MrSaintz
Contributor

Management HA

Hey there everyone!

With regards to Management HA, has anyone managed to find out where we can now check sync configuration settings? I can't find it in the Global Properties as before, so I wonder if anyone has seen this elsewhere.

Also, what is the best CLI command to check HA Sync status? cpmistat provides this, but shows a lot more information unrelated to this, and I think there must be something close to this in CLI, no?

Cheers to you all, congrats for the CheckMates 1st Anniversary,

Carlos Santos

0 Kudos
11 Replies
G_W_Albrecht
Legend

On R80.10 Dashboard, you can find the Management High Availability... in the Menu (top left). For CLI I know of no command.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
XBensemhoun
Employee

Hi Carlos Santos, when you say "can't find it in the Global Properties as before": does that mean you are now in R80 or R80.10?

CLI command: cpstat mg should be enough.

You'll have all information needed in the Management High Availability section of the Check Point Security Management Administration Guide R80.10 (or the one for R77.30).

Information Security enthusiast, CISSP, CCSP
Vladimir
Champion

[Expert@SMS8010:0]# cpprod_util FwIsActiveManagement

0 - means Standby. 
1 - means Active.

and

cpstat mg on both management servers:

SMS8010> cpstat mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 991140016
Is started: 1
Active status: active
Status: OK


Connected clients
-------------------------------------------------------
|Client type |Administrator|Host |Database lock|
-------------------------------------------------------
|SmartConsole|admin |yvlprecision|false |
-------------------------------------------------------


SMS8010>

8888888888888888888888888888888888888888888

SMS8010b> cpstat mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 991140016
Is started: 1
Active status: standby
Status: OK


Connected clients
----------------------------------------------
|Client type|Administrator|Host|Database lock|
----------------------------------------------
----------------------------------------------


SMS8010b>

0 Kudos
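
An added example, not part of the post above: a shell check over `cpstat mg` output captured from both Management HA peers, using the field names visible in that output. The two captures are constructed samples trimmed to the key/value lines, and the function names are hypothetical; the quoted output carries the role and Status fields only, so this verifies role and health, not the Synchronized/Lagging state.

```shell
#!/bin/sh
# Added example: evaluate `cpstat mg` output captured from two Management HA peers.
# Field names are taken from the output quoted in the post above; the two
# captures below are constructed samples, trimmed to the key/value lines.

PEER_A='Product Name: Check Point Security Management Server
Build number: 991140016
Is started: 1
Active status: active
Status: OK'

PEER_B='Product Name: Check Point Security Management Server
Build number: 991140016
Is started: 1
Active status: standby
Status: OK'

# mg_field OUTPUT FIELD: print the value of the first "FIELD: value" line.
mg_field() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" \
        '$1 == key { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# ha_check OUT1 OUT2: print one verdict line; return 0 only when healthy.
ha_check() {
    r1=$(mg_field "$1" "Active status"); r2=$(mg_field "$2" "Active status")
    s1=$(mg_field "$1" "Status");        s2=$(mg_field "$2" "Status")
    b1=$(mg_field "$1" "Build number");  b2=$(mg_field "$2" "Build number")

    if [ -z "$r1" ] || [ -z "$r2" ]; then
        echo "UNKNOWN: no Active status field (cpstat failed or peer unreachable)"; return 1
    fi
    case "$r1/$r2" in
        active/standby|standby/active) ;;
        active/active) echo "CRITICAL: both peers report active"; return 1 ;;
        *) echo "CRITICAL: no active peer ($r1/$r2)"; return 1 ;;
    esac
    if [ "$s1" != "OK" ] || [ "$s2" != "OK" ]; then
        echo "WARNING: Status is $s1/$s2"; return 1
    fi
    if [ "$b1" != "$b2" ]; then
        echo "WARNING: build mismatch $b1 vs $b2"; return 1
    fi
    echo "OK: roles $r1/$r2, Status OK on both, build $b1"
}

ha_check "$PEER_A" "$PEER_B"
```
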
MrSaintz
Contributor

Hi guys, thank you for the reply, sorry for any misunderstanding.

My concern is not about state as for Active/Standby but about the Sync status (Synchronized/Lagging/Whatever), through the CLI, I mean.

About the GUI: I mean global properties where we could set up sync schedule policy:

Cheers,

Carlos

Carlos Santos
Vladimir
Champion

OK, I see what you mean.

I suspect that management ha has changed with R80.10 and that each time we publish, the changes are pushed to both/all members.

Would be nice to get a confirmation of this as well as figure out if there is a notification mechanism to alert us if standby is out of sync without looking into "Management HA" properties manually.

XBensemhoun
Employee

We can find in the sk54160 How to Configure Management HA, 'Synchronization Modes' chapter:

Important: This Synchronization Modes section is relevant only to pre-R80 releases.

In R80.x, there is a full sync option that user can initiate from SmartCenter, or automatic sync that runs in the background, and user cannot control its intervals, or stop it.

Maybe that's a part of the explanation.

Information Security enthusiast, CISSP, CCSP
MrSaintz
Contributor

Thank you. Anyway, is there any idea about the intervals between each sync? I don't see that in the SK. It's not at publish for sure, because checking its status right after, I get Lagging. The basis of this is to set up monitoring of the sync status and minimize errors due to sync schedule.

Carlos Santos
0 Kudos
G_W_Albrecht
Legend

I have added the question as feedback to sk54160 How to Configure Management HA.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

R&D responded:

For R80.x, refer to:
• For single domain: "Management High Availability" section in the Check Point Security Management R80 Administration Guide
• For multi domain: "Working with High Availability" section in the Multi-Domain Security Management R80 Administration Guide.

sk was modified accordingly.

Here we read:

Management High Availability uses the built-in revisions technology and allows the High Availability procedure to synchronize only the changes done since the last synchronization. This provides:
• Real-time updates between management peers
• Minimal effect on the management server resources.

Synchronizing Active and Standby Servers
At intervals, the Active server synchronizes with the standby server or servers, and when you publish the session. Sessions that are not published are not synchronized.

So we can assume that:

- Sync will occur with every published session, reminding of the "sync with policy install" option

- Real-time updates between management peers will occur, but no sync interval can be configured

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
ETEK_Internatio
Explorer

Hello;

I have a problem with a client, where audit logs are appearing with localuser and an administration user who no longer works in the company, indicating that it synchronizes successfully with the active peer, validates users, and is no longer within the configuration. Is it possible to have a scheduled task, or that at the time of configuring the MGMT HA the user was involved in any update?

Thanks.

0 Kudos
G_W_Albrecht
Legend

I would suggest contacting TAC for this!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
