addingrsync

rsync  时间:2021-01-12  阅读:()
SecureWebGatewayVersion11.
8HighAvailabilitySecureWebGateway11.
8HighAvailabilityiiCopyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
LegalNoticeCopyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
Thisdocumentisprotectedbycopyrightandanydistribution,reproduction,copying,ordecompilationisstrictlyprohibitedwithoutthepriorwrittenconsentofTrustwave.
NopartofthisdocumentmaybereproducedinanyformorbyanymeanswithoutthepriorwrittenauthorizationofTrustwave.
Whileeveryprecautionhasbeentakeninthepreparationofthisdocument,Trustwaveassumesnoresponsibilityforerrorsoromissions.
Thispublicationandfeaturesdescribedhereinaresubjecttochangewithoutnotice.
Whiletheauthorshaveusedtheirbesteffortsinpreparingthisdocument,theymakenorepresentationorwarrantieswithrespecttotheaccuracyorcompletenessofthecontentsofthisdocumentandspecificallydisclaimanyimpliedwarrantiesofmerchantabilityorfitnessforaparticularpurpose.
Nowarrantymaybecreatedorextendedbysalesrepresentativesorwrittensalesmaterials.
Theadviceandstrategiescontainedhereinmaynotbesuitableforyoursituation.
Youshouldconsultwithaprofessionalwhereappropriate.
NeithertheauthornorTrustwaveshallbeliableforanylossofprofitoranycommercialdamages,includingbutnotlimitedtodirect,indirect,special,incidental,consequential,orotherdamages.
Themostcurrentversionofthisdocumentmaybeobtainedbycontacting:TrustwaveTechnicalSupport:Phone:+1.
800.
363.
1621Email:support@trustwave.
comTrademarksTrustwaveandtheTrustwavelogoaretrademarksofTrustwave.
Suchtrademarksshallnotbeused,copied,ordisseminatedinanymannerwithoutthepriorwrittenpermissionofTrustwave.
RevisionHistoryVersionDateChanges11.
0July2013Firstrelease11.
5December2013Minorrevisions11.
6December2014Versionupdate11.
7March2015Versionupdate11.
8August2016VersionupdateSecureWebGateway11.
8HighAvailabilityCopyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
iiiFormattingConventionsThismanualusesthefollowingformattingconventionstodenotespecificinformation.
FormatsandSymbolsMeaningBlueBluetextindicatesaWebsiteore-mailaddress.
BoldBoldtextdenotesUIcontrolandnamessuchascommands,menuitems,tabandfieldnames,buttonandcheckboxnames,windowanddialogboxnames,andareasofwindowsordialogboxes.
CodeTextinCourierNew9ptinblueindicatescomputercodeorinformationatacommandline.
ItalicsItalicsdenotesthenameofapublishedwork,thecurrentdocument,nameofanotherdocument,textemphasis,tointroduceanewterm,andpathnames.
[Squarebrackets]Squarebracketsindicateaplaceholderforvaluesandexpressions.
Notes,Tips,andCautionsNote:Thissymbolindicatesinformationthatappliestothetaskathand.
Tip:Thissymboldenotesasuggestionforabetterormoreproductivewaytousetheproduct.
Caution:Thissymbolhighlightsawarningagainstusingthesoftwareinanunintendedmanner.
Question:Thissymbolindicatesaquestionthatthereadershouldconsider.
SecureWebGateway11.
8HighAvailabilityivCopyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
TableofContentsLegalNoticeiiTrademarks.
iiRevisionHistoryiiFormattingConventionsiiiNotes,Tips,andCautionsiii1Overview51.
1Requirements52HowitWorks62.
1ha_manager72.
1.
1SystemLogs92.
2Heartbeat92.
2.
1ConfiguringHeartbeat.
92.
2.
2HAScript112.
3Notifier.
112.
4ReplicatingData.
112.
4.
1PostgreSQL(Postgres)122.
5Versioninstallationfromscratch132.
6SystemUpdates132.
6.
1VersionUpgrades132.
6.
2SecurityUpdates132.
6.
3Hotfix/MaintenanceReleases.
133GUI143.
1StatusTabFieldsintheHighAvailabilityDeviceIPWindow143.
