cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question
MrSaintz
Nickel

Management HA

Jump to solution

Hey there everyone!

With regards to Management HA, as anyone managed to find out where can we now check sync configuration settings, I can't find it in the Global Properties as before, so I wonder if anyone has seen this elsewhere.

Also, what is the best CLI command to check HA Sync status, cpmistat provides this, but shows a lot more information unrelated to this, and I think there must be something close to this in CLI, no?

Cheers to you all, congrats for the CheckMates 1st Anniversary,

Carlos Santos

Carlos Santos
Tags (1)
0 Kudos
1 Solution

Accepted Solutions

Re: Management HA

Jump to solution

R&D responded:

For R80.x, refer to: For single domain: "Management High Availability" section in the Check Point Security Management R80 Administration Guide For multi domain: "Working with High Availability" section in the Multi-Domain Security Management R80 Administration Guide. sk was modified accordingly.

Here we read:

Management High Availability uses the built-in revisions technology and allows the High Availability procedure to synchronize only the changes done since the last synchronization. This provides:
• Real-time updates between management peers
• Minimal effect on the management server resources.

Synchronizing Active and Standby Servers
At intervals, the Active server synchronizes with the standby server or servers, and when you publish the session. Sessions that are not published are not synchronized.

So we can assume that:

- Sync will occur with every published session, reminding of the "sync with policy install" option

- Real-time updates between management peers will occur, but no sync interval can be configured

9 Replies

Re: Management HA

Jump to solution

On R80.10 Dashboard, you can find the Management High Availability... in the Menu (Top left). For CLi i know of no command.

0 Kudos

Re: Management HA

Jump to solution

Hi Carlos Santos , when you say "can't find it in the Global Properties as before": does that mean you are now in R80 or R80.10?

CLI command: cpstat mg should be enough.

You'll have all information needed in the Management High Availability section of the Check Point Security Management Administration Guide R80.10 (or the one for R77.30).

Vladimir
Jade

Re: Management HA

Jump to solution

[Expert@SMS8010:0]# cpprod_util FwIsActiveManagement

0 - means Standby. 
1 - means Active.

and

cpstat mg on both management servers:

SMS8010> cpstat mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 991140016
Is started: 1
Active status: active
Status: OK


Connected clients
-------------------------------------------------------
|Client type |Administrator|Host |Database lock|
-------------------------------------------------------
|SmartConsole|admin |yvlprecision|false |
-------------------------------------------------------


SMS8010>

8888888888888888888888888888888888888888888

SMS8010b> cpstat mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 991140016
Is started: 1
Active status: standby
Status: OK


Connected clients
----------------------------------------------
|Client type|Administrator|Host|Database lock|
----------------------------------------------
----------------------------------------------


SMS8010b>

0 Kudos
MrSaintz
Nickel

Re: Management HA

Jump to solution

Hi guys, thank you for the reply, sorry for any miss understanding.

My concern is not about state as for Active/Standby but about the Sync status(Syncronized/Lagging/Whatever), through the CLI, I mean.

About the GUI: I mean global properties where we could setup sync schedule policy:

Cheers,

Carlos

Carlos Santos
Vladimir
Jade

Re: Management HA

Jump to solution

OK, I see what you mean.

I suspect that management ha has changed with R80.10 and that each time we publish, the changes are pushed to both/all members.

Would be nice to get a confirmation of this as well as figure out if there is a notification mechanism to alert us if standby is out of sync without looking into "Management HA" properties manually.

Re: Management HA

Jump to solution

We can find in the sk54160‌ How to Configure Management HA , 'Synchronization Modes' chapter:

Important: This Synchronization Modes  section is relevant only to pre-R80 releases.

In R80.x, there is a full sync option that user can initiate from SmartCenter, or automatic sync that runs in the background, and user cannot control its intervals, or stop it.

Maybe that's a part of the explanation.

MrSaintz
Nickel

Re: Management HA

Jump to solution

Thank you, anyway, is there any idea about the intervals between each sync? I don't see that in the SK. It's not at publish for sure, because checking it's status right after I get Lagging, the base of this is to setup monitoring of the sync status and minimize errors due to sync schedule.

Carlos Santos
0 Kudos

Re: Management HA

Jump to solution

I have added the question as feedback to sk54160 How to Configure Management HA.

Re: Management HA

Jump to solution

R&D responded:

For R80.x, refer to: For single domain: "Management High Availability" section in the Check Point Security Management R80 Administration Guide For multi domain: "Working with High Availability" section in the Multi-Domain Security Management R80 Administration Guide. sk was modified accordingly.

Here we read:

Management High Availability uses the built-in revisions technology and allows the High Availability procedure to synchronize only the changes done since the last synchronization. This provides:
• Real-time updates between management peers
• Minimal effect on the management server resources.

Synchronizing Active and Standby Servers
At intervals, the Active server synchronizes with the standby server or servers, and when you publish the session. Sessions that are not published are not synchronized.

So we can assume that:

- Sync will occur with every published session, reminding of the "sync with policy install" option

- Real-time updates between management peers will occur, but no sync interval can be configured