McFlash
Explorer

Identities and EPG on standby

I hope there is someone who can give me some insight into this matter.

We have 6 clusters with a cloud connector to a couple of Cisco ACI APICs. We also use identities from an IDC connected to pxGrid and ISE. Furthermore, the firewalls get supplemental group information via LDAP from MS AD.

We just did an upgrade from R81.10 to R81.20, and for 2 of our clusters everything went great. All the EPGs were working and the identities were updated after failover. When we reached the third cluster we lost all the EPG and ID information, and everything was down for about 7 minutes, when we did a failback to R81.10. Everything started to work after that.

The information that I got from CP support is that Identity Awareness does not work during an MVC failover, and they also bundled EPGs via cloud connector/vSEC controller into that statement.

Last night we did a new failover, ran vsec_controller_cli and resent all associations to the cluster, and everything worked like a charm.

After that experience a few questions popped up. I have tried to search for an answer on CP Support, but I can't seem to find any, so I throw them out here and hope that someone can give me some info.

- Is there any way to see what information the standby node has on EPGs and identities before a failover?

- Does the standby have any information about EPGs and identities at all?

- Is that information synced during a "normal" failover, or does it start from scratch every time you do a failover?

- Why do you have to run the vsec_controller_cli stunt during an MVC upgrade failover and not during a hotfix upgrade ditto?

- Can you do a similar bulk job for identities from the IDC that does the same as vsec_controller_cli?

Regards

Gordon

0 Kudos
1 Reply
tomlev
Employee

Hi Gordon, the command that we use to verify CloudGuard Controller's identities on the GW is 'pdp m a' to monitor all, and 'pdp m ip <ip>' if you want to verify a specific IP address.

The identities should be synched between the members, but they do not survive a reboot.

What MGMT and GW version and JHF take do you have?

Did you install policy before vsec_controller_cli?

Did you see any GW update errors in SmartConsole logs? Try under

blade:"CloudGuard IaaS" AND severity:Critical


0 Kudos