2ImplementingHighAvailabilityinSWG.
154OtherConsiderations165Scenarios175.
1ActivePolicyServercrashes175.
1.
1PassivePolicyServer.
175.
1.
2ActivePolicyServer175.
2PassivePolicyServerCrashes.
175.
2.
1PassivePolicyServer.
175.
2.
2ActivePolicyServer17AboutTrustwave18Copyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
51OverviewToensurecontinuousoperationincaseofapolicyserverfailure,SWGsupportsHighAvailability,whichisimplementedbyaddingasecondaryPassivePolicyServerdevicetothesystem.
Specificdataisautomaticallyreplicated,updatedandsynchronizedbetweentheservers.
IntheeventoffailureoftheActivePolicyServer,SWGautomaticallyfailsovertothePassivePolicyServer,makingittheprimaryActivePolicyServer.
Whenthefailedservercanagainbeused,SWGdesignatesitasthePassivePolicyServer.
Note:ToswitchaPassivepolicyservertoActive,youmustmanuallyperformthechangeontheactivedeviceusingthefailoverLimitedShellcommand.
FormoreinformationonLimitedShellcommands,seetheSWGManagementConsoleReferenceGuide.
Thehighavailabilityprocessincludes:Decidingwhichdeviceisactiveandwhichispassive.
Switchingautomaticallybetweenactiveandpassivedeviceswhentheactivedeviceisnotfunctioning.
SettingavirtualIPontheactivedevicesothattheusercanviewtheactiveGUIwithoutknowingtheactivedeviceIP.
1.
1RequirementsOnlyoneActivePolicyServerisdefinedandonlyonePassivePolicyServerisusedforfailover.
TheprimaryActiveandsecondaryPassivePolicyServersareonseparatedevices,notonanAll-In-Onedevice.
ThedevicethathousesthesecondaryPassivePolicyServerisaccessibleanditsIPaddressisknown.
Bothpolicyserversareonthesamenetwork.
BothpolicyserversarerunningthesameSWGversion.
Linux-haisinstalledoneachpolicyserver.
AvirtualIPgiventothehighavailabilitysystem(thesetofactiveandpassivedevices).
AccesstotheGUIisrecommendedviathevirtualIP.
Inaddition,thescannerswillsendtrapstothepolicyserverviathisvirtualIP.
Linux-haisresponsibleforshiftingthevirtualIPtotheactivedevice.
Topreventasplitbrainsituation,theactiveandpassivepolicyserversmustbeconnectedbytwoswitches.
Thispreventsasituationwherebothpolicyserverscancommunicatewiththescannersbutnottoeachother,thusthinkingtheyarebothactive.
SecureWebGateway11.
8HighAvailability6Copyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
2HowitWorksTheManagerrunsseveralrolesonthepassivePolicyServer.
Theserolesarewritteninthe/etc/Manager/commander_passive_module.
xmlfile:TheHAroleaddedtomanager.
conf.
xmlholdstwoprocesses:ha_managerandheartbeat.
ha_manager–Theprocessthatmanagesthehighavailabilitysystem.
heartbeat–AnopensourceLinux-haprocesswhosemaincomponentimplementsaHeartbeatprotocol.
FormoreinformationaboutLinux-HA,seehttp://www.
linux-ha.
orglogrelay–TheprocessthatenablestheActiveServertoretrievesystemlogs.
TheManagertreatstheactivePolicyServerinthesamewayasaregularpolicyserver.
TheroleHAshouldbeenabledintheCommander/module.
xmlfile.
TheManagerlistenstotheNotifierrunningontheactivePolicyServer.
ItstopslisteningtothelocalNotifierwhentheNotifierontheactivedevicesendstheisPassive=1flagwithinthestatuscommand.
RunningtheManager-ctlreload[passive]commandinManager-ctltellstheManagertostopallrolesandstartonlyroleslistedasenabledincommander_passive_module.
xmlorCommander/module.
xml.
WhentheManagerrunsinpassivemode,itcreatesthe/etc/Manager/passive_devicefile.
WhentheManagerstarts,itchecksfortheexistenceofthefile,andifitexists,itloadstheconfigurationfromcommander_passive_module.
xml.
