Multi-Domain Security Management R75.40 Administration Guide


21 March 2012

Administration Guide
Multi-Domain Security Management R75.40

Classification: [Protected]

© 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=13950
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk67581).

Revision History
Date          Description
21-Mar-2012   First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Multi-Domain Security Management R75.40 Administration Guide).

Contents
Important Information
Multi-Domain Security Management Overview
Glossary
Key Features
Basic Architecture
The Multi-Domain Server
Domain Management Servers
Log Servers
Multi-Domain Log Server
Domain Log Server
High Availability
Security Policies
Global Policies
The Management Model
Introduction to the Management Model
Management Tools
Deployment Planning
Multi-Domain Security Management Components Installed at the NOC
Using Multiple Multi-Domain Servers
High Availability
Multi-Domain Server Synchronization
Clock Synchronization
Protecting Multi-Domain Security Management Networks
Logging & Tracking
Routing Issues in a Distributed Environment
Platform & Performance Issues
Enabling OPSEC
IP Allocation & Routing
Virtual IP Limitations and Multiple Interfaces on a Multi-Domain Server
Multiple Interfaces on a Multi-Domain Server
Provisioning Multi-Domain Security Management
Provisioning Process Overview
Setting Up Your Network Topology
The Multi-Domain Security Management Trust Model
Introduction to the Trust Model
Secure Internal Communication (SIC)
Trust Between a Domain Management Server and its Domain Network
Trust Between a Domain Log Server and its Domain Network
Multi-Domain Server Communication with Domain Management Servers
Trust Between Multi-Domain Server to Multi-Domain Server
Using External Authentication Servers
Re-authenticating when using SmartConsole Clients
CPMI Protocol
Creating a Primary Multi-Domain Server
Multiple Multi-Domain Server Deployments
Synchronizing Clocks
Adding a Secondary Multi-Domain Server or a Multi-Domain Log Server
Changing an Existing Multi-Domain Server
Deleting a Multi-Domain Server
Using SmartDomain Manager
Launching the SmartDomain Manager
Protecting the Multi-Domain Security Management Environment
Standalone Gateway/Security Management
Domain Management Server and SmartDomain Manager
Security Gateways Protecting a Multi-Domain Server
Making Connections Between Different Components of the System
Licensing
Licensing Overview
The Trial Period
License Types
Managing Licenses
Administrators Management
Creating or Changing an Administrator Account
Administrator - General Properties
Configuring Authentication
Configuring Certificates
Entering Administrator Properties
Deleting an Administrator
Defining Administrator Properties
Defining Administrator Groups
Creating a New Group
Changing or Deleting a Group
Managing Administrator Account Expiration
Working with Expiration Warnings
Configuring Default Expiration Settings
Working with Permission Profiles
Permission Profiles and Domains
Configuring Permissions
Managing Permission Profiles
Showing Connected Administrators
Global Policy Management
Security Policies
The Need for Global Policies
The Global Policy as a Template
Global Policies and the Global Rule Base
Global SmartDashboard
Introduction to Global SmartDashboard
Global Services
Dynamic Objects and Dynamic Global Objects
Applying Global Rules to Gateways by Function
Synchronizing the Global Policy Database
Creating a Global Policy Using Global SmartDashboard
Global IPS
Introduction to Global IPS
IPS in Global SmartDashboard
IPS Profiles
Subscribing Domains to IPS Service
Managing IPS from a Domain Management Server
Managing Global IPS Sensors
Assigning Global Policy
Assigning the First Global Policy
Assigning Global Policies to VPN Communities
Re-assigning Global Policies
Viewing the Status of Global Policy Assignments
Global Policy History File
Configuration
Assigning or Installing a Global Policy
Reassigning/Installing a Global Policy on Domains
Reinstalling a Domain Policy on Domain Gateways
Remove a Global Policy from Multiple Domains
Remove a Global Policy from a Single Domain
Viewing the Domain Global Policy History File
Setting Policy Management Options
Global Names Format
Domain Management
Defining a New Domain
Running the Wizard
Configuring General Properties
Domain Properties
Assigning a Global Policy
