topic Re: Checkpoint HA in Firewall and Security Management

Checkpoint HA

satryo_id — Thu, 22 Aug 2024 02:36:12 GMT

Hi Mates,

I have two checkpoint 6200, one as active and other as cold backup. Each role for device are as standalone (gateway and sms).

We're planning to create HA from this checkpoint, my questios are

1. Do we need separate Security Management to control this HA,

- If no need, how to achieve this?

- for SMS can we use VM despite purchasing other checkpoint device?

2. Do we need to factory reset to config Cluster XL from First Time Configuration Wizard? or just create it from Smart Console?

Regard's

Satryo

Re: Checkpoint HA

emmap — Thu, 22 Aug 2024 02:52:02 GMT

You can do what we call a Full High Availability Cluster, where both management and gateway are on both members. Details are in the install guide:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Guide/Content/Topics-IUG/Full-HA-Cluster-on-Check-Point-Appliances.htm?TocPath=Installing%20a%20ClusterXL%2C%20VSX%20Cluster%2C%20VRRP%20Cluster%7CFull%20High%20Availability%20Cluster%20on%20Check%20Point%20Appliances%7C_____0

You can also run management on a separate VM if you wish, but you will need to purchase an additional management server license for this.

You will need to rebuild from scratch to move to a Full HA solution.

Re: Checkpoint HA

satryo_id — Thu, 22 Aug 2024 02:58:31 GMT

Sure, i have done this before (creating Full HA), but my question is, can we do without rebuild from scratch, and how to achieve this, ex using separate SMS

Regard's

Satryo

Re: Checkpoint HA

just13pro — Thu, 22 Aug 2024 05:58:29 GMT

I don't think you can merge 2 standalone into a HA as they have different database.

Re: Checkpoint HA

G_W_Albrecht — Thu, 22 Aug 2024 09:06:44 GMT

You just have one defined as Primary and reset the second one, do FTW for secondary management there and other needed config; database will be synced with the primary SMS cluster node. As the rules are the same on both devices you will loose nothing...

Re: Checkpoint HA

the_rock — Thu, 22 Aug 2024 11:59:13 GMT

Just to make sure, so there is no confusion, ostensibly, you want to convert full HA into 2 separate managements managing HA cluster, right?

If so, you can use below link, it details everything.

https://community.checkpoint.com/t5/General-Topics/Migrate-R80-40-Full-HA-to-distributed-Management/td-p/167314

Andy

Re: Checkpoint HA

satryo_id — Thu, 22 Aug 2024 14:06:12 GMT

no i want to do it reverse, two standalone into HA.

Regard's

Re: Checkpoint HA

the_rock — Thu, 22 Aug 2024 14:09:43 GMT

Got it...yes, so what @emmap had said is 100% right.

Sorry for my misunderstanding. And yes, you will need to rebuild, no other way around it. I know someone while back who did it without rebuilding, but it was totally unsupported, so I wont even try to explain it lol

Andy

Re: Checkpoint HA

the_rock — Thu, 22 Aug 2024 14:12:42 GMT

For the context, this sk also might be helpful.

Andy

https://support.checkpoint.com/results/sk/sk60443

Re: Checkpoint HA

G_W_Albrecht — Thu, 22 Aug 2024 15:55:49 GMT

As i wrote above, no merge is needed - you have a backup device with the same rulebase, or an active device with the current rulebase (that is the one i would use 😉

I wrote that one has to undergo FTW again and be designated the secondary management during installation. As planned, the primary node will the sync the database to the secondary.

Re: Checkpoint HA

satryo_id — Fri, 23 Aug 2024 06:11:52 GMT

so i need to backup and then restore after HA up, when restoring from standalone device into HA, do it will replace HA configuration? and back to standalone. how about@G_W_Albrecht solution, only secondary being rebuild.

regard's

satryo

reagrd's

satrtyo

Re: Checkpoint HA

G_W_Albrecht — Fri, 23 Aug 2024 08:22:21 GMT

Better ask TAC for guidance - the procedure i wrote about is found in sk104699: How to configure a Standalone machine to become a part of a Full HA cluster, but this is not supported in R80 versions.