WhentheManagerrunsinanactivemode,itdeletestheManager_passivefileifitexists.
SecureWebGateway11.
8HighAvailabilityCopyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
7ThePolicyServersavesitsconfigurationinthedatabaseaccordingtoitsdeviceID.
Whenrunningfull_replicate,theconfigurationsinthedatabasearecopiedtofileslocatedat/var/policyserver/configuration/base/[global|deviceId].
InorderfortheactivepolicyserverconfigurationtobereplicatedtothepassivePolicyServerdevice,thedeviceIDinthepolicyserverdatabaseischangedtosuitthepassivedeviceID.
Thisisdoneonfailover,whenpassivebecomesactive,bycallingactive_request_cli.
(Theha_managerisresponsibleforthis.
)Inorderfortheconfigurationlocatedin/var/policyserver/configuration/base/[passive_device_id]tomatchtheactivepolicyserverconfiguration,onfailoverafterrunningactive_request_cli,theha_managerwillcallfull_replicate.
2.
1ha_managerha_manageristheprocessdesignedforHighAvailability.
Itsmaintaskisto:Start,stopandmonitorthePostgreSQL(Postgres)replication.
CopyadditionalfilestothepassivePolicyServerondemand.
Performfailoverwhenrequired.
ha_managersupportsthefollowingsignals:1.
SIGHUP–reloadsconfiguration.
2.
SIGUSR1–performsafailover(byrestartingHeartbeat)TheManagerstarts,stopsandmonitorstheha_managerprocessonbothactiveandpassivepolicyservers.
Itdoesnotrunonscanners.
ha_managerwillkeeprunninguntilstoppedbytheManager.
PostgresReplication:SecureWebGateway11.
8HighAvailability8Copyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
Theha_managerchecksthestatusofHeartbeateveryxinterval(asdefinedinHA/module.
xml)byrunningtheLinux-haclicommandcl_statusnodestatus.
Accordingtothestatus,itdecidesifthedeviceisactiveorpassive.
Thecl_statuscanbeoneofthefollowing:1.
All:Thisistheactivedevice2.
None:Thisisthepassivedevice3.
Local:a.
Ifthedeviceisthedefaultactive(theHAwasconfiguredonthisdevice)thenthisistheActivedevice.
b.
Ifthedeviceisthedefaultpassive(thisdevicewasfirstattachedtotheActivedevice):ThisdevicewillbepassiveifitwaspassivebeforeoriftheotherdeviceisActive.
Thisdevicewillbeactiveonlyifitwasactivealreadyandtheotherdeviceispassive.
Thiscanhappenonlyifthedevicewasactivebefore,andtheheartbeatwaskilledandrestartedbeforethedeadtimetimeout.
Ifthedeviceisactive,theha_managerwill:1.
Createafile/etc/ha_manager/activeindicatingthisdeviceistheActivedevice.
2.
Checkifafailoveroccurred(Ifthedevicewaspassivebefore).
Ifso,itwill:a.
Copy/var/wasp/conf_readyto/var/policyserver/configuration/baseb.
Runmanager-ctlreload,whichwilltelltheManagertostartallrolesdefinedinCommander/module.
xml.
c.
Movewatchedfilesfrom/opt/finjan/configuration/hatotheiroriginallocation.
d.
CreateaPostgrestriggerfiletellingitthatitshouldruninActivemode.
e.
StartthePolicyServerandrunactive_request_cliwhichtellsthepolicyserverthatthisistheActivedevice.
f.
Runfull_replicate.
3.
CheckthePostgresstatusoftheactiveandpassivedevice.
IfPostgresisnotrunninginreplicationmodeonbothdevices,theha_managerwillcopythePostgresdatadirectorytothepassivedeviceasdescribedabove.
4.
CopyfilesdefinedinHA/module.
xmltothepassivedevicedirectory/opt/finjan/configuration/.
Ifthedeviceispassive,theha_managerwill:1.
Createafile/etc/ha_manager/passiveindicatingthisdeviceisthepassivedevice.
2.
Runmanager-ctlreloadpassivewhichwilltelltheManagertorunonlyrolesdefinedincommander_passive_module.
xml.
3.
StopthePolicyServer.
