Hello everyone,
I have some issues with HA backup restore and have read the document. In my lab environment, to test the backup restore feature, I used SmartConsole to add the two secure management servers to HA. I tried a restore (simulating that the primary server has died, using the scheduled backup file to restore). The restore process used the same settings as the original primary server and I added the same hotfix, but after the restore, when I log in to SmartConsole and add the new primary server, the one-time password fails (the initial install of the primary server did not set a one-time password; only the secondary server had one set). Also, in the document I see that HA recovery is not supported with an Endpoint Security server (the customer environment must enable Endpoint Security).
If the HA primary server dies and I create a new server to restore to, how do I add the newly restored SMS back to the original HA environment? I can't find the full HA SMS Disaster Recovery setup or solution.
The reference document link: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi... %20Disaster%20Recovery%7C_____0#Promotin
My lab SMS version is R81.10 on VMware ESXi.
Or can someone shed some light or give me better suggestions? Thank you, everyone.
First, HA is not a backup solution, I hope you know that. SMS HA pair allows you to continue managing your system, if one of the management servers is unavailable for whatever reason.
Now, forget you have HA. Restore your Primary SMS from backup, as you are trying to do, and connect to it with the SmartConsole. That should work, and in the HA settings you will have a conflict. Push secondary to standby manually, that should cover your situation.
If any issue, report back here.
Thank you _Val_ for the reply and for letting me know more about the difference.
So you mean: use the backup file to restore the primary SMS, connect SmartConsole to the restored primary SMS and destroy the original HA structure, then use the restored primary SMS environment to rebuild the HA structure?
In addition, Endpoint Security uses the HA structure. If the primary SMS fails, the endpoint client should automatically connect to the secondary server, but in this test the endpoint client did not connect automatically. Is that because my secondary server does not have Endpoint Policy Management enabled in the Management tab? (At this time the secondary server was changed to active.) Thank you
I am very sorry, but this does not make any sense:
So you mean: use the backup file to restore the primary SMS, connect SmartConsole to the restored primary SMS and destroy the original HA structure, then use the restored primary SMS environment to rebuild the HA structure?
How do you do a backup in the first place? It should not destroy any HA pairing. Please elaborate on your backup procedure, because it seems to me, you are not using standard Gaia backup in this case. So, how do you backup your management system?
Thank you for replying.
What currently confuses me is this: the primary SMS dies (completely dead and unable to boot), and according to the failover chapter the secondary server is changed to active status (in order to temporarily disconnect endpoint client). How do I restore back to the original HA environment?
Backup setup:
1) I log in to the web console > System Backup > manually create a backup
2) Export the backup file
3) Log in to the new SMS web console > System Backup > import the backup file
4) Switch to Upgrade > Status and Actions page > import the hotfix (the original SMS has the hotfix)
5) Restore
6) The restore error appears (Check_Point_R81_10_KAV_MAIN_Bundle_T4_FULL.tar is the fix for the "The service for Anti-Malware signatures update is not installed on this Endpoint Management Server" issue), but if EP engent is not enabled, this hotfix can't be imported
Thank you
A bit more clearer now. Initialise the machine and set it up as EPS server, install the fix, restore backup.
Thank you _Val_ for providing me with the setup and your professional experience. After my repeated attempts, this solution can indeed meet my needs. However, I restored the new primary server successfully, and after connecting it with the original secondary server, the "synchronize fail - Failed to restore PostgreSql DB from backup" message appeared. After I restarted my two SMS servers a day later, everything is normal. What is the reason? Have you ever encountered this situation? Thank you
At this point you should create a Case/SR with TAC so we can look at this correctly by analyzing logs and getting more details from you.
If you use R81.10 in VMware ESXi, Management HA makes no sense at all - you can clone, snapshot and backup a Management VM using VMware tools for complete disaster recovery. Management HA is intended for customers with physical boxes/appliances used for SMS that may also reside in different data centers.
So for your customer, Endpoint Security server and SMS as one VM makes most sense!
Thank you for the reply.
Because the customer environment needs an Endpoint Security server, if the endpoint server dies completely, the restore should include all threat logs, and I am not sure if the customer environment has VMware complete disaster recovery.
So you mean SmartConsole HA is an HA architecture for physical devices? Thank you for telling me this.
You can do the following:
- use a Log Server and a SMS / EPS VM, so threat log is save
- put EPS in own VM
- define cron jobs to save important data to servers outside ESX in regular intervals
I am concerned with this post...
In addition, Endpoint Security uses the HA structure. If the primary SMS fails, the endpoint client should automatically connect to the secondary server, but in this test the endpoint client did not connect automatically. Is that because my secondary server does not have Endpoint Policy Management enabled in the Management tab? (At this time the secondary server was changed to active.) Thank you
When using our Harmony Endpoint Security Management Server and then pairing it with an HA/Secondary, there is a very specific process you have to go through and validation that would need to be done (separate from the normal SMS HA synchronization) in order to properly failover and for the HA/Secondary to be able to pickup where the Primary Harmony Endpoint Management Server left off and that it knows/has all the configuration.
If you and the customer are going to move forward with having and using a HA/Secondary Endpoint Management Server, please open an SR with TAC (specifically with our Endpoint Team) and request that you work/talk with me so I can educate you on how different HA/Secondary Sync differs when using a normal SMS vs an EP SMS.