Multi-Domain Security Management R80.10: Administration Guide
MULTI-DOMAIN SECURITY MANAGEMENT R80.10
Administration Guide
Classification: [Protected]
© 2017 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our
trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html
for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments to mailto:[email protected]?subject=Feedback on Multi-Domain Security Management R80.10 Administration Guide.
Revision History
Date Description
16 May 2017 First release of this document
Contents
Important Information................................................................................................... 3
Terms ............................................................................................................................ 7
Getting Started .............................................................................................................. 9
Welcome ................................................................................................................... 9
About this Guide ........................................................................................................ 9
Basic Multi-Domain Management Components ........................................................ 9
The Multi-Domain Server ............................................................................................... 9
Domain Servers .............................................................................................................10
Domain Log Servers ......................................................................................................10
SmartConsole ......................................................................................................... 12
Multi-Domain View ........................................................................................................12
Connecting to SmartConsole .........................................................................................13
Gateways & Servers View ..............................................................................................14
Architecture and Processes ........................................................................................ 15
Server Architecture ................................................................................................ 15
CPM ...............................................................................................................................16
PostgreSQL ...................................................................................................................16
Solr................................................................................................................................16
Multi-Domain Server Processes ....................................................................................16
Domain Server Processes .............................................................................................17
Check Point Registry ............................................................................................... 17
Automatic Start of Multi-Domain Server Processes ............................................... 17
Environment Variables ............................................................................................ 18
Standard Check Point Environment Variables ...............................................................18
Deploying Multi-Domain Management ........................................................................ 19
Planning your Deployment ...................................................................................... 19
Multi-Site High Availability Deployment ........................................................................19
Single Site Deployments ................................................................................................19
Platform & Performance Issues ....................................................................................21
Topology, IP Addresses and Routing..............................................................................21
Using More than one Interface on a Multi-Domain Server .............................................21
Synchronizing Clocks ....................................................................................................22
Protecting the Multi-Domain Management Deployment......................................... 22
Security Gateway Managed by a Domain Server ............................................................23
Defining an Access Control Policy for Multi-Domain Server Components .....................24
Managing Domains ...................................................................................................... 25
Creating a New Domain........................................................................................... 25
Assigning Trusted Clients to Domains ...........................................................................26
Configuring Automatic Domain IP Address Assignment ................................................27
Changing an Existing Domain Configuration ........................................................... 27
Deleting a Domain Server ..............................................................................................27
Deleting a Domain .........................................................................................................27
Connecting to a Domain Server ............................................................................... 27
Working with Cross-Domain Management ............................................................. 28
Changing an Existing Multi-Domain Server ............................................................ 29
Setting the Domain Server Display Format ............................................................. 29
Global Management .................................................................................................... 30
The Global Domain .................................................................................................. 30
Connecting to the Global Domain...................................................................................30
Changing the Global Domain .........................................................................................30
Working with Global Configuration Rules ......................................................................31
Dynamic Objects and Dynamic Global Objects ...............................................................36
Global Assignments ................................................................................................ 38
Configuring an Assignment ...........................................................................................39
Reassigning ...................................................................................................................40
Handling Assignment Errors .........................................................................................40
Deleting a Global Assignment........................................................................................40
Global Assignment Status .............................................................................................41
Updating IPS Protections ........................................................................................ 41
Updating the Application Control and URL Filtering Database ............................... 42
Managing Administrators and Permissions ................................................................ 43
Configuring Administrators .................................................................................... 43
Administrator - General ................................................................................................43
Contact Options .............................................................................................................44
