Daniel_Fischler
Participant

vsec controller status on standby machine (partial data)


Hi 

We are using an R80.40 Management in HA. There is a vSec Integration (for datacenter objects) implemented. This is where the management gets the objects dynamically from the vCenter and sends these data center objects to the gateways.

On the primary management I can see this status:

vSEC Controller Status: on, Number of imported Data Center Objects: 100

At the same time I can see on the standby management system:

vsec controller status on, standby machine (partial data), Number of imported Data Center Objects: 85

This does not change over time. On both machines I can see the vCenter status "connected".

Is this normal? What will happen if primary management fails? Will we only have 85 DC objects?

Unfortunately I was not able to find any sk or documentation for vSEC controller redundancy. Any hints?

thanks.

3 Replies
Gil_Sudai
Employee

Hi Daniel, not sure why on the Standby it shows 85.

On Standby, the CloudGuard Controller (old name vsec) is not doing much. Only the instance on the Active mgmt is really doing the work.

After the Standby is set to Active (this is done from SmartConsole), the CloudGuard Controller (old name is vsec) will restart and will handle all the tasks.

HTH,

Gil

Daniel_Fischler
Participant

Hi Gil

Thanks for the reply. That means if the active mgmt goes down there are no more updates for the gateways. There is no automatic failover for the CloudGuard Controller itself? I know that the mgmt failover is a manual task (the mgmt itself is not relevant for a working firewall, so this is ok and most people do not panic if the mgmt goes down or is out of order during an upgrade 🙂 ).

But a non-working CloudGuard Controller will interrupt traffic at least after some time when the objects change! Is there any way to make the CloudGuard Controller redundant / highly available? Or do you have any suggestions what to do during an upgrade of the active mgmt (that could go some hours)?

Gil_Sudai
Employee

You are right, this is a current limitation and it is on the roadmap to fix. 

If you are planning a long downtime to the mgmt server, do a failover to the secondary mgmt and the CloudGuard Controller there will update the GWs.