High Availability Disaster Recovery

The first Management Server installed is the Primary Server, and all servers installed afterwards are Secondary Servers. The Primary Server acts as the synchronization master. When the Primary Server is down, the Secondary Servers cannot synchronize their databases until one Secondary Server is promoted to Primary and its initial synchronization completes.

If the Primary Management Server becomes permanently unavailable:

Promote the Secondary Management Server to Primary, and install a new Secondary Server with the IP address of the original Primary Server.

Step 1 - Change the Secondary Management Server from Standby to Active.

Step 2 - Promote the Secondary Management Server to be Primary. In this disaster-recovery flow there is no need to remove the instances of the old Primary Management object or to install the database, because the new Secondary Server (step 3) takes over the IP address of the old Primary and reuses its object.

  To promote a Secondary Management Server to Primary (general procedure):

  Before you start - Make sure that the Primary Server is offline.

  1. Set the Secondary Server to Active.

  2. On the Secondary Management Server that you will promote, run:

    # $FWDIR/bin/promote_util

    # cpstop

  3. Remove the $FWDIR/conf/mgha* files. They contain the current Secondary settings. These files are recreated when you start the Check Point services.

  4. Make sure you have a mgmtha license on the newly promoted server.

    Note - All licenses must have the IP address of the promoted Security Management Server.

  5. Run cpstart on the promoted server.

  6. Open SmartConsole, and:

    1. Remove all instances of the old Primary Management object.

      To see all of the instances, right-click the object and select Where Used.

      Note - When you remove the old Primary Management Server object, all licenses previously attached to it are revoked.

    2. Install database.

    Note - Sub-steps 6.1 and 6.2 belong to the general promotion procedure. Skip them in this disaster-recovery flow, because the old Primary Management object is kept for the new Secondary Server installed in step 3.

Step 3 - Install the new Secondary Management Server with the IP address of the old Primary Management Server.

Step 4 - Reset SIC on the new Secondary Management Server, and establish SIC with it from SmartConsole.

To switch back to the original setup (to make the original Primary Management Server the Primary Management Server again):

Step 1 - Change the new Secondary Management Server (the server installed with the original Primary IP address) from Standby to Active.

Step 2 - Promote the new Secondary Management Server to be the Primary Management Server. Use the same promotion procedure as in step 2 of the disaster-recovery procedure above. Here the server that must be offline before you start is the server promoted during the disaster recovery, and again there is no need to remove its object or to install the database.

Step 3 - Install the server that was promoted during the disaster recovery as the new Secondary Management Server, keeping its IP address (it is the "old Primary" of this switch-back).

Step 4 - Reset SIC on that Secondary Management Server, and establish SIC with it from SmartConsole.

Important - Check Point product licenses are bound to IP addresses. At the end of the disaster recovery, make sure that the licenses are correctly attached to the servers that now hold the corresponding IP addresses.
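The command-line part of the promotion procedure (steps 2 to 5, which are run both during the disaster recovery and again when switching back) together with the license check from the Important note, as an added shell example. It is not code from the original page or from Check Point. It assumes Gaia expert mode on the Secondary Server being promoted, that $FWDIR is set by the Check Point shell environment, that cplic print lists one license per line with the bound host IP in the first column (assumed layout), and that the HA license line contains the string mgmtha (matched case-insensitively, an assumption). The ICMP check that the old Primary is unreachable is an added safeguard, not a step from the page; the sample cplic print text in the test is constructed.

```shell
#!/bin/bash
# Added example (not from the Check Point page): wraps the manual promotion
# steps so that each precondition is verified before the next command runs.
# Assumptions: Gaia expert mode on the Secondary; $FWDIR comes from the
# Check Point shell environment; 'cplic print' prints one license per line
# with the bound host IP in column 1 (assumed layout); the HA license line
# contains the string "mgmtha" (assumed, matched case-insensitively).
set -e

# Step 3 of the procedure: delete $FWDIR/conf/mgha* (current Secondary
# settings; recreated on cpstart). Prints how many files were removed.
remove_mgha_files() {
    conf_dir="$1"
    n=0
    for f in "$conf_dir"/mgha*; do
        [ -e "$f" ] || continue      # no match: the glob stays literal, skip it
        rm -f "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Step 4 of the procedure: reads cplic print output on stdin and succeeds
# only if a license line mentioning mgmtha is bound to this server's IP ($1).
# Column 1 is compared as a whole field, so 192.0.2.1 does not match 192.0.2.10.
has_mgmtha_license_for_ip() {
    awk -v me="$1" 'BEGIN { rc = 1 }
        tolower($0) ~ /mgmtha/ && $1 == me { rc = 0 }
        END { exit rc }'
}

# Important note of the page: licenses are bound to IP addresses. Reads
# cplic print output on stdin and prints every host IP that is not $1,
# i.e. licenses that still point at another server and must be reissued.
licenses_not_bound_to() {
    awk -v me="$1" 'NR > 1 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $1 != me { print $1 }' | sort -u
}

# Full sequence on the Secondary being promoted. $1 = this server's IP,
# $2 = the old Primary's IP. Refuses to run promote_util while the old
# Primary still answers ICMP (added safeguard for "make sure that the
# Primary Server is offline").
promote_secondary() {
    my_ip="$1"; primary_ip="$2"
    if ping -c 2 -W 2 "$primary_ip" >/dev/null 2>&1; then
        echo "refusing to promote: old Primary $primary_ip is still reachable" >&2
        return 1
    fi
    "$FWDIR/bin/promote_util"                                        # step 2
    cpstop
    echo "removed $(remove_mgha_files "$FWDIR/conf") mgha file(s)"   # step 3
    lic="$(cplic print)"                                             # step 4
    if ! printf '%s\n' "$lic" | has_mgmtha_license_for_ip "$my_ip"; then
        echo "no mgmtha license bound to $my_ip; attach one before cpstart" >&2
        return 2
    fi
    stale="$(printf '%s\n' "$lic" | licenses_not_bound_to "$my_ip")"
    [ -z "$stale" ] || echo "warning: licenses still bound to: $stale" >&2
    cpstart                                                          # step 5
    echo "promoted; finish in SmartConsole and reinstall the old Primary as a Secondary"
}

# Runs only when invoked with both IPs, e.g.: ./promote.sh 192.0.2.10 192.0.2.11
if [ "$#" -eq 2 ]; then
    promote_secondary "$1" "$2"
fi
```

The helper functions are kept free of Check Point commands so the mgha cleanup and the license parsing can be rehearsed on any Linux host before the real outage; only promote_secondary touches promote_util, cpstop, cplic and cpstart.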