Creating a Certificate for Logging in to SmartConsole ........................................... 44
Working with Permission Profiles .......................................................................... 45
Predefined Multi-Domain Permission Profiles ..............................................................45
Working with Multi-Domain Permission Profiles...........................................................47
Creating Custom Domain Permissions ..........................................................................48
Working with High Availability .................................................................................... 50
Overview of High Availability ................................................................................... 50
Multi-Site High Availability Deployment Example..........................................................51
Creating a Secondary Multi-Domain Server............................................................ 52
Creating a Secondary Domain Server ..................................................................... 52
Synchronization....................................................................................................... 53
Initial Synchronization ...................................................................................................53
Periodic Synchronization ...............................................................................................53
Manual Synchronization ................................................................................................54
Multi-Domain Server ICA Database Synchronization .....................................................54
Changing the Active Domain Server ........................................................................ 54
Looking at High Availability Status .......................................................................... 55
Failure Recovery ..................................................................................................... 56
Connecting to a Secondary Multi-Domain Server ..........................................................56
Promoting the Secondary Multi-Domain Server to Primary ..........................................56
Deleting a Secondary Multi-Domain Server or Multi-Domain Log Server .............. 58
Re-Establishing SIC Trust for a Secondary Multi-Domain Server .......................... 59
Logging and Monitoring .............................................................................................. 60
Working with Log Servers ....................................................................................... 60
Configuring Logging ................................................................................................ 61
Creating a Multi-Domain Log Server with Domain Log Servers.....................................61
Configuring Security Gateways to Send Logs to a Log Server ........................................62
Deleting a Domain Log Server .......................................................................................62
Configuring Log Settings ...............................................................................................62
Log Server Deployment Scenarios .......................................................................... 63
Using the Log View .................................................................................................. 64
Monitoring Multi-Domain Management .................................................................. 64
Monitoring Multi-Domain Server Status ........................................................................65
Monitoring Domain Server Status..................................................................................65
Monitoring Security Gateway Status ..............................................................................65
Multi-Domain Management Commands and Utilities ................................................. 67
Managing Security through API and CLI.................................................................. 67
Configuring the API Server ............................................................................................67
API Settings ...................................................................................................................68
Command Line Reference ....................................................................................... 68
cpmiquerybin.................................................................................................................68
mds_backup ..................................................................................................................69
mds_restore ..................................................................................................................71
mdsenv ..........................................................................................................................71
mdsquerydb ..................................................................................................................71
mdsstart ........................................................................................................................72
mdsstat .........................................................................................................................72
migrate_global_policies ................................................................................................73
threshold_config ...........................................................................................................74
Creating a Domain Server .............................................................................................74
Using XML to Export Settings for a Domain Server ........................................................75
Creating and Changing an Administrator Account .........................................................75
Terms
Active Domain Server
The only Domain Server in a High Availability deployment that can manage a specified Domain.
Administrator
A SmartConsole user with permissions to manage Check Point security products and the network environment.
Best Practice
A set of processes, methods, systems, or techniques that consistently shows better results than those achieved in other ways.
Domain
A network or a collection of networks related to an entity, such as a company, business unit or geographical location.
Domain Log Server
A log server for a specified Domain.
Domain Server
A virtual Security Management Server that manages Security Gateways for one Domain as part of a Multi-Domain Management environment.
Global Configuration
All Policies defined in the Global Domain that can be assigned to Domains, or to specified groups of Domains.
Global Objects
For Multi-Domain Management, all network and other objects defined in the Global Domain.
Management Server
A Security Management Server or a Multi-Domain Server.
Multi-Domain Log Server
Physical server that hosts all Domain Log Servers.
Multi-Domain Security Management
A centralized management solution for large-scale, distributed environments with many different Domain networks.
Multi-Domain Server
A physical server that hosts all Domain Servers.
Network Objects
Logical representations of every part of corporate topology (physical machines, software components, IP Address ranges, services, and so on).
Permission Profile
A predefined group of SmartConsole access permissions assigned to Domains and administrators. With this feature you can configure complex permissions for many administrators with one definition.
Policy Package
A collection of different types of Security Policies, such as Access Control, Threat Prevention, QoS, and Desktop Security. After installation, Security Gateways enforce all Policies in the Policy Package.
Rule
A set of traffic parameters and other conditions that cause specified actions to be taken for a communication session.
