IBM Security Guardium

Hi Everyone,

Is it possible to promote Backup CM as a Primary CM for failover testing and again shall we revert it?
Here are some doubts about above question:

1. Is it possible without making down Primary CM to promote Backup as Primary one?
2. If at all Backup CM is promoted as Primary without making Primary CM down, does Primary CM becomes Backup CM temporarily?
3. If we need to revert again to original state, how can it happen?

Thanks,
Panendar Rao.C

------------------------------
PHANENDRA RAO CHAVANA
------------------------------

------------------------------
Leila Johannesen
------------------------------

Original Message:
Sent: Wed February 10, 2021 07:07 AM
From: PHANENDRA RAO CHAVANA
Subject: Guardium Failover test with Backup CM

Hi Everyone,

Is it possible to promote Backup CM as a Primary CM for failover testing and again shall we revert it?
Here are some doubts about above question:

1. Is it possible without making down Primary CM to promote Backup as Primary one?
2. If at all Backup CM is promoted as Primary without making Primary CM down, does Primary CM becomes Backup CM temporarily?
3. If we need to revert again to original state, how can it happen?

Thanks,
Panendar Rao.C

------------------------------
PHANENDRA RAO CHAVANA
------------------------------

Hi,

Switching to Backup CM works smoothly for small test environment - the test in lab is not this same as execution this procedure on production env.

I strongly suggest do not do that for large production environment. In this case the process can take hours or more.

Even IBM support suggests to restore the failed primary CM using backup than simple switch to the Backup CM.

Backup CM should be promoted to primary role if there is no possibility to restore original primary CM in the reasonable time.

Be aware that temporary unavailability of primary CM does not interrupt events gathering.

------------------------------
Zbigniew (Zibi) Szmigiero
IBM
Międzyrzecz
------------------------------

Original Message:
Sent: Wed February 10, 2021 07:07 AM
From: PHANENDRA RAO CHAVANA
Subject: Guardium Failover test with Backup CM

Hi Everyone,

Is it possible to promote Backup CM as a Primary CM for failover testing and again shall we revert it?
Here are some doubts about above question:

1. Is it possible without making down Primary CM to promote Backup as Primary one?
2. If at all Backup CM is promoted as Primary without making Primary CM down, does Primary CM becomes Backup CM temporarily?
3. If we need to revert again to original state, how can it happen?

Thanks,
Panendar Rao.C

------------------------------
PHANENDRA RAO CHAVANA
------------------------------

Hi Zibi.
We need to migrate our current Guardium infrastructure (about 50 virtual appliances, 11.4) to new virtual infrastructure and core network (IP addresses of appliances will change). Our initial plan is to deploy backup CM to new infrastructure and promote it. Then move other managed units over to new infrastructure, by changing IP address. Of cause this is very simplified description. But main focus for the discussion is use of backup CM. 
Now reading your recommendation I started to doubt if use of CM HA configuration would be good idea for such transition. Any comments?

------------------------------
Taavi Kainel
------------------------------

Original Message:
Sent: Thu February 11, 2021 04:29 AM
From: Zbigniew (Zibi) Szmigiero
Subject: Guardium Failover test with Backup CM

Hi,

Switching to Backup CM works smoothly for small test environment - the test in lab is not this same as execution this procedure on production env.

I strongly suggest do not do that for large production environment. In this case the process can take hours or more.

Even IBM support suggests to restore the failed primary CM using backup than simple switch to the Backup CM.

Backup CM should be promoted to primary role if there is no possibility to restore original primary CM in the reasonable time.

Be aware that temporary unavailability of primary CM does not interrupt events gathering.

------------------------------
Zbigniew (Zibi) Szmigiero
IBM
Międzyrzecz

Original Message:
Sent: Wed February 10, 2021 07:07 AM
From: PHANENDRA RAO CHAVANA
Subject: Guardium Failover test with Backup CM

Hi Everyone,

Is it possible to promote Backup CM as a Primary CM for failover testing and again shall we revert it?
Here are some doubts about above question:

1. Is it possible without making down Primary CM to promote Backup as Primary one?
2. If at all Backup CM is promoted as Primary without making Primary CM down, does Primary CM becomes Backup CM temporarily?
3. If we need to revert again to original state, how can it happen?

