This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
gemechisd
Contributor
‎2022-11-10 09:17 AM
Jump to solution

Synchronization of gateways

We have 2 checkpoint 7000 series appliances. We have configured them as a cluster. Last time the standby server hardware unable to reboot and now we are pushing policies on 1 gateway only. 

  • I want to know what happens when the 2nd gateway gets fixed. Does the policies that are installed on the active gateway synchronized with the standby one?
0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2022-11-10 10:53 AM
Jump to solution

When a gateway boots up, it will try to load one of the following policies in order:

  1. Gateway will fetch last compiled and installed policy from management
  2. If the gateway cannot reach the management, the gateway will use a locally cached copy of the last policy installed
  3. If no policy was installed, the policy is corrupt/compiled for the wrong version, or there is an issue with the firewall license, the gateway will load DefaultFilter, which blocks all traffic.

The much shorter answer is yes, but it pulls the current policy from management, not the other gateway.

View solution in original post

PhoneBoy
Admin
Admin
‎2022-12-05 04:52 PM
In response to gemechisd
Jump to solution

Configure the OS settings the same as the one you're replacing it with.
You will need to reset SIC with the device and push policy.

View solution in original post

0 Kudos
(1)
8 Replies
PhoneBoy
Admin
Admin
‎2022-11-10 10:53 AM
Jump to solution

When a gateway boots up, it will try to load one of the following policies in order:

  1. Gateway will fetch last compiled and installed policy from management
  2. If the gateway cannot reach the management, the gateway will use a locally cached copy of the last policy installed
  3. If no policy was installed, the policy is corrupt/compiled for the wrong version, or there is an issue with the firewall license, the gateway will load DefaultFilter, which blocks all traffic.

The much shorter answer is yes, but it pulls the current policy from management, not the other gateway.

gemechisd
Contributor
‎2022-11-10 09:18 PM
In response to PhoneBoy
Jump to solution

@PhoneBoy Thank You for the immediate response. 

Which means when we start configuring the second gateway as a cluster with the one currently working it will push the gateway from SMS?

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-11 08:14 AM
In response to gemechisd
Jump to solution

If you restore from a system backup onto identical hardware, you shouldn't need to do anything special.
If you rebuild the cluster member from scratch, it's possible you may need to push policy from management, which you should probably do anyway just to confirm proper operation.

gemechisd
Contributor
‎2022-12-05 07:15 AM
In response to PhoneBoy
Jump to solution

@PhoneBoy 

Is there any steps to be followed during the process? 

 

We have bought a new 7000 series device. Now we want to configure the new gateway (the standby cluster before), to the existing cluster. 

 

So, how could we do that? If there is any steps to be followed?

0 Kudos
PhoneBoy
Admin
Admin
‎2022-12-05 04:52 PM
In response to gemechisd
Jump to solution

Configure the OS settings the same as the one you're replacing it with.
You will need to reset SIC with the device and push policy.

0 Kudos
(1)
gemechisd
Contributor
‎2022-12-05 09:11 PM
In response to PhoneBoy
Jump to solution

So that it will get all the policies installed on the active gateway including static routes on GAIA, Right?

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2022-12-05 09:57 PM
In response to gemechisd
Jump to solution

Nope - Configuration persisting to device itself wont be recovered from policy push like @PhoneBoy mentioned. Those settings either has to be restored from backup or manually from other service from clish with > show configuration and then picking up specific commands like changing the IP addresses of interfaces. You will get the routes though and other settings which can be stay common on both the devices.

Like routes/snmp/users etc.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-11-10 12:09 PM
Jump to solution

To add to this, I also find that most of the time, for step 2 phoneboy mentioned, IF gateway cant "talk" to the management, it will usually load initial policy (though this usually may happen after major upgrade, which requires a reboot), which pretty much block everything, but unlike default filter, it would let you ssh and web UI, but only on default port 443, nothing else.

Andy

Best,
Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events