
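As an added example (not part of the Check Point documentation and not a Check Point tool), the following shell wrapper runs the registry commands from step 3 in the listed order, but only after checking that it is running as root in Expert mode on a server that does not already report itself Primary, and after copying the registry file aside so a half-applied promotion can be rolled back. The `cpprod_util FwIsPrimary` query and the registry path `$CPDIR/registry/HKLM_registry.data` are assumptions about current releases; confirm both on your version. Setting `MDS_PROMOTE_DRY_RUN=1` prints the commands instead of running them, which is how to rehearse the script before the real recovery.

```shell
#!/bin/bash
# Added example; not Check Point's own tooling. Wraps the registry promotion
# step with guard rails. Assumes an Expert-mode shell on the Secondary
# Multi-Domain Server, with cpprod_util and ckp_regedit on PATH.
# MDS_PROMOTE_DRY_RUN=1 prints each command instead of executing it.

# The command sequence from the procedure, in the order it must run.
promotion_commands() {
    cat <<'EOF'
cpprod_util FwSetPrimary 1
cpprod_util CPPROD_SetValue PROVIDER-1 Primary 4 1 1
cpprod_util CPPROD_SetValue SIC ICAState 4 3 1
ckp_regedit -d //SOFTWARE//CheckPoint//SIC OTP
ckp_regedit -d //SOFTWARE//CheckPoint//SIC ICAip
EOF
}

dry_run() { [ "${MDS_PROMOTE_DRY_RUN:-0}" = "1" ]; }

# Refuse to touch the registry unless the preconditions hold.
# Skipped in dry-run mode so the script can be rehearsed on any host.
check_promotion_prereqs() {
    dry_run && return 0
    [ "$(id -u)" = "0" ] || { echo "run from Expert mode (root)" >&2; return 1; }
    for bin in cpprod_util ckp_regedit; do
        command -v "$bin" >/dev/null 2>&1 || { echo "$bin not found; is this a Check Point server?" >&2; return 1; }
    done
    # The procedure is for recovery only: never run it on a server that is
    # already Primary. FwIsPrimary is assumed to print 1 on a Primary server;
    # verify on your release.
    if [ "$(cpprod_util FwIsPrimary 2>/dev/null)" = "1" ]; then
        echo "this server already reports Primary; aborting" >&2
        return 1
    fi
}

# Keep a copy of the registry so a partial promotion can be rolled back.
# The path is an assumption for current releases; check $CPDIR on your system.
backup_registry() {
    if [ -z "${CPDIR:-}" ]; then
        echo "CPDIR not set; source the Check Point environment first" >&2
        return 1
    fi
    reg="$CPDIR/registry/HKLM_registry.data"
    cp -p "$reg" "$reg.pre-promote.$(date +%Y%m%d%H%M%S)"
}

# Run (or, in dry-run mode, print) the promotion commands in order and stop
# at the first failure so the operator knows which step left the registry
# partially updated.
run_promotion() {
    check_promotion_prereqs || return 1
    dry_run || backup_registry || return 1
    n=0
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        n=$((n + 1))
        if dry_run; then
            echo "[dry-run $n] $cmd"
        else
            echo "[$n] $cmd"
            eval "$cmd" || {
                echo "step $n failed; restore the registry backup before retrying" >&2
                return 1
            }
        fi
    done <<EOF
$(promotion_commands)
EOF
    return 0
}
```

Run `MDS_PROMOTE_DRY_RUN=1 run_promotion` first to see the five commands in order; run `run_promotion` without the variable only on the Secondary Multi-Domain Server you intend to promote.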
Delete the object of the failed Primary Multi-Domain Server

1. Connect with the Database Tool (GuiDBEdit Tool) to the Secondary Multi-Domain Server you need to promote.
   Important - You must start this tool with the "/mds" flag.
2. In the top left panel, click Tables > Other > mdss.
3. In the top right panel, locate the object of the failed Primary Multi-Domain Server > right-click this object > click Delete.
   Important - The Database Tool (GuiDBEdit Tool) deletes this object without asking for confirmation.
4. In the top right panel, select the object of the Secondary Multi-Domain Server you promoted.
5. In the bottom panel, double-click the primary attribute.
6. Select the value true > click OK.
7. Save the changes: click the File menu > click Save All.
8. Close the Database Tool (GuiDBEdit Tool).
9. Connect with SmartConsole to the Multi-Domain Server you promoted.
10. From the left navigation panel, click Multi Domain.
11. In the middle panel, click Domains.
12. In the right panel, from the top toolbar, right-click the object of the failed Primary Multi-Domain Server > click Delete.
Promote all the Secondary Domains to Primary

Follow these instructions for each Domain on the Secondary Multi-Domain Server.

Important:
- To use this procedure, there must be at least one Active Domain Management Server on a different Multi-Domain Server.
- To make a Domain Management Server Active when it has no corresponding peer and the High Availability Status window is not available, run these commands:
  mdsenv <IP Address or Name of Domain Management Server>
  mgmt_cli make-server-active force true --domain <Name of Domain Management Server> --user <User Name> --password <Password>
  These commands set the Domain Management Server to the Active state. Do this for every Domain Management Server that does not have a High Availability peer.

1. In the SmartConsole Domains view, in the left column, select a Secondary Domain to promote to Primary.
2. If the selected Domain Management Server is Standby, change it to Active:
   - Right-click the selected Domain Management Server, and then click Connect to Domain. A SmartConsole instance opens for the Domain.
   - Go to > Management High Availability.
   - In the High Availability Status window, click Actions > Set Active.
   - Close SmartConsole.
3. Run these commands on the Multi-Domain Server you promoted to Primary:
   mdsenv <IP Address or Name of Domain Management Server>
   promote_util
4. Connect with SmartConsole to the Domain Management Server you promoted: right-click the selected Domain Management Server, and then click Connect to Domain Server.
5. From the left navigation panel, click Gateways & Servers.
6. Right-click the object of the Domain Management Server that failed > click Where Used.
7. Delete all instances of the failed Domain Management Server, including the failed Domain Management Server itself.
8. Delete the object of the failed Domain Management Server.
9. Publish the SmartConsole session.
10. Manually synchronize the Domain Management Servers.
11. Close the SmartConsole connected to this Domain Management Server.
12. Assign Global Policies and install Policies on all managed Security Gateways.
13. If the promoted Domain Management Server is using a High Availability Domain Management Server license, replace it with a standard Domain Management Server license.
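As an added example (again not Check Point's own code), this shell function applies the Important note above to a whole list of Domains: for each Domain Management Server that has no High Availability peer, it runs `mdsenv` and then `make-server-active` with `force true`. It assumes it is run from an Expert-mode shell on the promoted Multi-Domain Server where `mdsenv` is defined, and it defaults to `mgmt_cli -r true` (local root login) so that an administrator password does not land in the process list or the shell history; set `MGMT_USER` and `MGMT_PASSWORD` only if you need the named-administrator form shown in the note. `MDS_PROMOTE_DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/bash
# Added example; not Check Point's own tooling. Sets every listed Domain
# Management Server to Active when it has no HA peer, per the note above.
# Assumes Expert mode on the promoted Multi-Domain Server, where mdsenv and
# mgmt_cli are available. MDS_PROMOTE_DRY_RUN=1 prints instead of executing.

# Build the mgmt_cli command for one Domain. Prefer "-r true" (root login,
# valid only when mgmt_cli runs locally on the management server) so no
# password is exposed on the command line; fall back to the named-admin form
# from the procedure when MGMT_USER is set. Passwords containing a double
# quote or a dollar sign would need extra escaping before eval.
activation_command() {
    domain="$1"
    if [ -n "${MGMT_USER:-}" ]; then
        printf 'mgmt_cli make-server-active force true --domain "%s" --user "%s" --password "%s"\n' \
            "$domain" "$MGMT_USER" "${MGMT_PASSWORD:-}"
    else
        printf 'mgmt_cli make-server-active force true --domain "%s" -r true\n' "$domain"
    fi
}

# Activate each Domain given as an argument. Returns the number of failures,
# so a zero exit status means every Domain was activated.
activate_domains() {
    failed=0
    for domain in "$@"; do
        cmd="$(activation_command "$domain")"
        if [ "${MDS_PROMOTE_DRY_RUN:-0}" = "1" ]; then
            echo "[dry-run] mdsenv $domain && $cmd"
            continue
        fi
        # mdsenv is provided by the Check Point shell environment and sets the
        # per-Domain variables for the commands that follow in this shell.
        if ! mdsenv "$domain"; then
            echo "mdsenv $domain failed; skipping" >&2
            failed=$((failed + 1))
            continue
        fi
        echo "activating $domain"
        if ! eval "$cmd"; then
            echo "make-server-active failed for $domain" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```

Usage: `activate_domains Domain_A Domain_B` on the promoted Multi-Domain Server, listing only the Domains whose Domain Management Server has no High Availability peer; Domains that still have a peer are handled through the High Availability Status window as described in step 2.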
Restart Check Point Services on the Multi-Domain Server you promoted

Run these commands:
mdsstop
mdsstart