CP R71 Provider-1 Admin Guide

Published by: Jef Peeters on Sep 14, 2011
Copyright: Attribution Non-commercial

  • Introduction
  • The Need for Provider-1
  • Management Service Providers (MSP)
  • Data Centers
  • Large Enterprises
  • The Check Point Solution
  • Basic Elements
  • Point of Presence (POP) Network Environment
  • Managers and Containers
  • Log Managers
  • The Management Model
  • Introduction to the Management Model
  • Administrators
  • Management Tools
  • The Provider-1 Trust Model
  • Introduction to the Trust Model
  • Secure Internal Communication (SIC)
  • Trust Between a CMA and its Customer Network
  • Trust Between a CLM and its Customer Network
  • MDS Communication with CMAs
  • Trust Between MDS to MDS
  • Authenticating the Administrator
  • Authenticating via External Authentication Servers
  • Setting up External Authentication
  • To set up External Authentication:
  • Re-authenticating when using SmartConsole Clients
  • CPMI Protocol
  • Planning the Provider-1 Environment
  • Asking yourself the right questions
  • Safety comes first
  • Consider the Following Scenario
  • Protecting Provider-1 Networks
  • MDS Managers and Containers
  • MDS Managers
  • MDS Containers
  • Choosing your deployment for MDS Managers and Containers
  • MDS Clock Synchronization
  • Setting up the Provider-1 Environment
  • A Typical Scenario
  • A Standalone Provider-1 Network
  • A Distributed Provider-1 Network
  • Provider-1 Network with Point of Presence (POP) Center
  • Hardware Requirements and Recommendations
  • Hardware Requirements and Recommendations
  • Provider-1 Order of Installation
  • Licensing and Deployment
  • The Trial Period
  • Considerations
  • Further Licensing Detail
  • Miscellaneous Issues
  • IP Allocation & Routing
  • Network Address Translation (NAT)
  • Enabling OPSEC
  • Provisioning Provider-1
  • Overview
  • Provisioning Process Overview
  • Setting Up Your Network Topology
  • Creating a Primary MDS Manager
  • Using the MDG for the First Time
  • Launching the MDG
  • Adding Licenses using the MDG
  • Multiple MDS Deployments
  • Synchronizing Clocks
  • Adding a New MDS or MLM
  • Modifying an Existing MDS
  • Deleting an MDS
  • Protecting the Provider-1 Environment
  • Standalone Gateway/Security Management
  • Provider-1 CMA and MDG Management
  • Defining a Security Policy for the Gateway
  • Enabling Connections Between Different Components of the System
  • Customer Management
  • Creating Customers: A Sample Deployment
  • Introduction to Creating Customers: A Sample Deployment
  • Setup Considerations
  • IP Allocation for CMAs
  • Assigning Groups
  • Management Plug-ins
  • Introducing Management Plug-ins
  • Installing Plug-ins
  • Activating Plug-ins
  • Plug-in Status
  • High Availability Mode
  • Plug-in Mismatches
  • Configuration
  • Configuring a New Customer
  • Creating Administrator and Customer Groups
  • Changing Administrators
  • Modifying a Customer's Configuration
  • Changing GUI Clients
  • Deleting a Customer
  • Configuring a CMA
  • Starting or Stopping a CMA
  • Checking CMA Status
  • Deleting a CMA
  • Global Policy Management
  • Security Policies in Provider-1
  • Introduction to Security Policies in Provider-1
  • The Need for Global Policies
  • The Global Policy as a Template
  • Global Policies and the Global Rule Base
  • Global SmartDashboard
  • Introduction to Global SmartDashboard
  • Global Services
  • Dynamic Objects and Dynamic Global Objects
  • Applying Global Rules to Gateways by Function
  • Synchronizing the Global Policy Database
  • Creating a Global Policy through Global SmartDashboard
  • Creating a Global Policy through Global SmartDashboard
  • Global IPS
  • Introduction to Global IPS
  • IPS in Global SmartDashboard
  • IPS Profiles
  • Subscribing Customers to IPS Service
  • Managing IPS from a CMA
  • Assigning Global Policy
  • Assigning Global Policy for the First Time
  • To assign Global Policy for the first time:
  • Assigning Global Policies to VPN Communities
  • To assign global policies to VPN Communities:
  • Re-assigning Global Policies
  • Viewing the Status of Global Policy Assignments
  • Global Policy History File
  • Assigning or Installing a Global Policy
  • Reassigning/Installing a Global Policy on Customers
  • Reinstalling a Customer Policy on Customer Gateways
  • To Reinstall a Customer Policy on Customer gateways:
  • Remove a Global Policy from Multiple Customers
  • Remove a Global Policy from a Single Customer
  • To remove a Global Policy from only single Customer:
  • Viewing the Customer's Global Policy History File