4.
Listentocommandsfromha_managerattheactivedevice.
SecureWebGateway11.
8HighAvailabilityCopyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
9SystemLogsTheha_managerwillsendsystemlogswhenit:1.
FindsoutfromtheHeartbeatthatthestatusofthedevicewaschangedtoactiveorpassive.
2.
StartsPostgresreplication.
3.
FinishestheinitializationofthePostgresreplication.
4.
Failstoconnecttotheha_managerrunningonthepassivePolicyServer.
2.
2HeartbeatTheHeartbeatprocessrunsonbothactiveandpassivepolicyservers(notonscanners).
TheManagerwillstart,stopandmonitortheHeartbeatprocess.
Inthisprocess,intervalmessagesaresentbetweendevices.
Ifamessageisnotreceivedfromadevicethenthedeviceisassumedtohavefailed.
Incasethefaileddeviceistheactivedevice,Heartbeatperformsafailoverandthepassivedevicebecomestheactivedevice.
WhenrunningapropershutdownoftheHeartbeatusingthe/etc/init.
d/heartbeatstopcommand,itwillcauseafailover.
Toavoidafailovereveryshutdown,SWGkillstheheartbeatwhenrestarting(usingkillall-9heartbeat).
ConfiguringHeartbeatTheHAconfigurationissavedinthefile/var/wasp/conf/ha/current/module.
xmllikeanyotherprocessinthesystem.
Themodule.
xmlfileholdsthefollowingparameters:ha_enabled-IfHAisenabled,itwillholdthevalue1.
Otherwise0.
virtual_ip-ThevirtualIPoftheHAsystem.
CanbeemptyifnovirtualIPisdefined.
default_active-TheIPandthename(asitappearsintheuname–ncommand)ofthedefaultactivePolicyServer.
default_passive-TheIPandthename(asitappearsintheuname–ncommand)ofthedefaultpassivePolicyServer.
device_unameportandtimeout-Thedevice_unameisanApachehandlerwhichreturnsthedeviceuname.
(UsedforconfiguringHeartbeat).
ha_managerconfiguration-suchasha_managerportandtimeout.
AlistoffilesthatarenotlocatedunderthebasedirectoryandarerequiredtobecopiedtothepassivePolicyServer.
(Thiswillbediscussedlaterinthisdocument.
)Foreachfile,wecanconfigurewhetheritwillbecopiedtothepassivedeviceassoonasitismodifiedusingtheinotifyutility(inotify=1),orwillbecopiedeveryXinterval(inotify=0).
SecureWebGateway11.
8HighAvailability10Copyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
Forexample:TheHeartbeatconfigurationfilesarelocatedat/etc/heartbeat/.
Twofilesshouldbeconfigured:1.
Ha.
cf–holdsthefollowing:Theactiveandpassivenames.
Heartbeatdebugfileanddebuglevel.
AllkindsofHeartbeatconfigurations(forexampleautofailback).
PortthroughwhichbothHeartbeatscommunicate.
2.
haresources–holdsthevirtualIPoftheHAsystem.
Thefileisintheformat:[defaultactivedevicename][virtualip]Forexample:vs-166192.
168.
120.
185SecureWebGateway11.
8HighAvailabilityCopyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
11HAScriptThe/usr/bin/hascriptperformsthefollowing:1.
start-ConfiguresHeartbeatandPostgres,andstartstheHeartbeatprocess.
2.
stop-ConfiguresPostgresandstopstheHeartbeatprocess.
3.
restart-RestartstheHeartbeatprocess.
(performsstopandstart)4.
status-Returns1ifHeartbeatisrunning,0otherwise.
5.
amIactive-Returns1ifthedeviceisactive,0otherwise.
6.
Failover-Performsafailover.
2.
3NotifierThepassivedeviceislistedinthedevices.
xmlfilewithdevice_typeequaltoManagementServer.
TheNotifiertreatsthepassivedeviceinthesamewayasittreatsallotherscanners,withafewexceptions:1.
TheNotifiersendsanewflaginthestatuscommandtellingthepassiveManageritisapassivedevice(isPassive=1).
2.
TheNotifiergivesallpolicyserversahigherpriorityonscannersintheorderofapplyingtheconfiguration.