Thanks,
Panendar Rao.C

------------------------------
PHANENDRA RAO CHAVANA
------------------------------

Hi Taavi,
Your migration procedure makes sense. I stressed in my article to do not use CM backup for short time switch in case on primary CM unavailability and large envuronments.

------------------------------
Zbigniew (Zibi) Szmigiero
IBM
Międzyrzecz
------------------------------

Original Message:
Sent: Tue January 03, 2023 04:44 AM
From: Taavi Kainel
Subject: Guardium Failover test with Backup CM

Hi Zibi.
We need to migrate our current Guardium infrastructure (about 50 virtual appliances, 11.4) to new virtual infrastructure and core network (IP addresses of appliances will change). Our initial plan is to deploy backup CM to new infrastructure and promote it. Then move other managed units over to new infrastructure, by changing IP address. Of cause this is very simplified description. But main focus for the discussion is use of backup CM. 
Now reading your recommendation I started to doubt if use of CM HA configuration would be good idea for such transition. Any comments?

------------------------------
Taavi Kainel

Original Message:
Sent: Thu February 11, 2021 04:29 AM
From: Zbigniew (Zibi) Szmigiero
Subject: Guardium Failover test with Backup CM

Hi,

Switching to Backup CM works smoothly for small test environment - the test in lab is not this same as execution this procedure on production env.

I strongly suggest do not do that for large production environment. In this case the process can take hours or more.

Even IBM support suggests to restore the failed primary CM using backup than simple switch to the Backup CM.

Backup CM should be promoted to primary role if there is no possibility to restore original primary CM in the reasonable time.

Be aware that temporary unavailability of primary CM does not interrupt events gathering.

------------------------------
Zbigniew (Zibi) Szmigiero
IBM
Międzyrzecz

Original Message:
Sent: Wed February 10, 2021 07:07 AM
From: PHANENDRA RAO CHAVANA
Subject: Guardium Failover test with Backup CM

Hi Everyone,

Is it possible to promote Backup CM as a Primary CM for failover testing and again shall we revert it?
Here are some doubts about above question:

1. Is it possible without making down Primary CM to promote Backup as Primary one?
2. If at all Backup CM is promoted as Primary without making Primary CM down, does Primary CM becomes Backup CM temporarily?
3. If we need to revert again to original state, how can it happen?

Thanks,
Panendar Rao.C

------------------------------
PHANENDRA RAO CHAVANA
------------------------------

In addition to my previous message:

1. Is it possible without making down Primary CM to promote Backup as Primary one?

No, if Primary CM is operational during this procedure, it will be removed from current GDP configuration

2. If at all Backup CM is promoted as Primary without making Primary CM down, does Primary CM becomes Backup CM temporarily?

No, you need clean up it to standard aggregator using "store unit type standalone"

3. If we need to revert again to original state, how can it happen?

a) you need add old CM working as standalone to existing GDP infra

b) promote it as backup CM

c) promote it again as primary one

here my article about this:

https://guardiumnotes.wordpress.com/2016/05/22/central-manager-in-ha-configuration/

------------------------------
Zbigniew (Zibi) Szmigiero
IBM
Międzyrzecz
------------------------------

Original Message:
Sent: Wed February 10, 2021 07:07 AM
From: PHANENDRA RAO CHAVANA
Subject: Guardium Failover test with Backup CM

Hi Everyone,

Is it possible to promote Backup CM as a Primary CM for failover testing and again shall we revert it?
Here are some doubts about above question:

1. Is it possible without making down Primary CM to promote Backup as Primary one?
2. If at all Backup CM is promoted as Primary without making Primary CM down, does Primary CM becomes Backup CM temporarily?
3. If we need to revert again to original state, how can it happen?

Thanks,
Panendar Rao.C

------------------------------
PHANENDRA RAO CHAVANA
------------------------------