| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hi All, We are currently going through a DR re-organisation. We want to have two Smart Servers and we want them to synchronise. Do we have to put the NGX Firewalls in HA or do we have to put the Smart Servers in HA in order to synchronise the rule base, or is there another way for them to synchronise, say at midnight each day, without putting them in HA, as these are intended as Disaster Recovery and are not needed as HA? Hope that makes sense. Steve |
| |||
| You need to get a licence for a secondary management server. You then load the Check Point software onto the secondary management server (when you install the Check Point software you simply specify a tick box saying "secondary management server"). Once you've installed the Check Point software on the server you then have to go to the existing management server and create a new Check Point object to represent the secondary management server. You then configure it to replicate with the secondary server (go into "manage high availability"). The two servers will act in active/standby mode, not HA. |
| |||
| You can either have it synchronize on policy install, or when you save the security policy. It will actually do the synchronization automatically. One thing you will need to do though after building the secondary SMARTCenter is resic all of the existing gateways so that they know about the secondary management server and will establish a connection with it if the Primary SMARTCenter fails. The secondary SMARTCenter license needs to be installed with the IP of the secondary SMARTCenter. I also like to manually define my SMARTCenters on the gateways afterwards. The secondary SMARTCenter will not accept connections for logging etc. unless you manually promote the SMARTCenter to become primary or it detects that the Primary has failed and the gateways start connecting to the secondary server. I also ensure that I define my gateways with their public IP address and place manual routes on the internal network to get to them if necessary. This way when the failover occurs the secondary can still communicate with the gateway at the primary site. |
| |||
| "One thing you will need to do though after building the secondary SMARTCenter is resic all of the existing gateways so that they know about the secondary management server and will establish a connection with it if the Primary SMARTCenter fails." The above statement is not true; the ICA operations are pushed to the second mgmt station. You just need to set up SIC with this mgmt station and sync. Then open each firewall object and add the backup mgmt to the Masters list if it does not do it automatically. |