High Availability Disaster Recovery

If the primary Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. becomes permanently unavailable:

  		1.

    Note - This is not supported for environments with Endpoint Security.

    Step

    Instruction

    1

    Change the Secondary Management Server from Standby to Active.

    2

    Promote the Secondary Management Server to be Primary. Follow the procedure of promoting a Secondary Management Server (see Promote the Secondary Management Server to Primary and create new licenses. - no need to remove instances of the old Primary Management object and install database).

    3

    Install the new Secondary Management Server with the IP of the old Primary Management Server.

    4

    Reset SICClosed Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. and connect with SIC to the new Secondary Management Server

    To switch back to the original setup (to set the original Primary Management Server as the Primary Management Server again):

    Step

    Instruction

    1

    Change the new Secondary Management Server from Standby to Active.

    2

    Promote the new Secondary Management Server to be the Primary Management Server. Follow the procedure of promoting a Secondary Management Server (See Promote the Secondary Management Server to Primary and create new licenses. - no need to remove instances of the original Primary Management object and install database).

    3

    Install the new Secondary Management Server with the IP of the old Primary Management Server.

    4

    Reset SIC and connect with SIC to the Secondary Management Server

  2. The first Management Server installed is the Primary Server and all servers installed afterwards are Secondary servers. The Primary server acts as the synchronization master. When the Primary server is down, secondary servers cannot synchronize their databases until a Secondary is promoted to Primary and the initial sync completes.

    Note - This is the disaster recovery method supported for High Availability environments with Endpoint Security.

    Important - Check Point product licenses are linked to IP addresses. At the end of the disaster recovery you must make sure that licenses are correctly assigned to your servers.

    Before you start - make sure that the primary server is offline.

    Step

    Instruction

    1

    Set the Secondary server to Active.

    2

    On the Secondary Management Server that you will promote, run:

    #$FWDIR/bin/promote_util

    #cpstop

    3

    Remove the $FWDIR/conf/mgha* files. They contain information about the current Secondary settings. These files will be recreated when you start the Check Point services.

    4

    Make sure you have a mgmtha license on the newly promoted server.

    Note - All licenses must have the IP address of the promoted Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

    5

    Run cpstart on the promoted server.

    6

    Open SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., and:

    1. Remove all instances of the old Primary Management object.

      To see all of the instances, right-click the object and select Where Used.

      Note - When you remove the old Primary Management Server, all previous licenses are revoked.

    2. Install database.