This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dick_Summers
Contributor
‎2019-11-03 12:49 PM

790 appliance High Availability Configuration

790 WiFi appliance is in production with two Internet connections, and multiple defined objects and rules, local switch is defined and two WiFi segments, one guest and one with access to LAN.

I was advised to: 1) backup the existing 790 2) confirm both units have same firmware 3) flatten existing unit retaining existing firmware version 4) setup first unit as Primary HA 5) setup second unit as HA, 6) restore backup to newly created cluster to retain objects and rules.

When I restored the backup to the cluster, it brought back the objects and rules, but overwrote the cluster configuration and would not operate normally until the second unit was taken off line.

Question: Can I configure cluster from the existing device (with its rules and objects in place) by simply adding the second unit, or must I flatten the existing unit, create the cluster with both "bare" units, then recreate the objects and rules?

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2019-11-05 11:30 PM

I don't know for sure, but it seems reasonable to try it after taking a fresh backup first.
Once the cluster is established, the configuration should synchronize from primary to secondary.
HristoGrigorov
Mentor
Mentor
‎2019-11-06 05:33 AM
In response to PhoneBoy

No need to reset configuration on primary unit. You only need to complete First Time Configuration Wizard on secondary one (disable switch on LAN ports btw). Then connect sync cable. Proceed with configuring cluster on primary and then on secondary unit.

Make sure both units run the same firmware version. 

Dick_Summers
Contributor
‎2019-11-06 04:02 PM
In response to HristoGrigorov

Thanks for your input. I’ll give it a go this weekend.
0 Kudos
Dick_Summers
Contributor
‎2019-11-06 04:03 PM
In response to PhoneBoy

Thanks for your input, I’ll give it a go this weekdend.
0 Kudos
Dick_Summers
Contributor
‎2019-11-13 09:11 AM
In response to Dick_Summers

Thanks for your input.  When choosing "Configure Cluster" from High Availability, the device would not respond. After an hour with TAC and no solution, I'll start from scratch configuring the new 790 as primary, install Internet connections, objects, and rules, then configure it as the primary cluster member.

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2019-11-13 09:23 AM
In response to Dick_Summers

That's unfortunate to hear. There must be something really wrong to behave like that. Let us know what the outcome is.

0 Kudos
Dick_Summers
Contributor
‎2019-11-17 03:00 PM
In response to HristoGrigorov

I created the Primary member while off line, configured its objects, groups and rules, and brought it on line this morning as planned. I then reset the existing device to default settings with the same firmware, and ran the basic configuration. The cluster process worked as shown in the admin guide, without issues. After the cluster was created, I was able to create a WiFi for the LAN as well as a guest WiFi. Tests of the HA and ISP redundancy were successful. Thanks for the input.
0 Kudos
HristoGrigorov
Mentor
Mentor
‎2019-11-17 08:22 PM
In response to Dick_Summers

Happy to hear it. Although it could have been nice to find what the problem is. May be something in the local database was not right. 

0 Kudos
Dick_Summers
Contributor
‎2019-11-18 12:35 PM
In response to HristoGrigorov

Interestingly, this morning the client called and reported Internet access was (mostly) down as well as email flow to and from their internally hosted mail server.  The Sand Blast Threat Emulation. which would not activate yesterday,  was now active, and apparently was causing problems, as traffic returned to normal when the Threat Emulation was turned off.

In addition, the WiFi configurations had changed; the Guest WiFi that was configured yesterday was inactive, its access policy had changed to allow access to the local network, its interface configuration had changed, and the additional (Standard) WiFi that was created for LAN users access yesterday, was nowhere to be found.

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2019-11-18 07:54 PM
In response to Dick_Summers

I would start with checking /var/log/messages and /var/log/log/sfwd.elg. Also it is worth checking 'dmesg'. And look for possible *core* and *panic* files in /logs.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top