CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Recovery of Smart Center at DR Site

  1. #1
    Join Date
    2016-12-20
    Posts
    3
    Rep Power
    0

    Recovery of Smart Center at DR Site

    I've had a look around and Googled for hours and haven't been able to find a good fit for the question I'm about to pose so I thought I'd ask you good folks to see if you can help. I hope you can!

    The situation I have is that I need to be able to recover our Smart Center server at our DR site. I've just inherited the current setup and I've been told that we don't have budget for an HA pair of new Smart appliances for at least a year so for now I need to make the best of what I have.

    In our main data center we have a pair of 4600s in HA and a Smart-1 25 management appliance (this is the one I want to upgrade).
    In DR we have a 4207 which is also managed by the Smart-1 25 in the main site.

    All of the above are currently on R75.46 (I know!). But I'll be upgrading these to R77.30 in the coming weeks.

    The issue I have highlighted is that in a DR situation, I will not be able to manage the 4207, so if there were any changes to the policy required we're essentially up the river.

    Now, I have been tasked with finding a way around this without plumping for a pair of Smart appliances.

    Added complications are that the main site and DR site are using different subnets, both have internet links as we run internet facing websites which would need to be recovered in DR and there's MPLS connecting the main site, DR site and 2 other satellite offices (which also have 4207s in the IPVPN). As such, I wouldn't be able to use the same IP addressing in DR for any Smart Center server.

    I don't necessarily wish to be able to manage the satellite 4207s, just the one in DR.

    Any help would be greatly appreciated!

  2. #2
    Join Date
    2014-09-02
    Posts
    212
    Rep Power
    10

    Re: Recovery of Smart Center at DR Site

    The thread you need to read is here:
    https://www.cpug.org/forums/showthre...t=ericanderson

    It was brought up almost exactly two years ago, and elicited some cool discussion. In short, Management HA is the way to go, but it's not cheap. The "workaround" I suggested and tested may not work forever, and may not be completely within license terms. I haven't heard any responses either way.

    Take a read, and let me know what you think.

    -E

  3. #3
    Join Date
    2016-12-20
    Posts
    3
    Rep Power
    0

    Re: Recovery of Smart Center at DR Site

    Thanks very much for the reply Eric. Apologies for not getting back sooner but I've been out of the office for a couple of days.

    This sounds like the perfect solution but for one issue - the current management server is not a VM, it's a Smart-1 25 hardware appliance.

    Do you think I'd be able to get round this by either of these solutions:

    1. Replace Smart-1 25 with virtual appliance, reusing the same license as the hardware appliance is currently using? or;

    2. Configure an additional ethernet port on the hardware appliance, create a new VM appliance at DR with the same IPs and use export/import to copy over the config from hardware to software?


    I don't have any idea if the above is feasible, just thinking.

  4. #4
    Join Date
    2014-09-02
    Posts
    212
    Rep Power
    10

    Re: Recovery of Smart Center at DR Site

    Quote Originally Posted by burden010 View Post
    This sounds like the perfect solution but for one issue - the current management server is not a VM, it's a Smart-1 25 hardware appliance.

    Do you think I'd be able to get round this by either of these solutions:

    1. Replace Smart-1 25 with virtual appliance, reusing the same license as the hardware appliance is currently using? or;

    2. Configure an additional ethernet port on the hardware appliance, create a new VM appliance at DR with the same IPs and use export/import to copy over the config from hardware to software?

    Unfortunately, the licenses that come with appliances are only for those appliances. It's not [legally] possible to use them on an open server. You may be able to "trade in" your Smart-1 for an open server license, but that definitely won't be free. Even then, the legality of the method I mentioned in that other post is still unconfirmed. I think in spirit it would be OK (as there's only one instance of the server running at any one time), but it flies in the face of the Management HA concept.

    If you're truly stuck with one server (appliance or otherwise), you may simply want to consider where it should be located. Some DR sites are more reliable, but more remote and expensive to scale. If that's the case, you could consider locating the SMS there, and managing the main site remotely. Alternatively, there's the idea of hosting (or co-locating) the SMS in a more reliable, cloud-based environment.

    Just thinking out loud here. What you're up against is the fact that Check Point does have a solution. I love trying to be creative, but cutting corners isn't always the best option.

    -E

  5. #5
    Join Date
    2016-12-20
    Posts
    3
    Rep Power
    0

    Re: Recovery of Smart Center at DR Site

    Quote Originally Posted by EricAnderson View Post
    Unfortunately, the licenses that come with appliances are only for those appliances. It's not [legally] possible to use them on an open server. You may be able to "trade in" your Smart-1 for an open server license, but that definitely won't be free. Even then, the legality of the method I mentioned in that other post is still unconfirmed. I think in spirit it would be OK (as there's only one instance of the server running at any one time), but it flies in the face of the Management HA concept.

    If you're truly stuck with one server (appliance or otherwise), you may simply want to consider where it should be located. Some DR sites are more reliable, but more remote and expensive to scale. If that's the case, you could consider locating the SMS there, and managing the main site remotely. Alternatively, there's the idea of hosting (or co-locating) the SMS in a more reliable, cloud-based environment.

    Just thinking out loud here. What you're up against is the fact that Check Point does have a solution. I love trying to be creative, but cutting corners isn't always the best option.

    -E
    As you say, I think, in principle at least, we might be OK as we're only using one instance at any time.

    The bigger issue is the fact I have a Smart appliance. I've been told that we don't have the budget so that's on management, but at the end of the day it will be me who's pulling his hair out trying to find a solution right at the time I don't need the hassle.

    With regards to the licensing, forgive me if I'm wrong but isn't there a trial licence of 30 days or so? Could I get around this issue using that? If I did an export/import but used a trial lic on the open server could that solve my woes until I manage to get a proper solution in place?

  6. #6
    Join Date
    2006-09-26
    Posts
    2,736
    Rep Power
    13

    Re: Recovery of Smart Center at DR Site

    Quote Originally Posted by burden010 View Post
    As you say, I think, in principle at least, we might be OK as we're only using one instance at any time.

    The bigger issue is the fact I have a Smart appliance. I've been told that we don't have the budget so that's on management, but at the end of the day it will be me who's pulling his hair out trying to find a solution right at the time I don't need the hassle.

    With regards to the licensing, forgive me if I'm wrong but isn't there a trial licence of 30 days or so? Could I get around this issue using that? If I did an export/import but used a trial lic on the open server could that solve my woes until I manage to get a proper solution in place?
    I am trying not to pay for Check Point license and support as much as possible, legally. I am also trying to avoid H/A SmartCenter/Management server as much as possible because it is not stable either.

    We have the exact same scenario in our environment as you. We have a Primary Data Center and DR Data Center. We have a "live" Provider-1 in our Primary DC to manage firewalls in both Primary and DR Data Center but we're not using HA, and here is how we do it:

    a- We set up a Check Point "management" network of 192.168.1.0/24 and this is a "floating" network, meaning that with a routing change, we can move this network between the Primary DC and the DR Center at any time.
    b- build our "live" provider-1 or SmartCenter appliance with IP address of 192.168.1.1/24 (example here), and use this to manage all of the firewalls in both the Primary and DR Data Centers,
    c- perform a daily mds_backup (if you have provider-1), or migrate_export (if you have SmartCenter) and move the file over to a safe and secure external SFTP server,
    d- build a "backup" provider-1 or SmartCenter on either a VM ESXi or just a standalone physical server with the same IP address and host name as the appliance. Best to do it in the lab and get it ready. Keep in mind that you will NOT have network connectivity to this host, only console access but that is good enough.

    ----

    Now a disaster occurs; let's assume your primary DC is dead and unreachable.

    a- bring up the network 192.168.1.0/24 in your DR. This can be done with routing
    b- now that you have connectivity to your "backup" SmartCenter,
    c- copy the backup from the external SFTP server to the SmartCenter,
    d- now perform migrate_import. It should take no more than 5 minutes
    e- now you should have connectivity between the "new" SmartCenter with the gateways, WITHOUT CHANGING ANYTHING. THIS IS JUST LIKE YOUR PREVIOUS SMARTCENTER IN YOUR PRIMARY DC
    f- push the policy to the gateways to confirm that everything works

    Easy right?

    I've found this approach works MUCH better and cheaper than the H/A Smart-1 appliance advertised by Check Point. Based on my experience with Check Point Management H/A in version R55 and R55w, it is really buggy. You will run into a "collision" issue somewhere along the way.

    Disclaimer: I've NOT tested the migrate_import and migrate_export since version NGx R70 but I've done mds_backup and mds_restore on provider-1 in version 77.30 and even R80 and it works out well. In version 75.x, you can use the same license on the smart-1 appliance over to the open server as well. Whether that is supported, that's another matter.

  7. #7
    Join Date
    2014-09-02
    Posts
    212
    Rep Power
    10

    Re: Recovery of Smart Center at DR Site

    Quote Originally Posted by cciesec2006 View Post
    I am also trying to avoid H/A SmartCenter/Management server as much as possible because it is not stable either.
    I'm really not sure where/how you find Management HA unstable. It's pretty rock-solid for what it does, which is relatively simple...

    Quote Originally Posted by cciesec2006 View Post
    Based on my experience with Check Point Management H/A in version R55 and R55w, it is really buggy. You will run into a "collision" issue somewhere along the way.
    ...really? That's like complaining that Windows 3.11 is unstable on my 7th Gen i7 laptop, or (for the Apple folks) that MacOS is unstable on my new Macbook. You know better than that ;)

    Currently (and for many versions/years now), Management HA is very solid. Collisions will only occur if changes are made on more than one active SMS, which should be avoidable. Of course, MDS adds some fun to the mix, but the OP is talking about a single MDS - and only using HA for DR.


    Quote Originally Posted by cciesec2006 View Post
    In version 75.x, you can use the same license on the smart-1 appliance over to the open server as well. Whether that is supported, that's another matter.
    While the only license validation/checking I'm aware of is still simply based on IP address (meaning this will work), it's still not legal (never mind "supported"). I really want to avoid discussions over how to "get around" licensing issues. It wouldn't be that hard for CP to do more to enforce license restrictions, but I'd rather they not be forced to.


    Don't get me wrong, cciesec2006, the rest of the solution is exactly what we're all interested in and try to offer up. I think most viable options hinge on running SMS in a VM/open-server manner. Physical appliances are geographically limiting.


    -E

  8. #8
    Join Date
    2006-09-26
    Posts
    2,736
    Rep Power
    13

    Re: Recovery of Smart Center at DR Site

    Quote Originally Posted by EricAnderson View Post
    I'm really not sure where/how you find Management HA unstable. It's pretty rock-solid for what it does, which is relatively simple...
    The problem with this thinking is that your Check Point Management is an "application" and it has to "rely" on the network for transport. If the network itself is not stable, you will experience collision.
    It happens more than you think.

    Quote Originally Posted by EricAnderson View Post
    Currently (and for many versions/years now), Management HA is very solid. Collisions will only occur if changes are made on more than one active SMS, which should be avoidable. Of course, MDS adds some fun to the mix, but the OP is talking about a single MDS - and only using HA for DR.
    I can't really comment on SmartCenter, my experience is only with MDS/CMA and I can say from my personal experience, I'd rather stay away from H/A. Yes, H/A or even Active/Active on gateways is a must. H/A on Management is not desirable, IMHO. If you have a solid backup and engineering design, like mine :-), Management H/A is not necessary.



    Quote Originally Posted by EricAnderson View Post
    While the only license validation/checking I'm aware of is still simply based on IP address (meaning this will work), it's still not legal (never mind "supported"). I really want to avoid discussions over how to "get around" licensing issues. It wouldn't be that hard for CP to do more to enforce license restrictions, but I'd rather they not be forced to.


    Quote Originally Posted by EricAnderson View Post
    I think most viable options hinge on running SMS in a VM/open-server manner. Physical appliances are geographically limiting.
    I like VMware ESX as well; however, based on my experience, I would not use a VM to run Check Point in a production environment. For lab and QA, yes, but not production. There are many things that can go wrong with a VM, especially in a critical environment :-)

    my 2c

  9. #9
    Join Date
    2014-09-02
    Posts
    212
    Rep Power
    10

    Re: Recovery of Smart Center at DR Site

    I really don't want to hijack this thread with a discussion on the validity of Management HA, but I do want to clarify what's being discussed, even if the OP has no budget for it.


    Quote Originally Posted by cciesec2006 View Post
    I can't really comment on SmartCenter, my experience is only with MDS/CMA and I can say from my personal experience, I'd rather stay away from H/A.
    As with citing experiences based on R5x, this isn't really relevant to the OP's situation. I'd prefer we refrain from making recommendations, either for or against something, based off of a completely different experience. For example, many of the issues that plague gateway load-sharing clusters have no bearing on the merits of gateway HA clusters, so I wouldn't want to talk someone out of clustering based on a different use case.


    Quote Originally Posted by cciesec2006 View Post
    The problem with this thinking is that your Checkpoint Management is an "application" and it has to "rely" on the network for transport. If the network itself is not stable, you will experience collision.
    It happens more than you think
    I'm concerned that the use or expectation of Management HA is somehow incorrect, and that others may be incorrectly scared off.

    Just for the understanding of those who aren't familiar with it, Management HA allows creation of "secondary" management servers. Servers then synchronize policies, objects, licenses, users, internal certificate authority, etc. Sync can be set to automatic (either on schedule or upon policy install), manual, or both. Once built and synchronized, any SMS can be "Active", but all others are intended to be "Standby". Just as you can only have one Admin in read/write (to avoid database corruption), you can [or are supposed to] only have one Active SMS.

    When a standby SMS is made active, it first tries to make the currently active SMS go into standby. If it can't reach it (as would be the case in a DR situation), it becomes active and allows read/write. If the other SMS remains active (but was just not reachable), and if changes are made on both without synchronization, then you have a collision. Network reliability, or even a complete outage, will not cause a collision by itself. This should not be a common occurrence, and should not be a big deterrent from deploying HA.



    -E
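    A small model of the Active/Standby and collision rules described in the post above, added here as an example (not Check Point's code or anyone's from this thread): two servers, the link between them, a standby that can only be promoted cleanly when the peer is reachable, and a sync that refuses divergent changes. The class and field names are assumptions made for the model.

```python
from dataclasses import dataclass

@dataclass
class Sms:
    name: str
    active: bool = False
    synced_rev: int = 0      # last revision both servers agreed on
    local_changes: int = 0   # read/write changes made since that revision

class MgmtHa:
    # Two management servers and the sync link between them (hypothetical model).
    def __init__(self):
        self.primary = Sms("primary", active=True)
        self.secondary = Sms("secondary")
        self.link_up = True

    def change(self, sms):
        # Only the Active server accepts a read/write admin session.
        if not sms.active:
            raise PermissionError(f"{sms.name} is standby (read-only)")
        sms.local_changes += 1

    def make_active(self, sms):
        # The standby first tries to put the current Active into standby; if the
        # peer is unreachable it becomes Active anyway and the peer keeps its state.
        peer = self.secondary if sms is self.primary else self.primary
        if self.link_up:
            peer.active = False
        sms.active = True

    def collision(self):
        # Collision = unsynchronised changes on both servers at once.
        return self.primary.local_changes > 0 and self.secondary.local_changes > 0

    def synchronize(self):
        # Sync needs the link and refuses to merge divergent changes.
        if not self.link_up:
            return False
        if self.collision():
            raise RuntimeError("collision: changes on both servers since last sync")
        src = self.primary if self.primary.local_changes else self.secondary
        rev = src.synced_rev + src.local_changes
        for s in (self.primary, self.secondary):
            s.synced_rev, s.local_changes = rev, 0
        return True

def outage_only():
    # Link drops, the Active keeps working, link returns: no collision, sync OK.
    ha = MgmtHa()
    ha.link_up = False
    ha.change(ha.primary)
    ha.link_up = True
    return ha.collision(), ha.synchronize()

def dr_failover(primary_also_edited):
    # Primary site unreachable; the secondary is made Active and edited.
    ha = MgmtHa()
    ha.link_up = False
    ha.make_active(ha.secondary)    # primary cannot be told to stand by
    ha.change(ha.secondary)
    if primary_also_edited:         # someone also edits the "dead" primary
        ha.change(ha.primary)
    ha.link_up = True
    return ha.collision()
```

    The two scenarios reproduce the point made above: an outage by itself never produces a collision, only edits on two Actives that were never synchronized do.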

  10. #10
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    644
    Rep Power
    11

    Re: Recovery of Smart Center at DR Site

    I second Eric here. MGMT HA is the standard way to maintain proper management pair for the main and DR sites. You can be creative, of course, but MGMT HA is working out of the box, quite simple to set up and very reliable.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  11. #11
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    495
    Rep Power
    4

    Re: Recovery of Smart Center at DR Site

    Quote Originally Posted by EricAnderson View Post
    I really don't want to hijack this thread with a discussion on the validity of Management HA, but I do want to clarify what's being discussed, even if the OP has no budget for it.

    Just for the understanding of those who aren't familiar with it, Management HA allows creation of "secondary" management servers. Servers then synchronize policies, objects, licenses, users, internal certificate authority, etc. Sync can be set to automatic (either on schedule or upon policy install), manual, or both. Once built and synchronized, any SMS can be "Active", but all others are intended to be "Standby". Just as you can only have one Admin in read/write (to avoid database corruption), you can [or are supposed to] only have one Active SMS.

    When a standby SMS is made active, it first tries to make the currently active SMS go into standby. If it can't reach it (as would be the case in a DR situation), it becomes active and allows read/write. If the other SMS remains active (but was just not reachable), and if changes are made on both without synchronization, then you have a collision. Network reliability, or even a complete outage, will not cause a collision by itself. This should not be a common occurrence, and should not be a big deterrent from deploying HA.



    -E

    Any idea if R80 mgmt. server adds any significant changes?

  12. #12
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    644
    Rep Power
    11

    Re: Recovery of Smart Center at DR Site

    Quote Originally Posted by laf_c View Post
    Any idea if R80 mgmt. server adds any significant changes?
    No, same as before. This is by design.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
