Solved: Management HA

MrSaintz · ‎2018-05-15

Hey there everyone!

With regards to Management HA, as anyone managed to find out where can we now check sync configuration settings, I can't find it in the Global Properties as before, so I wonder if anyone has seen this elsewhere.

Also, what is the best CLI command to check HA Sync status, cpmistat provides this, but shows a lot more information unrelated to this, and I think there must be something close to this in CLI, no?

Cheers to you all, congrats for the CheckMates 1st Anniversary,

Carlos Santos

G_W_Albrecht · ‎2018-05-17

R&D responded:

For R80.x, refer to: For single domain: "Management High Availability" section in the Check Point Security Management R80 Administration Guide For multi domain: "Working with High Availability" section in the Multi-Domain Security Management R80 Administration Guide. sk was modified accordingly.

Here we read:

Management High Availability uses the built-in revisions technology and allows the High Availability procedure to synchronize only the changes done since the last synchronization. This provides:
• Real-time updates between management peers
• Minimal effect on the management server resources.

Synchronizing Active and Standby Servers
At intervals, the Active server synchronizes with the standby server or servers, and when you publish the session. Sessions that are not published are not synchronized.

So we can assume that:

- Sync will occur with every published session, reminding of the "sync with policy install" option

- Real-time updates between management peers will occur, but no sync interval can be configured

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

G_W_Albrecht · ‎2018-05-15

On R80.10 Dashboard, you can find the Management High Availability... in the Menu (Top left). For CLi i know of no command.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

XavierBens · ‎2018-05-15

Hi Carlos Santos , when you say "can't find it in the Global Properties as before": does that mean you are now in R80 or R80.10?

CLI command: cpstat mg should be enough.

You'll have all information needed in the Management High Availability section of the Check Point Security Management Administration Guide R80.10 (or the one for R77.30).

Cybersecurity Evangelist, CISSP, CCSP, CCSM Elite

Vladimir · ‎2018-05-15

[Expert@SMS8010:0]# cpprod_util FwIsActiveManagement

0 - means Standby.
1 - means Active.

and

cpstat mg on both management servers:

SMS8010> cpstat mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 991140016
Is started: 1
Active status: active
Status: OK

SMS8010>

8888888888888888888888888888888888888888888

SMS8010b> cpstat mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 991140016
Is started: 1
Active status: standby
Status: OK

SMS8010b>

MrSaintz · ‎2018-05-15

Hi guys, thank you for the reply, sorry for any miss understanding.

My concern is not about state as for Active/Standby but about the Sync status(Syncronized/Lagging/Whatever), through the CLI, I mean.

About the GUI: I mean global properties where we could setup sync schedule policy:

Cheers,

Carlos

Carlos Santos

Vladimir · ‎2018-05-15

OK, I see what you mean.

I suspect that management ha has changed with R80.10 and that each time we publish, the changes are pushed to both/all members.

Would be nice to get a confirmation of this as well as figure out if there is a notification mechanism to alert us if standby is out of sync without looking into "Management HA" properties manually.

XavierBens · ‎2018-05-15

We can find in the sk54160‌ How to Configure Management HA , 'Synchronization Modes' chapter:

Important: This Synchronization Modes section is relevant only to pre-R80 releases.
In R80.x, there is a full sync option that user can initiate from SmartCenter, or automatic sync that runs in the background, and user cannot control its intervals, or stop it.

Maybe that's a part of the explanation.

Cybersecurity Evangelist, CISSP, CCSP, CCSM Elite

MrSaintz · ‎2018-05-16

Thank you, anyway, is there any idea about the intervals between each sync? I don't see that in the SK. It's not at publish for sure, because checking it's status right after I get Lagging, the base of this is to setup monitoring of the sync status and minimize errors due to sync schedule.

Carlos Santos

G_W_Albrecht · ‎2018-05-16

I have added the question as feedback to sk54160 How to Configure Management HA.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2018-05-17

R&D responded:

For R80.x, refer to: For single domain: "Management High Availability" section in the Check Point Security Management R80 Administration Guide For multi domain: "Working with High Availability" section in the Multi-Domain Security Management R80 Administration Guide. sk was modified accordingly.

Here we read:

Management High Availability uses the built-in revisions technology and allows the High Availability procedure to synchronize only the changes done since the last synchronization. This provides:
• Real-time updates between management peers
• Minimal effect on the management server resources.

Synchronizing Active and Standby Servers
At intervals, the Active server synchronizes with the standby server or servers, and when you publish the session. Sessions that are not published are not synchronized.

So we can assume that:

- Sync will occur with every published session, reminding of the "sync with policy install" option

- Real-time updates between management peers will occur, but no sync interval can be configured

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

ETEK_Internatio · ‎2020-06-08

Hello;

I have a problem with a client, where audit logs are appearing with localuser and an administration user who no longer works in the company, indicating that it synchronizes successfully with the active peer, validates users, and is no longer within the configuration , Is it possible to have a scheduled task or at the time of configuring the MGMT HA the user was involved in any update

Thanks.

G_W_Albrecht · ‎2020-06-09

I would suggest to contact TAC for this !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Are you a member of CheckMates?

Management HA