Rule Base
The database that contains the rules in a security policy and defines the sequence in which they are enforced.
Security Gateway
A computer or an appliance that inspects traffic and enforces Security Policies for connected network resources.
Security Policy
A collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.
SmartConsole
A Check Point GUI application used to manage security policies, monitor products and events, install updates, provision new devices and appliances, and manage a multi-domain environment and each domain.
VPN Community
A named collection of VPN domains, each protected by a VPN gateway.
CHAPTER 1
Getting Started
In This Section:
Welcome ..........................................................................................................................9
About this Guide ..............................................................................................................9
Basic Multi-Domain Management Components ...........................................................9
SmartConsole ...............................................................................................................12
Welcome
Check Point Multi-Domain Security Management is a centralized management solution for
large-scale, distributed environments with many discrete network segments, each with different
security requirements. This solution lets administrators create Domains based on geography,
business units or security functions to strengthen security and simplify management.
Each Domain has its own Security Policies, network objects and other configuration settings. You
use the Global Domain for common security Policies that apply to all or to specified Domains. The
Global Domain also includes network objects and other configuration settings that are common to
all or to specified Domains.
Domain Servers
A Domain is a virtual object that defines a network or a collection of networks related to an entity.
You can define a Domain for a company, business unit, department, branch or geographical
location. For example, a cloud service provider typically has one Domain for each customer. A
bank can have one Domain for each geographical region, state, or country.
A Domain Server is the functional equivalent of a Security Management Server in a single-domain
environment. You connect directly to a Domain Server with SmartConsole to manage a Domain
and its components:
• Domain Security Gateways
• Domain Security Policies, rules, and other Domain level security settings
• Domain system objects, such as services, users, and VPN Communities.
• Domain Software Blades and their related configuration settings
To learn more about working with SmartConsole to manage Domains, see the Security
Management Administration Guide http://downloads.checkpoint.com/dc/download.htm?ID=54842.
There can be more than one Domain Server for a Domain in a High Availability deployment, each
on a different Multi-Domain Server. One Domain Server is Active, and the other, fully synchronized
Domain Servers are Standby.
This illustration shows a sample deployment with two Multi-Domain Servers and two Domains.
The Multi-Domain Log Server contains two Domain Log Servers, one for each Domain.
Item Description
1 London Multi-Domain Server with an Active Domain Server for London and a Standby
Domain Server for Tokyo
2 Multi-Domain Log Server with Domain Log Servers for London and Tokyo
3 Tokyo Multi-Domain Server with an Active Domain Server for Tokyo and a Standby
Domain Server for London
4 Tokyo network
5 London network
6 Internet
SmartConsole
SmartConsole is the unified application of Check Point R80.10 Security Management. The
SmartConsole provides a consolidated solution for everything that is necessary for the security of
your organization:
• Security Policy Management
• Log Analysis
• System Health Monitoring
• Multi-Domain Management
SmartConsole makes it easy to manage your Multi-Domain Management environment. Before you
start to configure your cyber security environment and Policies, we recommend that you become
familiar with the SmartConsole application.
Multi-Domain View
Use the Multi-Domain view to manage Multi-Domain Servers, Domains, system objects,
configuration settings and other features. You must log into a Multi-Domain Server to see the
Multi-Domain view.
For a guided tour of Multi-Domain view, click the What's New button at the bottom left of the
window. Click the < and > icons to scroll between the different What's New screens.
Item Description
1 View, as selected from the Navigation Toolbar and View tree
(This example shows the Multi-Domain > Domains view)
2 Navigation toolbar
3 Menu
4 View tree
5 Actions toolbar
7 Validation tab
8 Logged in administrator
Connecting to SmartConsole
Use SmartConsole to connect to a Multi-Domain Server when you work with Multi-Domain
Management objects and settings. Use SmartConsole to connect to a Domain Server when you
work with Domain Security Policies, rules, objects and configuration settings. You can also
connect to Domains or specified Domain Servers from within the Multi-Domain view.
