topic Re: Synchronization of gateways in Firewall and Security Management

Synchronization of gateways

gemechisd — Thu, 10 Nov 2022 17:17:13 GMT

We have 2 checkpoint 7000 series appliances. We have configured them as a cluster. Last time the standby server hardware unable to reboot and now we are pushing policies on 1 gateway only.

I want to know what happens when the 2nd gateway gets fixed. Does the policies that are installed on the active gateway synchronized with the standby one?

Re: Synchronization of gateways

PhoneBoy — Thu, 10 Nov 2022 18:53:44 GMT

When a gateway boots up, it will try to load one of the following policies in order:

Gateway will fetch last compiled and installed policy from management
If the gateway cannot reach the management, the gateway will use a locally cached copy of the last policy installed
If no policy was installed, the policy is corrupt/compiled for the wrong version, or there is an issue with the firewall license, the gateway will load DefaultFilter, which blocks all traffic.

The much shorter answer is yes, but it pulls the current policy from management, not the other gateway.

Re: Synchronization of gateways

the_rock — Thu, 10 Nov 2022 20:21:28 GMT

To add to this, I also find that most of the time, for step 2 phoneboy mentioned, IF gateway cant "talk" to the management, it will usually load initial policy (though this usually may happen after major upgrade, which requires a reboot), which pretty much block everything, but unlike default filter, it would let you ssh and web UI, but only on default port 443, nothing else.

Andy

Re: Synchronization of gateways

gemechisd — Fri, 11 Nov 2022 05:18:55 GMT

@PhoneBoy Thank You for the immediate response.

Which means when we start configuring the second gateway as a cluster with the one currently working it will push the gateway from SMS?

Re: Synchronization of gateways

PhoneBoy — Fri, 11 Nov 2022 16:14:08 GMT

If you restore from a system backup onto identical hardware, you shouldn't need to do anything special.
If you rebuild the cluster member from scratch, it's possible you may need to push policy from management, which you should probably do anyway just to confirm proper operation.

Re: Synchronization of gateways

gemechisd — Mon, 05 Dec 2022 15:15:39 GMT

@PhoneBoy

Is there any steps to be followed during the process?

We have bought a new 7000 series device. Now we want to configure the new gateway (the standby cluster before), to the existing cluster.

So, how could we do that? If there is any steps to be followed?

Re: Synchronization of gateways

PhoneBoy — Tue, 06 Dec 2022 00:52:37 GMT

Configure the OS settings the same as the one you're replacing it with.
You will need to reset SIC with the device and push policy.

Re: Synchronization of gateways

gemechisd — Tue, 06 Dec 2022 05:11:17 GMT

So that it will get all the policies installed on the active gateway including static routes on GAIA, Right?

Re: Synchronization of gateways

Blason_R — Tue, 06 Dec 2022 05:57:14 GMT

Nope - Configuration persisting to device itself wont be recovered from policy push like @PhoneBoy mentioned. Those settings either has to be restored from backup or manually from other service from clish with > show configuration and then picking up specific commands like changing the IP addresses of interfaces. You will get the routes though and other settings which can be stay common on both the devices.

Like routes/snmp/users etc.