This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DR_74
Collaborator
‎2024-03-01 10:38 PM
Jump to solution

VSX boot and management server

Hi

We are going to move one vsx gateway from one datacenter to another with all the it infra.(the other vsx gw is on another site)..

The management server may be down when the Gateway will be powered on because on a vm that will also be moved with the vsx

I was wondering if at boot time the vsx Gateway needs the management server to retrieve its policies or if it will boot with no policy at all as it can not reach the management.

Thanks

 

Labels
0 Kudos
1 Solution

Accepted Solutions
Bob_Zimmerman
Authority
Authority
‎2024-03-05 06:31 AM
In response to DR_74
Jump to solution

Alright. With a physical move of a set of servers, it's possible for drives to be damaged in transit, and it's possible for servers to not power back up after a while powered off (certain motherboard parts can fail progressively, so they may be fine continuing to run, but may not be able to handle the increased stress of booting from cold). As long as it powers on in the new location, and as long as the drives physically survived the trip, it will have all of its local files, including its local copy of all policies for all VSs. It can boot and run all policies without any connectivity to the management.

 

A lot of people also use the verb "move" to describe building a new VS on a completely different VSX cluster and deleting a corresponding VS on an old VSX cluster. I wanted to be absolutely sure that wasn't what you were planning. That's a dramatically more complicated process, and it absolutely requires the management server for the destination cluster to be up. If the destination cluster was managed by the management server VM you are moving to the new location, you wouldn't be able to build the new VSs until after the management was moved and working.

View solution in original post

0 Kudos
8 Replies
genisis__
Leader Leader
Leader
‎2024-03-02 07:35 AM
Jump to solution

It should attempt to connect to the manager, then use local policies.

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-03-02 01:06 PM
Jump to solution

Did you take a look here? https://community.checkpoint.com/t5/General-Topics/How-a-recovered-VSX-cluster-member-obtains-the-Se...

0 Kudos
DR_74
Collaborator
‎2024-03-04 01:16 AM
In response to CheckPointerXL
Jump to solution

Hi

thanks for the link.

This means that the gateway will boot with its previous policies if the Managment server is not up when the vsx starts? correct?

 

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-03-04 09:27 AM
Jump to solution

To confirm, what is this VSX gateway? A VM, a physical server, several VMs, several physical servers, or something else?

When you say you intend to move the VSX gateway, please describe that process in greater detail. Are we talking a forklift move where the existing VM(s) or physical server(s) will be shut down in one place, moved somewhere else, then powered on there?

"Moving" as in building new VSs on an existing VSX gateway at the new site and deleting them from the old site requires the management server be up.

0 Kudos
DR_74
Collaborator
‎2024-03-04 11:17 PM
In response to Bob_Zimmerman
Jump to solution

Hi Bob,

For me a VSX gateway is a Checkpoint hardware appliance on which we run Virstual System. In our case, we have 4 VS

So, we have 2 VSX gateways in a cluster xl with VSLS.

We need to stop one of the gateway and phisically move it to another datacenter. With this gateway we will also move all the IT infra (ESX, storage...) and the Checkpoint Management server (on a VM) will be moved as well.

What I am not sure at the moment, is if the ESX infra will be up when the VSX gateway will be powered on.

 

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-03-05 06:31 AM
In response to DR_74
Jump to solution

Alright. With a physical move of a set of servers, it's possible for drives to be damaged in transit, and it's possible for servers to not power back up after a while powered off (certain motherboard parts can fail progressively, so they may be fine continuing to run, but may not be able to handle the increased stress of booting from cold). As long as it powers on in the new location, and as long as the drives physically survived the trip, it will have all of its local files, including its local copy of all policies for all VSs. It can boot and run all policies without any connectivity to the management.

 

A lot of people also use the verb "move" to describe building a new VS on a completely different VSX cluster and deleting a corresponding VS on an old VSX cluster. I wanted to be absolutely sure that wasn't what you were planning. That's a dramatically more complicated process, and it absolutely requires the management server for the destination cluster to be up. If the destination cluster was managed by the management server VM you are moving to the new location, you wouldn't be able to build the new VSs until after the management was moved and working.

0 Kudos
DR_74
Collaborator
‎2024-03-05 06:36 AM
In response to Bob_Zimmerman
Jump to solution

Hello Bob,

Thanks a lot for clarification. That really makes sense for me now. Thank you

0 Kudos
Lesley
Leader Leader
Leader
‎2024-03-05 08:06 AM
In response to DR_74
Jump to solution

Keep this one in mind if you think MGMT will stay longer offline then 24 hours:

https://support.checkpoint.com/results/sk/sk100731

CRL check will fail, that could impact tunnels. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events