Sometimes there are requirements regarding redundancy and high availability. In most cases, firewalls are configured to act as a cluster. So if one cluster member fails, packets are still possible to pass the firewall. In this case, the firewall cluster has a virtual IP address that is addressed by the packets.
Check Point Management HA
Check Point offers not only firewall clusters but also redundant management. In this case, there are two management servers running as active and standby, respectively. The administrator connects to the active management server and makes changes to the firewall configuration. These changes are synchronized to the standby management server. If the active management server fails, the administrator can connect to the other management server to continue the work and install the policy on the firewalls. Regarding this situation, there are two different IP addresses the administrator connects to; no virtual cluster IP address is in use.
Management HA and SecureTrack
Tufin has supported Check Point Management HA for many years. After the first server is defined in Tufin SecureTrack, the second server is imported using the WebUI via "/tools". This is described in the Tufin Portal. Everything works as expected if only rule changes are tracked.
Restrictions of SecureTrack regarding rule metadata
Today's SecureTrack works with metadata for each rule. These metadata include further information about the rule, e.g. "last hit", "last modification date", "rule owner", etc. Many companies need information stored in the metadata, e.g. reference to a "ticket number" in SecureChange that is related to this rule or a "rule recertification date". This date can be set with e.g. the Rule Lifecycle Management (RLM) tool. Recertification is often required esp. for companies working in the finance sector.
When metadata are created or modified, they are written to the corresponding rule on the active Check Point Management server - and these data are not synchronized (by design). So if e.g. rule 2 has been certified until 2024, this information is stored on the active server only. After a failover the other management server becomes active - and rule 2 is not certified here. The same situation occurs if a rule is modified: Ticket information is stored on the active server only, and is not synchronized to the standby server.
Lesson Learned
Tufin SecureTrack doesn't support "modern features" like rule recertification or ticket information per rule if Check Point Management HA is deployed.
Update 26.11.2023:
AERAsec has developed a procedure to circumvent the restrictions of SecureTrack regarding rule metadata when using Check Point Management HA.