  • Global Policies Tab
  • Global Names Format
  • Working in the Customer's Network
  • Customer Management Add-on (CMA)
  • Installing and Configuring Security Gateways
  • SmartConsole Client Applications
  • Installing and Configuring Security Gateways
  • Managing Customer Policies
  • UTM-1 Edge Appliances
  • Creating Customer Policies
  • Revision Control
  • Working with CMAs and CLMs in the MDG
  • VPN in Provider-1
  • Access Control at the Network Boundary
  • Authentication Between Gateways
  • How VPN Works
  • VPN Connectivity in Provider-1
  • Connections to a Customer Network
  • Global VPN Communities
  • Gateway Global Names
  • VPN Domains in Global VPN
  • Joining a Gateway to a Global VPN Community
  • Configuring Global VPN Communities
  • Enabling a Customer Gateway to Join a Global VPN Community
  • High Availability
  • CMA High Availability
  • Active Versus Standby
  • Setting up a Mirror CMA
  • CMA Backup using Security Management Server
  • MDS High Availability
  • MDS Mirror Site
  • Setting up a New MDS and Initiating Synchronization
  • MDS: Active or Standby
  • The MDS Manager's Databases
  • The MDS Container's Databases
  • How Synchronization Works
  • Setting up Synchronization
  • Footnotes:
  • Adding another MDS
  • Creating a Mirror of an Existing MDS
  • Initializing Synchronization between MDSs
  • Subsequent Synchronization for MDSs
  • Selecting a Different MDS to be the Active MDS
  • Automatic Synchronization for Global Policies Databases
  • Add a Secondary CMA
  • To add a secondary CMA:
  • Mirroring CMAs with mdscmd
  • Automatic CMA Synchronization
  • Synchronize ClusterXL Gateways
  • Failure Recovery in High Availability Deployments
  • Recovery with a Functioning Manager MDS
  • Recovery from Failure of the Only Manager MDS
  • Logging in Provider-1
  • Logging Customer Activity
  • Exporting Logs
  • Log Export to Text
  • Manual Log Export to Oracle Database
  • Automatic Log Export to Oracle Database
  • Log Forwarding
  • Cross Domain Logging
  • Logging Configuration
  • Setting Up Logging
  • Working with CLMs
  • Setting up Customer Gateway to Send Logs to the CLM
  • To set up customer gateways to send logs to the CLM:
  • Synchronizing the CLM Database with the CMA Database
  • Configuring an MDS to Enable Log Export
  • To configure an MDS to Enable Log Export:
  • Configuring Log Export Profiles
  • To configure Log Export profiles:
  • Choosing Log Export Fields
  • Log Export Troubleshooting
  • Using SmartReporter
  • Monitoring in Provider-1
  • Monitoring Components in the Provider-1 System
  • Monitoring Components in the Provider-1 System
  • Exporting the List Pane's Information to an External File
  • Working with the List Pane
  • Checking the Status of Components in the System
  • Viewing Status Details
  • Locating Components with Problems
  • Monitoring Issues for Different Components and Features
  • Global Policies
  • Customer Policies
  • Gateway Policies
  • GUI Clients
  • Using SmartConsole to Monitor Provider-1 Components
  • Log Tracking
  • Tracking Logs using SmartView Tracker
  • Real-Time Network Monitoring with SmartView Monitor
  • SmartReporter Reports
  • Architecture and Processes
  • Packages in MDS Installation
  • MDS File System
  • MDS Directories on /opt and /var File Systems
  • Structure of CMA Directory Trees
  • Check Point Registry
  • Automatic Start of MDS Processes, Files in /etc/rc3.d, /etc/init.d
  • Processes
  • Environment Variables
  • MDS Level Processes
  • CMA Level Processes
  • MDS Configuration Databases
  • Global Policy Database
  • MDS Database
  • CMA Database
  • Connectivity Between Different Processes
  • MDS Connection to CMAs
  • Status Collection
  • Collection of Changes in Objects
  • Connection Between MDSs
  • Large Scale Management Processes
  • UTM-1 Edge Processes
  • Reporting Server Processes
  • Issues Relating to Different Platforms
  • High Availability Scenarios
  • Migration Between Platforms
  • Commands and Utilities
  • Cross-CMA Search
  • Performing a Search
  • Copying Search Results
  • Performing a Search in CLI
  • P1Shell
  • Starting P1Shell
  • File Constraints for P1Shell Commands
  • P1Shell Commands
  • Audit Logging
  • Command Line Reference
  • cma_migrate
  • CPperfmon - Solaris only
  • CPperfmon hw - Solaris only
  • cpmiquerybin
  • dbedit
  • export_database
  • mcd bin | scripts | conf
  • mds_backup
  • mds_restore
  • mds_user_expdate
  • mdscmd
  • mdsenv
  • mdsquerydb
  • mdsstart
  • mdsstat
  • mdsstop
  • merge_plug-in_tables
  • migrate_assist
  • migrate_global_policies
  • Index

