This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
P_Williams
Contributor
‎2024-12-10 08:54 AM
Jump to solution

Installing Policies on an HA cluster one member at a time

We have some soon-to-be-replaced 23000 gateways running r80.40 take 211 in a cluster. In the last few months it has become increasingly difficult to install policy updates on the firewalls with typically the active member of the cluster failing to install the policy and therefore the whole installation fails. I have tried failing over onto the standby and pushing policy and again it will still fail on the new active firewall.

Is a temporary tactic to uncheck the box 'For gateway clusters, if installation on a cluster member fails, do not install on that cluster' and have the install succeed on the standby member, then failover to the standby member, then push the policy again and this time it should then succeed on the new standby firewall? Thereby the new policy is installed on both firewalls.

We have the new firewalls in place and are being built by Checkpoint PS, but with the Christmas change freeze about to start we are not in a position to start using the new firewalls before Jan but we need to make minor changes to the policy.

Labels
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-12-10 12:49 PM
Jump to solution

I believe you can do this, yes.
Note this is something that ElasticXL "fixes" insofar as policy installation happens to the SMO only, which is responsible for copying the policy to the other members.

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2024-12-10 12:49 PM
Jump to solution

I believe you can do this, yes.
Note this is something that ElasticXL "fixes" insofar as policy installation happens to the SMO only, which is responsible for copying the policy to the other members.

0 Kudos
P_Williams
Contributor
‎2024-12-12 01:19 AM
In response to PhoneBoy
Jump to solution

Accepting this as it was the first response. I have now tried the method and it worked. I think the two firewalls had different policies for less than 10 minutes.

I will look into the other methods listed here as well. I think though as it is an old setup about to be pulled out I dont really want to start trying out something new, but something to look into for the new environment should there be similar issues.

Thank you all for your help.

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-12-10 04:01 PM
Jump to solution

This is indeed a workaround for this issue

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
kamilazat
Advisor
‎2024-12-11 10:34 PM
Jump to solution

What about doing fw fetch -m individually on cluster members? If I recall correctly, it pulls the policy from the server that is defined in masters file and writes it to kernel individually. But I'm not sure about the sync between members after that point. Maybe someone can add to it.

0 Kudos
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-12-11 10:44 PM
In response to kamilazat
Jump to solution

Indeed fw fetch <Security Management Server name> will also work: 

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_CLI_ReferenceGuide/Content/Topics-... 

 

Seems the -c flag also allows to fetch policy from a Cluster member

0 Kudos
kamilazat
Advisor
‎2024-12-11 10:57 PM
In response to Tal_Paz-Fridman
Jump to solution

Hypothetically, let's say that I did it with -m flag and forgot to do the same on the other member. Will the policies ever get synced between members, or do I need to come back and do a -c anyway?

0 Kudos
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-12-12 12:03 AM
In response to kamilazat
Jump to solution

Not sure you even need the -m flag

But yes, you can either fetch the policy (on the other cluster member) directly from the Security Management Server or from the other cluster using -c 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events