3.
Whenthereisasecurityupdateormaintenancerelease,theNotifierdoesnotcopytheps_debpackagesdirectorytoscanners,thoughitshouldbecopiedtoallpolicyservers.
Oncommit,theNotifiercopiesthebasedirectorytothestabledirectory,andthestabledirectorytotheconf_readydirectorylocatedateachdevice.
Thesamehappenswiththepassivedevice.
Onfailover,whenthepassivebecomesactive,thepassivewillcopytheconf_readydirectorytothebasedirectorysothattheNotifierwillbeabletosynctheconfigurationtothescanners.
TheNotifierwillgetthepassivepolicyserverstatusinthesamewayasitgetsthestatusofallscanners.
2.
4ReplicatingDataThetaskofreplicatingdataisdividedbetweenthreeutilities.
PostgreSQL9:Replicatesthedatabasesnotifier-Manager:Replicatesthefileslocatedunder/var/policyserver/configuration/baseha_Manager:CopiesallotherfilesAllfilesarecopiedusingrsynctodirectorieslocatedunder/opt/finjan/configuration.
Thisisbecausersynchaspermissionstowriteonlytothatdirectoryonaremotedevice.
ForthisreasonthePostgresdatadirectoryandtheconf_readydirectoryarelocatedat/opt/finjan/configuration.
Filessuchas/etc/logserver/status.
confarecopiedtotheiroriginallocationonlyonfailover.
SecureWebGateway11.
8HighAvailability12Copyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
Thedatathatisreplicatedfromtheactivetothepassivepolicyservercontainsthefollowing:1.
Databases-policy_server,logs,reports,system_logs2.
Allthemoduleconfigurationsanddatfilesthatarelocatedat/var/policyserver/configuration/base.
Thisdirectoryalsoincludesthedebpackagesincaseofmaintenancereleasesandhotfixes.
3.
Licensesfile-/etc/policyserver/.
license-ThisfiledefinestheSWGlicenseandisreplicatedwhenthefileismodified.
4.
Shadowfile-holdsencryptedpasswordssuchasrootandadministratorpasswords.
Isreplicatedwhenthefileismodified.
5.
Archivedirectory-/var/logserver/archive.
IsreplicatedeveryXinterval(definedinHA/module.
xml).
6.
LogServerstatusfile-/etc/logserver/status.
conf.
IsreplicatedeveryXinterval.
PostgreSQL(Postgres)PostgreSQLisanobject-relationaldatabasesystemwithabuilt-inreplicationfeaturethatreplicatesalldatabasesinthedevice.
Note:Tousethebuilt-inreplicationinPostgres,itmustbeupgradedfromPostgreSQL8.
4toPostgreSQL9.
Replicationisasynchronousbutoccursautomatically(notondemand),andveryclosetothetimeofthechangesintheactivedevice.
AccordingtothePostgresmanual:"Streamingreplicationisasynchronous,sothereisstillasmalldelaybetweencommittingatransactionintheprimaryandforthechangestobecomevisibleinthestandby.
Thedelayishowevermuchsmallerthanwithfile-basedlogshipping,typicallyunderonesecondassumingthestandbyispowerfulenoughtokeepupwiththeload.
"Theactivedatabasesremainread-write,whilethepassivedatabasesareread-only.
BeforePostgresstartsreplicatingthedatabases,youmustcopyallfilesinthePostgresdatadirectory(/opt/finjan/configuration/data/postgresql/main)fromtheactivedevicetothepassivedevice.
Notethatthissynccantakealongtime(dependingonthesizeofthedatabase),butPostgresrequiresthisbeforestartingcontinuousreplication.
(Forexample,copyinga1.
5Gdatabasefromonedevicetoanotherusingrsynctakes1m24s.
)FormoreinformationaboutPostgreSQLreplication,seehttp://wiki.
postgresql.
org/wiki/Binary_Replication_TutorialSecureWebGateway11.
8HighAvailabilityCopyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
132.
5VersioninstallationfromscratchWheninstallinganewversion,onemustfirstdisabletheHA,theninstallthenewversiononbothpolicyservers.
HAcanbere-enabledonlyafterbothpolicyservershavethesameversioninstalled.