The following scenario outlines a typical example of the basic components and features that can be
implemented, and that need to be taken into consideration when planning.

Environment: Distributed with High Availability

Protecting Provider-1 Networks

Consider the following: a medical supplies firm has several branch locations, and requires failover
capabilities. MDSs are installed in three branches: Kansas, Osaka, and Montenegro. Each MDS has a mix
of primary and secondary CMAs.

Security: Security Gateway

Critical to comprehensive security, each MDS is protected by a Security Gateway. This gateway should be
managed by a CMA or by a standalone Security Management server.

The gateway must have a security policy that adequately protects the network and which allows secure
communication between Provider-1 components and external customer networks.

The gateway must have security rules that allow CMAs to communicate with customer gateways, and that
allow external customer administrators to access CMAs.

Figure 2-22: CMA High Availability in an Enterprise Network

Requirement: Logging and Tracking

Most enterprise systems and MSPs require event logging and tracking. Accountability requirements can
lead to sizable log maintenance. By default, logs will be stored on the Customer's CMA that manages the
gateway which is generating the logs in the Provider-1 management network. For most systems, in terms of
licensing, it is more cost-effective to dedicate an MLM server to store logs rather than purchase extra
Managers for this purpose. It is recommended that you implement one or more dedicated log servers
(MLMs), depending on the activity tracking load in the system Provider-1 manages.

For more information about logging, see Logging in Provider-1 (on page 119).

Requirement: GUI Clients & their Platforms

Finally, consider the platforms that will be used to run the GUI tools used to manage the Provider-1 and
Customer environments. The Provider-1 system is monitored using the MDG and SmartConsole Client
applications. GUI Clients should be deployed either inside or outside of the Provider-1 network to enable
administrators to access the Provider-1 system. The MDG runs only on Windows platforms, but it supports
MDSs and their CMAs on any supported platform.

Requirement: Routing & Communication

If GUI Clients are located outside of the Provider-1 network, communication between these computers and
the MDS Manager(s) must be allowed. If MDSs are in different remote locations, and there is more than one
Provider-1 network, communication between the remote MDSs and the local MDSs must be allowed. Also
ensure appropriate routing to support communication between computers and servers.
