Paul_Warnagiris
Advisor

Is an open server backing up a Checkpoint appliance manager supported?

I know from experience you can use an open server to back up an appliance manager in HA.  I have done this in the past with a Smart1-205 and open server software.  The question I have is -- is it supported?  I talk to different SEs and I get different answers.   They range from it can be done and it's supported to it can't be done and it's not supported and everywhere in-between.  I tried to find the answer, but apparently the document is escaping me.

So the question is -- does Checkpoint support an appliance manager with an open server HA secondary?  Small or large?  Single domains and/or multi-domain?  Can you give me or point me to the official Checkpoint answer?

Thanks for your assistance.

Paul

11 Replies
Benoit_Verove
Contributor

Hi Paul,

According to sk39345, there is no restriction concerning the underlying platform. It is even mentioned: "Note: Management HA between a Virtual Machine in VMWare and a real physical machine was tested and supported."

Regards,

Benoit

Paul_Warnagiris
Advisor

Saw that as I was replying.  Thank you.

0 Kudos
Paul_Warnagiris
Advisor

Asked and answered by Pablo Suarez.  See this sk39345.  Thanks for your help Pablo.

Anthony_Joubai1
Contributor

Hi Paul,

As Benoit said, sk39345 does mention that Open Server and Vmware can be done on HA Management pair.

However, Open Server and Vmware are recognized the same way by the Check Point Database (they are both open servers).

On Check Point training, we always remind that a Management HA should be done only on the same platform, version, hotfix, etc.

Because even if sk39345 says Open_Server/Vmware yes, I don't think that Check Point Appliance/Vmware will be supported.

You may ask the owner of the SK to get all the scenarios.

Besides, I'll build a lab and try to see if it's technically possible first.


regards,

Anthony

0 Kudos
Paul_Warnagiris
Advisor

That is exactly it.  I have heard that exact thing that you say, but then I see things like sk39345 and then I hear different comments from different SEs.  I will ask one of my resources if they can clarify CP's official supported position on VMWare backing up hardware for management.  Thank you for your response.  I knew it was not as clear cut as that SK made it seem.  Maybe it is, but in my mind, from past conversations it isn't.

0 Kudos
Jerry
Mentor

hi Paul

just a quick one though:

1. what's the point of leveraging VM with physical HW if you can have 2 VMs on different ESXi's for example?

2. wouldn't it be easier to have VM + VM but dislocated as per the DR procedures to the different physical/logical location?

3. which HW will prove same capacity/performance as VM? did you manage to compare the resource allocation on both, as you know Management HA needs to be nearly "same spec" if you know what I mean.

4. I tried the same scenario a long time ago on R77.20 and ... failed due to the wrong VM resource allocation, so I gave up on this and built two different VMs - one in location A and a second one in location B. You know they don't really "mirror themselves" but sort of (kind of) support each other, don't they?

-jerry-

Jerry
0 Kudos
Paul_Warnagiris
Advisor

Hi Jerry.  I just saw your reply so thought I would answer your questions.  When you are designing of course you would do appliance+appliance or vm+vm.  However the question comes from when you first get into a customer site and they have existing HW.  Then they want redundancy, but don't want to pay for another appliance.  That is the root of the questions.  Hope that explains it.

Jerry
Mentor

Absolutely Paul, sure I got that.

Cheers and thanks for the explanation.

Jerry

0 Kudos
G_W_Albrecht
Legend

Leaving aside the most dreaded Full management HA Deployment, this is basically a question concerning primary and backup SMS. Out of experience, this Management HA needs sync between the two SMS (one pit to fall in), and if the primary SMS is dead, promoting the backup SMS is not easy.

So in real life, SMS in a VM makes the most sense - apart from the GAiA Backup procedures and migrate export, I can easily have several VM Snapshots or VM clones that help to keep my data safe and my network running...

CCSE CCTE CCSM SMB Specialist
_Val_
Admin

After reading all comments, I would like to add the correct answer. Here we go:

You will have to have a separate MGMT license for your server. If you have it, the config where Primary Smart-1 appliance has a secondary Open Server SMS pair is 100% supported.  

One important note is: if you are trying to move a management license from Smart-1 to Open Server, this is a violation of EULA. 

Feel free to ask any further questions on the matter.

Vladimir
Champion

This scenario is actually pretty common.

I have seen a number of clients who originally invested in hardware management and later want to have redundancy added to it, but see no reason to splurge on another appliance and have VM environments with resources to spare.

The more mature their virtualization environment, the likelier clients are to adopt a VM solution for management.

And frankly, unless there are particular security requirements for segregation of the management from the rest of the infrastructure, it makes more sense to have it virtualized IMHO.

Very large dedicated appliances are the exception, but those are almost always destined to run MDS.
