Monitoring Check Point Devices Configured for High Availability

Add a Device

1. Add the active member of the HA configuration.

2. Get the server DN of the secondary HA member.

   1. Login to SmartCenter.
   2. Locate the management object (SmartCenter or CMA).
   3. Right-click the object and click View.
   4. In the General Properties tab of the object, click Test SIC status.

      The DN appears.

3. Go to https://<SecureTrack_IP>/tools, select Add Standby Check Point Management Server , and enter the configuration information:

   1. Primary management server ID - Enter the first HA member management_id from SecureTrack.
   2. Standby Management Server Details – information for the secondary HA member from step 2 above.
   3. Show result in html format – Select the checkbox to display the result in a browser (optional).
   4. Click submit.

   After completing these steps, SecureTrack should start connecting to the secondary server as well, and after that both members should be "Connected" (green icon).

   For more information on this SecureTrack tool, see Monitoring a Standby Check Point Management Server.

The primary server will receive all LEA/syslog change messages (Install\Save\Automatic) and the secondary member will get automatic revisions only.

Managing Failover

On failover (from inside the Check Point Policy > Management High Availability Server):

* For this example, server 1 is the primary server, server 2 is the standby, and we are now committing failover from server 1 to server 2.

1. Edit server 1 (Primary) , and clear these options topology option:

   • Collect traffic logs for rule usage analysis
   • Collect traffic logs for object usage analysis
   • Enable Topology
2. Edit server 2 (Secondary) and select the options that you cleared for server 1.
3. Install a new revision on the server 2 from the Check Point dashboard, and wait for SecureTrack to receive this change as "Install".

   Do not change the LEA/syslog configurations. They are configured automatically.