2.
6SystemUpdatesNormally,whenyouconfigureautomaticupdateofScanningServerswiththelatestSWGupdates,allScanningServersareupdatedatonce.
However,theSystemUpdatesnodeletsyouchoosetoupdateselectedscanningserverswiththelatestOperatingSystemupdateinsteadofsendingtheupdatetoallthescanningserversatthesametime.
Thisensuresgreatersystemstabilityandprovidesyougreatercontrolovertheindividualscanningserversinyourconfiguration.
ThisfeatureisalsousefulwhenupdatingthepolicyserveroperatingsysteminaHighAvailabilityconfiguration.
Inthisscenario,somescanningserverscanbeleftuntouched,sothatiftheupdatefails,thePolicyServerwillstillbeabletocontroltheselectedscanningservers.
Note:ToupgradetoSWGVersion11.
0,11.
5,11.
6,11.
7or11.
8onaHighAvailabilitySetup,refertotheSWGUpgradeReleaseNotes.
VersionUpgradesVersionupgradesareperformedthesameasversionupdates.
Thepassivemustfirstbedisconnectedfromtheactivepolicyserver.
SecurityUpdatesSecurityupdatesworkthesameasconfigurationupdates.
ThenewfilesarecopiedtothepassivepolicyserverthesamewayastheyarecopiedandinstalledattheManagers.
Hotfix/MaintenanceReleasesHotfixandmaintenancereleaseswillbecopiedtothepassivepolicyserverthesamewayastheyarecopiedandinstalledattheManagers.
However,theNotifiercopiesthedirectoryps_debpackagestothepassivepolicyserveralthoughitisnotcopiedtothescanners.
SecureWebGateway11.
8HighAvailability14Copyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
3GUIThepassivepolicyserverisaddedasadeviceintheDevicesscreenoftheactivepolicyserver.
Itiswrittentothedevices.
xmlfilewiththesameManagementServerdevicetype.
TheGUIverifiesthatbothpolicyserversarerunningthesameSWGversion.
TheGUIshowsthestatusofthepassivepolicyserverwhichincludes:FieldDescriptionSyncStatuswhetherthepassivedeviceissyncedtobasedirectoryConnectionStatuswhethertheactiveisconnectedtothepassiveReplicationStatuswhetherthePostgresisrunninginreplicationmodeonbothdevices.
(Theha_managerwritesthisstatustothefile/etc/ha_manager/ha_manager_status)1.
TheGUIshouldenableconfigurationofthefollowingfields:PassiveIPVirtualIP2.
AmanualswapbetweenactiveandpassivecanbedoneonlybyusingtheLimitedshellontheactivedevicebycalling/usr/bin/hafailover.
3.
IftheuserentersthepassiveIPattheURLbrowser,theyshouldberedirectedtothevirtualIP.
3.
1StatusTabFieldsintheHighAvailabilityDeviceIPWindowThefollowingtabledescribesthefieldsintheStatustabintheDeviceIPwindowoftheHighAvailability(secondary)server.
FieldDescriptionSyncStatusIndicateswhethertheDeviceissynchronizedwiththePolicyServerConnectionStatusIndicatesifthedeviceisavailable(Active)CommittingStatusIndicateswhetherthedeviceisundergoingaPreparingtoCommitstatus,CommittingChangesstatus,orisStableReplicationStatusStatusofthereplicationLastConnectionTimeIndicatesthelasttimethisdevicewasconnectedtothePolicyServerSecureWebGateway11.
8HighAvailabilityCopyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
153.
2ImplementingHighAvailabilityinSWGTocreateanHAsystem,theuseraddsapassivepolicyservertotheManagementDevicesGroup.
Note:TheManagementConsoleGUIisnotaccessiblefromthePassivePolicyServerdevice.
Whenthechangeiscommitted,thepolicyserver:1.
AddsthepassivepolicyserverIPtothedevices.
xmlfile.
2.
ConfiguresthefileHA/module.
xml.
3.
EnablestheroleHAintheCommander/module.
xmlfile.
Afterthechangesarecommitted,theNotifierontheactivedevicesendsagetstatuscommandtothepassivedevicetellingittostartlisteningtotheactiveNotifier.
