15 December 2010

Administration Guide
Multi-Domain Security Management R75

© 2010 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11683
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date             Description
8 December 2010  First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Multi-Domain Security Management R75 Administration Guide).
Contents

Important Information 3
Multi-Domain Security Management Overview 9
    Multi-Domain Security Management Glossary 9
    Key Features 11
    Basic Architecture 11
    The Multi-Domain Server 13
    Domain Management Servers 14
    Log Servers 15
    Multi-Domain Log Server 16
    Domain Log Server 16
    High Availability 16
    Security Policies 17
    Global Policies 17
    The Management Model 17
    Introduction to the Management Model 17
    Administrators 17
    Management Tools 19
Deployment Planning 20
    Multi-Domain Security Management Components Installed at the NOC 20
    Using Multiple Multi-Domain Servers 20
    High Availability 20
    Multi-Domain Server Synchronization 21
    Clock Synchronization 21
    Protecting Multi-Domain Security Management Networks 21
    Logging & Tracking 21
    Routing Issues in a Distributed Environment 21
    Platform & Performance Issues 22
    IP Allocation & Routing 22
    Virtual IP Limitations and Multiple Interfaces on a Multi-Domain Server 22
    Multiple Interfaces on a Multi-Domain Server 22
    Enabling OPSEC 22
Provisioning Multi-Domain Security Management 24
    Provisioning Process Overview 24
    Setting Up Your Network Topology 24
    The Multi-Domain Security Management Trust Model 25
    Introduction to the Trust Model 25
    Secure Internal Communication (SIC) 25
    Trust Between a Domain Management Server and its Domain Network 25
    Trust Between a Domain Log Server and its Domain Network 25
    Multi-Domain Server Communication with Domain Management Servers 26
    Trust Between Multi-Domain Server to Multi-Domain Server 26
    Using External Authentication Servers 26
    Re-authenticating when using SmartConsole Clients 27
    CPMI Protocol 28
    Creating a Primary Multi-Domain Server 28
    Multiple Multi-Domain Server Deployments 28
    Synchronizing Clocks 28
    Adding a Secondary Multi-Domain Server or a Multi-Domain Log Server 28
    Changing an Existing Multi-Domain Server 30
    Deleting a Multi-Domain Server 31
    Using SmartDomain Manager 31
    Launching the SmartDomain Manager 31
    Protecting the Multi-Domain Security Management Environment 32
    Standalone Gateway/Security Management 32
    Domain Management Server and SmartDomain Manager 32
    Security Gateways Protecting a Multi-Domain Server 33
    Making Connections Between Different Components of the System 34
Licensing 35
    Licensing Overview 35
    The Trial Period 35
    License Types 35
    Managing Licenses 36
Global Policy Management 40
    Security Policies 40
    The Need for Global Policies 40
    The Global Policy as a Template 41
    Global Policies and the Global Rule Base 41
    Global SmartDashboard 42
    Introduction to Global SmartDashboard 42
    Global Services 42
    Dynamic Objects and Dynamic Global Objects 42
    Applying Global Rules to Gateways by Function 43
    Synchronizing the Global Policy Database 44
    Creating a Global Policy through Global SmartDashboard 44
    Global IPS 45
    Introduction to Global IPS 45
    IPS in Global SmartDashboard 46
    IPS Profiles 46
    Subscribing Domains to IPS Service 47
    Managing IPS from a Domain Management Server 48
    Managing Global IPS Sensors 49
    Assigning Global Policy 49
    Assigning Global Policy for the First Time 49
    Assigning Global Policies to VPN Communities 49
    Re-assigning Global Policies 49
    Viewing the Status of Global Policy Assignments 53
    Global Policy History File 53
    Configuration 53
    Assigning or Installing a Global Policy 53
    Reassigning/Installing a Global Policy on Domains 54
    Reinstalling a Domain Policy on Domain Gateways 55
    Remove a Global Policy from Multiple Domains 56
    Remove a Global Policy from a Single Domain 56
    Viewing the Domain Global Policy History File 56
    Global Policies Tab 56
    Global Names Format 57
Domain Management 58
    Defining a New Domain 58
    Running the Wizard 58
    Name the Domain and Enable QoS 60
    Domain Properties 60
    Assigning a Global Policy 60
    Assigning Administrators to the Domain 61
    Assign GUI Clients 63
    Configuring Domain Management Servers 63
    Defining your First Domain Management Servers 64
    Configuring Existing Domains 65
    Configuring a Domain 65
    Version and Blade Updates 71
    Defining Administrators 72
    Configuring Domain Management Servers 75
    Defining GUI Clients 77
    Defining Administrator and Domain Groups 78
    Version & Blade Updates 79
    Using SmartUpdate 82
    Adding Domain Security Gateways 83
    Starting or Stopping a Domain Management Server or Domain Log Server 83
VPN in Multi-Domain Security Management 84
