Standalone Full HA deployment currently running 80.10. Firewalls are not in Production yet.
After simulating a failure to the active firewall and then opening SmartConsole, it opens up in Read-Only mode and I'm unable to make any policy changes whilst the standby firewall is running as the active firewall.
Why is this and how can it be resolved?
Am also from this believing that you point your SmartConsole at the CLUSTER IP rather than the individual member that is active.
What you MUST remember here is that in a Full HA solution you have running Mgmt HA and Gateway HA.
Just because the Gateway has failed over does not mean that the Management has.
This can happen (and I have seen people do this all too easily): they break the Management Synch as they fail the Cluster over (ie the Gateway), then use the Cluster IP to login to SmartConsole, promote the Standby Management to Active, which makes that Active but doesn't make the other Management part into Standby.
The way to stop this is to actually login to SmartConsole using the Member IP of the Firewall.
So you have your Cluster
Member 1 is Active for Gateway and Management
Member 2 is Standby for Gateway and Management
You run clusterXL_admin down on Member 1 which fails the Gateway over to Member 2 but will NOT fail the Management over.
So you now point the SmartConsole IP at Member 1 and login, and it will be Active and you can make policy changes.
Point the SmartConsole IP at Member 2 and login, and it will be Standby or Read-Only mode.
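To make the point above concrete, here is an added example (not from the thread or from Check Point) that reads a `cphaprob state` table from a ClusterXL member and reports which member is gateway-ACTIVE. The table is a constructed sample modelled on the R80.x layout after `clusterXL_admin down` on Member 1; note that nothing in it says anything about Management HA, which is exactly why the gateway state alone must not decide where SmartConsole is pointed.

```shell
#!/bin/sh
# Added example: parse a ClusterXL "cphaprob state" table.
# SAMPLE_STATE is a CONSTRUCTED sample (names, addresses, layout assumed),
# representing the cluster after "clusterXL_admin down" on Member 1.
SAMPLE_STATE='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  10.1.1.1        0%              DOWN           member1
2          10.1.1.2        100%            ACTIVE         member2'

# Member rows start with a numeric ID; State is the second-to-last field,
# Name the last. Blank and header lines are skipped via the NF guard.
gateway_active_member() {
    printf '%s\n' "$1" | awk 'NF >= 5 && $1 ~ /^[0-9]+$/ && $(NF-1) == "ACTIVE" { print $NF }'
}

# Gateway state of the member the command was run on ("(local)" marker).
local_member_state() {
    printf '%s\n' "$1" | awk 'NF >= 5 && $2 == "(local)" { print $(NF-1) }'
}

# Gateway state of a member given its Name column.
member_state() {
    printf '%s\n' "$1" | awk -v n="$2" 'NF >= 5 && $1 ~ /^[0-9]+$/ && $NF == n { print $(NF-1) }'
}

# Stand-alone usage: gateway role only; Management HA is tracked separately
# and does not move with the gateway failover shown here.
echo "gateway ACTIVE member : $(gateway_active_member "$SAMPLE_STATE")"
echo "local member state    : $(local_member_state "$SAMPLE_STATE")"
echo "Management HA state   : not shown by cphaprob; check it on the member you log in to"
```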
Fool HA deployment is a kind of last available resort if all money has run out.... I would not suggest that to anyone.
If it provides HA management and HA gateway, why is this deployment not recommended?
Because the Appliances are not really that good for Management purposes.
So you are taking away Gateway performance by having the Gateway and Management on 1 box. You are buying bigger gateways than you need to allow for the Gateway and Management performance to be acceptable.
You also get people that don't realize that the Management and Gateway HA are separate, so they point at the Cluster IP and then complain when the Mgmt Server synch is broken (had quite a few support calls with that).
If you MUST run with Full HA like this then would suggest that run
Gateway HA - Member 1 Active, Member 2 Standby
Mgmt HA - Member 1 Standby, Member 2 Active
Point your SmartConsole at the Member 2 IP address, NOT the Cluster address,
and remember that Mgmt and Gateway HA may not move together but are separate despite being installed on the same box.
I feel that they allowed this simply so those 1 to 2 page summary reviews show that you don't need a separate management server.
Have seen some reviews criticize it as not a WebUI driven product, as you have to install the SmartConsole as well.
About as good an idea as the Windows 7 Management Server idea that they went with. Thankfully they didn't move with Windows 8 and 10 for that.