High Availability Disaster Recovery
If the primary Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) becomes permanently unavailable, use one of these two options:
- Create a new Primary server with the IP address of the original Primary server.
Note - This is not supported for environments with Endpoint Security.
Step 1. Change the Secondary Management Server from Standby to Active.
Step 2. Promote the Secondary Management Server to be Primary. Follow the procedure of promoting a Secondary Management Server (see "Promote the Secondary Management Server to Primary and create new licenses" below); there is no need to remove instances of the old Primary Management object or to install the database.
Step 3. Install the new Secondary Management Server with the IP of the old Primary Management Server.
Step 4. Reset SIC (Secure Internal Communication, the Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, based on certificates issued by the ICA on a Check Point Management Server) and connect with SIC to the new Secondary Management Server.
To switch back to the original setup (to set the original Primary Management Server as the Primary Management Server again):
Step 1. Change the new Secondary Management Server from Standby to Active.
Step 2. Promote the new Secondary Management Server to be the Primary Management Server. Follow the procedure of promoting a Secondary Management Server (see "Promote the Secondary Management Server to Primary and create new licenses" below); there is no need to remove instances of the original Primary Management object or to install the database.
Step 3. Install the new Secondary Management Server with the IP of the old Primary Management Server.
Step 4. Reset SIC and connect with SIC to the Secondary Management Server.
- Promote the Secondary Management Server to Primary and create new licenses.
The first Management Server installed is the Primary Server and all servers installed afterwards are Secondary servers. The Primary server acts as the synchronization master. When the Primary server is down, secondary servers cannot synchronize their databases until a Secondary is promoted to Primary and the initial sync completes.
Note - This is the disaster recovery method supported for High Availability environments with Endpoint Security.
Important - Check Point product licenses are linked to IP addresses. At the end of the disaster recovery you must make sure that licenses are correctly assigned to your servers.
Before you start - make sure that the primary server is offline.
Step 1. Set the Secondary server to Active.
Step 2. On the Secondary Management Server that you will promote, run:
    # $FWDIR/bin/promote_util
    # cpstop
Step 3. Remove the $FWDIR/conf/mgha* files. They contain information about the current Secondary settings. These files will be recreated when you start the Check Point services.
Step 4. Make sure you have a mgmtha license on the newly promoted server.
Note - All licenses must have the IP address of the promoted Security Management Server.
Step 5. Run cpstart on the promoted server.
Step 6. Complete the following:
- Remove all instances of the old Primary Management object. To see all of the instances, right-click the object and select Where Used.
  Note - When you remove the old Primary Management Server, all previous licenses are revoked.
- Install database.
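As an added example that is not Check Point's own tooling, the following POSIX shell helpers wrap steps 2 to 5 of the promotion procedure: the mgha* cleanup, and a license gate that refuses to run cpstart until a mgmtha license bound to the promoted server's IP address is present (licenses are linked to IP addresses). FWDIR, the column layout of cplic print output and the sample license line are assumptions or constructed values.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling: helpers around steps 2-5 of
# the promotion procedure. Assumptions: FWDIR is set by the Check Point shell;
# 'cplic print' emits a "Host Expiration Features" header, then one license
# per line with the bound IP address in the first column.

# Step 3: delete the old Secondary state in $FWDIR/conf/mgha*. Prints the
# number of files removed; the files are recreated on the next cpstart.
remove_mgha_state() {
    n=0
    for f in "$1"/conf/mgha*; do
        [ -e "$f" ] || continue
        rm -f -- "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Step 4 gate: read license output on stdin; succeed only when every license
# is bound to the promoted server's IP and one of them carries mgmtha.
check_mgmtha_license() {
    awk -v ip="$1" '
        NR == 1 || NF == 0 { next }   # skip header and blank lines
        $1 != ip { bad++ }            # still bound to the old Primary IP
        /mgmtha/ { has++ }
        END { if (bad == 0 && has > 0) exit 0; exit 1 }
    '
}

# Constructed sample in the assumed layout, for an offline dry run.
SAMPLE_CPLIC='Host Expiration Features
192.0.2.10 never CPSB-EXAMPLE mgmtha CK-PLACEHOLDER'

dry_run_license_check() {
    printf '%s\n' "$SAMPLE_CPLIC" | check_mgmtha_license "$1"
}

# Steps 2-5 on the real server: refuses to cpstart until the license is right.
promote_secondary() {
    "$FWDIR/bin/promote_util"
    cpstop
    echo "removed $(remove_mgha_state "$FWDIR") mgha file(s)"
    cplic print | check_mgmtha_license "$1" || {
        echo "no mgmtha license bound to $1; fix licenses before cpstart" >&2
        return 1
    }
    cpstart
}
```

Run promote_secondary with the promoted server's IP address as its only argument; the dry-run function exercises the license gate without touching a real server.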