topic Installing Policies on an HA cluster one member at a time in Firewall and Security Management

Installing Policies on an HA cluster one member at a time

P_Williams — Tue, 10 Dec 2024 16:54:33 GMT

We have some soon-to-be-replaced 23000 gateways running r80.40 take 211 in a cluster. In the last few months it has become increasingly difficult to install policy updates on the firewalls with typically the active member of the cluster failing to install the policy and therefore the whole installation fails. I have tried failing over onto the standby and pushing policy and again it will still fail on the new active firewall.

Is a temporary tactic to uncheck the box 'For gateway clusters, if installation on a cluster member fails, do not install on that cluster' and have the install succeed on the standby member, then failover to the standby member, then push the policy again and this time it should then succeed on the new standby firewall? Thereby the new policy is installed on both firewalls.

We have the new firewalls in place and are being built by Checkpoint PS, but with the Christmas change freeze about to start we are not in a position to start using the new firewalls before Jan but we need to make minor changes to the policy.

Re: Installing Policies on an HA cluster one member at a time

PhoneBoy — Tue, 10 Dec 2024 20:49:23 GMT

I believe you can do this, yes.
Note this is something that ElasticXL "fixes" insofar as policy installation happens to the SMO only, which is responsible for copying the policy to the other members.

Re: Installing Policies on an HA cluster one member at a time

Lesley — Wed, 11 Dec 2024 00:01:24 GMT

This is indeed a workaround for this issue

Re: Installing Policies on an HA cluster one member at a time

kamilazat — Thu, 12 Dec 2024 06:34:07 GMT

What about doing fw fetch -m individually on cluster members? If I recall correctly, it pulls the policy from the server that is defined in masters file and writes it to kernel individually. But I'm not sure about the sync between members after that point. Maybe someone can add to it.

Re: Installing Policies on an HA cluster one member at a time

Tal_Paz-Fridman — Thu, 12 Dec 2024 06:49:45 GMT

Indeed fw fetch <Security Management Server name> will also work:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_CLI_ReferenceGuide/Content/Topics-CLIG/FWG/fw-fetch.htm

Seems the -c flag also allows to fetch policy from a Cluster member

Re: Installing Policies on an HA cluster one member at a time

kamilazat — Thu, 12 Dec 2024 06:57:04 GMT

Hypothetically, let's say that I did it with -m flag and forgot to do the same on the other member. Will the policies ever get synced between members, or do I need to come back and do a -c anyway?

Re: Installing Policies on an HA cluster one member at a time

Tal_Paz-Fridman — Thu, 12 Dec 2024 08:03:11 GMT

Not sure you even need the -m flag

But yes, you can either fetch the policy (on the other cluster member) directly from the Security Management Server or from the other cluster using -c

Re: Installing Policies on an HA cluster one member at a time

P_Williams — Thu, 12 Dec 2024 09:19:45 GMT

Accepting this as it was the first response. I have now tried the method and it worked. I think the two firewalls had different policies for less than 10 minutes.

I will look into the other methods listed here as well. I think though as it is an old setup about to be pulled out I dont really want to start trying out something new, but something to look into for the new environment should there be similar issues.

Thank you all for your help.