topic Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi in General Topics

If management server goes down, will the gateway still be able to filter(accept/deny) the traffic?

praveshnayal — Fri, 06 Oct 2023 16:27:29 GMT

If the management server goes down, will the gateway still be able to filter the traffic as per the policy package target installation? Since the policy package resides on the management server I wanted to understand how the gateway could filter the traffic.

Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi

Ruan_Kotze — Fri, 06 Oct 2023 17:20:38 GMT

Yes, gateways will filter traffic just fine.

Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi

Tal_Paz-Fridman — Fri, 06 Oct 2023 17:42:40 GMT

Yes, the Security Gateway keeps working regardless on the Security Management.

When you Install Policy, the policy is sent to the Security Gateway were it is installed "locally".

You can check that the policy is installed using the following commands:

For Access Control Policy use fw stat or cpstat fw commands

For Threat Prevention Policy use fw stat -b AMW command

Both will show the policy name and when it was installed

Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi

the_rock — Sun, 08 Oct 2023 03:09:00 GMT

What happens is that gateway will enforce latest policy pushed to it from the management server. If mgmt server went down, traffic would still work just fine through the firewall, but huge downside to it is that you would not be able to make any further changes to the policy. as smart console would not be accessible.

Andy

Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi

CheckPointerXL — Sun, 08 Oct 2023 07:42:54 GMT

If i remember correctly, you should pay big attention to CRL fetching. VPN between FW on same management could potentially be disrupted if there is no communication during the 24h fetching period.

Anyone can confirm or not?

Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi

the_rock — Sun, 08 Oct 2023 11:13:41 GMT

Yes, that rings a bell, though couple of times mgmt was down for a customer, we never had that issue, but it could happen, for sure.

Andy

Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi

Fabz — Sun, 08 Oct 2023 11:23:34 GMT

Hi @Tal_Paz-Fridman curious about if the connection is lost between FW and Management. What will happens?

Last time i experinced with this in 80.x all the traffic was blocked by the FW. is it expected behaviour?

Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi

Tal_Paz-Fridman — Sun, 08 Oct 2023 11:30:05 GMT

Connection to Security Management Server should not affect the Security Policy that is installed on the Security Gateway.

Perhaps this was a case where connection was lost, SIC was reset which then installs the Initial Policy.

Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi

the_rock — Sun, 08 Oct 2023 12:25:03 GMT

@Tal_Paz-Fridman is 100% right. I would also say if there was a SIC issue, if sic is reset, then by default, it loads initial policy, which pretty muchblocks anything, except web UI on port 443 and ssh.

Tal, PLEASE be safe mate, Im praying for tolerance and peace over there 🕊🕊

Andy

Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi

the_rock — Sun, 08 Oct 2023 13:22:28 GMT

Btw, I found an old notes I had back in R77 days when customer had this issue and mgmt was down for 3 days, but they told me after all VPN tunnels stayed up and there was no traffic issue. Mind you, there was no cp to cp vpn tunnels, so as @CheckPointerXL said, its possible if mgmt is down for more than 24 hours, if you have any cp to cp s2s vpn tunnels, they may not work.

Andy

Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi

genisis__ — Sun, 08 Oct 2023 13:37:55 GMT

Yes.

Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi

genisis__ — Sun, 08 Oct 2023 13:39:29 GMT

This is true; I've had this happen to me before, but that is on the condition that all devices being used are managed from the same Manager.

Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi

the_rock — Sun, 08 Oct 2023 13:58:23 GMT

Never had that happen to me, but what @CheckPointerXL mentioned about CRL is 100% true.

Andy

Re: If management server goes down, will the gateway still be able to filter(accept/deny) the traffi

PhoneBoy — Mon, 09 Oct 2023 19:43:41 GMT

While the gateway will continue to pass traffic per the last installed policy, VPNs will fail after a period of time.
This is because the Internal CA resides on the Management Server and gateways/clients reach out to the CRL to validate the certificate.
For Site-to-Site VPNs, they will continue to work for 24 hours.
Remote Access clients (regardless of auth method) use the CRL and may fail.

Hope that clears things up.