Assigning Administrators
Assign GUI Clients
Version and Blade Updates
Defining your First Domain Management Servers
Configuring Domain Management Servers
Configuring Existing Domains
Defining General Properties
Defining Domain Properties
Assign Global Policy Tab
Assigning Administrators
Defining GUI Clients
Version & Blade Updates
Configuring Domain Selection Groups
VPN in Multi-Domain Security Management
Overview
Authentication Between Gateways
VPN Connectivity
Global VPN Communities
Gateway Global Names
VPN Domains in Global VPN
Access Control at the Network Boundary
Joining a Gateway to a Global VPN Community
Configuring Global VPN Communities
Enabling a Domain Gateway to Join a Global VPN Community
High Availability
Overview
Multi-Domain Server High Availability
Multiple Multi-Domain Server Deployments
Multi-Domain Server Status
Multi-Domain Server Clock Synchronization
The Multi-Domain Server Databases
How Synchronization Works
Configuring Synchronization
Domain Management Server High Availability
Active Versus Standby
Adding a Secondary Domain Management Server
Domain Management Server Backup Using a Security Management Server
Configuration
Adding another Multi-Domain Server
Creating a Mirror of an Existing Multi-Domain Server
First Multi-Domain Server Synchronization
Restarting Multi-Domain Server Synchronization
Selecting a Different Multi-Domain Server to be the Active Multi-Domain Server
Automatic Synchronization for Global Policies Databases
Add a Secondary Domain Management Server
Mirroring Domain Management Servers with mdscmd
Automatic Domain Management Server Synchronization
Synchronize ClusterXL Gateways
Failure Recovery
Recovery with a Functioning Multi-Domain Server
Recovery from Failure of the Only Multi-Domain Server
Logging in Multi-Domain Security Management
Logging Domain Activity
Exporting Logs
Log Export to Text
Manual Log Export to Oracle Database
Automatic Log Export to Oracle Database
Log Forwarding
Cross Domain Logging
Logging Configuration
Setting Up Logging
Working with Domain Log Servers
Setting up Domain Gateway to Send Logs to the Domain Log Server
Synchronizing the Domain Log Server Database with the Domain Management Server Database
Configuring a Multi-Domain Server to Enable Log Export
Configuring Log Export Profiles
Choosing Log Export Fields
Log Export Troubleshooting
Using SmartReporter
Monitoring
Overview
Monitoring Components in the Multi-Domain Security Management System
Exporting the List Pane's Information to an External File
Working with the List Pane
Verifying Component Status
Viewing Status Details
Locating Components with Problems
Monitoring Issues for Different Components and Features
Multi-Domain Server
Global Policies
Domain Policies
Gateway Policies
High Availability
Global VPN Communities
GUI Clients
Using SmartConsole
Log Tracking
Tracking Logs using SmartView Tracker
Real-Time Network Monitoring with SmartView Monitor
SmartReporter Reports
Architecture and Processes
Packages in Multi-Domain Server Installation
Multi-Domain Server File System
Multi-Domain Server Directories on /opt and /var File Systems
Structure of Domain Management Server Directory Trees
Check Point Registry
Automatic Start of Multi-Domain Server Processes, Files in /etc/rc3.d, /etc/init.d
Processes
Environment Variables
Multi-Domain Server Level Processes
Domain Management Server Level Processes
Multi-Domain Server Configuration Databases
Global Policy Database
Multi-Domain Server Database
Domain Management Server Database
Connectivity Between Different Processes
Multi-Domain Server Connection to Domain Management Servers
Status Collection
Collection of Changes in Objects
Connection Between Multi-Domain Servers
Large Scale Management Processes
UTM-1 Edge Processes
Reporting Server Processes
Issues Relating to Different Platforms
High Availability Scenarios
Migration Between Platforms
Commands and Utilities
Cross-Domain Management Server Search
Overview
Searching
Copying Search Results
Performing a Search in CLI
P1Shell
Overview
Starting P1Shell
File Constraints for P1Shell Commands
Multi-Domain Security Management Shell Commands
Audit Logging
Command Line Reference
cma_migrate
CPperfmon - Solaris only
cpmiquerybin
dbedit
mcd bin | scripts | conf
mds_backup
mds_restore
mds_user_expdate
mdscmd
mdsenv
mdsquerydb
mdsstart
mdsstat
mdsstop
merge_plug-in_tables
migrate_global_policies
Configuration Procedures
Index

