CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Management Server HA in AWS

  1. #1 Management Server HA in AWS

    Hi, can someone let me know whether we can configure HA for a management server in the Amazon Web Services cloud?
    ClusterXL is not supported in AWS.

  2. #2 Re: Management Server HA in AWS

    Management HA uses ClusterXL, and thus will not work with AWS.

  3. #3 Re: Management Server HA in AWS

    Quote, originally posted by jdmoore0883:
    Management HA uses ClusterXL, and thus will not work with AWS.

    This is actually incorrect. ClusterXL is only for gateway clustering. Management HA works entirely differently and doesn't even require any significant level of heartbeat, active synchronization, or any automatic traffic between the SmartCenters. In fact, we're talking apples to oranges here.

    Management HA is not clustering. MHA Synchronization is only necessary after making management changes (policies, objects, licenses, certificates, etc.), and even then it's not actually required (of course, any standby that takes over without having been synchronized would be a bit "behind the times"). That synchronization can occur automatically on a schedule, when policies are installed, or manually, but it doesn't require the active state sync mechanism that ClusterXL and VRRP do for gateway clustering. Management HA sync simply performs database updates when it needs to (or is told to). For the most part, the primary management server and any secondary (or secondaries) aren't very different from any standalone management.

    Therefore, I don't see any reason that it wouldn't be possible. As long as you select "Secondary Management" when going through the First Time Configuration Wizard you should be all set (assuming you've already built a Primary). Please note that I have not done this, so I can't confirm in practice, only in theory.

    All of that said, I'm curious as to why you want to. AWS is supposed to be reliable enough that you wouldn't need MHA. If instead you're looking for an AWS management to partner with a non-AWS (on-site) management, that could be a bit tricky. My guess is that you'd be fine, but the requirements for MHA state that SmartCenters must be on the same platform (no prob) and have the same software and HFAs (makes sense). I'm also pretty sure I remember something about MHA not being supported between VMware and physical SmartCenters, but I'll admit that I can't figure out why.

    If you have more specifics on the requirements I'd be happy to think it over. I'm also curious to see if anyone else chimes in with either good or bad experience in trying this.

    -E
    Last edited by EricAnderson; 2015-01-21 at 13:26. Reason: fix typos

  4. #4 Re: Management Server HA in AWS

    Hi Erick, thanks for the detailed explanation. I am not sure how stable the Amazon cloud environment will be since everything is virtual; to be on the safer end I am planning to deploy the MHA in two different regions.

    I have the answer now, thanks for the help, much appreciated. I will update you after implementing it in practice.

  5. #5 Re: Management Server HA in AWS

    Quote, originally posted by EricAnderson:
    AWS is supposed to be reliable enough. -E

    Is this something you know first hand from reliable sources or just hearsay?

  6. #6 Re: Management Server HA in AWS

    Quote, originally posted by hemanthsec:
    Hi Erick, thanks for the detailed explanation. I am not sure how stable the Amazon cloud environment will be since everything is virtual; to be on the safer end I am planning to deploy the MHA in two different regions.

    I have the answer now, thanks for the help, much appreciated. I will update you after implementing it in practice.

    Fair enough, but I'm still curious as to the entire architecture. Are you deploying gateways in AWS, or just looking to use it for management?

    AWS support is still relatively new and I have no idea how widely (or in what numbers) AWS is being used for Check Point. However, most of the design examples are the other way around, with AWS gateways managed by existing physical SmartCenters. The typical idea is to use AWS gateways to extend protection to your AWS Software-Defined Data Center. This is also the goal of the new support for MS Azure.

    -E

  7. #7 Re: Management Server HA in AWS

    Quote, originally posted by cciesec2006:
    Is this something you know first hand from reliable sources or just hearsay?

    I tried to choose my words carefully and said "is supposed to be". To be clearer, I'll make no personal claims whatsoever to the ultimate strength, reliability, or viability of the AWS platform. My exposure has only been for testing of concept, not stress. I also haven't heard any significant stories from clients, either of the success or horror variety. Better?

    As I mentioned in the above post, the more common design is to use AWS gateways to extend gateway/blade protection to your AWS cloud infrastructure (or Software-Defined Data Center). I'd have to think that if it's reliable enough for your production servers, it'd be reliable enough for the gateways protecting them. If not, the use of SDDC should be reconsidered.

    Ultimately it will usually come down to very personal and subjective criteria. Even the theoretical use of AWS (or Azure for that matter) for only management servers could be a viable alternative to using a physical location that's in a region with notoriously unreliable bandwidth or power.

    -E
    Last edited by EricAnderson; 2015-01-21 at 16:36.

  8. #8 Re: Management Server HA in AWS

    I stand corrected, thanks for the info guys. ClusterXL is indeed NOT used by Management HA.

    I did some internal digging and got some more info.

    The Sync is handled by the CPD and FWM. Services/Ports used for this traffic are CPMI (TCP Port 18190), and CP_redundant (TCP Port 18221).

    So, theoretically Management HA *SHOULD* work. As for official support, I will do some more digging and see what I can determine.

  9. #9 Re: Management Server HA in AWS

    In general, running Management is supported in AWS.
    Because Management HA uses TCP protocols (if I recall correctly), it should work/be supported in AWS just like regular (non-HA) management is, provided you have set up the Security Groups/Network ACLs to allow the traffic.
    If it used Multicast like ClusterXL does, it wouldn't work/be supported.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
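    Posts #8 and #9 together give the defender's checklist: the sync is plain TCP on 18190 (CPMI) and 18221 (CP_redundant), and the AWS Security Groups must admit exactly that between the two management servers. The following added example (not from this thread or from Check Point) audits a constructed list of ingress rules in the shape of EC2 `IpPermissions`, reporting for each MHA port whether the peer is allowed from its /32 only, allowed by an overly broad CIDR, or not allowed at all; the rule shape, the port table and the sample addresses are assumptions.

```python
import ipaddress

# TCP ports the thread names for Management HA sync (post #8).
MHA_PORTS = {18190: "CPMI", 18221: "CP_redundant"}

def rule_covers_port(rule, port):
    """True if an EC2-style ingress rule admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def check_mha_rules(ip_permissions, peer_ip):
    """Return {port: verdict}: 'ok' if only the peer's /32 may reach the
    port, 'too-broad' if a wider CIDR also can, 'missing' if nothing can."""
    peer = ipaddress.ip_address(peer_ip)
    verdicts = {}
    for port in MHA_PORTS:
        prefixes = set()
        for rule in ip_permissions:
            if not rule_covers_port(rule, port):
                continue
            for rng in rule.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if peer in net:
                    prefixes.add(net.prefixlen)
        if not prefixes:
            verdicts[port] = "missing"
        elif min(prefixes) < 32:           # something wider than the peer alone
            verdicts[port] = "too-broad"
        else:
            verdicts[port] = "ok"
    return verdicts

# Constructed sample (not real data): the primary's security group rules,
# checked from the point of view of a secondary at 10.0.2.10.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 18190, "ToPort": 18190,
     "IpRanges": [{"CidrIp": "10.0.2.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 18221, "ToPort": 18221,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},     # works, but far too open
]
PEER_IP = "10.0.2.10"

if __name__ == "__main__":
    for port, verdict in check_mha_rules(SAMPLE_RULES, PEER_IP).items():
        print(f"{MHA_PORTS[port]} tcp/{port}: {verdict}")
```

    Run the same check against the secondary's group with the primary's address as the peer, since either side may need to reach the other.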

  10. #10 Re: Management Server HA in AWS

    Thanks guys, I have deployed the management server in HA and it works fine in AWS.

    Recently Check Point has made a new release to support clustering of security gateways in AWS; please refer to sk104418.

    By the way, I have one more question: is it possible to use a dedicated interface for MGT SYNC traffic, as we select a SYNC interface when we configure clustering on a security gateway? At present I don't see any such option while configuring HA for the management server.

  11. #11 Re: Management Server HA in AWS

    Glad to hear it's working. Well done.

    As for SYNC, remember that management is a different animal. The sync traffic is minimal (no heartbeat or constant traffic at all) and simply follows whatever path the routing table(s) send it by. You could dedicate interfaces, but you'd also have to change the main IP addresses so that they use those to communicate. That would create other possible issues, and really gain you nothing.

    Is there a reason that I'm missing?

    -E
