topic Using cloud smart-1 mgmt server as a backup in Firewall and Security Management

Using cloud smart-1 mgmt server as a backup

the_rock — Thu, 10 Dec 2020 14:46:33 GMT

Hey guys,

Im 99% sure this is not possible, but want to ask anyway : ). I have a prospective CP customer asking me if its possible or feasible at all to have say regular physical smart-1 mgmt server managing their gateways and then also buy smart-1 cloud instance as a backup. Im almost positive that would never work, as they cant manage already managed gateways with a different server, as that only works in management HA...unless they maybe do migrate export from physical smart-1 and then use import feature in cloud instance, not sure if that would function or not...

Tx for any feedback!

Re: Using cloud smart-1 mgmt server as a backup

the_rock — Thu, 10 Dec 2020 14:55:45 GMT

Just something I forgot to mention...I know while back in R75 I believe, there was a customer I worked with who tried something similar on 2 different smart-1 servers and was able to make it work, but issue in that case was than say if a cluster is managed by smart-1 (lets call it mgmt1) and then you wish to manage same cluster with mgmt2, then you have to break SIC, re-establish all over again, so it was doable, but servers are not in sync, so dont know if thats really best way to go about it...

Re: Using cloud smart-1 mgmt server as a backup

PhoneBoy — Thu, 10 Dec 2020 15:53:18 GMT

Management HA between a cloud and on-prem instance is not currently supported.
Management HA between an on-prem instance and one you install/manage yourself in the cloud is supported.
However, you don’t get any of the benefits of Smart-1 Cloud that way.

Re: Using cloud smart-1 mgmt server as a backup

the_rock — Thu, 10 Dec 2020 16:05:03 GMT

Phoneboy, you are always on top of this community, I love it man : ). Ok, so just to CLARIFY, so I am not mistaken. Are you saying below?

-ONLY management HA can be used? They can not use single smart-1 and sync it with Cloud? Say if they had single smart-1 on prem and wanted to sync it with cloud server, that would not work? Correct? By the way, why would they not get any benefit?

Also, do you know for example if they did that, would they not have to re-establish sic again? I guess maybe that would not matter too much if policies are the same, but obviously gateways can only be managed by one mgmt server at the time...

Andy

Re: Using cloud smart-1 mgmt server as a backup

PhoneBoy — Thu, 10 Dec 2020 16:29:04 GMT

You got it.

Management HA between an on-premise Smart-1 and a self-managed instance in a public cloud is supported.
If you need to fail over in this case, no re-SIC required as management HA syncs the ICA (among other things) and the gateways are aware of the other manager.
However…lots of things traffic-wise will be required in/out from that cloud instance.

Re: Using cloud smart-1 mgmt server as a backup

35d69756-ac75-3 — Thu, 10 Dec 2020 16:33:03 GMT

I know once I tested copying policy from one lab mgmt to another and worked fine when I pushed the policy, but I guess that never needed sic reset since both servers and gateways were on same subnet. I think on cloud it would be wayyyyy different...2 questions, 1 related and one not : )

1. Is there any official doc stating what you told me?

2. On unrelated note, is there a way to actually JUST move network objects and hosts from one mgmt server to another? Some type of script or something?

Tx as always

Andy

Re: Using cloud smart-1 mgmt server as a backup

the_rock — Thu, 10 Dec 2020 16:42:07 GMT

Thanks as always. So, I have 2 questions:

1) Is there any official document as to what you told me and why would management HA be needed instead of single management, just curious?

and

2) More unrelated, but just wondering, is there a script or some way say if you wanted to export ONLY objects and hosts from one mgmt to another without migrating the whole policy?

tx as always

Andy

Re: Using cloud smart-1 mgmt server as a backup

PhoneBoy — Thu, 10 Dec 2020 17:22:02 GMT

Theoretically, you can do what you describe: change the management server to a different one without HA.
However, it means manually syncing the data and a re-SIC whenever you want to switch over to the other management.
And...relicensing.
All of this involves some amount of downtime.
If you use management HA, you won't have to worry about any of this.
Your secondary management is effectively a hot standby.
Note: this doesn't remove the need to do regular backups.

If you just want to have some way to recover in case your on-premise Smart-1 fails, then your best bet is to take a Migrate Export on a periodic basis.
This can be restored on another Smart-1 (either appliance or VM) or even stood up in Smart-1 Cloud.
You will still have to re-license if the management IP/hardware changes, but you can get this up and running fairly quickly.

There are ways (with the API) to copy out objects if you want to do that.
https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/CLI-API-Example-for-exporting-importing-and-deleting-different/m-p/40850#M2766 is one example (and there are others).

It really depends on your goal and the amount of downtime you're willing to tolerate.

Re: Using cloud smart-1 mgmt server as a backup

the_rock — Thu, 10 Dec 2020 17:44:45 GMT

Thanks Dameon...it would be nice if there was an official document or something stating whats supported for this and whats not...otherwise, makes it bit harder for this customer to make a decision. Anyway, on the other hand, for that link you sent, I did see that before, but was not sure which script is right one...any idea? All I want is to export ALL the objects (hosts, networks...etc) from one mgmt server and import them into another one.

Let me look via clish, as I know with some vendors, you just get the config and copy whatever you need without uuid for objects.

Re: Using cloud smart-1 mgmt server as a backup

PhoneBoy — Thu, 10 Dec 2020 18:59:03 GMT

For Security Management information (objects, etc), you need to query using the API or using CLI-based API commands.
What I pointed you at was the one that has the information separated out so you can import/export just the information you asked for in a relatively easy-to-consume format (CSV).
The Python Export/Import script (findable on the community) gives you everything relevant to a given Policy Package.

For the larger issue of documentation, problem is: it's not clear to me what problem the customer is actually trying to solve.
Even so, I suspect the answer is not contained in a single document as you've presented numerous scenarios.

For backups of your Security Management (and related items): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108902&partition=Basic&product=All

Can you restore a migrate export in Smart-1 Cloud? Yes, but you need to use the correct migration tool.
See: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Check-Point-SmartCloud-Admin-Guide/Topics-Smart-1-Cloud/Using-the-Settings.htm#Migrate

Management HA is covered in the relevant Security Management admin guide.

Partial copy of configuration from one management to another? Yes, possible using the API.

Which one is appropriate for the customer? It depends.
In general, we recommend employing multiple backup/HA strategies as it gives you multiple recovery options in case something goes pear-shaped.