This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ob1lan
Collaborator
‎2022-01-31 07:39 AM

Management HA and make the secondary primary for migration

Hi,

We currently have 2 management servers running R81.10, to manage our numerous gateways spread across the world. We created the second one to support our migration plan, as the datacenter hosting the Primary will be closed in 2 months.

So we are in a Management HA scenario. The Secondary lies in AWS, and is now the Active. This works great. Of course, when we tested to shutdown the Primary (or issue a cpstop), some issues occurred, with our IPSEC VPN for instance. We later understood it was because the Primary still holds the CA role, even if it's not the Active server.

We now need to validate how we could make the Secondary-Active to become the Primary-Active. And also safely shutdown and delete the server in the datacenter. So the goal is to only have the one in AWS eventually. 

Can I simply follow the steps in R81.10 Security Management Administration Guide, under title "Promoting a Secondary Management Server to Primary" ? The previous titles under this section are clearly for DR, which is not really our case here, so I won't be able to recover/reuse the current Primary management IP. Won't it be a problem for the CA or other roles ? 

Thanks for your advises.

Regards.

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2022-02-01 10:38 PM

You manually have to promote the secondary node to primary for changes to take effect.
You can then promote the old primary back following the same procedure.

Ob1lan
Collaborator
‎2022-02-02 12:36 AM
In response to PhoneBoy

Thanks for your answer @PhoneBoy , but how to handle the CRL URL that will change ?

If I have the new management server in AWS to become the Primary, it becomes the ICA, right ?

Currently if I check the CRL DP set on the certificates, it has an http URL with an IP that won't be assigned to the new mgmt. It also has a CN=ICA_CRL... 

How can I handle that to avoid any issue with the IPSEC/S2S VPN we have, and possibly SIC issues ?

Thanks !

0 Kudos
PhoneBoy
Admin
Admin
‎2022-02-02 01:25 AM
In response to Ob1lan

Correct, the new primary becomes the ICA.
I believe you will set the main IP of the secondary management server to the relevant elastic IP assigned to the instance that is reachable from the Internet.
That should resolve the various issues with SIC and VPN.

Ob1lan
Collaborator
‎2022-02-02 01:48 AM
In response to PhoneBoy

Thanks again @PhoneBoy . But will I have to renew the certificates so it updates the CRL Distribution Points, or is that not needed ?

0 Kudos
PhoneBoy
Admin
Admin
‎2022-02-02 02:00 AM
In response to Ob1lan

I believe a standard policy push will update everything properly.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events