MDS Config PDF
3 MDS INSTALLATION AND CONFIGURATION
The MDS consists of multiple CMAs installed on a single machine. Each CMA
controls any number of VPN-1/FireWall-1 remote Enforcement Modules at a
single customer site.
Check Point Provider-1 NG with Application Intelligence includes MDS
Manager and MDS Container components to support a growing customer base.
The MDS Manager is the core component and is required for the first 200
customer CMAs. Additional MDS machines can be added, and up to 500
separate CMAs can be managed by each MDS in the Provider-1 NG
configuration.
Objectives
1 List the minimum system requirements for installing the MDS.
2 Demonstrate how to install an MDS Manager on a Sun Solaris
SPARC-based or RedHat Linux system.
3 Demonstrate how to configure an MDS Manager as the Primary MDS.
Key Terms
• mds_setup
• mdsconfig
• mdsenv
• mdsstart
• mdsstop
Choosing the Type of MDS
The MDS shares the VPN-1/FireWall-1 management functions. In this way, each
CMA's data is kept separate, while the CMAs share the same soft-linked Management
Server functions, such as binary executables and INSPECT files.
Every Provider-1 configuration must include an MDS Manager. The GUI
connects to the MDS Manager to access the CMAs. Additional MDS machines
can be added to the configuration as needed. There are two different types of
Multi Domain Servers:
• MDS Container
• MDS Manager
The MDS Container can maintain up to 500 separate CMAs and perform
Security Policy management functions. The MDS Manager can perform tasks
such as file synchronization for backup capabilities and acts as the Certificate
Authority for the Provider-1 system at the NOC. The scalable architecture of
Provider-1 allows MSPs to accommodate a growing customer base. In every
scenario, both an MDS Manager and MDS Container are necessary. These two
components can be on the same machine.
Multi Domain Server - Manager
The MDS Manager is the central point of entry for the CMAs. The MDG can
only access the MDS Manager. The Manager is a Certificate Authority for the
Provider-1 NG configuration and, if multiple MDS Managers exist, establishes
High Availability between them. High Availability (HA) is possible even if the
additional Manager machine is located at a remote location.
No CMAs are loaded on the MDS Manager. Only the MDS Container can
maintain the CMAs. If the MDS Manager is installed as the only MDS in the
configuration, both the Manager and Container functions can be installed and
run on one machine.
Multi Domain Server - Container
The less-expensive MDS Container maintains the customer CMAs. Capable of
maintaining up to 500 CMAs, the Container machine is an alternative for
Administrators who want to increase their Provider-1 capabilities without
dramatically increasing cost. The Container machine cannot function as a
Certificate Authority for Provider-1 components or establish High Availability
for CMAs. The Container machine can be used as an additional MDS to
increase customer capacity and for backup capabilities.
Multi Domain Server as Multi Domain Log Module
The MDS can also be licensed to function as a Multi Domain Log Module
(MLM). The MLM separates the logs of each CMA into different databases.
The MLM is configured with a CLM for each Customer CMA. Unlike the
CMAs loaded on an MDS, CLMs configured on the MLM do not require a
separate license. No more than 200 CLMs can be loaded on one MDS MLM.
Licensing the Multi Domain Server
The MDS can be licensed in a number of different ways, depending on the
MSP’s Provider-1 configuration. The MDS can be licensed as either a Manager,
a Container, or both.
Provider-1 NG with Application Intelligence MDS Minimum Requirements
60 MB swap
Memory MDS functionality:
100 MB
Lab 1: Installing and Configuring the Primary MDS Station
Objectives: In this lab, you will install the MDS as a Manager and Container.
You will then configure the station to function as the Primary MDS in your
NOC environment.
Topics: The following topics are covered in this lab:
• MDS installation on a Linux or a Solaris system
• MDS configuration
• Configuring a Provider Superuser
• Configuring a GUI client
1 Verify that gzip and gunzip are installed on the Sun Solaris or Linux machine
before attempting to install the MDS.
2 Verify that your machine meets the minimum requirement for MDS installation,
including patch level.
Begin from a Terminal or Console window on the machine that will function as
your configuration’s Primary MDS.
1 Enter the root password for your machine.
2 Create a temporary directory for the MDS, for example:
/Provider_NG
3 Using the cd command, navigate to the MDS file on the Provider-1 CD.
4 Select the package appropriate for the system on which you
wish to install.
5 Copy the gzipped tar (.tgz) file to /Provider_NG.
6 Change directory to /Provider_NG.
7 Decompress the *.tgz file and untar it.
Solaris example:
gzip -d Provider-1_R55_MDS_pr22_solaris.tgz
tar -xvf Provider-1_R55_MDS_pr22_solaris.tar
Linux example:
gzip -d mds_release_ng_r54_linux_pr4.tgz
tar -xvf mds_release_ng_r54_linux_pr4.tar
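The preparation steps above, scripted as an added example (not part of the original courseware or of Check Point's tooling): it checks for the required tools, tests the archive, and refuses member paths that would land outside the staging directory, since the lab extracts as root. The function names and the containment check are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names).
# Usage: stage_mds_package /path/on/cd/package.tgz /Provider_NG

# Prerequisite from the lab: gzip and gunzip must be installed (tar is used in step 7).
check_prereqs() {
    for tool in gzip gunzip tar; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
    done
}

# True (0) when a member name is absolute or contains a ".." component.
member_is_unsafe() {
    case "$1" in
        /*|..|../*|*/..|*/../*) return 0 ;;
    esac
    return 1
}

# List the archive without extracting it and reject unsafe member names.
archive_is_contained() {
    gzip -dc "$1" | tar -tf - | while IFS= read -r member; do
        if member_is_unsafe "$member"; then exit 1; fi
    done
}

stage_mds_package() {
    archive=$1; staging=$2
    check_prereqs || return 1
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
    gzip -t "$archive" || { echo "corrupt gzip: $archive" >&2; return 1; }
    archive_is_contained "$archive" || { echo "unsafe member paths" >&2; return 1; }
    # Steps 2 and 5: create the staging directory and copy the package into it.
    mkdir -p "$staging" && cp "$archive" "$staging/" || return 1
    (
        # Steps 6 and 7: change directory, decompress (.tgz -> .tar), then untar.
        cd "$staging" || exit 1
        name=$(basename "$archive" .tgz)
        gzip -d "$name.tgz" && tar -xvf "$name.tar"
    )
}
```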
PERFORM MDS INSTALLATION
Install and configure the MDS software on the machine functioning as the
Primary MDS in your MSP configuration.
The steps in this lab pertain to both Sun Solaris and Linux
environments. Although you may notice slight variations in the
language, all differences are cosmetic, unless otherwise stated
in the lab.
3 Type y, and press Enter. Various Check Point modules are installed and the
system displays the following output:
4 Type 3, to select the Provider-1 MDS Manager + Container station option, and
press Enter. The system displays the following output:
5 Type y, and press Enter. The system displays the following output:
6 Type y, to start the MDS automatically after reboot, and press Enter. The system
displays the following output:
7 Type y, and press Enter. The directory is created and the system displays the
following output:
9 Read the License Agreement, pressing the Space Bar to page down. The system
displays the following output:
10 Type y, and press Enter. The system displays the following output:
Configuring Licenses...
=======================
The following licenses are installed on this host:
12 Type n, and press Enter. The system displays the following output:
Please keep typing until you hear the beep and the bar
is full.
[ ]
13 Type a string of random keys. Stop when you hear a beep and the bar displayed
on the screen is full.
Try not to type the same letter twice. Type slowly when
configuring the random key! Typing too fast and ignoring the
beep could cause the machine to freeze, requiring you to reboot
and restart the installation.
14 Once the random string has been completed, the system displays the following
output:
Thank you.
Configuring Groups...
=====================
MDS access and execution permissions
-------------------------------------------
Usually, a MDS module is given group permission
for access and execution. You may now name such a group
or instruct the installation procedure to give no group
permissions to the MDS module. In the latter case, only
the Super-User will be able to access and execute the
MDS module.
18 Type n, and press Enter. The system displays the following output:
Configuring Administrators...
=============================
19 Type y, and press Enter. The system displays the following output:
20 Type the name of the administrator (admin), and press Enter. The system displays
the following output:
21 Enter the password of the Provider-1 NG administrator (abc123), and press Enter.
The system displays the following output:
Verify Password:
22 Confirm the password, and press Enter. The system displays the following output:
23 Type 1 to give the administrator Provider Superuser rights, and press Enter. The
system displays the following output:
24 Type n, and press Enter. The system displays the following output:
25 Type y, and press Enter. The system displays the following output:
26 Type 1, and press Enter. The system displays the following output:
27 Type the IP address of the MDG, and press Enter. The system displays the
following output:
28 Type MDG for the hostname of the GUI client, and press Enter. The system
displays the following output:
29 Type n, and press Enter. The system displays the following output:
CPD stopped
MDS stopped
30 Type y, and press Enter. The system displays the following output:
End of lab.
CMA MANAGEMENT
Each Customer Management Add-on is loaded on the MDS and functions as a
Check Point Management Server. Each CMA manages a single customer’s
network and requires a dedicated CMA license. CMAs can be licensed as a
single server or as a mirror server for HA configurations.
Licensing the Customer Management Add-ons
The CMAs can be licensed in a number of different ways, depending on the
MSP’s Provider-1 configuration.
MDS and CMA Command Line Options
mdsconfig Utility
The mdsconfig utility executes automatically during the initial installation of
any MDS. This utility is used to set up the MDS parameters and assign basic
configuration details, such as GUI Clients, Administrator rights, etc. If
reconfiguration is necessary, the mdsconfig utility can be run from the MDS
environment.
MDS Commands
— mdsenv
The mdsenv command sets the environment variable for the MDS. Once the
MDS environment is set, all MDS specific commands can be executed.
— mdsstart [-m]
The mdsstart command starts the MDS and all CMAs loaded on the MDS. If
the command is run with the -m qualifier, the MDS is started but the CMAs are
not.
— mdsstop [-m]
The mdsstop command stops the MDS and all CMAs loaded on the MDS. If
the command is run with the -m qualifier, the MDS is stopped but the CMAs are
not.
— mdscmd
The mdscmd is a CPMI client that allows an Administrator to add or remove a
customer or to use the mirror option to back up MDS information. This utility
walks the administrator through the addition or removal of customers from the
MDS and all mdscmd commands are logged and synchronized with other MDS
machines.
— mdsstat
The mdsstat command utility displays detailed information on the process
status of both the MDS and CMAs.
— cplic printlic
The cplic printlic command displays all MDS licenses.
— cplic putlic
The cplic putlic command allows Administrators to add licenses to the MDS.
— fw mds ver
The fw mds ver command displays the version information of the MDS DLL.
— MSP_RETRY_INTERVAL [Number of seconds]
The MSP_RETRY_INTERVAL command changes the MDS setting that
regulates how often it looks to see if a GUI client is connected to a CMA.
— MSP_RETRY_INIT_INTERVAL [Number of seconds]
The MSP_RETRY_INIT_INTERVAL command changes the MDS setting
that regulates how often it requests that the CMAs send status information to
the MDS.
— MSP_SPACING_REG_CMAS_FOR_STATUSES
The MSP_SPACING_REG_CMAS_FOR_STATUSES command
initiates the MDS to contact the CMAs with a request to start collecting status
information. If there is no MDG connection to the MDS, it will not initiate a
status collection request to the CMAs. The above command forces the request
to each CMA in one-second intervals.
Customer Management Add-on Commands
— mdsenv [CMA name]
The mdsenv command sets the environment variable for the specified CMA.
Once the CMA environment is set, all CMA specific commands can be
executed. This command must be repeated, referencing the appropriate CMA,
if the user intends to execute commands for a different CMA. All CMA specific
commands can only take place once the correct environment variable has
been set.
— fw ver
The fw ver command displays the VPN-1/FireWall-1 version information for
the CMA for which the environment is set.
— cplic printlic
The cplic printlic command displays all licenses assigned to the CMA for
which the environment is set.
— cplic putlic
The cplic putlic command adds licenses to the CMA for which the
environment is set.
REVIEW
Summary
• The MDS consists of multiple CMAs installed on a single machine.
• Each CMA controls any number of VPN-1/FireWall-1 remote Enforcement
Modules at a single Customer site.
• Check Point Provider-1 NG with Application Intelligence includes Primary
MDS and additional MDS components to support a growing customer base.
• The Primary MDS is the core component of a Provider-1 NG with
Application Intelligence system.
• An additional MDS is required for any system with more than 500
Customers, and can manage up to 500 additional Customers.
Review Questions
1 What are the main differences between MDS Manager and MDS
Container machines?
2 How many MDS Manager machines are required for each Provider-1
configuration?
Review Questions and Answers
1 What are the main differences between MDS Manager and MDS Container
machines?
- The MDG can only connect to the MDS Manager machine.
- The MDS Manager machine acts as the Certificate Authority for the
Provider-1 configuration.
- The MDS Container machine maintains all CMA data.
2 How many MDS Manager machines are required for each Provider-1
configuration?
One MDS Manager machine is necessary for standard operations, two for
MDS-level High Availability functions.