CPUG: The Check Point User Group


Thread: What to do in this scenario?

  1. #1
    Join Date
    2008-07-15
    Posts
    7
    Rep Power
    0

    Default What to do in this scenario?

    Hi All,

    Apologies if this post is in the wrong section, but didn't want to cross post..

    Anyway... this is the scenario.

    Company xyz has 10 branch offices which are all centrally managed in company xyz's HQ. The firewalls are all NGX R60. They are all also licensed centrally. All branch offices connect to the HQ via VPN, and as such can talk to each other.

    One day, company xyz's HQ disappears off the face of the earth, taking the smart center server with it.

    How would you go about creating a new smart center server, to be able to manage some or all of the firewalls again? In this scenario, there would be no way to re-use the original smart center server IP address.

    I guess the licensing is a very tricky part of it too.

    What could be done to negate the effects of this disaster? Could you take a backup of the license files before the disaster and deploy this backup through a new smart center server? Would new licenses need to be acquired?

    How would you enable the remaining firewalls to talk to the new policy server? Would you just reset SIC on all the remaining firewalls and create a new certificate for the VPN?

    All ideas would be most welcome... apologies if this has been covered elsewhere, I couldn't find a similar scenario...

    Cheers, Adam.

  2. #2
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,172
    Rep Power
    15

    Default Re: What to do in this scenario?

    The easiest way to avoid this is to designate a secondary site and deploy an HA SCS now, before you have an issue.

    Or...
    You would need to keep a copy of your latest upgrade_export off-site. Assuming you have any BCDR policies at your company, this should already be in your current 'need to have it' list.

    Then, using new server hardware, you can build a new SCS and import your config. If you ensure that your hostname (FQDN) and internal IP are exactly the same, you can get your new SCS back up and running.

    Hmmm... now the only issue you have to deal with is the network at site xyz is not there... This could be tricky. I'm not sure how to deal with this part and have to run so I can't complete this. Maybe someone else has ideas on it.
    There's no place like 127.0.0.1

  3. #3
    Join Date
    2007-06-04
    Posts
    3,304
    Rep Power
    17

    Default Re: What to do in this scenario?

    Well my SMARTCenter would be on a private IP address, so that could be used at the new location anyway as it is a private IP. All that would change would be the public IP that would need to NAT to. As I license on the private SMARTCenter IP then this has no effect on my licenses. A very good reason why you build separate SMARTCenter and Gateways rather than installing all on one. This also has the advantage that if I change my public IP range, either through changing ISP or needing a bigger block, then it is not a problem.

    I also ensure that I have a full backup regularly taken of the SMARTCenter so that I can restore this easily enough onto a new piece of hardware with the same hostname and IP address.

    I then build my new Firewall for the new office and connect to the new SMARTCenter.

    Go through the Security Policy amending to the new public IP for the NAT that is in the Policy. Especially the Secondary Management Server Object that has the public IP used for the SMARTCenter.

    Push policy to the new gateway.

    On each of the branch office box then do a cpconfig reset SIC.
    Attach to the new SMARTCenter and reattach license to the box.

    Push Policy to the boxes from the new SMARTCenter.

    As I am using a restore of the config from the original SMARTCenter then is the same Cert Authority so no problems there.

    SecureClient users need to delete the old site with details of the destroyed HQ, and create a new site with the new IP address of the new HQ.

    Fully back up and running.


    Of course if you have your SMARTCenter installed on the Gateway at the HQ and license on the public IP without a backup then it is start from scratch as if a new company. You would just relicense in UserCenter your existing licenses and learn the lesson about putting your SMARTCenter and Gateway on one box so the Public IP is not relevant to your license along with the importance of backups.

    Of course as lammbo says if you have a HA Management system then it wouldn't be a problem in the short term, and you would just need to rebuild the network from the HQ at your new location asap. You could reuse the private IP range so no problem there and obviously amend the security policy on the Secondary Server to reflect the new public IP range at the new HQ office.
    Last edited by mcnallym; 2008-07-25 at 09:16.

  4. #4
    Join Date
    2008-07-15
    Posts
    7
    Rep Power
    0

    Default Re: What to do in this scenario?

    Some good input there, thanks chaps...

    Ok, in this instance the gateway and SCS are the same box at the HQ (yes, I know that is bad - but when picking up the pieces you don't get a choice in this matter). It appears the license is also attached to the public IP in this instance...

    So moving forward and minimising issues if this were to happen, then a HA Management system I'm guessing would require an additional SCS license? All that would be done in this instance is before disaster strikes a new SCS box is installed in an alternative location, so if the HQ does disappear you can move on with relative ease... with a copy of all the configs and issued licenses in SC?

    If however, you were unable to install a HA Management system, what would need to be backed up to prevent a disaster turning into complete meltdown?

  5. #5
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    15

    Default Re: What to do in this scenario?

    You should work on splitting the SmartCenter to its own box as soon as possible and using central licensing to its private IP address. That would make moving it to a new location much, much easier.

    An upgrade_export of the SmartCenter will allow you to fully recover it.

    A SmartCenter HA solution is extremely expensive. You need two HA licenses and a second SmartCenter license.

    Ray

  6. #6
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,172
    Rep Power
    15

    Default Re: What to do in this scenario?

    Quote Originally Posted by RayPesek View Post
    You should work on splitting the SmartCenter to its own box as soon as possible and using central licensing to its private IP address. That would make moving it to a new location much, much easier.

    An upgrade_export of the SmartCenter will allow you to fully recover it.

    A SmartCenter HA solution is extremely expensive. You need two HA licenses and a second SmartCenter license.

    Ray
    I believe that only 1 HA license is required to enable it but you still need a second SCS license. And I may be wrong here, but I think the newest licensing model no longer requires the HA for SCS (I have old SCS licenses, I only needed 1 HA license)

    Sorry for bailing on my answer earlier (slight emergency), but mcnallym finished it up nicely. I also have a distributed SCS and you should be licensing your internal IP.

    SIC reset is fairly easy unless you do not have access, which should be another one of your concerns. As a standard precaution, you should always have another host at one of your other sites that is allowed SSH/Web UI access so you can actually access the gateways from that site as well as your primary site.

    Everything else appears to be covered now.
    There's no place like 127.0.0.1
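
Several replies above (mcnallym in #3, RayPesek in #5, lammbo in #6) make the same point: a SmartCenter licensed on an RFC 1918 address can be rebuilt at another site with the same private IP, while one licensed on the public IP cannot. The following is an added example, not code from any poster in this thread or from Check Point: a small audit that reads license lines in the `cplic put` layout (assumed here as `cplic put <host-ip> <expiration> <signature> <feature tokens...>`) and reports which licenses are bound to a private address and which to a public one. The sample lines are constructed, with placeholder signatures and SKUs; 203.0.113.10 is a documentation address standing in for a public one.

```python
"""Audit which Check Point licenses are bound to an RFC 1918 address.

Added example, not from the thread. Assumed line layout:
    cplic put <host-ip> <expiration> <signature> <SKU/feature tokens...>
Only the host-IP field is interpreted; everything else is carried through.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Private" in the posters' sense: the RFC 1918 ranges, which can be
# reused at a new site. ipaddress.is_private is deliberately not used
# because it also covers documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample; signatures, SKUs and CK values are placeholders.
SAMPLE_LICENSES = """\
# constructed sample license file
cplic put 10.1.1.5 never SIG-PLACEHOLDER-A SKU-PLACEHOLDER-A CK-PLACEHOLDER-A
cplic put 203.0.113.10 never SIG-PLACEHOLDER-B SKU-PLACEHOLDER-B CK-PLACEHOLDER-B
cplic put 192.168.50.2 24Jul2009 SIG-PLACEHOLDER-C SKU-PLACEHOLDER-C CK-PLACEHOLDER-C
this line is not a license
"""


@dataclass
class LicenseRecord:
    host: str
    expiration: str
    features: List[str]
    private_bound: bool   # True if the host IP is inside an RFC 1918 range


def is_rfc1918(host: str) -> bool:
    """Raises ValueError if `host` is not an IP address at all."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def parse_cplic_line(line: str) -> Optional[LicenseRecord]:
    """Parse one license line; returns None for comments and unparsable lines."""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return None
    if tokens[:2] == ["cplic", "put"]:        # accept with or without the command prefix
        tokens = tokens[2:]
    if len(tokens) < 4:
        return None
    host, expiration, _signature, *features = tokens
    try:
        private = is_rfc1918(host)
    except ValueError:
        return None
    return LicenseRecord(host, expiration, features, private)


def audit_licenses(text: str) -> Dict[str, List[str]]:
    """Group license hosts by whether they survive a relocation of the SCS IP."""
    report: Dict[str, List[str]] = {"private_bound": [], "public_bound": [], "unparsed": []}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rec = parse_cplic_line(line)
        if rec is None:
            report["unparsed"].append(line.strip())
        elif rec.private_bound:
            report["private_bound"].append(rec.host)
        else:
            report["public_bound"].append(rec.host)
    return report


if __name__ == "__main__":
    result = audit_licenses(SAMPLE_LICENSES)
    for key, hosts in result.items():
        print(f"{key}: {hosts}")
```

Anything listed under `public_bound` is a license that would have to be re-issued after the kind of move discussed in this thread; `unparsed` lines should be looked at by hand rather than silently ignored.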

  7. #7
    Join Date
    2007-06-04
    Posts
    3,304
    Rep Power
    17

    Default Re: What to do in this scenario?

    I have synched a SMARTCenter to a SMARTCenter Pro so only had one Mgmt HA license on the SMARTCenter Pro.

    However whilst it works Check Point insist that both boxes be identically licensed so both should have been SMARTCenter Pro.

    If using SMARTCenter Power then the Mgmt HA license comes as part of that anyway.

  8. #8
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,172
    Rep Power
    15

    Default Re: What to do in this scenario?

    Quote Originally Posted by mcnallym View Post
    Check Point insist that both boxes be identically licensed so both should have been SMARTCenter Pro.
    Actually, they insist on the same PRODUCTS installed to be the same, not licenses. I have seen this break HA sync personally. Prior to buying the Eventia Suite, I had 1 license for the Reporter add-on to SCS. When I enabled it on my primary, it broke sync to my secondary until I removed it.

    In fact, the only license attached to your Secondary SCS is the license for SCS itself. The HA, SecureClient, Web Intelligence and SVM licenses are all attached to the primary SmartCenter.

    Edit: After taking a second look at your wording, you may probably be correct that if 1 SCS is Pro, the other should be also. Both of my SCS are CPMP-ESC-U (old school here)


    Quote Originally Posted by mcnallym View Post
    If using SMARTCenter Power then the Mgmt HA license comes as part of that anyway.
    Yeah, that's the new licensing model I was speaking of earlier, thanks for the clarification.
    Last edited by lammbo; 2008-07-28 at 09:12.
    There's no place like 127.0.0.1

  9. #9
    Join Date
    2007-07-16
    Location
    a land down under!
    Posts
    2,015
    Rep Power
    15

    Default Re: What to do in this scenario?

    Quote Originally Posted by mcnallym View Post
    I have synched a SMARTCenter to a SMARTCenter Pro so only had one Mgmt HA license on the SMARTCenter Pro.
    Did the PRO features (LDAP, SmartView Monitor, SmartMap) work on the Secondary SCS? I would think they might sync, but you'd have a crippled feature set....

  10. #10
    Join Date
    2007-06-04
    Posts
    3,304
    Rep Power
    17

    Default Re: What to do in this scenario?

    Exactly what happens. The other pro features don't work on the second smartcenter. It is why Check Point say should have same license and products installed as causes issues if only on Primary and expect to work on the secondary.

  11. #11
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,172
    Rep Power
    15

    Default Re: What to do in this scenario?

    Quote Originally Posted by mcnallym View Post
    Exactly what happens.
    Assuming you are asking me, SYNC between HA SCS breaks and it barks that the installed products are different. No mention of licenses.

    Quote Originally Posted by mcnallym View Post
    The other pro features don't work on the second smartcenter. It is why Check Point say should have same license and products installed as causes issues if only on Primary and expect to work on the secondary.
    But CP will not issue you 2 sets of SecureClient or Web Intelligence licenses so you can have duplicates on your HA SCS. Part of the SCS failover is that these functions should continue to work from the secondary ONLY if the primary SCS is down, as it is supposedly aware of all of the attached licenses on the primary. I don't know what the exact mechanics that are involved in the failover, but I've been told this is how it is.
    There's no place like 127.0.0.1

  12. #12
    Join Date
    2007-07-16
    Location
    a land down under!
    Posts
    2,015
    Rep Power
    15

    Default Re: What to do in this scenario?

    Quote Originally Posted by lammbo View Post

    But CP will not issue you 2 sets of SecureClient or Web Intelligence licenses so you can have duplicates on your HA SCS. Part of the SCS failover is that these functions should continue to work from the secondary ONLY if the primary SCS is down, as it is supposedly aware of all of the attached licenses on the primary. I don't know what the exact mechanics that are involved in the failover, but I've been told this is how it is.
    SecureClient Policy Servers and Web Intelligence are enforced on the Gateway, not the SCS. There is no dependency on SCS functions for enforcement; license compliance is only required for the policy install.

    Although that does make me wonder about LDAP and SmartView Monitor.... hmmm....

  13. #13
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,172
    Rep Power
    15

    Default Re: What to do in this scenario?

    Quote Originally Posted by Thorpuse View Post
    Although that does make me wonder about LDAP and SmartView Monitor.... hmmm....
    I have just received a quote from CP for 2ea. SmartDirectory Licenses because I have old SCS licenses that do not include that. I must install and license both servers for that product or HA will break. If you are also running something like SVM as an add-on, you must also install and license it on both SCS.

    All I'm saying is that ALL licenses that are assigned to SCS do not have to be installed on the Secondary. Based on this discussion to date, I would have to say this is my conclusion:
    1) If the license affects products actually running on SCS, it must be licensed and installed on both or the products.ini will not match. This includes SVM and SVR add-ons, SmartDirectory (LDAP), (and I assume) URLF and AV fall into these categories as well.

    2) If the license is attached to SCS, but enforced on a gateway, the license need only be applied to the primary SCS. Which is good, because you only get 1 license file anyway unless you buy 2 of everything, which would be ridiculous.
    There's no place like 127.0.0.1

  14. #14
    Join Date
    2006-10-24
    Posts
    20
    Rep Power
    0

    Default Re: What to do in this scenario?

    I decided to skip all the hassles with failover, so I have one single SmartCenter server running as a virtual machine under VMware.
    Once per month we take a full image backup and stash it offsite, getting it online is a snap since the image can be run from any vmware installation on whatever hardware. =)

    Like several others have said, the SC server sits on a private IP so I can move it around.
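
Posts #2 and #14 both come down to keeping a restorable copy of the SmartCenter off-site (an `upgrade_export` archive, or a VM image). The script below is an added example, not code from any poster in this thread or from Check Point. It does not run `upgrade_export` itself; it takes the `.tgz` that tool produced, checks that the file is a readable gzip tarball, records a SHA-256 digest beside a dated copy, re-hashes the copy, and prunes all but the newest copies. Paths, file names and the retention count are assumptions, and `make_sample_export()` builds a constructed stand-in archive so the script runs without a Check Point installation.

```python
"""Stage a SmartCenter upgrade_export archive for off-site storage.

Added example, not from the thread. The archive name, the off-site
directory layout (one dated sub-directory per run) and keep=6 are assumptions.
"""
import datetime
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large exports are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_archive(path: Path) -> List[str]:
    """Member names of a gzip tarball; raises tarfile.ReadError if it is not
    one, ValueError if it is valid but empty."""
    with tarfile.open(path, "r:gz") as tf:
        names = tf.getnames()
    if not names:
        raise ValueError(f"{path} is a valid tarball but contains nothing")
    return names


def is_valid_export(path: Path) -> bool:
    try:
        verify_archive(path)
        return True
    except (tarfile.ReadError, ValueError, OSError):
        return False


def prune(offsite_root: Path, keep: int) -> List[str]:
    """Delete all but the newest `keep` dated copies; returns the names removed."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    dated = sorted(p for p in offsite_root.iterdir() if p.is_dir())
    removed = []
    for old in dated[:-keep]:
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def stage_export(archive: Path, offsite_root: Path, keep: int = 6,
                 when: Optional[datetime.date] = None) -> Path:
    """Copy a verified export into <offsite_root>/<YYYYMMDD>/ with a digest file."""
    verify_archive(archive)                       # never ship a broken file
    digest = sha256_of(archive)
    stamp = (when or datetime.date.today()).strftime("%Y%m%d")
    dest = offsite_root / stamp
    dest.mkdir(parents=True, exist_ok=True)
    copied = dest / archive.name
    shutil.copy2(archive, copied)
    (dest / (archive.name + ".sha256")).write_text(f"{digest}  {archive.name}\n")
    if sha256_of(copied) != digest:               # catches a truncated copy
        raise OSError(f"copy of {archive.name} in {dest} does not match the source")
    prune(offsite_root, keep)
    return dest


def verify_staged(dest: Path, archive_name: str) -> bool:
    """Re-check a staged copy against its recorded digest (run this at the DR site)."""
    recorded = (dest / (archive_name + ".sha256")).read_text().split()[0]
    return sha256_of(dest / archive_name) == recorded


def make_sample_export(workdir: Path) -> Path:
    """Constructed stand-in for an upgrade_export archive (NOT a real export)."""
    workdir.mkdir(parents=True, exist_ok=True)
    payload = workdir / "placeholder-config.txt"
    payload.write_text("constructed placeholder, not a real SmartCenter export\n")
    archive = workdir / "scs_export_sample.tgz"
    with tarfile.open(archive, "w:gz") as tf:
        tf.add(payload, arcname=payload.name)
    return archive


def demo_run(keep: int = 2) -> Dict[str, object]:
    """Stage the sample export on three simulated days inside a temp directory,
    report what is left off-site, then clean everything up."""
    base = Path(tempfile.mkdtemp(prefix="scs-dr-"))
    try:
        archive = make_sample_export(base / "local")
        members = verify_archive(archive)
        plain = base / "local" / "placeholder-config.txt"
        offsite = base / "offsite"
        dests = [stage_export(archive, offsite, keep=keep,
                              when=datetime.date(2008, 7, day)) for day in (25, 26, 27)]
        return {
            "members": members,
            "remaining": sorted(p.name for p in offsite.iterdir()),
            "verified": all(verify_staged(d, archive.name) for d in dests if d.exists()),
            "rejects_plain_file": not is_valid_export(plain),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo_run())
```

The digest file is what makes the off-site copy useful months later: `verify_staged()` is the check to run at the recovery site before rebuilding a SmartCenter from the archive, and it fails loudly on a copy that was cut short in transit.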
