Ihenock1011
Advisor

Management HA

Hi Team,

While studying Management HA for the CCSE exam, I came across a concept where the distinction between Primary-Secondary and Active-Standby wasn't entirely clear. If Active-Standby exists, what is the benefit of using Primary-Secondary in Check Point Security Management Servers (SMS)?

Thanks

8 Replies
the_rock
Legend

All you need to know is this...primary will ALWAYS be primary and secondary will ALWAYS be secondary, unless they are rebuilt. Either way can be active or standby...so say primary can be standby and secondary can be active

scenarios:

primary-active ... secondary-standby

primary-standby ... secondary-active

secondary-active... primary-standby

secondary-standby ... primary-active

Technically that's really 2, not 4 scenarios lol

Makes sense?

What is the benefit? I would say that's mostly used for large companies managing lots of firewalls across multiple regions, where having a redundant mgmt server is super important. If it's a smaller company, I would not bother... just my personal opinion.

Andy

Ihenock1011
Advisor

@the_rock Thanks for your response, but why is the primary-secondary model used, when other vendors offer active-active or active-standby configurations for high availability? What are the specific advantages of the primary-secondary model in Check Point Security Management Servers (SMS)?

the_rock
Legend

I only heard of such models for the firewalls, not the mgmt server. I believe Check Point always used it this way: primary and secondary, and then either one can be active or standby, as per your choice.

Andy

Chris_Atkinson
Employee

Comparatively only multi-domain offers load-sharing for active-active like management. 

Within this arrangement an individual management domain is only ever active in one place at a time however.

See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Multi-DomainSecurityManageme...

CCSM R77/R80/ELITE
Timothy_Hall
Legend

The designations of primary and secondary do not usually change.  Your first SMS is always the primary and any that come after are secondaries.  Secondaries can be manually promoted to become a primary, but the only time you'd usually do that is if the Primary was destroyed and there are no good backups.

Active and standby are designations that can definitely change due to the actions of an administrator.  At most sites the Primary is active and the Secondary is standby.  Assuming the two SMSs can see each other and sync is working you should never get into an active-active state which is called a collision.  Interestingly, both SMSs can be in standby mode at the same time without causing a problem.

All active vs. standby means is which system you need to connect into with the SmartConsole GUI to have read/write access to the configuration and install policies.  Acceptance of logs, and gateways fetching policies & CRLs continue to be allowed even on an SMS in standby state.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
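The rules in the reply above (primary/secondary is a fixed designation, active/standby is an administrative state, at most one active member, both standby is harmless, and a standby SMS still accepts logs and serves policy/CRL fetches) can be written down as a small model. The following is an added example, not code from the thread and not Check Point's own tooling; the class names, the operation labels such as `read_write` and `accept_logs`, and the `reachable` flag used to stand in for "the two SMSs cannot see each other" are this example's own assumptions.

```python
"""Toy model of Check Point Management HA role/state rules (added example,
not Check Point code). Roles (primary/secondary) are fixed unless a secondary
is manually promoted; states (active/standby) are set by an administrator."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple

PRIMARY, SECONDARY = "primary", "secondary"
ACTIVE, STANDBY = "active", "standby"

# Operation labels are this example's own summary of the reply above:
# a standby SMS still accepts logs and serves policy/CRL fetches, while
# read/write SmartConsole access and policy installation need the active one.
ALWAYS_SERVED = {"accept_logs", "fetch_policy", "fetch_crl"}
ACTIVE_ONLY = {"read_write", "install_policy"}


@dataclass
class Sms:
    name: str
    role: str               # PRIMARY or SECONDARY
    state: str = STANDBY    # ACTIVE or STANDBY
    reachable: bool = True  # False models a destroyed or isolated server (assumption)


class ManagementHa:
    def __init__(self, members: List[Sms]):
        if sum(m.role == PRIMARY for m in members) != 1:
            raise ValueError("exactly one primary SMS is required")
        self.members: Dict[str, Sms] = {m.name: m for m in members}

    def get(self, name: str) -> Sms:
        return self.members[name]

    def active(self) -> List[str]:
        return [m.name for m in self.members.values() if m.state == ACTIVE]

    def status(self) -> str:
        """'collision' if more than one member is active, 'no_active' if none
        (allowed, just nothing can be edited), otherwise 'ok'."""
        n = len(self.active())
        return "collision" if n > 1 else ("no_active" if n == 0 else "ok")

    def set_active(self, name: str) -> str:
        """Administrator makes `name` active. Members that can see the change
        drop to standby; an unreachable member keeps its old state, which is
        how an active-active collision arises. Returns the resulting status."""
        target = self.get(name)
        if not target.reachable:
            raise ValueError(f"{name} is not reachable")
        for m in self.members.values():
            if m is not target and m.reachable:
                m.state = STANDBY
        target.state = ACTIVE
        return self.status()

    def set_standby(self, name: str) -> str:
        """Both members standby at once is allowed; nothing else changes."""
        self.get(name).state = STANDBY
        return self.status()

    def permits(self, name: str, operation: str) -> bool:
        """Whether the named SMS serves `operation` in its current state."""
        m = self.get(name)
        if not m.reachable:
            return False
        if operation in ALWAYS_SERVED:
            return True
        if operation in ACTIVE_ONLY:
            return m.state == ACTIVE
        raise ValueError(f"unknown operation {operation!r}")

    def promote(self, name: str) -> None:
        """Manual promotion of a secondary to primary: the rare case where the
        primary is gone. Refused while the primary is still reachable."""
        primary = next(m for m in self.members.values() if m.role == PRIMARY)
        if primary.reachable:
            raise ValueError("primary still reachable; promotion not needed")
        target = self.get(name)
        if target.role != SECONDARY:
            raise ValueError(f"{name} is not a secondary")
        del self.members[primary.name]  # the destroyed primary leaves the set
        target.role = PRIMARY


def valid_two_member_states() -> List[Tuple[str, str]]:
    """All (primary_state, secondary_state) pairs that are not a collision."""
    return [(p, s) for p, s in product((ACTIVE, STANDBY), repeat=2)
            if not (p == ACTIVE and s == ACTIVE)]


if __name__ == "__main__":
    ha = ManagementHa([Sms("sms-a", PRIMARY, ACTIVE), Sms("sms-b", SECONDARY)])
    print(ha.status(), ha.permits("sms-b", "accept_logs"), ha.permits("sms-b", "read_write"))
    print(ha.set_active("sms-b"), ha.get("sms-a").state)
    print(valid_two_member_states())
```

The `reachable` flag is the interesting part: with it set on both members, `set_active` always leaves exactly one active member, matching the "you should never get into an active-active state" claim, and the collision only appears when the previously active member cannot be told to step down.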
PhoneBoy
Admin

Management HA and Gateway HA are very different problems and are implemented differently as a result. 

Gateways are largely dealing with synchronizing transient information about active connections passing through.
As such, synchronization needs to happen quickly in case of failure.
Further, gateways can be "active active" in a cluster (with ClusterXL Load Sharing or the upcoming ElasticXL in R82).
Also, at least in ClusterXL, there is no real distinction between cluster members, so either one could be primary.
In any case, failover is "automatic."

Management is dealing with persistent data that must be kept in sync between members.
It's also the kind of data that can't be changed in multiple places at the same time without potentially creating an issue.
Which means only one management node can generally be "active" at any given time with data synchronized to the backup node.
Further, there is no automatic failover with Management HA unlike with ClusterXL/ElasticXL. 
See also: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid... 

Hopefully that makes sense.

Amir_Senn
Employee

People have given very good answers here. I wanted to add a thing or two:

a. You can only have one primary SMS but you can have multiple secondary SMS if you wish.

b. The main idea for a secondary SMS is primarily backup and higher availability (every time the SMS needs to go down for anything), but it's not only a management server but a log server as well. Heavy logging could affect the performance of the server, so sending logs to the standby / distributing them between servers will result in better performance.

Kind regards, Amir Senn
the_rock
Legend

I learnt something new, never had a clue you could have multiple backup SMS... thank you for that info.

Andy
