Ari_who
Explorer

Using HA MGMT in a virtual environment

Hi all,

 

OS: Gaia R81.20

Environment: Maestro + VSX 

 

We have two management servers running as an active-passive HA, and both are VMs, running on a vCenter.

The vCenter servers are in two physically separate locations: one is a DataCenter, and one a DR.

In case of failover to the DR, the entire vCenter will be available there, including the Check Point Management server, as it's being replicated all the time in a hot backup.

Since there's plenty of redundancy through the vCenter, is there any point in also having a secondary Management server in this case?

Or did I miss something...

 

Thanks in advance!


Accepted Solutions
Chris_Atkinson
MVP Gold CHKP

It entirely depends on the types of failures that you are attempting to guard against and what interdependencies / risks you choose to accept.

  • With VSX there is greater importance on the Management than other deployment scenarios.
  • VMotion is not supported by the Check Point Management platform.
  • Would different/additional teams be involved in any recovery efforts?
  • Are the machines currently in different IP subnets from a routing perspective?

CCSM R77/R80/ELITE

the_rock
MVP Gold

To me personally, but again it's just my honest opinion, I would never bother with mgmt HA in such a scenario, because if there is constant replication on the vCenter side, you don't really have a need for another server.

Just my 2 cents.

Andy

Vincent_Bacher
Advisor

If I understand the question correctly, are you asking whether a second management server is required for each data center?
Then my answer is: No.
We also only have one MDS per data center.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

Lesley
MVP Gold

One thing to keep in mind is the CRL check. Default is 24 hours. This is for VPN tunnels only from Check Point towards other CPs on the same mgmt! If mgmt is down too long, firewalls cannot do the CRL check. (CRL check can be disabled, not secure.)

HA mgmt could be handy if you have frequent changes on the system. If the system is allowed to be down a couple of hours, I would not invest in HA mgmt.

-------
Please press "Accept as Solution" if my post solved it 🙂

6 Replies
Vincent_Bacher
Advisor

Out of curiosity: What is MVP ?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
the_rock
MVP Gold

I know in sports it stands for most valuable player, but I believe in community context it means most valuable professional...I THINK : - )

Andy

