CP R71 Provider-1 Admin Guide

Published by: Jef Peeters on Sep 14, 2011
Copyright: Attribution Non-commercial

  • Introduction
  • The Need for Provider-1
  • Management Service Providers (MSP)
  • Data Centers
  • Large Enterprises
  • The Check Point Solution
  • Basic Elements
  • Point of Presence (POP) Network Environment
  • Managers and Containers
  • Log Managers
  • The Management Model
  • Introduction to the Management Model
  • Administrators
  • Management Tools
  • The Provider-1 Trust Model
  • Introduction to the Trust Model
  • Secure Internal Communication (SIC)
  • Trust Between a CMA and its Customer Network
  • Trust Between a CLM and its Customer Network
  • MDS Communication with CMAs
  • Trust Between MDS to MDS
  • Authenticating the Administrator
  • Authenticating via External Authentication Servers
  • Setting up External Authentication
  • To set up External Authentication:
  • Re-authenticating when using SmartConsole Clients
  • CPMI Protocol
  • Planning the Provider-1 Environment
  • Asking yourself the right questions
  • Safety comes first
  • Consider the Following Scenario
  • Protecting Provider-1 Networks
  • MDS Managers and Containers
  • MDS Managers
  • MDS Containers
  • Choosing your deployment for MDS Managers and Containers
  • MDS Clock Synchronization
  • Setting up the Provider-1 Environment
  • A Typical Scenario
  • A Standalone Provider-1 Network
  • A Distributed Provider-1 Network
  • Provider-1 Network with Point of Presence (POP) Center
  • Hardware Requirements and Recommendations
  • Hardware Requirements and Recommendations
  • Provider-1 Order of Installation
  • Licensing and Deployment
  • The Trial Period
  • Considerations
  • Further Licensing Detail
  • Miscellaneous Issues
  • IP Allocation & Routing
  • Network Address Translation (NAT)
  • Enabling OPSEC
  • Provisioning Provider-1
  • Overview
  • Provisioning Process Overview
  • Setting Up Your Network Topology
  • Creating a Primary MDS Manager
  • Using the MDG for the First Time
  • Launching the MDG
  • Adding Licenses using the MDG
  • Multiple MDS Deployments
  • Synchronizing Clocks
  • Adding a New MDS or MLM
  • Modifying an Existing MDS
  • Deleting an MDS
  • Protecting the Provider-1 Environment
  • Standalone Gateway/Security Management
  • Provider-1 CMA and MDG Management
  • Defining a Security Policy for the Gateway
  • Enabling Connections Between Different Components of the System
  • Customer Management
  • Creating Customers: A Sample Deployment
  • Introduction to Creating Customers: A Sample Deployment
  • Setup Considerations
  • IP Allocation for CMAs
  • Assigning Groups
  • Management Plug-ins
  • Introducing Management Plug-ins
  • Installing Plug-ins
  • Activating Plug-ins
  • Plug-in Status
  • High Availability Mode
  • Plug-in Mismatches
  • Configuration
  • Configuring a New Customer
  • Creating Administrator and Customer Groups
  • Changing Administrators
  • Modifying a Customer's Configuration
  • Changing GUI Clients
  • Deleting a Customer
  • Configuring a CMA
  • Starting or Stopping a CMA
  • Checking CMA Status
  • Deleting a CMA
  • Global Policy Management
  • Security Policies in Provider-1
  • Introduction to Security Policies in Provider-1
  • The Need for Global Policies
  • The Global Policy as a Template
  • Global Policies and the Global Rule Base
  • Global SmartDashboard
  • Introduction to Global SmartDashboard
  • Global Services
  • Dynamic Objects and Dynamic Global Objects
  • Applying Global Rules to Gateways by Function
  • Synchronizing the Global Policy Database
  • Creating a Global Policy through Global SmartDashboard
  • Creating a Global Policy through Global SmartDashboard
  • Global IPS
  • Introduction to Global IPS
  • IPS in Global SmartDashboard
  • IPS Profiles
  • Subscribing Customers to IPS Service
  • Managing IPS from a CMA
  • Assigning Global Policy
  • Assigning Global Policy for the First Time
  • To assign Global Policy for the first time:
  • Assigning Global Policies to VPN Communities
  • To assign global policies to VPN Communities:
  • Re-assigning Global Policies
  • Viewing the Status of Global Policy Assignments
  • Global Policy History File
  • Assigning or Installing a Global Policy
  • Reassigning/Installing a Global Policy on Customers
  • Reinstalling a Customer Policy on Customer Gateways
  • To Reinstall a Customer Policy on Customer gateways:
  • Remove a Global Policy from Multiple Customers
  • Remove a Global Policy from a Single Customer
  • To remove a Global Policy from only single Customer:
  • Viewing the Customer's Global Policy History File
  • Global Policies Tab
  • Global Names Format
  • Working in the Customer's Network
  • Customer Management Add-on (CMA)
  • Installing and Configuring Security Gateways
  • SmartConsole Client Applications
  • Installing and Configuring Security Gateways
  • Managing Customer Policies
  • UTM-1 Edge Appliances
  • Creating Customer Policies
  • Revision Control
  • Working with CMAs and CLMs in the MDG
  • VPN in Provider-1
  • Access Control at the Network Boundary
  • Authentication Between Gateways
  • How VPN Works
  • VPN Connectivity in Provider-1
  • Connections to a Customer Network
  • Global VPN Communities
  • Gateway Global Names
  • VPN Domains in Global VPN
  • Joining a Gateway to a Global VPN Community
  • Configuring Global VPN Communities
  • Enabling a Customer Gateway to Join a Global VPN Community
  • High Availability
  • CMA High Availability
  • Active Versus Standby
  • Setting up a Mirror CMA
  • CMA Backup using Security Management Server
  • MDS High Availability
  • MDS Mirror Site
  • Setting up a New MDS and Initiating Synchronization
  • MDS: Active or Standby
  • The MDS Manager's Databases
  • The MDS Container's Databases
  • How Synchronization Works
  • Setting up Synchronization
  • Footnotes:
  • Adding another MDS
  • Creating a Mirror of an Existing MDS
  • Initializing Synchronization between MDSs
  • Subsequent Synchronization for MDSs
  • Selecting a Different MDS to be the Active MDS
  • Automatic Synchronization for Global Policies Databases
  • Add a Secondary CMA
  • To add a secondary CMA:
  • Mirroring CMAs with mdscmd
  • Automatic CMA Synchronization
  • Synchronize ClusterXL Gateways
  • Failure Recovery in High Availability Deployments
  • Recovery with a Functioning Manager MDS
  • Recovery from Failure of the Only Manager MDS
  • Logging in Provider-1
  • Logging Customer Activity
  • Exporting Logs
  • Log Export to Text
  • Manual Log Export to Oracle Database
  • Automatic Log Export to Oracle Database
  • Log Forwarding
  • Cross Domain Logging
  • Logging Configuration
  • Setting Up Logging
  • Working with CLMs
  • Setting up Customer Gateway to Send Logs to the CLM
  • To set up customer gateways to send logs to the CLM:
  • Synchronizing the CLM Database with the CMA Database
  • Configuring an MDS to Enable Log Export
  • To configure an MDS to Enable Log Export:
  • Configuring Log Export Profiles
  • To configure Log Export profiles:
  • Choosing Log Export Fields
  • Log Export Troubleshooting
  • Using SmartReporter
  • Monitoring in Provider-1
  • Monitoring Components in the Provider-1 System
  • Monitoring Components in the Provider-1 System
  • Exporting the List Pane's Information to an External File
  • Working with the List Pane
  • Checking the Status of Components in the System
  • Viewing Status Details
  • Locating Components with Problems
  • Monitoring Issues for Different Components and Features
  • Global Policies
  • Customer Policies
  • Gateway Policies
  • GUI Clients
  • Using SmartConsole to Monitor Provider-1 Components
  • Log Tracking
  • Tracking Logs using SmartView Tracker
  • Real-Time Network Monitoring with SmartView Monitor
  • SmartReporter Reports
  • Architecture and Processes
  • Packages in MDS Installation
  • MDS File System
  • MDS Directories on /opt and /var File Systems
  • Structure of CMA Directory Trees
  • Check Point Registry
  • Automatic Start of MDS Processes, Files in /etc/rc3.d, /etc/init.d
  • Processes
  • Environment Variables
  • MDS Level Processes
  • CMA Level Processes
  • MDS Configuration Databases
  • Global Policy Database
  • MDS Database
  • CMA Database
  • Connectivity Between Different Processes
  • MDS Connection to CMAs
  • Status Collection
  • Collection of Changes in Objects
  • Connection Between MDSs
  • Large Scale Management Processes
  • UTM-1 Edge Processes
  • Reporting Server Processes
  • Issues Relating to Different Platforms
  • High Availability Scenarios
  • Migration Between Platforms
  • Commands and Utilities
  • Cross-CMA Search
  • Performing a Search
  • Copying Search Results
  • Performing a Search in CLI
  • P1Shell
  • Starting P1Shell
  • File Constraints for P1Shell Commands
  • P1Shell Commands
  • Audit Logging
  • Command Line Reference
  • cma_migrate
  • CPperfmon - Solaris only
  • CPperfmon hw - Solaris only
  • cpmiquerybin
  • dbedit
  • export_database
  • mcd bin | scripts | conf
  • mds_backup
  • mds_restore
  • mds_user_expdate
  • mdscmd
  • mdsenv
  • mdsquerydb
  • mdsstart
  • mdsstat
  • mdsstop
  • merge_plug-in_tables
  • migrate_assist
  • migrate_global_policies
  • Index

One Customer's gateways are not "known" to the CMAs of other Customers. (This preserves privacy and the
integrity of each Customer's security.) For CMAs to "recognize" another Customer's gateway, that
gateway must first be enabled for global use, which "promotes" the gateway object from the Customer level
to the Provider-1 level.

In order to establish cross-customer VPN, "global gateway objects" are created in the global policy
database. A global gateway object is also known as a Neighbor VPN Object. A Customer's gateway is
"promoted" to be a Neighbor VPN Object. It can then participate in a Global VPN Community.

Different Customers may coincidentally give their gateways the same name (e.g. ftp_gateway).
Since each global gateway object must have its own unique Global Name, Provider-1 uses a Global
Names Template, which automatically suggests a unique name. The default format includes the Customer
name, using the format: g_of_.

For example, the BigBank enterprise has a London branch, whose Security Gateway is named
"London_gw." Its Customer is named BigBankUK. Martin, the Provider-1 Superuser administrator, wants
to change the default template to add UK (country) at the end.

In the MDG, via Manage > Provider-1 Properties, in the Global Names Format tab, Martin specifies that the
template should use the gateway name, the Customer name and the country name, as follows:
g_of_. When Martin goes through the process of enabling the gateway for global use, the template
automatically names the gateway gLondon_gw_of_BigBankUK.

Once a gateway is enabled for global VPN and given a unique name, it appears in the Global Policy.

The templates for global names of gateways and global names of VPN Domain objects can be defined in
MDG, via Manage > Provider-1 Properties.
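The following Python is an added illustration, not code from the guide or from Check Point, of why the default template folds the Customer name into the Global Name: two Customers can each have a gateway called ftp_gateway, and the rendered global names must still be distinct in the global policy database. The placeholder syntax `{gateway}`/`{customer}`, the `GlobalPolicyRegistry` class and the collision check are assumptions made for this example; the real template is configured in the MDG as described above.

```python
"""Model of Global Names Template rendering and the uniqueness rule.

Added example (not Check Point's code). The placeholder tokens {gateway}
and {customer} are an assumption for this illustration; they are not the
syntax of the MDG's Global Names Format tab.
"""

# Assumed rendering of the guide's default "g<gateway>_of_<customer>" format.
DEFAULT_TEMPLATE = "g{gateway}_of_{customer}"


def render_global_name(template, gateway, customer):
    """Apply a global-name template to one Customer's gateway object."""
    return template.format(gateway=gateway, customer=customer)


class GlobalPolicyRegistry:
    """Hypothetical registry of global (Neighbor VPN) gateway objects.

    Every promoted gateway needs a Global Name that no other Customer's
    gateway already uses, otherwise the global policy could not tell the
    two objects apart.
    """

    def __init__(self, template=DEFAULT_TEMPLATE):
        self.template = template
        self._names = {}  # global name -> (customer, gateway)

    def promote(self, customer, gateway):
        """Enable a Customer's gateway for global use and return its Global Name."""
        name = render_global_name(self.template, gateway, customer)
        owner = (customer, gateway)
        if name in self._names and self._names[name] != owner:
            raise ValueError(
                f"global name collision: {name!r} already belongs to "
                f"{self._names[name]}"
            )
        self._names[name] = owner
        return name

    def names(self):
        """Global Names currently visible in the global policy database."""
        return sorted(self._names)


def demo():
    """Promote same-named gateways of two Customers plus the guide's BigBank case."""
    registry = GlobalPolicyRegistry()
    # Constructed sample Customers; both happen to call a gateway "ftp_gateway".
    first = registry.promote("CustomerA", "ftp_gateway")
    second = registry.promote("CustomerB", "ftp_gateway")
    bigbank = registry.promote("BigBankUK", "London_gw")
    return first, second, bigbank, registry.names()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A template that omits the Customer name (for instance `g{gateway}`) makes the second `promote` call raise, which is exactly the collision the default template is designed to avoid.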

Global or Neighbor VPN Gateway

For Global VPN Communities, VPN tunnels are created between Neighbor VPN gateways. (In a Security
Management deployment, this is known as an externally managed gateway, that is, a gateway managed by a
different Security Management server.)

The neighboring gateway supports certificates issued by the other Customer's CA, so each gateway must
trust the other's CA.

Global VPN Communities

VPN in Provider-1 Page 101
