Chapter 3

MDS INSTALLATION AND CONFIGURATION

The MDS consists of multiple CMAs installed on a single machine. Each CMA controls any number of VPN-1/FireWall-1 remote Enforcement Modules at a single customer site. Check Point Provider-1 NG with Application Intelligence includes MDS Manager and MDS Container components to support a growing customer base. The MDS Manager is the core component and is required for the first 200 customer CMAs. Additional MDS machines can be added, and up to 500 separate CMAs can be managed by each MDS in the Provider-1 NG configuration.

Objectives

1 List the minimum system requirements for installing the MDS.
2 Demonstrate how to install an MDS Manager on a Sun Solaris SPARC-based or RedHat Linux system.
3 Demonstrate how to configure an MDS Manager as the Primary MDS.

Key Terms

• mds_setup
• mdsconfig
• mdsenv
• mdsstart
• mdsstop

CHOOSING THE TYPE OF MDS

The Multi Domain Server (MDS) contains separate file structures for each CMA. Customer-specific information is kept separated in independent CMA databases to offer greater security and data integrity. Each CMA’s rules, objects, and users reside in the CMA database and are not shared. The following directories remain private and separated by CMA:

• conf
• database
• state

The MDS shares the VPN-1/FireWall-1 management functions. In this way, the CMA data is separated, but shares the same soft-linked Management Server functions, such as binary executables and INSPECT files. Every Provider-1 configuration must include an MDS Manager. The GUI connects to the MDS Manager to access the CMAs. Additional MDS machines can be added to the configuration as needed. There are two different types of Multi Domain Servers:

• MDS Container
• MDS Manager

The MDS Container can maintain up to 500 separate CMAs and perform Security Policy management functions. The MDS Manager can perform tasks such as file synchronization for backup capabilities and acts as the Certificate Authority for the Provider-1 system at the NOC. The scalable architecture of Provider-1 allows MSPs to accommodate a growing customer base. In every scenario, both an MDS Manager and an MDS Container are necessary. These two components can be on the same machine.


Multi Domain Server - Manager
The MDS Manager is the central point of entry for the CMAs. The MDG can only access the MDS Manager. The Manager is a Certificate Authority for the Provider-1 NG configuration and, if multiple MDS Managers exist, establishes High Availability between them. High Availability (HA) is possible even if the additional Manager machine is located at a remote location. No CMAs are loaded on the MDS Manager. Only the MDS Container can maintain the CMAs. If the MDS Manager is installed as the only MDS in the configuration, both the Manager and Container functions can be installed and run on one machine.

Multi Domain Server - Container
The less-expensive MDS Container maintains the customer CMAs. Capable of maintaining up to 500 CMAs, the Container machine is an alternative for Administrators who want to increase their Provider-1 capabilities without dramatically increasing cost. The Container machine cannot function as a Certificate Authority for Provider-1 components or establish High Availability for CMAs. The Container machine can be used as an additional MDS to increase customer capacity and for backup capabilities.

Multi Domain Server as Multi Domain Log Module
The MDS can also be licensed to function as a Multi Domain Log Module (MLM). The MLM separates the logs of each CMA into different databases. The MLM is configured with a CLM for each Customer CMA. Unlike the CMAs loaded on an MDS, CLMs configured on the MLM do not require a separate license. No more than 200 CLMs can be loaded on one MDS MLM.


Licensing the Multi Domain Server
The MDS can be licensed in a number of different ways, depending on the MSP’s Provider-1 configuration. The MDS can be licensed as either a Manager, a Container, or both.
Feature String       Description
CPPR-MDS-M-NG        MDS Manager component without Container
CPPR-MDS-C10-NG      MDS Container component for hosting up to 10 CMAs
CPPR-MDS-C25-NG      MDS Container component for hosting up to 25 CMAs
CPPR-MDS-C50-NG      MDS Container component for hosting up to 50 CMAs
CPPR-MDS-C100-NG     MDS Container component for hosting up to 100 CMAs
CPPR-MDS-C200-NG     MDS Container component for hosting up to 200 CMAs
CPPR-MDS-MC10-NG     Combined MDS Manager and Container for hosting up to 10 CMAs
CPPR-MDS-MC25-NG     Combined MDS Manager and Container for hosting up to 25 CMAs
CPPR-MDS-MC50-NG     Combined MDS Manager and Container for hosting up to 50 CMAs
CPPR-MDS-MC100-NG    Combined MDS Manager and Container for hosting up to 100 CMAs
CPPR-MDS-MC200-NG    Combined MDS Manager and Container for hosting up to 200 CMAs

Provider-1 NG licenses are additive. If an Administrator has a 50 CMA license and adds a 25 CMA license, that Administrator would be licensed to manage up to 75 CMAs.
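Because licenses are additive, planning an MDS means totalling the CMA capacity across every installed feature string and confirming that a Manager component is among them, since every Provider-1 configuration must include an MDS Manager. The shell functions below are an added example, not part of the Check Point course material; the function names are this example's own, the feature strings are those in the table above, and the 500-CMA ceiling is the per-MDS limit stated at the start of the chapter.

```shell
#!/bin/sh
# Added example, not part of the Check Point course material: total the CMA
# capacity of Provider-1 MDS licence feature strings (which are additive) and
# check that the set includes a Manager component. Function names are this
# example's own; the feature strings are those in the licensing table.

# mds_string_capacity FEATURE -> prints the CMA capacity of one feature string
# (0 for the Manager-only string); returns 1 for a string not in the table
mds_string_capacity() {
    case "$1" in
        CPPR-MDS-M-NG)        echo 0; return 0 ;;
        CPPR-MDS-C[0-9]*-NG)  n=${1#CPPR-MDS-C} ;;
        CPPR-MDS-MC[0-9]*-NG) n=${1#CPPR-MDS-MC} ;;
        *)                    return 1 ;;
    esac
    n=${n%-NG}
    case "$n" in
        10|25|50|100|200) echo "$n" ;;   # Container sizes listed in the table
        *)                return 1 ;;
    esac
}

# mds_has_manager "STR STR ..." -> 0 if some string carries the Manager component
mds_has_manager() {
    for f in $1; do
        case "$f" in
            CPPR-MDS-M-NG|CPPR-MDS-MC*-NG) return 0 ;;
        esac
    done
    return 1
}

# mds_total_capacity "STR STR ..." -> prints the summed CMA capacity
mds_total_capacity() {
    total=0
    for f in $1; do
        c=$(mds_string_capacity "$f") || { echo "unknown feature string: $f" >&2; return 1; }
        total=$(( total + c ))
    done
    echo "$total"
}

# mds_license_check "STR STR ..." PLANNED -> 0 if the licences cover PLANNED
# CMAs, include a Manager, and PLANNED stays within the 500-CMA limit of one MDS
mds_license_check() {
    cap=$(mds_total_capacity "$1") || return 1
    mds_has_manager "$1"  || { echo "no MDS Manager component licensed" >&2; return 1; }
    [ "$2" -le 500 ]      || { echo "$2 CMAs exceed the 500-CMA limit of one MDS" >&2; return 1; }
    [ "$2" -le "$cap" ]   || { echo "licensed for $cap CMAs, $2 planned" >&2; return 1; }
    echo "ok: $cap CMAs licensed, $2 planned, Manager present"
}
```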

PROVIDER-1 NG WITH APPLICATION INTELLIGENCE MDS MINIMUM REQUIREMENTS

The table below lists the minimum hardware and operating system requirements for installing the specified MDS components.
Platform             Sun Ultra SPARC-based systems
                     Intel-based systems
Operating Systems    Solaris 2.8 32 bit, 2.8 64 bit
                     Solaris 2.9 64 bit
                     RedHat Linux 7.2
                     RedHat Linux 7.3
                     SecurePlatform NG with Application Intelligence (R55)
Required Patches     Solaris 2.8 32 bit - patch number 109147-18
                     Solaris 2.8 64 bit - patch number 109147-18
                     Solaris 2.8 - 109326-07
                     Solaris 2.8 - 109147-18
                     Solaris 2.9 - 112902-07
                     OS Patch level of at least 6
                     RedHat Linux 7.2 (Kernel 2.4.9-31)
                     RedHat Linux 7.3 (Kernel 2.4.18-5)
Edition              VpnStrong (3DES)
Disk Space           Basic MDS installation (mostly under /opt): 150 MB
                     Disk space for each CMA (under /var/opt): 10 MB per CMA
                     60 MB swap
Memory               MDS functionality: 100 MB
                     Memory allocated per CMA: 10-20 MB
Network Interface    All interfaces supported by the operating system

The Linux kernel required to install the MDS on RedHat is available from the Check Point download center at: www.checkpoint.com/support/downloads

LAB 1: INSTALLING AND CONFIGURING THE PRIMARY MDS STATION

Scenario: You have just been hired to deploy Provider-1 NG at an MSP that wants to offer security services to its customers. You must now deploy a Primary MDS at your new company’s NOC.

Objectives: In this lab, you will install the MDS as a Manager and Container. You will then configure the station to function as the Primary MDS in your NOC environment.

Topics: The following topics are covered in this lab:

• MDS installation on a Linux or a Solaris system
• MDS configuration
• Configuring a Provider Superuser
• Configuring a GUI client

VERIFY MDS MACHINE CONFIGURATION

1 Verify that gzip and gunzip are installed on the Sun Solaris or Linux machine before attempting to install the MDS.

2 Verify that your machine meets the minimum requirements for MDS installation, including patch level.

A specific kernel must be running on the Linux machine before you can install the Provider-1 MDS. If the system does not boot up on this kernel, the MDS installation will fail.

3 Insert the Provider-1 NG CD into the CD-ROM drive.
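The two verification steps above can be scripted from the figures in the minimum-requirements table, so that a failed check stops the operator before mds_setup is run and fails on a wrong kernel. The following POSIX shell functions are an added example, not part of the Check Point course material; the function names and the assumption that a Linux host is one of the RedHat installs from the table are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Check Point course material: pre-installation
# checks for a Provider-1 MDS, built from the minimum-requirements table and
# the two VERIFY steps. Function names are this example's own.

# Figures from the requirements table.
MDS_BASE_DISK_MB=150      # basic MDS installation, mostly under /opt
MDS_CMA_DISK_MB=10        # per CMA, under /var/opt (60 MB swap is separate)
MDS_BASE_MEM_MB=100       # MDS functionality
MDS_CMA_MEM_MIN_MB=10     # per CMA, lower bound
MDS_CMA_MEM_MAX_MB=20     # per CMA, upper bound

# mds_disk_mb N -> disk needed (MB, excluding swap) for an MDS hosting N CMAs
mds_disk_mb() {
    echo $(( MDS_BASE_DISK_MB + MDS_CMA_DISK_MB * $1 ))
}

# mds_mem_mb N -> memory range "MIN MAX" (MB) for an MDS hosting N CMAs
mds_mem_mb() {
    lo=$(( MDS_BASE_MEM_MB + MDS_CMA_MEM_MIN_MB * $1 ))
    hi=$(( MDS_BASE_MEM_MB + MDS_CMA_MEM_MAX_MB * $1 ))
    echo "$lo $hi"
}

# mds_kernel_ok RELEASE -> 0 if RELEASE is one of the kernels the installer requires
mds_kernel_ok() {
    case "$1" in
        2.4.9-31)  return 0 ;;   # RedHat Linux 7.2
        2.4.18-5)  return 0 ;;   # RedHat Linux 7.3
        *)         return 1 ;;
    esac
}

# mds_tools_ok -> 0 if gzip, gunzip and tar are all on PATH (VERIFY step 1)
mds_tools_ok() {
    rc=0
    for t in gzip gunzip tar; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; rc=1; }
    done
    return $rc
}

# mds_free_mb DIR -> free space (MB) on the filesystem that holds DIR
mds_free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# mds_preflight N -> run every check for an MDS that will host N CMAs;
# returns 0 only if all pass, so it can gate the call to ./mds_setup
mds_preflight() {
    n=$1; rc=0
    mds_tools_ok || rc=1
    # Assumption: a Linux host here is one of the RedHat installs in the table,
    # so its running kernel must be one of the two required kernels.
    if [ "$(uname -s)" = Linux ]; then
        k=$(uname -r)
        mds_kernel_ok "$k" || { echo "kernel $k is not a required MDS kernel; the installation would fail" >&2; rc=1; }
    fi
    # /opt takes the base installation, /var/opt the per-CMA data.
    for spec in "/opt:$MDS_BASE_DISK_MB" "/var/opt:$(( MDS_CMA_DISK_MB * n ))"; do
        dir=${spec%%:*}; need=${spec##*:}
        if [ -d "$dir" ]; then
            have=$(mds_free_mb "$dir")
            [ "$have" -ge "$need" ] || { echo "$dir: $have MB free, $need MB needed" >&2; rc=1; }
        else
            echo "$dir does not exist; create it before installing" >&2; rc=1
        fi
    done
    echo "planned $n CMAs: $(mds_disk_mb "$n") MB disk, $(mds_mem_mb "$n") MB memory (min max)"
    return $rc
}
```

Run `mds_preflight 50 && ./mds_setup` from the Provider_NG directory to let the checks gate the installer.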

TRANSFER PROVIDER-1 NG FILES TO SOLARIS MACHINE

Begin from a Terminal or Console window on the machine that will function as your configuration’s Primary MDS.
1 Enter the root password for your machine.

2 Create a temporary directory for the MDS, for example:

/Provider_NG

The temporary directory from which the installation is performed is not automatically erased upon installation of the Provider-1 NG MDS. It can be used later for a reinstallation.

3 Using the cd command, navigate to the MDS file on the Provider-1 CD.

4 Select the package appropriate for the system on which you wish to install.

5 Copy the gzipped tar (.tgz) file to /Provider_NG.

6 Change directory to /Provider_NG.

7 Decompress the *.tgz file and untar it. Solaris example:

gzip -d Provider-1_R55_MDS_pr22_solaris.tgz
tar -xvf Provider-1_R55_MDS_pr22_solaris.tar

Linux example:

gzip -d mds_release_ng_r54_linux_pr4.tgz
tar -xvf mds_release_ng_r54_linux_pr4.tar
PERFORM MDS INSTALLATION

Install and configure the MDS software on the machine functioning as the Primary MDS in your MSP configuration. The steps in this lab pertain to both Sun Solaris and Linux environments. Although you may notice slight variations in the language, all differences are cosmetic, unless otherwise stated in the lab.
1 From the Provider_NG directory, locate the mds_setup program.

2 Run the following script:

./mds_setup
The system displays the following output:

******************************************************
Welcome to the Check Point setup center for Provider-1/SiteManager-1.
This utility will guide you through the installation or upgrade process.
Version: NG with Application Intelligence (R55)
******************************************************
Checking for installed components. This may take a few seconds.
Please wait...
No previous Provider-1 installation was detected on this machine.
*** Do you want to proceed with fresh installation [yes/no]?


3 Type y, and press Enter. Various Check Point modules are installed and the system displays the following output:

Which type of installation would you like to install?
(1) Provider-1 MDS Manager station.
(2) Provider-1 MDS Container station.
(3) Provider-1 MDS Manager + Container station.
(4) Provider-1 MLM station.

Enter your selection [1,2,3,4,?,q]

4 Type 3, to select the Provider-1 MDS Manager + Container station option, and press Enter. The system displays the following output:

Are you installing the Primary MDS Manager [y,n,?,q]

5 Type y, and press Enter. The system displays the following output:

Do you want the MDS station to start automatically with each reboot of the machine i.e. from rc3.d boot level [y,n,?,q]

6 Type y, to start the MDS automatically after reboot, and press Enter. The system displays the following output:

## Executing checkinstall script.
The selected base directory </opt/CPmds-R55> must exist before installation is attempted.
Do you want this directory created now [y,n,?,q]

This step does not appear in a Linux distribution. The system creates the directory automatically, without interaction from the user.


7 Type y, and press Enter. The directory is created and the system displays the following output:

Installation of <CPmds-R55> was successful.
copying system files to MDSDIR
Please read the following license agreement.
Hit ’ENTER’ to continue...

8 Press Enter. The system displays the License Agreement:

This End-user License Agreement (the "Agreement") is an agreement between you (both the individual installing the Product and any legal entity on whose behalf such individual is acting) (hereinafter "You" or "Your") and Check Point Software Technologies Ltd. (hereinafter "Check Point"). TAKING ANY STEP TO SET-UP OR INSTALL THE PRODUCT CONSTITUTES YOUR ASSENT TO AND ACCEPTANCE OF THIS END USER LICENSE AGREEMENT. WRITTEN APPROVAL IS NOT A PREREQUISITE TO THE VALIDITY OR ENFORCEABILITY OF THIS AGREEMENT AND NO SOLICITATION OF ANY SUCH WRITTEN APPROVAL BY OR ON BEHALF OF YOU SHALL BE CONSTRUED AS AN INFERENCE TO THE CONTRARY. IF YOU HAVE ORDERED THIS PRODUCT AND SUCH ORDER IS CONSIDERED AN OFFER BY YOU, CHECK POINT’S ACCEPTANCE OF YOUR OFFER IS EXPRESSLY CONDITIONAL ON YOUR ASSENT TO THE TERMS OF THIS AGREEMENT, TO THE EXCLUSION OF ALL OTHER TERMS. IF THESE TERMS ARE CONSIDERED AN OFFER BY CHECK POINT, YOUR ACCEPTANCE IS EXPRESSLY LIMITED TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, YOU MUST RETURN THIS PRODUCT WITH THE ORIGINAL PACKAGE AND THE PROOF OF PAYMENT TO THE PLACE YOU OBTAINED IT FOR A FULL REFUND.

9 Read the License Agreement, pressing the Space Bar to page down. The system displays the following output:

Do you accept all the terms of this license agreement (y/n) ?


10 Type y, and press Enter. The system displays the following output:

Welcome to MDS Configuration Program
========================================
This program will guide you through several steps where you will define your MDS configuration.
At any later time, you can reconfigure these parameters by running mdsconfig

Configuring Leading VIP Interfaces...
=====================================
The Leading VIP Interfaces are real interfaces connected to an external network.
These interfaces are used when setting CMA virtual IP addresses.
Each leading interface can host up to 250 virtual IP addresses (250 CMAs).
The following real interfaces are defined on this machine:
hme0

Typically, the leading interface on a Solaris machine is hme0. On an Intel-based machine, the leading interface is usually eth0.

If only one interface is active, the system will automatically configure it as the leading interface. If more than one interface is active, the system will ask you to specify which is the leading interface.


11 The system displays the following output:

External interface has been added.
Configuring Licenses...
=======================
The following licenses are installed on this host:
Host    Expiration    Features
Eval    4Feb2004      CPMP-PNP-1-NG

Do you want to add licenses (y/n) [n] ?

Check Point provides a full-featured 15-day evaluation license with the software. For real-world deployments, the system must be licensed before the end of the 15-day evaluation period.
12 Type n, and press Enter. The system displays the following output:

Configuring Random Pool...
==========================
You are now asked to perform a short random keystroke session.
The random data collected in this session will be used in various cryptographic operations.
Please enter random text containing at least six different characters.
You will see the ’*’ symbol after keystrokes that are too fast or too similar to preceding keystrokes.
These keystrokes will be ignored.
Please keep typing until you hear the beep and the bar is full.
[                    ]


13 Type a string of random keys. Stop when you hear a beep and the bar displayed on the screen is full.

Try not to type the same letter twice. Type slowly when configuring the random key! Typing too fast and ignoring the beep could cause the machine to freeze, requiring you to reboot and restart the installation.
14 Once the random string has been completed, the system displays the following output:

Thank you.
Configuring Groups...
=====================
MDS access and execution permissions
------------------------------------
Usually, a MDS module is given group permission for access and execution.
You may now name such a group or instruct the installation procedure to give no group permissions to the MDS module.
In the latter case, only the Super-User will be able to access and execute the MDS module.
Please specify group name [<RET> for no group permissions]:

15 Press Enter, and the system displays the following output:

No group permissions will be granted. Is this ok (y/n) [y] ?


16 Press Enter, and the system displays the following output:

Setting Group Permissions...
Configuring Certificate Authority...
====================================
The Provider-1/SiteManager-1 system uses an internal Certificate Authority to provide Secured Internal Communication (SIC) Certificates for the components in this system.
Note that your components won’t be able to communicate with each other until the CA is initialized and they have their SIC certificate.
Press ’Enter’ to initialize the Certificate Authority...

17 Press Enter, and the system displays the following output:

Internal Certificate Authority created successfully
Certificate was created successfully
Setting FQDN to: 10.1.1.1
Executing "$CPDIR/bin/cp_conf ca fqdn 10.1.1.1" in order to set FQDN
Trying to contact Certificate Authority. It might take a while...
10.1.1.1 was successfully set to the Internal CA
Executing "$CPDIR/bin/cp_conf ca fqdn 10.1.1.1" in order to set FQDN - Done
Certificate Authority initialization ended successfully

Configuring Certificate’s Fingerprint...
========================================
The following text is the fingerprint of this MDS machine:
MILK HUFF SANE IRA MAT DOLT MUD BUSS NUDE TRAY ILL AWK
Do you want to save it to a file? (y/n) [n] ?


18 Type n, and press Enter. The system displays the following output:

Configuring Administrators...
=============================
Do you want to add administrators (y/n) [y] ?

19 Type y, and press Enter. The system displays the following output:

Enter the administrator name:

20 Type the name of the administrator (admin), and press Enter. The system displays the following output:

Enter the password for the administrator:

21 Enter the password of the Provider-1 NG administrator (abc123), and press Enter. The system displays the following output:

Verify Password:

22 Confirm the password, and press Enter. The system displays the following output:

Please choose the administrator type you wish to define:
1) Provider Superuser
2) Customer Superuser
3) Customer Manager
4) Regular administrator (None)
5) Don’t add administrator now.
Enter your choice (1-5):


23 Type 1 to give the administrator Provider Superuser rights, and press Enter. The system displays the following output:

Updating administrator admin to the database...
This operation requires the Multi Domain Server to be running. Please wait...
Starting MDS server...
...
admin updated successfully.
Do you want to add administrators (y/n) [n] ?

24 Type n, and press Enter. The system displays the following output:

Configuring GUI clients...
==========================
Do you want to add Provider-1 GUI clients (y/n) [y] ?

25 Type y, and press Enter. The system displays the following output:

Please choose the Provider-1 GUI client type you wish to define:
1) MDS GUI clients by IP.
2) MDS GUI clients by name.
3) AnyHost GUI client.
4) Don’t add GUI clients now.
Enter your choice (1-4):

26 Type 1, and press Enter. The system displays the following output:

Enter the GUI client IP:


27 Type the IP address of the MDG, and press Enter. The system displays the following output:

Enter the GUI client host name:

28 Type MDG for the hostname of the GUI client, and press Enter. The system displays the following output:

Updating GUI client MDG to the database...
MDG updated successfully.
Do you want to add Provider-1 GUI clients (y/n) [n] ?

29 Type n, and press Enter. The system displays the following output:

Stopping MDS only
CPD stopped
MDS stopped
Do you want to start MDS now [yes/no]?


30 Type y, and press Enter. The system displays the following output:

Adding Virtual IPs
MDS: Starting MDS Server
[1] 1908
[2] 1909
[3] 1910
MDS Server Started
******************************************************
The installation of Provider-1/SiteManager-1 NG with Application Intelligence (R55) has completed successfully.
Please logout from this shell, and login again to activate the enviromnent settings of the new version.
******************************************************
A log file was created: /opt/CPInstLog/mds_setup.log01_20_13_02

31 Type the following command, and press Enter:

eject CDROM

32 Remove the CD from the CD-ROM drive.

33 Type the following command, and press Enter:

init 6

End of lab.

CMA MANAGEMENT

Each Customer Management Add-on is loaded on the MDS and functions as a Check Point Management Server. Each CMA manages a single customer’s network and requires a dedicated CMA license. CMAs can be licensed as a single server or as a mirror server for HA configurations.

Licensing the Customer Management Add-ons
The CMAs can be licensed in a number of different ways, depending on the MSP’s Provider-1 configuration.
Feature String       Description
CPPR-CMA-1-NG        First Customer CMA that manages one module
CPPR-CMA-2-NG        First Customer CMA that manages up to two modules
CPPR-CMA-4-NG        First Customer CMA that manages up to four modules
CPPR-CMA-U-NG        First Customer CMA that manages an unlimited number of modules
CPPR-CMA-1-HA-NG     Mirror CMA that manages one module
CPPR-CMA-2-HA-NG     Mirror CMA that manages up to two modules
CPPR-CMA-4-HA-NG     Mirror CMA that manages up to four modules
CPPR-CMA-U-HA-NG     Mirror CMA that manages an unlimited number of modules

MDS AND CMA COMMAND LINE OPTIONS

This section provides basic command line options for administering the MDS and CMAs. All command line options must be performed in the C shell and in the directory specified in the description.

mdsconfig Utility
The mdsconfig utility executes automatically during the initial installation of any MDS. This utility is used to set up the MDS parameters and assign basic configuration details, such as GUI Clients, Administrator rights, etc. If reconfiguration is necessary, the mdsconfig utility can be run from the MDS environment.

MDS Commands
— mdsenv
The mdsenv command sets the environment variable for the MDS. Once the MDS environment is set, all MDS specific commands can be executed.

— mdsstart [-m]
The mdsstart command starts the MDS and all CMAs loaded on the MDS. If the command is run with the -m qualifier, the MDS is started but the CMAs are not.

— mdsstop [-m]
The mdsstop command stops the MDS and all CMAs loaded on the MDS. If the command is run with the -m qualifier, the MDS is stopped but the CMAs are not.

— mdscmd
The mdscmd is a CPMI client that allows an Administrator to add or remove a customer or to use the mirror option to back up MDS information. This utility walks the administrator through the addition or removal of customers from the MDS and all mdscmd commands are logged and synchronized with other MDS machines.

— mdsstat
The mdsstat command utility displays detailed information on the process status of both the MDS and CMAs.


— cplic printlic
The cplic printlic command displays all MDS licenses.

— cplic putlic
The cplic putlic command allows Administrators to add licenses to the MDS.

— fw mds ver
The fw mds ver command displays the version information of the MDS DLL.

— MSP_RETRY_INTERVAL [Number of seconds]
The MSP_RETRY_INTERVAL command changes the MDS setting that regulates how often it looks to see if a GUI client is connected to a CMA.

— MSP_RETRY_INIT_INTERVAL [Number of seconds]
The MSP_RETRY_INIT_INTERVAL command changes the MDS setting that regulates how often it requests that the CMAs send status information to the MDS.

— MSP_SPACING_REG_CMAS_FOR_STATUSES
The MSP_SPACING_REG_CMAS_FOR_STATUSES command initiates the MDS to contact the CMAs with a request to start collecting status information. If there is no MDG connection to the MDS, it will not initiate a status collection request to the CMAs. The above command forces the request to each CMA in one-second intervals.

Customer Management Add-on Commands
— mdsenv [CMA name]
The mdsenv command sets the environment variable for the specified CMA. Once the CMA environment is set, all CMA specific commands can be executed. This command must be repeated, referencing the appropriate CMA, if the user intends to execute commands for a different CMA. All CMA specific commands can only take place once the correct environment variable has been set.

— fw ver
The fw ver command displays the VPN-1/FireWall-1 version information for the CMA for which the environment is set.


— cplic printlic
The cplic printlic command displays all licenses assigned to the CMA for which the environment is set.

— cplic putlic
The cplic putlic command adds licenses to the CMA for which the environment is set.

REVIEW

Summary

• The MDS consists of multiple CMAs installed on a single machine.
• Each CMA controls any number of VPN-1/FireWall-1 remote Enforcement Modules at a single Customer site.
• Check Point Provider-1 NG with Application Intelligence includes Primary MDS and additional MDS components to support a growing customer base.
• The Primary MDS is the core component of a Provider-1 NG with Application Intelligence system.
• An additional MDS is required for any system with more than 500 Customers, and can manage up to 500 additional Customers.

Review Questions
1 What are the main differences between MDS Manager and MDS Container machines?

2 How many MDS Manager machines are required for each Provider-1 configuration?


Review Questions and Answers
1 What are the main differences between MDS Manager and MDS Container machines?

- The MDG can only connect to the MDS Manager machine.
- The MDS Manager machine acts as the Certificate Authority for the Provider-1 configuration.
- The MDS Container machine maintains all CMA data.

2 How many MDS Manager machines are required for each Provider-1 configuration?

One MDS Manager machine is necessary for standard operations, two for MDS-level High Availability functions.