Server Architecture
This section is an overview of the new management architecture introduced in R80, as shown in
this diagram:
Item Description
1 R80.10 SmartConsole application
6 PostgreSQL - Relational database system that contains the Rule Base, management
objects and configuration settings
Communication between the SmartConsole application (1) and the CPM (5) process uses Web
Services (3). CPM communicates directly with the PostgreSQL (7) database to update tables or
records. CPM can also use Solr (6) to run a query to get information or locate records in the
PostgreSQL database.
SmartConsole uses the CPMI (2) protocol to communicate with the legacy FWM (4) process. This is
necessary for backward compatibility with pre-R80 Security Gateways. In this case, CPM and FWM
communicate directly with each other.
In a Multi-Domain Management environment, only one CPM, PostgreSQL, and Solr instance is
necessary to handle transactions with all Domain Servers. In the backward compatibility mode,
there is one FWM instance for each Domain Server.
Note - Because many of the processes are shared between the MDS and all the Domains, it is not
possible to stop or start a Domain server independently of all the other Domains. It is only
possible to stop per Domain processes, like FWM, for specific Domains.
CPM
CPM is the Check Point main management server process for this release. It is a multi-threaded,
Java process that uses Web services to expose its functionality and to efficiently handle many,
concurrent requests.
• CPM uses port 19009 for remote communication and port 9009 for local SIC traffic
• Log files are located in $MDS_TEMPLATE/log (<file_name>.elg)
• Jar files are located in $MDS_TEMPLATE/cpm-server
PostgreSQL
PostgreSQL is the relational database manager that handles all Multi-Domain Management data
and configuration parameters. It also manages a connection pool to support concurrent
connections, where each connection is a different process. The pool size is between 10 and 50
concurrent connections.
• PostgreSQL uses port 5432
• The PostgreSQL database is located at $CPDIR/database/postgresql (also known as
$PGDIR)
• PostgreSQL logs are in $MDS_TEMPLATE/log/postgres.elg
Solr
Solr is the enterprise search platform that handles the state-of-the-art search capabilities in
SmartConsole. When a user searches for data in SmartConsole, Solr handles the request and gets
the data from the PostgreSQL tables. Solr stores some partial data in a cache for better search
performance.
• Solr uses port 8983
• Solr is deployed at $FWDIR/solr
Process  Description
cpd      SVN Foundation infrastructure process
fwm      Legacy Check Point management server main process (R77.x and earlier)
For proper operation of the Multi-Domain Server, these processes must run together with CPM,
postgres, and solr. An exception to this rule is instances where cpca cannot run, such as for
Domain Log Servers. cpca must always run for Domain Servers.
Process  Description
cpd      SVN Foundation infrastructure process
fwm      Legacy Check Point management server main process (R77.x and earlier)
For proper operation of the Domain Server, cpca, fwd and fwm must always run, except for
specified configurations where cpca cannot run. Other processes are required only as necessary
for applicable functionality.
Environment Variables
Different Multi-Domain Server processes require standard environment variables that:
• Point to the installation directories of different components
• Contain management IP addresses
• Hold data important for correct initialization and operation of the processes
Additionally, specific environment variables control certain parameters of different functions of
Multi-Domain Server.
Multi-Domain Server installation contains shell scripts for C-Shell and for Bourne Shell, which
define the necessary environment variables:
• The C-Shell version is /opt/CPshrd-R80.10/tmp/.CPprofile.csh
• The Bourne Shell version is /opt/CPshrd-R80.10/tmp/.CPprofile.sh
Sourcing these files (that is, using the "source" command in C-Shell or the "." command in
Bourne Shell) defines the environment necessary for the Multi-Domain Server processes to
run.
This chapter includes information to help you plan your deployment and gives a general overview
of the deployment process.
This example shows a single-site Multi-Domain Server deployment with three Domains at remote
locations. Each Domain has many gateways to protect the internal networks and resources. This
example has only one Multi-Domain Server and does not use High Availability.
