This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2021-02-13 09:41 AM
Jump to solution

Forcing Primary Standby Management Server to become Active

Well, I have done it:)

Using recovery procedure, created and promoted the new Primary Management server from "migrate export" created on Secondary /Active.

Cleaned-up all of the remnants of the old Primary in SmartConsole and policies.

At the end, old primary was still visible in Management HA, so I've decided to toggle the only live server to "Standby" and to "Active" again, figuring that since it is the only one running, there is enough intelligence in the process not to lock myself out.

Well, it did set the server to Standby, but I am now stuck trying to get it to Active state:

Management_HA_Recovery_from_Secondary_Active_01.pngManagement_HA_Recovery_from_Secondary_Active_02.pngManagement_HA_Recovery_from_Secondary_Active_03.png

 

...as my connectivity to this server via SmartConsole is in a Read Only mode now.

 

2ndryMGMTpromoted> expert
Enter expert password:


Warning! All configurations should be done through clish
You are in expert mode now.

[Expert@2ndryMGMTpromoted:0]# grep Primary $CPDIR//registry/HKLM_registry.data
:Primary ("[4]1")


[Expert@2ndryMGMTpromoted:0]# cpstat mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 994000034
Is started: 1
Active status: standby
Status: OK


Connected clients
----------------------------------------------
|Client type|Administrator|Host|Database lock|
----------------------------------------------
----------------------------------------------


[Expert@2ndryMGMTpromoted:0]#

[Expert@2ndryMGMTpromoted:0]# api status

API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 20406
CPM Started 9010 Check Point Security Management Server is running and ready
FWM Started 8470
APACHE Started 7946

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 4434 (a non-default port)
When running mgmt_cli commands add '--port 4434'
When using web-services, add port 4434 to the URL

Profile:
------------
Machine profile: Medium env resources profile
CPM heap size:
API heap size:

 

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

[Expert@2ndryMGMTpromoted:0]#


For MDS, there is an option to force Standby to become active:
mgmt_cli make-server-active force true --domain <domain_name> --user <user_name> --password <password>

I cannot find corresponding option for Management server.

Can someone recommend a way out of this situation?

No TAC suggestions please: this is a lab environment.

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-02-15 08:40 AM
In response to Vladimir
Jump to solution

Try:

  1. # cpstop
  2. # cpprod_util FwSetActiveManagement 1
  3. # cpstart
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

9 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-02-15 01:13 AM
Jump to solution

Security Management R80.40 Administration Guide p.319:

To promote a Secondary Management Server to become the Primary Management Server
Before you start - make sure that the primary server is offline.
1. Set the Secondary server to Active.
2. On the Secondary Management Server that you will promote, run:
#$FWDIR/bin/promote_util
#cpstop
3. Remove the $FWDIR/conf/mgha* files. They contain information about the current Secondary
settings. These files will be recreated when you start the Check Point services.
4. Make sure you have a mgmtha license on the newly promoted server.
Note - All licenses must have the IP address of the promoted Security Management Server.
5. Run cpstart on the promoted server.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Vladimir
Champion
Champion
‎2021-02-15 06:57 AM
In response to G_W_Albrecht
Jump to solution

@G_W_Albrecht , the promotion part has happened earlier in the process:

"Using recovery procedure, created and promoted the new Primary Management server from "migrate export" created on Secondary /Active."

The "recovery procedure" I am referring to is the one you are describing.

It's what happened afterwards that is a problem: I was able to toggle the only operational server from "Active" to "Standby" and cannot flip it back.

It is still a promoted primary that I cannot force to become active.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-02-15 08:40 AM
In response to Vladimir
Jump to solution

Try:

  1. # cpstop
  2. # cpprod_util FwSetActiveManagement 1
  3. # cpstart
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Vladimir
Champion
Champion
‎2021-02-15 10:20 AM
In response to G_W_Albrecht
Jump to solution

Thank you!

This did the trick:)

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-02-15 10:52 AM
In response to Vladimir
Jump to solution

This is from sk34495: Changing the HA status of the Management station from command line 8)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Vladimir
Champion
Champion
‎2021-02-15 11:49 AM
In response to G_W_Albrecht
Jump to solution

Thanks!

I have no idea how I've missed that one: I've tried ~20 different queries.

The only thing that comes to mind is that they call SMS "Management Station" instead of Management Server, which I have always had problems with.

Going in my toolbox now:)

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-02-15 12:17 PM
In response to Vladimir
Jump to solution

The cpprod_util  is not a command used very frequently and poorly documented, too.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Vladimir
Champion
Champion
‎2021-02-16 09:02 AM
In response to G_W_Albrecht
Jump to solution

That's a shame, about it being poorly documented: I've just listed all the options it allows to be set and that's quite a list.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-02-16 09:32 AM
In response to Vladimir
Jump to solution

I also know this and i can see what a lot of the Get params mean. But a lot of what we see remains rather misterious:

Usage: cpprod_util [-e effective_version] funcname <arg>
Some of the functions require additional parameter(s),
some return integer char* or return 0/1 in status

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events