How to rebuild a Full HA cluster after primary member fails and backup is not available

Solution ID sk61580
Product ClusterXL, Security Management, Power-1, UTM-1, Security Gateway, Enterprise Appliances, Data Center Security Appliances
Version All
OS SecurePlatform, SecurePlatform 2.6, Gaia
Platform / Model Power-1, UTM-1, 2000, 3000, 4000, 5000, 12000, 13000, 15000, 21000, 23000
Date Created 29-mar-2011
Last Modified 07-sep-2017

Solution
Procedure:

1. Restore the failed cluster member to Factory Defaults. This can be performed by accessing the Boot Menu from the console, or from the hardware buttons on the front of the appliance.

2. Go through the First Time Configuration Wizard in SecurePlatform WebUI / Gaia Portal. Be sure to choose the following:

   - A new and unique name to represent the rebuilt cluster member, to avoid problems with the objects database and the ICA
   - "Locally managed"
   - "Secondary Management"

You can refer to the step-by-step instructions in the "How To Install UTM-1 Appliances with Full HA" document.

3. Input the desired SIC key. This key will be used later in SmartDashboard when establishing SIC (communication will not be established until the rebuilt cluster member is at the same version as its peer).

4. Complete all steps in First Time Configuration in SecurePlatform WebUI / Gaia Portal, and reboot the rebuilt cluster member.

5. Upgrade the rebuilt cluster member to the same version as its peer (this step can be omitted if both members are already at the same version).

6. On the working cluster member (the one that did not fail), promote the Security Management Server from Secondary to Primary:

[Expert@Working_Secondary]# promote_util

7. Connect with SmartDashboard to the working cluster member (the one that did not fail - now the Primary Security Management Server) - go to 'Policy' menu - click on 'Management High Availability' - check if the status has changed from Secondary to Primary.

If the status of this member has changed to 'Primary', then skip to Step 12 below.

Otherwise, continue to the next Step 8.

8. On the working cluster member (the one that did not fail), stop all Check Point services:

[Expert@Working_now_Primary]# cpstop

9. On the working cluster member (the one that did not fail), backup the current $FWDIR/conf/objects_5_0.C file:

[Expert@Working_now_Primary]# cp $FWDIR/conf/objects_5_0.C $FWDIR/conf/objects_5_0.C_BACKUP

10. On the working cluster member (the one that did not fail), manually edit the $FWDIR/conf/objects_5_0.C file in the vi editor as follows:

A. Change the attributes of the failed cluster member - former Primary Management Object
(Note: change all instances of the mentioned attributes):

   i. from:

      :Deleteable (false)

      to:

      :Deleteable (true)

   ii. from:

      :primary_management (true)

      to:

      :primary_management (false)
Example of default configuration for the Primary Management Object in $FWDIR/conf/objects_5_0.C:

.....................................
    : (CLUSTER-MEMBER-PRI
        :AdminInfo (
            :chkpf_uid ("{...}")
            :ClassName (utm_cluster_member)
            :table (network_objects)
            :LastModified (
                :Time ("Wed Jan 18 17:05:05 2012")
                :last_modified_utc (1326906305)
                :By (admin)
                :From (...)
            )
            :Deleteable (false)
            :icon ("NetworkObjects/CheckPoint/Clusters/Cluster_member_mgmt")
            :Wiznum (-1)
        )
.....................................
        :primary_management (true)
.....................................
    )

B. Change the attributes of the current Secondary Management Object (the working cluster member that did not fail)
(Note: change all instances of the mentioned attributes):

   i. from:

      :Deleteable (true)

      to:

      :Deleteable (false)

      Note: If this attribute does not exist, then add it.

   ii. from:

      :primary_management (false)

      to:

      :primary_management (true)

Example of default configuration for the Secondary Management Object in $FWDIR/conf/objects_5_0.C:

.....................................
    : (CLUSTER-MEMBER-SEC
        :AdminInfo (
            :chkpf_uid ("{...}")
            :ClassName (utm_cluster_member)
            :table (network_objects)
            :LastModified (
                :Time ("Wed Jan 18 17:05:05 2012")
                :last_modified_utc (1326906305)
                :By (admin)
                :From (...)
            )
            :Deleteable (true)
            :icon ("NetworkObjects/CheckPoint/Clusters/Cluster_member_mgmt")
            :Wiznum (-1)
        )
.....................................
        :primary_management (false)
.....................................
    )

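The hand edit in Step 10 is easy to get wrong on a large objects_5_0.C (the attributes occur more than once per object, and :Deleteable may be missing from the Secondary object entirely). The script below is an added example, not Check Point tooling and not part of sk61580: it locates each cluster member object by name, tracks the parenthesis nesting so only that object's lines are touched, flips every :Deleteable / :primary_management it finds, inserts :Deleteable into AdminInfo when the attribute is absent, and then confirms that exactly one object is still flagged :primary_management (true). The object names CLUSTER-MEMBER-PRI and CLUSTER-MEMBER-SEC come from the article's example; SAMPLE is a constructed, abbreviated stand-in for the real file (an assumption, not a real file). Run it against a copy of the file after taking the backup in Step 9, with cpstop already done as in Step 8.

```python
"""Added example for Step 10 of sk61580 (not Check Point's own tooling).

Flips :Deleteable and :primary_management for the two cluster member objects
in an objects_5_0.C text as the article describes, adding :Deleteable to the
Secondary object's AdminInfo when absent, then verifies exactly one primary.
Object names are taken from the article's example; SAMPLE is constructed.
"""
import re

# Constructed, abbreviated objects_5_0.C fragment (real files are far larger).
SAMPLE = """\
\t: (CLUSTER-MEMBER-PRI
\t\t:AdminInfo (
\t\t\t:chkpf_uid ("{...}")
\t\t\t:ClassName (utm_cluster_member)
\t\t\t:Deleteable (false)
\t\t)
\t\t:primary_management (true)
\t)
\t: (CLUSTER-MEMBER-SEC
\t\t:AdminInfo (
\t\t\t:chkpf_uid ("{...}")
\t\t\t:ClassName (utm_cluster_member)
\t\t)
\t\t:primary_management (false)
\t)
"""

# "\t: (NAME" opens a named object; ":key (true|false)" is a boolean attribute.
OBJ_START = re.compile(r"^\s*: \(([^\s()]+)\s*$")
BOOL_ATTR = re.compile(r"^(\s*):(\w+) \((true|false)\)\s*$")


def paren_delta(line):
    """Net nesting change for one line, ignoring parentheses inside quotes."""
    delta, in_quote = 0, False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == "(":
            delta += 1
        elif not in_quote and ch == ")":
            delta -= 1
    return delta


def find_object(lines, name):
    """Return (first, last) line indexes of the block defining object `name`."""
    for i, line in enumerate(lines):
        m = OBJ_START.match(line)
        if m and m.group(1) == name:
            depth = 0
            for j in range(i, len(lines)):
                depth += paren_delta(lines[j])
                if depth == 0:
                    return i, j
            raise ValueError("unbalanced parentheses in object %s" % name)
    raise KeyError("object %s not found" % name)


def set_flags(lines, name, deleteable, primary):
    """Rewrite every :Deleteable / :primary_management inside `name` in place."""
    first, last = find_object(lines, name)
    admin_info, seen_deleteable = None, False
    for i in range(first, last + 1):
        if lines[i].strip() == ":AdminInfo (":
            admin_info = i
        m = BOOL_ATTR.match(lines[i])
        if not m:
            continue
        indent, key, _ = m.groups()
        if key == "Deleteable":
            lines[i] = "%s:Deleteable (%s)" % (indent, str(deleteable).lower())
            seen_deleteable = True
        elif key == "primary_management":
            lines[i] = "%s:primary_management (%s)" % (indent, str(primary).lower())
    if not seen_deleteable:  # article: "If this attribute does not exist, then add it."
        if admin_info is None:
            raise ValueError("object %s has no AdminInfo block" % name)
        indent = re.match(r"\s*", lines[admin_info]).group(0) + "\t"
        lines.insert(admin_info + 1, "%s:Deleteable (%s)" % (indent, str(deleteable).lower()))


def promote(text, old_primary, new_primary):
    """Return the file text with the old Primary demoted and the Secondary promoted."""
    lines = text.splitlines()
    set_flags(lines, old_primary, deleteable=True, primary=False)   # Step 10.A
    set_flags(lines, new_primary, deleteable=False, primary=True)   # Step 10.B
    return "\n".join(lines) + "\n"


def primary_members(text):
    """Names of objects carrying :primary_management (true); expect exactly one."""
    found, stack, depth = [], [], 0
    for line in text.splitlines():
        m = OBJ_START.match(line)
        if m:
            stack.append((m.group(1), depth))
        a = BOOL_ATTR.match(line)
        if a and a.group(2) == "primary_management" and a.group(3) == "true" and stack:
            found.append(stack[-1][0])
        depth += paren_delta(line)
        while stack and depth <= stack[-1][1]:
            stack.pop()
    return found


if __name__ == "__main__":
    edited = promote(SAMPLE, "CLUSTER-MEMBER-PRI", "CLUSTER-MEMBER-SEC")
    print(edited)
    print("primary management object(s):", primary_members(edited))
```

If primary_members() returns anything other than the single working member's name, do not proceed to Step 11: either an attribute was missed or the file still names the failed member as primary, and running cpprod_util FwSetPrimary against an inconsistent database is exactly the situation the backup in Step 9 exists to recover from.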
11. On the working cluster member (the one that did not fail), manually change the configuration of the Security Management Server from Secondary to Primary by running these commands in Expert mode (in the given order):

[Expert@Working_now_Primary]# cpprod_util FwSetPrimary 1
[Expert@Working_now_Primary]# cpprod_util CPPROD_SetValue SIC ICAState 4 3 1
[Expert@Working_now_Primary]# ckp_regedit -d //SOFTWARE//CheckPoint//SIC OTP
[Expert@Working_now_Primary]# ckp_regedit -d //SOFTWARE//CheckPoint//SIC ICAip

12. On the working cluster member (the one that did not fail), stop all Check Point services:

[Expert@Working_now_Primary]# cpstop

13. On the working cluster member (the one that did not fail), delete these files:

[Expert@Working_now_Primary]# rm $FWDIR/conf/mgha/*

Note: these files will be regenerated when Management Synchronization reinitializes.

14. Make sure you have the correct licenses applied on both cluster members.

The recommended way to manage licenses is the SmartUpdate GUI connected to the Primary Security Management.

Another way to manage licenses is the command line on each cluster member, using the 'cplic' command (for more details, refer to the Rxx Command Line Interface Reference Guide on the Check Point web site).

15. On the working cluster member (the one that did not fail), start all Check Point services:

[Expert@Working_now_Primary]# cpstart

16. Connect with SmartDashboard to the working cluster member (the one that did not fail), which is now the new Primary Security Management.
Remove all references to the old failed Primary cluster member object from the Security rules and from the NAT rules.
Delete the object of the old failed Primary cluster member.

17. Open the cluster object - make sure that the correct version appears in the 'General Properties' pane.

18. In cluster object - go to 'Cluster Members' pane - add the new rebuilt cluster member (Add... - New Cluster Member...).

19. Establish SIC using the key that was defined in First Time Configuration Wizard, and test SIC communication.

20. Save all changes ('File' menu - Save).

21. Install policy onto this cluster object.

22. On each cluster member, check the member's cluster state (both members must agree on their states):

[Expert@HostName]# cphaprob state

23. Allow time for the initial Management Database synchronization to complete.

24. Connect with SmartDashboard to the rebuilt cluster member - go to 'Policy' menu - click 'Management High Availability', and manually synchronize the machines - to transfer the configuration from the working cluster member (the one that did not fail) to the rebuilt cluster member.

25. If after a few minutes, it is still not possible to access the 'Management High Availability', then:

A. Perform manual cluster fail-over from the working cluster member (the one that did not fail) to the rebuilt cluster member (refer to sk55081):

[Expert@Working_now_Primary]# clusterXL_admin down

B. Reboot the working cluster member (the one that did not fail):

[Expert@Working_now_Primary]# reboot

After the rebooted working cluster member comes back online, it should be possible to access the 'Management High Availability' and synchronize the machines.

Note: The original Certificate Authority will be retained with this method. Consequently, SIC will not be broken with managed devices.

Applies To:
NGX R65 with Messaging Security, R70, and above

©1994-2018 Check Point Software Technologies Ltd. All rights reserved.