zong
Explorer

The Secure Endpoint backup restore preferred method

Hello everyone,

I have some issues with HA backup restore and have read the document. In my lab environment, to test the backup restore feature, I use SmartConsole to add the two secure management servers to HA. I try to restore (simulating that the primary server has died, using the scheduled backup file to restore). The restore process settings are the same as the original primary server and I add the same hotfix, but after the restore, when I log in to SmartConsole and add the new primary server, the one-time password fails (the initial install of the primary server did not set a one-time password; it was only set when selecting the secondary server). In the document I see that HA recovery is not supported with an Endpoint Security server (because the customer environment must enable Endpoint Security).

If the HA primary server dies and I create a new server to restore to, how do I add the newly restored SMS back to the original HA environment? I can't see the full HA SMS Disaster Recovery setup or solution.

The reference document link: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi... %20Disaster%20Recovery%7C_____0#Promotin

My lab SMS version is R81.10 in VMware ESXi.

Or can someone shed some light or give better suggestions for me? Thanks, everyone.

0 Kudos

Accepted Solutions
_Val_
Admin

A bit clearer now. Initialise the machine and set it up as EPS server, install the fix, restore backup.

_Val_
Admin

First, HA is not a backup solution, I hope you know that. SMS HA pair allows you to continue managing your system, if one of the management servers is unavailable for whatever reason.

Now, forget you have HA. Restore your Primary SMS from backup, as you are trying to do, and connect to it with the SmartConsole. That should work, and in the HA settings you will have a conflict. Push secondary to standby manually, that should cover your situation.

If any issue, report back here. 

0 Kudos
zong
Explorer

Thanks _Val_ for the reply and for letting me know more about the difference.

So you mean: restore the primary SMS from the backup file, connect SmartConsole to the restored primary SMS and destroy the original HA structure, then use the restored primary SMS environment to rebuild the HA structure?

In addition, Endpoint Security uses the HA structure: if the primary SMS fails, the endpoint client should automatically connect to the secondary server, but in this test the endpoint client did not connect automatically. Is this because my secondary server does not have Endpoint Policy Management enabled in the Management tab? (At this time the secondary server was changed to active.) Thank you.

0 Kudos
_Val_
Admin

I am very sorry, but this does not make any sense: 

So you mean: restore the primary SMS from the backup file, connect SmartConsole to the restored primary SMS and destroy the original HA structure, then use the restored primary SMS environment to rebuild the HA structure?

How do you do a backup in the first place? It should not destroy any HA pairing. Please elaborate on your backup procedure, because it seems to me, you are not using standard Gaia backup in this case. So, how do you backup your management system?

 

0 Kudos
zong
Explorer

Thank you for replying to me.

What currently confuses me is: the primary SMS dies (completely dead and unable to boot), and according to the failover chapter setup the secondary server changes to active status (in order to temporarily disconnect endpoint client). How do I restore back to the original HA environment?

Backup setup:
1) I log in to the web console > System Backup > manually create a backup
2) Export the backup file
3) Log in to the new SMS web console > System Backup > import the backup file
4) Switch to Upgrade > Status and Actions page > import the hotfix (the original SMS has the hotfix)
5) Restore
6) The restore error appears (the Check_Point_R81_10_KAV_MAIN_Bundle_T4_FULL.tar is the fix for the "The service for Anti-Malware signatures update is not installed on this Endpoint Management Server" issue), but if EP engent is not enabled, this hotfix can't be imported

Thank you

0 Kudos
_Val_
Admin

A bit clearer now. Initialise the machine and set it up as EPS server, install the fix, restore backup.

0 Kudos
zong
Explorer

Thank you _Val_ for providing me the setup and professional experience. After my repeated attempts, this solution can indeed meet my needs, but after I restored the new primary server successfully and connected it with the original secondary server, the "synchronize fail - Failed to restore PostgreSql DB from backup" message appeared, and after restarting my two SMS servers a day later, everything is normal. What is the reason? Have you ever encountered this situation? Thank you.

0 Kudos
jcortez
Employee

@zong

At this point you should create a Case/SR with TAC so we can look at this correctly by analyzing logs and getting more details from you.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
G_W_Albrecht
Legend

If you use R81.10 in VMware ESXi, Management HA makes no sense at all - you can clone, snapshot and backup a Management VM using VMware tools for complete disaster recovery. Management HA is intended for customers with physical boxes/appliances used for SMS that may also reside in different data centers.

So for your customer, Endpoint Security server and SMS as one VM makes most sense!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
zong
Explorer

Thank you for the reply.

Because the customer environment needs an Endpoint Security server, if the endpoint server completely dies, the restore should include all threat logs, and I am not sure if the customer environment has VMware complete disaster recovery.

So you mean SmartConsole HA is used as an HA architecture for physical devices? Thank you for telling me this.

0 Kudos
G_W_Albrecht
Legend

You can do the following:

- use a Log Server and a SMS / EPS VM, so the threat log is safe

- put EPS in own VM

- define cron jobs to save important data to servers outside ESX in regular intervals

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
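
One way to implement the cron-job suggestion above, as an added example that is not part of the original posts: it ships the newest backup archive to storage outside the ESX host and verifies the copy by SHA-256, leaving a checksum file that can be re-checked before the archive is imported on a rebuilt server. The function names, the `*.tgz` pattern and all paths are assumptions; the destination is assumed to be a mounted directory.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and the *.tgz pattern are assumptions.
# Example crontab line (placeholder paths):
#   30 2 * * * /path/to/offhost_copy.sh /path/to/backups /mnt/offhost

# Print the most recently modified *.tgz archive in directory $1.
newest_backup() {
    ls -1t "$1"/*.tgz 2>/dev/null | head -n 1
}

sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Copy archive $1 into directory $2 and confirm the copy hashes identically.
# A .sha256 sidecar is written so the file can be re-checked before a restore.
ship_backup() {
    src=$1; dest_dir=$2
    [ -f "$src" ] || { echo "no backup file: $src" >&2; return 1; }
    name=$(basename "$src")
    want=$(sha256_of "$src")
    cp -p "$src" "$dest_dir/$name.part" || return 1
    if [ "$(sha256_of "$dest_dir/$name.part")" != "$want" ]; then
        rm -f "$dest_dir/$name.part"
        echo "checksum mismatch copying $name" >&2
        return 1
    fi
    mv "$dest_dir/$name.part" "$dest_dir/$name"
    printf '%s  %s\n' "$want" "$name" > "$dest_dir/$name.sha256"
}

# Re-check an archive against its sidecar, e.g. before importing it on a new server.
verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Cron entry point: ship the newest archive from $1 to $2.
run_offhost_copy() {
    latest=$(newest_backup "$1")
    [ -n "$latest" ] || { echo "no backup archives in $1" >&2; return 1; }
    ship_backup "$latest" "$2"
}

if [ "$#" -eq 2 ]; then
    run_offhost_copy "$1" "$2"
fi
```
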
jcortez
Employee

@zong 

I am concerned with this post...

In addition, Endpoint Security uses the HA structure: if the primary SMS fails, the endpoint client should automatically connect to the secondary server, but in this test the endpoint client did not connect automatically. Is this because my secondary server does not have Endpoint Policy Management enabled in the Management tab? (At this time the secondary server was changed to active.) Thank you.

When using our Harmony Endpoint Security Management Server and then pairing it with an HA/Secondary, there is a very specific process you have to go through and validation that would need to be done (separate from the normal SMS HA synchronization) in order to properly failover and for the HA/Secondary to be able to pick up where the Primary Harmony Endpoint Management Server left off and that it knows/has all the configuration.

If you and the customer are going to move forward with having and using a HA/Secondary Endpoint Management Server, please open an SR with TAC (specifically with our Endpoint Team) and request that you work/talk with me so I can educate you on how HA/Secondary Sync differs when using a normal SMS vs an EP SMS.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