    Overview 84
    Authentication Between Gateways 84
    VPN Connectivity 84
    Global VPN Communities 85
    Gateway Global Names 85
    VPN Domains in Global VPN 86
    Access Control at the Network Boundary 86
    Joining a Gateway to a Global VPN Community 87
    Configuring Global VPN Communities 88
    Enabling a Domain Gateway to Join a Global VPN Community 88
High Availability 90
    Overview 90
    Multi-Domain Server High Availability 90
    Multiple Multi-Domain Server Deployments 90
    Multi-Domain Server Status 91
    Multi-Domain Server Clock Synchronization 92
    The Multi-Domain Server Databases 92
    How Synchronization Works 93
    Configuring Synchronization 95
    Domain Management Server High Availability 96
    Active Versus Standby 97
    Adding a Secondary Domain Management Server 97
    Domain Management Server Backup Using a Security Management Server 97
    Configuration 100
    Adding another Multi-Domain Server 100
    Creating a Mirror of an Existing Multi-Domain Server 100
    First Multi-Domain Server Synchronization 101
    Restarting Multi-Domain Server Synchronization 101
    Selecting a Different Multi-Domain Server to be the Active Multi-Domain Server 101
    Automatic Synchronization for Global Policies Databases 101
    Add a Secondary Domain Management Server 102
    Mirroring Domain Management Servers with mdscmd 102
    Automatic Domain Management Server Synchronization 102
    Synchronize ClusterXL Gateways 102
    Failure Recovery 103
    Recovery with a Functioning Multi-Domain Server 103
    Recovery from Failure of the Only Multi-Domain Server 104
Logging in Multi-Domain Security Management 106
    Logging Domain Activity 106
    Exporting Logs 107
    Log Export to Text 107
    Manual Log Export to Oracle Database 108
    Automatic Log Export to Oracle Database 108
    Log Forwarding 108
    Cross Domain Logging 108
    Logging Configuration 109
    Setting Up Logging 109
    Working with Domain Log Servers 109
    Setting up Domain Gateway to Send Logs to the Domain Log Server 110
    Synchronizing the Domain Log Server Database with the Domain Management Server Database 110
    Configuring a Multi-Domain Server to Enable Log Export 110
    Configuring Log Export Profiles 110
    Choosing Log Export Fields 111
    Log Export Troubleshooting 111
    Using SmartReporter 112
Monitoring 113
    Overview 113
    Monitoring Components in the Multi-Domain Security Management System 114
    Exporting the List Pane's Information to an External File 114
    Working with the List Pane 114
    Verifying Component Status 115
    Viewing Status Details 116
    Locating Components with Problems 117
    Monitoring Issues for Different Components and Features 117
    Multi-Domain Server 118
    Global Policies 118
    Domain Policies 119
    Gateway Policies 119
    High Availability 119
    Global VPN Communities 120
    Administrators 121
    GUI Clients 122
    Using SmartConsole 123
    Log Tracking 123
    Tracking Logs using SmartView Tracker 123
    Real-Time Network Monitoring with SmartView Monitor 123
    SmartReporter Reports 125
Architecture and Processes 126
    Packages in Multi-Domain Server Installation 126
    Multi-Domain Server File System 126
    Multi-Domain Server Directories on /opt and /var File Systems 126
    Structure of Domain Management Server Directory Trees 127
    Check Point Registry 128
    Automatic Start of Multi-Domain Server Processes, Files in /etc/rc3.d, /etc/init.d 128
    Processes 128
    Environment Variables 128
    Multi-Domain Server Level Processes 129
    Domain Management Server Level Processes 129
    Multi-Domain Server Configuration Databases 130
    Global Policy Database 130
    Multi-Domain Server Database 130
    Domain Management Server Database 130
    Connectivity Between Different Processes 131
    Multi-Domain Server Connection to Domain Management Servers 131
    Status Collection 131
    Collection of Changes in Objects 132
    Connection Between Multi-Domain Servers 132
    Large Scale Management Processes 132
    UTM-1 Edge Processes 132
    Reporting Server Processes 132
    Issues Relating to Different Platforms 132
    High Availability Scenarios 132
    Migration Between Platforms 133
Commands and Utilities 134
    Cross-Domain Management Server Search 134
    Overview 134
    Searching 134
    Copying Search Results 135
    Performing a Search in CLI 135
    P1Shell 136
    Overview 136
    Starting P1Shell 136
    File Constraints for P1Shell Commands 137
    Multi-Domain Security Management Shell Commands 137
    Audit Logging 140
    Command Line Reference 140
    cma_migrate 140
    CPperfmon - Solaris only 141
    cpmiquerybin 146
    dbedit 146
    export_database 148
    mcd bin | scripts | conf 149
    mds_backup 149
    mds_restore 150
    mds_user_expdate 150
    mdscmd 150
    mdsenv 158
    mdsquerydb 158
    mdstart 159
    mdstat 160
    mdstop 160
    merge_plug-in_tables 160
    migrate_assist 161
    migrate_global_policies 161
Index 163