ThistriggerstheNotifierontheactivedevicetosendtheconfigurationtothepassiveManagerwhichstartsHeartbeatandha_managerprocesses.
TheHeartbeatprocesssetswhichpolicyserverisactiveandwhichispassive.
Theha_managerontheactive:4.
Tellsthepassiveha_managertocommandtheManagertoreloaditsconfigurationwiththeCommander/module.
xml.
passivefile.
Thisstopsallrolesandstartsonlytherolesneededforapassivedevice.
5.
StartsPostgresreplication.
ToimplementHighAvailability:1.
SelectAdministration|SystemSettings|SWGDevices.
2.
IntheDevicestree,right-clicktheManagementDevicesGroupnodeandchooseAddHADevice.
3.
Inthemainwindow,enterthemandatoryDeviceIP,andoptionallyenteradescription.
NotethatthedevicetypeisautomaticallysettoPassivePolicyServer.
4.
ClickSave.
5.
Optionally,specifyavirtualdeviceIP,whichwillautomaticallyroutetowhicheverpolicyserverisactiveatanygiventime,asfollows:a.
Inthetreepane,selectManagementDevicesGroup.
TheManagementDevicesGroupwindowcontainsonlyoneeditablefield:VirtualIP:EnablesyoutospecifyaVirtualIPthatwillautomaticallyresolvetoyourcurrentlyactivepolicyserverdevice.
IfyoudefineavirtualIPvalue,youcanusethisvalueforaccessregardlessofwhetherSWGhasfailedovertothepreviouslypassivepolicyserverdevice.
b.
SpecifyavirtualDeviceIPandclickSave.
6.
TocompleteimplementationofHighAvailability,includingsynchronizationofthedatabaseandconfigurationfiles,clickCommit.
SecureWebGateway11.
8HighAvailability16Copyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
4OtherConsiderationsIfHighAvailabilityisenabled,youmustdisabletheHighAvailabilityPolicyServerfeaturebeforeperformingarestore.
BothactiveandpassivepolicyserversmustbesyncedwiththesameNTPserver.
PingNode—Pingnodedetectsasituationinwhichthereisanetworkcommunicationbetweenactiveandpassivepolicyservers,butnonetworktoscanners.
Ifnopingbetweentheactivepolicyserverandthepingnodeexists,thesystemwillfailoverandthepassivepolicyserverwillbecomeactive.
ItisrecommendedthattheIPofthepingnodebethedefaultgateway.
TheManagementConsoleGUIisnotaccessibleonthePassivePolicyServerdevice.
Warning:WhendisablingHA,ensurethatthePassivePolicyServerisconnectedtotheActivePolicyServer.
SecureWebGateway11.
8HighAvailabilityCopyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
175Scenarios5.
1ActivePolicyServercrashesPassivePolicyServerTheHeartbeatprocess:1.
Setsthedevicetoactive.
2.
StartsthevirtualIP.
Theha_managerprocess:3.
Changesitsstatustoactive.
4.
Runsthemanager-ctlreloadcommand,whichtellstheManagertostopallrolesandstartthemaccordingtotheCommander/module.
xmlfile.
5.
Copiesthedirectory/var/wasp/conf_readyto/var/policyserver/configuration/base6.
Ifthereisaconnectiontothepassivepolicyserver,configuresandstartsPostgresreplication.
Ifthereisnoconnectiontothepassivepolicyserver,steps3-4occurwhentheconnectionisresumed(theha_managercheckseveryXsecondsiftheconnectionisresumed).
ActivePolicyServerThefollowingoccurswhentheconnectionbetweenthetwopolicyserversisresumed:TheHeartbeatprocess:1.
Setsthedevicetopassive.
2.
StopsthevirtualIP.
Theha_managerprocesswaitsforcommandsfromthenewactiveha_managerprocess.
5.
2PassivePolicyServerCrashesPassivePolicyServerWhenapassivepolicyservercomesbackupagain:1.
TheManagercomesupwiththepassiveCommander/module.
xml.
passiveconfiguration(becausethemanager_passivefileexists)andlistenstotheNotifierattheactive(asitdidbeforethecrash).
2.
TheHeartbeatprocesssetsthedevicetopassive.
