Hi Team,
We have a Management server HA configured.
Both the management servers (A & B) are at different locations and connected through MPLS.
We have multiple gateways managed by these mgmt servers.
All the gateways are connected through Site-to-Site VPN.
Primary Mgmt server A is responsible for CA. This certificate is used for VPN tunnels authorization.
Our primary server A went down, we have made secondary server B as active and promoted it to primary, renewed VPN certificate but still we see the certificate of A.
I have a set of queries here:
1) When primary mgmt server A goes down, do we need to make secondary mgmt server B as active manually?
2) Since A is the Certificate authority, what happens for our VPN tunnels?
3) How do all the gateways come to know that primary A is dead and should reach to Secondary B?
4) Is there a policy installation required for all the gateways if there is a failover in mgmt server?
Management HA pair shares the same CA root certificate with the data of the original server details. There is no need to change that even if you changed Primary and Secondary role. Resetting ICA will invalidate all SIC and certificates signed with root.
Hi Phoneboy,
Thanks for the reply. We have promoted B server as a primary server and renewed the VPN certificate. Still it shows A server certificate.
If we regenerate the ICA with B server as a primary, which certificate will it show?
Or will it always show the first installed server certificate in either case (if A primary or with B as primary)?
Hi Valeri,
Thanks for the reply.
Currently server A is the certificate issuer, if we reset SIC or if we re-generate ICA (with B as primary), who will be the certificate issuer?
Hi Phoneboy,
Thanks for the reply.