Page 9

Chapter 1
Multi-Domain Security Management Overview

Multi-Domain Security Management is a centralized management solution for large-scale, distributed environments with many different network Domains. This best-of-breed solution is ideal for enterprises with many subsidiaries, branches, partners and networks. Multi-Domain Security Management is also an ideal solution for managed service providers, cloud computing providers, and data centers.

Centralized management gives administrators the flexibility to manage policies for many diverse entities. Security policies should be applicable to the requirements of different departments, business units, branches and partners, balanced with enterprise-wide requirements.

In This Chapter
    Multi-Domain Security Management Glossary 9
    Key Features 11
    Basic Architecture 11
    The Multi-Domain Server 13
    Domain Management Servers 14
    Log Servers 15
    High Availability 16
    Security Policies 17
    The Management Model 17

Multi-Domain Security Management Glossary
This glossary includes product-specific terms used in this guide.
Administrator
Security administrator with permissions to manage elements of a Multi-Domain Security Management deployment.

Global Policy
Policies that are assigned to all Domains, or to specified groups of Domains.

Global Objects
Network objects used in global policy rules. Examples of global objects include hosts, global Domain Management Servers, and global VPN communities.

Internal Certificate Authority (ICA)
Check Point component that authenticates administrators and users. The ICA also manages certificates for Secure Internal Communication (SIC) between Security Gateways and Multi-Domain Security Management components.

Multi-Domain Security Management
Check Point centralized management solution for large-scale, distributed environments with many different network Domains.

Multi-Domain Security Management Glossary Multi-Domain Security Management Overview Page 10

Domain
A network or group of networks belonging to a specified entity, such as a company, business unit or organization.

Multi-Domain Server
Multi-Domain Security Management server that contains all system information as well as the security policy databases for individual Domains.

Domain Management Server
Virtual Security Management Server that manages Security Gateways for one Domain.

Multi-Domain Log Server
Physical log server that hosts the log database for all Domains.

Domain Log Server
Virtual log server for a specified Domain.