3.
Theha_managerprocesswaitsforcommandsfromtheactiveha_managerprocess.
ActivePolicyServerTheha_managerattheactivepolicyserverchecksthestatusofthepassiveeveryXseconds.
Whenitdiscoverstheconnectiontothepassiveisresumed,itconfiguresandstartsPostgresreplication.
Copyright2016TrustwaveHoldings,Inc.
Allrightsreserved.
18AboutTrustwaveTrustwavehelpsbusinessesfightcybercrime,protectdataandreducesecurityrisk.
Withcloudandmanagedsecurityservices,integratedtechnologiesandateamofsecurityexperts,ethicalhackersandresearchers,Trustwaveenablesbusinessestotransformthewaytheymanagetheirinformationsecurityandcomplianceprograms.
Morethan2.
7millionbusinessesareenrolledintheTrustwaveTrustKeepercloudplatform,throughwhichTrustwavedeliversautomated,efficientandcost-effectivethreat,vulnerabilityandcompliancemanagement.
Trustwaveisaprivatelyheldcompany,headquarteredinChicago,withcustomersin96countries.
Formoreinformation,visithttps://www.
trustwave.
com.

HostKvm四月优惠:VPS主机全场八折,香港/美国洛杉矶机房$5.2/月起

HostKvm是一家成立于2013年的国外主机服务商,主要提供基于KVM架构的VPS主机,可选数据中心包括日本、新加坡、韩国、美国、中国香港等多个地区机房,均为国内直连或优化线路,延迟较低,适合建站或者远程办公等。本月商家针对全场VPS主机提供8折优惠码,优惠后美国洛杉矶VPS月付5.2美元起。下面列出几款不同机房VPS主机产品配置信息。套餐:美国US-Plan0CPU:1cores内存:1GB硬...

美得云(20元)香港特价将军澳CTG+CN2云服务器

美得云成立于2021年,是一家云产品管理服务商(cloud)专业提供云计算服务、DDOS防护、网络安全服务、国内海外数据中心托管租用等业务、20000+用户的选择,43800+小时稳定运行香港特价将军澳CTG+CN2云服务器、采用高端CPU 优质CN2路线 SDD硬盘。香港CTG+CN22核2G3M20G数据盘25元点击购买香港CTG+CN2​2核2G5M30G数据盘39元点击购买香港CTG+CN...

tmhhost:全场VPS低至6.4折,香港BGP200M日本软银美国cn2 gia 200G高防美国三网cn2 gia韩国CN2

tmhhost放出了2021年的端午佳节+618年中大促的优惠活动:日本软银、洛杉矶200G高防cn2 gia、洛杉矶三网cn2 gia、香港200M直连BGP、韩国cn2,全都是高端优化线路,所有这些VPS直接8折,部分已经做了季付8折然后再在此基础上继续8折(也就是6.4折)。 官方网站:https://www.tmhhost.com 香港BGP线路VPS ,200M带宽 200M带...

rsync为你推荐
linux主机【windows主机换Linux主机该怎么弄啊?需要注意些什么呢?】域名备案查询如何查看网站备案已经成功ip代理地址使用IP代理会有什么坏处吗?韩国虚拟主机韩国虚拟主机好还是香港的好虚拟主机控制面板我想问下虚拟主机的控制面板有哪些还不错的品牌呢?价格不能太高最好是性价比比较高一点就行了1g虚拟主机想买个1G虚拟主机,不限流量的,但不知道哪个建站网站靠谱,求推荐!上海虚拟主机谁能告诉我杭州哪个公司的虚拟主机最好,机房最好是上海或浙江的.apache虚拟主机用的apache配置的虚拟主机,只有第一个能打开,别的是一直等待到超时,但是在服务器能正常打开。域名解析域名解析是什么意思为什么要域名解析?域名交易域名如何买卖??
域名投资 cloudstack 商家促销 ibrs 免费个人空间 hinet 如何建立邮箱 香港亚马逊 免费邮件服务器 shuang12 百度云空间 wordpress中文主题 114dns 群英网络 域名和主机 中美互联网论坛 美国西雅图独立 压力测试工具 vi命令 文件传输 更多