Chapter 1
Multi-Domain Security Management Overview

Multi-Domain Security Management is a centralized management solution for large-scale, distributed environments with many different network Domains. This best-of-breed solution is ideal for enterprises with many subsidiaries, branches, partners and networks.
Multi-Domain Security Management is also an ideal solution for managed service providers, cloud computing providers, and data centers.

Centralized management gives administrators the flexibility to manage policies for many diverse entities. Security policies should be applicable to the requirements of different departments, business units, branches and partners, balanced with enterprise-wide requirements.

In This Chapter
Glossary
Key Features
Basic Architecture
The Multi-Domain Server
Domain Management Servers
Log Servers
High Availability
Security Policies
The Management Model

Glossary
This glossary includes product-specific terms used in this guide.

Administrator: Security administrator with permissions to manage the Multi-Domain Security Management deployment.
Global Policy: Policies that are assigned to all Domains, or to specified groups of Domains.
Global Objects: Network objects used in global policy rules. Examples of global objects include hosts, global Domain Management Servers, and global VPN communities.
Internal Certificate Authority (ICA): Check Point component that authenticates administrators and users. The ICA also manages certificates for Secure Internal Communication (SIC) between Security Gateways and Multi-Domain Security Management components.
Multi-Domain Security Management: Check Point centralized management solution for large-scale, distributed environments with many different network Domains.
Domain: A network or group of networks belonging to a specified entity, such as a company, business unit or organization.
Multi-Domain Server: Multi-Domain Security Management server that contains all system information as well as the security policy databases for individual Domains.
Domain Management Server: Virtual Security Management Server that manages Security Gateways for one Domain.
Multi-Domain Log Servers: Physical log server that hosts the log database for all Domains.
Domain Log Server: Virtual log server for a specified Domain.
Primary Multi-Domain Server: The first Multi-Domain Server that you define and log into in a High Availability deployment.
Permissions Profile: Predefined group of SmartConsole access permissions that you assign to Domains and administrators. This lets you manage complex permissions for many administrators with one definition.
Secondary Multi-Domain Server: Any subsequent Multi-Domain Server that you define in a High Availability deployment.
Active Multi-Domain Server: The only Multi-Domain Server in a High Availability deployment from which you can add, change or delete global objects and global policies. By default, this is the primary Multi-Domain Server. You can change the active Multi-Domain Server.
Standby Multi-Domain Server: All other Multi-Domain Servers in a High Availability deployment, which cannot manage global policies and objects. Standby Multi-Domain Servers are synchronized with the active Multi-Domain Server.
Active Domain Management Server: In a High Availability deployment, the only Domain Management Server that can manage a specific Domain.
Standby Domain Management Server: In a High Availability deployment, any Domain Management Server for a specified Domain that is not designated as the active Domain Management Server.

[...]

... your Security Gateway using either a Security Management Server (configured as a standalone gateway/Security Management combination) or a Domain Management Server and the SmartDomain Manager.

Standalone Gateway/Security Management
In this scenario the Security Gateway that protects your Multi-Domain...
Domain
1    Security Gateway
2    Network Operation Center
3    Multi-Domain Server
4A   USA Development Domain Management Server
4B   Headquarters Domain Management Server
4C   UK Development Domain Management Server

The Multi-Domain Server
The Multi-Domain Server is a physical computer that hosts Domain Management...

... shows how log servers operate in a Multi-Domain Security Management deployment.

List of Callouts
Callout   Description
A         Domain A
B         Domain B
1         Security Gateway
2         Multi-Domain Server
3         Multi-Domain Log Server
4         Domain Management Server - Domain A
5         Domain Management Server - Domain B
6         Domain Log Server...

...
- A Multi-Domain Server and other Multi-Domain Servers in the system
- A Domain Management Server and Domain Log Servers of the same Domain
- A Domain Management Server and its high availability Domain Management Server peer
- A GUI client and Multi-Domain Servers
- A GUI client and Domain Management...

... Global Policy of the Multi-Domain Server> -p
    modify properties firewall_properties fwm_ticket_ttl 0
    update properties firewall_properties
    quit

If the Multi-Domain Security Management configuration consists of more than one Multi-Domain Server or Multi-Domain Log...
The Management Model
Introduction to the Management Model
The Multi-Domain Security Management model is granular and lets you assign a variety of different access privileges to administrators. These privileges let administrators do specified management tasks for the entire deployment or for specified Domains.

... as described in the R75.40 Installation and Upgrade Guide (http://supportcontent.checkpoint.com/solutions?id=sk67581). You install Multi-Domain Log Servers in the same manner as Multi-Domain Servers.

2. If you are installing to a Secure Platform computer, synchronize all Multi-Domain Server...

Protecting the Multi-Domain Security Management Environment
You should always deploy a Check Point Security Gateway to protect your Multi-Domain Security Management network, including your Multi-Domain Server, Multi-Domain Log Server and management platforms. This section presents the procedures for installing and defining Check Point Security Gateways to protect your Multi-Domain Security Management network...

... are routable. Domain Management Servers and Domain Management Server-HA must be able to communicate with their Domain gateways, and Domain Log Servers to their Domain gateways.

Chapter 3
Provisioning Multi-Domain Security Management
This chapter includes procedures and steps for provisioning your Multi-Domain Security Management deployment...
...
- Domain Security Gateways and their specified Domain Management Servers (Active and Standby)

Callout Table
Callouts   Description
A          Primary Domain
B          Mirror Domain
1          Active Domain Management Servers
2          Primary Multi-Domain Server
3          Mirror Multi-Domain Server
4          Mirror Domain Management Servers
5          Security Gateways

The Security...

Date posted: 27/06/2014, 20:20
