High Availability ? yes or no

[switzer]

Hi All

We are currently going through a DR re- organisation.
We want to have two Smart Servers and we want them
to synchronise.
Do we have to put the NGX Firewalls in HA ,or do we have
to put the Smart Servers in HA in order to synchronise the
rule base or is there another way for them to synchronise
say at midnight each day without putting them in HA as
these are intended as Disaster Recovery and are not needed
as HA.
Hope that makes sense

Steve

[RayPesek]

How often do you make changes and how many firewalls do you manage? If it's just your company, you probably don't need the extremely high cost of management HA. For most usage, a firewall with hard drives will keep on working for a week even if the SmartCenter is down. If you use certificates, you may have to reset the CRL lifetime to a week. I don't remember if that is the default or not.

We snapshot ours once a night and will restore it to the DR site on a VLAN that's IP'd the same.

The problem with having two running SmartCenters, synchronized or not, is you have to license both of them.

Ray

[cciesec2006]

Problem with Management HA is that it is NOT stable. If the primary goes
down and you use the secondary to push policy. After the primary
comes back online, you get COLLISION which is NOT good. It is a broken
product if you ask me

Not to mention that it is expensive as well. Not worth the money


my 2c.

[chillyjim]

It's included with SmartCenter Pro/Power (You do need the second SmartCenter though).

I too have seen problems with sync/collision at some sites and at others it just works. No rhyme or reason that I've been able to come up with.

[cciesec2006]

"I too have seen problems with sync/collision at some sites and at others it just works. No rhyme or reason that I've been able to come up with."

This is the reason why I do NOT want to bring up to my management about
adding a backup SmartCenter to our production CMA. I do not want to be
the one to be fired when things go bad.

Until Checkpoint can prove that this Management HA is stable, my
recommendation is to stay away from it.

I first learned about Management HA back in 2004 and I think it is a great
concept. It is too bad that it is not stable.

[chuachongchee]

Hmm... not too sure though... have not had major issues with the sync state, if you ask me.. i would think its more of a user problem??

The admins themselves have to know what they are doing? Login only to the primary, do what they need to....

But i have seen the management servers swing over to the backup for no apparent reason though, i do think it might be an admin mistakely promoted the backup to active, but this is my theory, happened only once since...

Have also seen admins unable to login to the pri scs, and things seem to lockup, have advised them to do a cprestart on primary and force sync from sec to pri, works soo far?

Jus my 2 cents... oh.. Mgmt HA is on RHEL Linux update 9, Checkpoint NGX R65 HFA_02

[lammbo]

I have been running HA for quite some time (through a myriad of versions) and have had little to no issue.

IMHO, the most common issue that breaks HA in SCS is when the products list is different. This one time, at band camp.. Oh sorry, wrong story. Seriously though, the largest issue I had was when I demo'd the older version of Reporter when it was an add-on to the SCS. Because I didn't have the same products installed on both servers, sync broke. It took CP a while to figure that one out but once it was fixed, all was well again.

I choose to sync when database is saved as opposed to when policy is pushed but as stated earlier, it is automatic based on one of those events.

[coldark]

Notwithstanding the answers from the other ppl on the good the bad and the ugly of CheckPoint management HA.

Quote:

Originally Posted by switzer

Do we have to put the NGX Firewalls in HA

No - the firewalls have absolutely nothing to do with Management HA.

Quote:

Originally Posted by switzer

do we have to put the Smart Servers in HA in order to synchronise the rule base or is there another way for them to synchronise say at midnight each day without putting them in HA as these are intended as Disaster Recovery and are not needed as HA.

Management HA allows you to synchronise on one or more of the following occasions:
1) Policy Push
2) Policy Save
3) A Scheduled Event (at a certain TIME as you suggest in your post)
4) Manually by clicking a synchronise button.

Management HA is NOT like FW HA(Clustering) there is no heartbeat or synchronisation continually occuring - it only happens on one or more of the listed occasions.

In order for Management Synchronisation to occur you DO have to have one Primary and one or more Secondary SmartCenter Servers configured in high Availability Mode - it is impossible to use the CheckPoint HA facility with a sort of Cold Standby Secondary - although thinking about it - as long as the Standby box is ONLINE when you choose to synch then that will work.