This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
satryo_id
Explorer
‎2024-08-21 07:36 PM
Jump to solution

Checkpoint HA

Hi Mates,

 

I have two checkpoint 6200, one as active and other as cold backup. Each role for device are as standalone (gateway and sms).

We're planning to create HA from this checkpoint, my questios are

1. Do we need separate Security Management to control this HA,

- If no need, how to achieve this?

- for SMS can we use VM despite purchasing other checkpoint device?

 

2. Do we need to factory reset to config Cluster XL from First Time Configuration Wizard? or just create it from Smart Console?

 

Regard's

Satryo

0 Kudos
2 Solutions

Accepted Solutions
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-08-21 07:52 PM
Jump to solution

You can do what we call a Full High Availability Cluster, where both management and gateway are on both members. Details are in the install guide:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...

You can also run management on a separate VM if you wish, but you will need to purchase an additional management server license for this. 

You will need to rebuild from scratch to move to a Full HA solution. 

View solution in original post

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2024-08-23 01:22 AM
In response to satryo_id
Jump to solution

Better ask TAC for guidance - the procedure i wrote about is found in sk104699: How to configure a Standalone machine to become a part of a Full HA cluster, but this is not supported in R80 versions.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

(1)
11 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-08-21 07:52 PM
Jump to solution

You can do what we call a Full High Availability Cluster, where both management and gateway are on both members. Details are in the install guide:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...

You can also run management on a separate VM if you wish, but you will need to purchase an additional management server license for this. 

You will need to rebuild from scratch to move to a Full HA solution. 

0 Kudos
satryo_id
Explorer
‎2024-08-21 07:58 PM
In response to emmap
Jump to solution

Sure, i have done this before (creating Full HA), but my question is, can we do without rebuild from scratch, and how to achieve this, ex using separate SMS

 

Regard's

Satryo

0 Kudos
just13pro
Collaborator
‎2024-08-21 10:58 PM
In response to satryo_id
Jump to solution

I don't think you can merge 2 standalone into a HA as they have different database.

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2024-08-22 08:55 AM
In response to just13pro
Jump to solution

As i wrote above, no merge is needed - you have a backup device with the same rulebase, or an active device with the current rulebase (that is the one i would use 😉

I wrote that one has to undergo FTW again and be designated the secondary management during installation. As planned, the primary node will the sync the database to the secondary.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2024-08-22 02:06 AM
In response to satryo_id
Jump to solution

You just have one defined as Primary and reset the second one, do FTW for secondary management there and other needed config; database will be synced with the primary SMS cluster node. As the rules are the same on both devices you will loose nothing...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-08-22 04:59 AM
In response to satryo_id
Jump to solution

Just to make sure, so there is no confusion, ostensibly, you want to convert full HA into 2 separate managements managing HA cluster, right?

If so, you can use below link, it details everything.

https://community.checkpoint.com/t5/General-Topics/Migrate-R80-40-Full-HA-to-distributed-Management/...

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
satryo_id
Explorer
‎2024-08-22 07:06 AM
In response to the_rock
Jump to solution

no i want to do it reverse, two standalone into HA.

 

Regard's

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-08-22 07:09 AM
In response to satryo_id
Jump to solution

Got it...yes, so what @emmap had said is 100% right.

Sorry for my misunderstanding. And yes, you will need to rebuild, no other way around it. I know someone while back who did it without rebuilding, but it was totally unsupported, so I wont even try to explain it lol

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-08-22 07:12 AM
In response to satryo_id
Jump to solution

For the context, this sk also might be helpful.

Andy

https://support.checkpoint.com/results/sk/sk60443

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
satryo_id
Explorer
‎2024-08-22 11:11 PM
In response to the_rock
Jump to solution

so i need to backup and then restore after HA up, when restoring from standalone device into HA, do it will replace HA configuration? and back to standalone. how about@G_W_Albrecht  solution, only secondary being rebuild.

 

regard's

satryo

 

reagrd's

satrtyo

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2024-08-23 01:22 AM
In response to satryo_id
Jump to solution

Better ask TAC for guidance - the procedure i wrote about is found in sk104699: How to configure a Standalone machine to become a part of a Full HA cluster, but this is not supported in R80 versions.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events