gemechisd
Contributor

Synchronization of gateways

We have 2 Check Point 7000 series appliances. We have configured them as a cluster. Last time the standby server hardware was unable to reboot, and now we are pushing policies on 1 gateway only.

  • I want to know what happens when the 2nd gateway gets fixed. Are the policies that are installed on the active gateway synchronized with the standby one?
PhoneBoy
Admin

When a gateway boots up, it will try to load one of the following policies in order:

  1. Gateway will fetch last compiled and installed policy from management
  2. If the gateway cannot reach the management, the gateway will use a locally cached copy of the last policy installed
  3. If no policy was installed, the policy is corrupt/compiled for the wrong version, or there is an issue with the firewall license, the gateway will load DefaultFilter, which blocks all traffic.

The much shorter answer is yes, but it pulls the current policy from management, not the other gateway.

gemechisd
Contributor

@PhoneBoy Thank you for the immediate response.

Which means when we start configuring the second gateway as a cluster with the one currently working, it will push the gateway from SMS?

PhoneBoy
Admin

If you restore from a system backup onto identical hardware, you shouldn't need to do anything special.
If you rebuild the cluster member from scratch, it's possible you may need to push policy from management, which you should probably do anyway just to confirm proper operation.

gemechisd
Contributor

@PhoneBoy 

Are there any steps to be followed during the process?

We have bought a new 7000 series device. Now we want to configure the new gateway (the standby cluster before) to the existing cluster.

So, how could we do that? Are there any steps to be followed?

PhoneBoy
Admin

Configure the OS settings the same as the one you're replacing it with.
You will need to reset SIC with the device and push policy.

gemechisd
Contributor

So that it will get all the policies installed on the active gateway, including static routes on GAIA, right?

Blason_R
Leader

Nope - configuration persisting to the device itself won't be recovered from a policy push like @PhoneBoy mentioned. Those settings either have to be restored from backup or manually from other service from clish with > show configuration and then picking up specific commands like changing the IP addresses of interfaces. You will get the routes though and other settings which can stay common on both the devices.

Like routes/snmp/users etc.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
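
An added example, not part of the original thread and not Check Point tooling: one way to compare saved `show configuration` output from the working member and the rebuilt member, listing the commands still to be copied over as the reply above describes. Both configuration excerpts and the list of per-member settings are constructed assumptions.

```python
import re

# Constructed `show configuration` excerpts (not from the thread): the working
# member and the freshly installed replacement.
ACTIVE_CFG = """\
# header comment (constructed)
set hostname fw-a
set interface eth1 ipv4-address 10.0.0.2 mask-length 24
set interface eth1 state on
set static-route 10.20.0.0/16 nexthop gateway address 10.0.0.254 on
set static-route default nexthop gateway address 192.0.2.1 on
set snmp agent on
set ntp active on
"""
REPLACEMENT_CFG = """\
set hostname fw-b
set interface eth1 ipv4-address 10.0.0.3 mask-length 24
set interface eth1 state on
set static-route default nexthop gateway address 192.0.2.1 on
set static-route 172.16.9.0/24 nexthop gateway address 10.0.0.254 on
"""

# Assumption: these settings legitimately differ per member and are set by hand.
PER_MEMBER = [re.compile(p) for p in (
    r"^set hostname ",
    r"^set interface \S+ ipv4-address ",
)]

def commands(cfg):
    """Return the set of whitespace-normalized commands, skipping comments and blanks."""
    out = set()
    for line in cfg.splitlines():
        line = " ".join(line.split())
        if line and not line.startswith("#"):
            out.add(line)
    return out

def shared(cfg):
    """Commands expected to be identical on both members."""
    return {c for c in commands(cfg) if not any(p.search(c) for p in PER_MEMBER)}

def drift(active_cfg, replacement_cfg):
    """Return (missing on replacement, present only on replacement), both sorted."""
    a, r = shared(active_cfg), shared(replacement_cfg)
    return sorted(a - r), sorted(r - a)

if __name__ == "__main__":
    missing, extra = drift(ACTIVE_CFG, REPLACEMENT_CFG)
    print("Apply on replacement:", *missing, sep="\n  ")
    print("Review (only on replacement):", *extra, sep="\n  ")
```

Entries in the second list deserve a look before policy is pushed, since a route that exists on only one member will change how traffic is forwarded after a failover.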
the_rock
Legend

To add to this, I also find that most of the time, for step 2 PhoneBoy mentioned, if the gateway can't "talk" to the management, it will usually load initial policy (though this usually may happen after major upgrade, which requires a reboot), which pretty much blocks everything, but unlike default filter, it would let you ssh and web UI, but only on default port 443, nothing else.

Andy