Primary Multi-Domain Server
The first Multi-Domain Server that you define and log into in a High Availability deployment.

Secondary Multi-Domain Server
Any subsequent Multi-Domain Server that you define in a High Availability deployment.

Active Multi-Domain Server
The only Multi-Domain Server in a High Availability deployment from which you can add, change or delete global objects and global policies. By default, this is the primary Multi-Domain Server. You can change the active Multi-Domain Server.
Standby Multi-Domain Server
All other Multi-Domain Servers in a High Availability deployment, which cannot manage global policies and objects. Standby Multi-Domain Servers are synchronized with the active Multi-Domain Server.

Active Domain Management Server
In a High Availability deployment, the only Domain Management Server that can manage a specific Domain.

Standby Domain Management Server
In a High Availability deployment, any Domain Management Server for a specified Domain that is not designated as the active Domain Management Server.

[...]

... Management permissions

Protecting the Multi-Domain Security Management Environment
You should always deploy a Check Point Security Gateway to protect your Multi-Domain Security Management network, including your Multi-Domain Server, Multi-Domain Log Server and management platforms. This section ...

... Point Security Gateways to protect your Multi-Domain Security Management network. You can manage your Security Gateway using either a Security Management Server (configured as a standalone gateway/Security Management combination) or a Domain Management Server and the SmartDomain Manager.

Standalone Gateway/Security Management
In this scenario the Security Gateway that protects your Multi-Domain Security Management ...

... Multi-Domain Security Management Networks
The Multi-Domain Security Management network and Network Operation Center (NOC) must be protected by a Security Gateway. You can manage this gateway using a Domain Management Server or a Security Management Server. This Security Gateway must have a security policy that adequately protects the NOC and allows secure communication between Multi-Domain Security Management ...
... install a Security Policy for the gateway.

Security Gateways Protecting a Multi-Domain Server
A Security Gateway that protects a Multi-Domain Server must have an installed security policy that allows connections between:
    The Active and Standby Domain Management Servers and their Domain Security ...

... implementing Multi-Domain Security Management. This chapter examines different aspects of deployment preparation. Included are several issues that you should take into consideration when planning a new Multi-Domain Security Management deployment.

In This Chapter
    Multi-Domain Security Management Components Installed at the NOC
    Using Multiple Multi-Domain Servers
    Protecting Multi-Domain Security Management ...

... Domain Management Server is a virtual Security Management Server that manages security policies and Security Gateways for a specified Domain. The Multi-Domain Server is a physical server that hosts the Domain Management Server databases and Multi-Domain Security Management system databases. The SmartDomain Manager is a management client that administrators use to manage domain security and the Multi-Domain ...

... multiple Multi-Domain Servers.

Domain Management Servers
A Domain Management Server is the Multi-Domain Security Management functional equivalent of a Security Management Server. Administrators use Domain Management Servers to define, change and install Domain security policies to Domain Security Gateways. A Domain can have multiple Domain Management Servers in a high availability deployment. One Domain Management ...
Callout  Description
1        Security Gateway
2        Network Operation Center
3        Headquarters Domain Management Server
4A       USA Development Domain Management Server
4B       Headquarters Domain Management Server
4C       UK Development Domain Management Server

After you define a Domain Management Server, you define Security Gateways, network objects, and security policies using the basic procedures in the R75 Security Management Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11667). You manage Security ...

... Logging in Multi-Domain Security Management (on page 106), and High Availability (on page 90).

Log Servers
This section shows how log servers operate in a Multi-Domain Security Management deployment.

List of Callouts
Callout  Description
A        Domain A
B        Domain B
1        Security Gateway
2        Multi-Domain Server
3        Multi-Domain Log Server
4        Domain Management ...

... UK Development Domain
1        Security Gateway
2        Network Operation Center
3        Multi-Domain Server
4A       USA Development Domain Management Server
4B       Headquarters Domain Management Server
4C       UK Development Domain Management Server

The Multi-Domain Server
The Multi-Domain Server is a physical computer that hosts Domain Management Servers, system ...