Item Description
1 London Domain and networks
5 Multi-Domain Server
9 Internet
This illustration shows the configuration grid in the SmartConsole Multi Domain view for the
example deployment:
Note - The system automatically creates the Global Domain when you install Multi-Domain
Management.
Synchronizing Clocks
All Multi-Domain Server system clocks must be synchronized to within approximately one second.
Before you create a new Multi-Domain Server or Multi-Domain Log Server, you must synchronize its
clock with the other system components.
Clock synchronization is important for these reasons:
• SIC trust can fail if devices are not synchronized correctly
• SmartEvent correlation uses time stamps, which must be accurate
• cron jobs must run at the correct time
• Certificate validation is based on the correct time
Use one of these methods to synchronize component system clocks:
• Manually, using the WebUI or the operating system CLI
• A third-party synchronization utility
This simple use case shows a small High Availability deployment with a Security Gateway
protecting each Multi-Domain Server. One of the Domain Servers manages these Security
Gateways.
Item Description
1 Active Domain Servers
4 Security Gateways
5 Internet
Rule: Allow connections between Domain Servers and Security Gateways
  Source: Domain Server; Destination: Security Gateway
  Source: Security Gateway; Destination: Domain Server
Rule: Allow Domain Server status data and certificate exchange between Domain Server High Availability peers
  Source: Domain Server peer; Destination: Domain Server peer
Rule: Allow Domain Server synchronization between peers
  Source: Domain Server peer; Destination: Domain Server peer
Managing Domains
In This Section:
Creating a New Domain ...............................................................................................25
Changing an Existing Domain Configuration ..............................................................27
Connecting to a Domain Server ...................................................................................27
Working with Cross-Domain Management .................................................................28
Changing an Existing Multi-Domain Server ................................................................29
Setting the Domain Server Display Format ................................................................29
Notes:
• When you create a new Domain, you must always create at least one new Domain Server with
it.
• You can also use this procedure to create Standby Domain Servers for a Domain, for
redundancy and Load Sharing. To do this, there must be at least one Secondary
Multi-Domain Server in the deployment.
• To create a Log Server, you must have a Multi-Domain Log Server or a Secondary
Multi-Domain Server in your environment.
Deleting a Domain
To delete a Domain:
1. In the Domains section, right-click a Domain.
2. Select Delete from the context menu.
This action automatically deletes the active and secondary Domain Servers, Domain Log Servers,
and the Domain object.
To work with a Security Gateway, double-click the gateway object. A SmartConsole instance for the
applicable Domain Server opens and automatically shows the Gateway window for the selected
Security Gateway. In a High Availability environment, the Active Domain Server opens.
To work with a Domain, double-click its Domain Server object. A SmartConsole instance for the
applicable Domain Server opens and automatically shows the Host window for the selected Domain
Server. In a High Availability environment, make sure that you select the Active Domain Server,
which opens in Read/Write mode. Standby Domain Servers open as Read-Only and you cannot make
any changes to Domain objects.
Global Management
In This Section:
The Global Domain .......................................................................................................30
Global Assignments ......................................................................................................38
Updating IPS Protections .............................................................................................41
Updating the Application Control and URL Filtering Database .................................42
In this example, the placeholder for local Domain rules is rule number 3. Global Domain rules 1
and 2 run before the local Domain rules. Global rule 4 and the cleanup rule run after the local
Domain rules.
Each local Domain Policy includes both Global Domain Policy rules and local Domain rules that
apply to its Security Gateways. Local Domain Policy rules show in a Domain Layer under a parent
rule.
Sample Domain Policy Layer with Global and Local Domain Rules
No.  Name                           Source                Destination           VPN  Services & Applications  Action
1    Management to Gateway traffic  Gateways, Management  Management, Gateways  Any  Any                      Accept
In this example, the Security Gateways handle the global configuration rules (1 and 2) and then the
local Domain rules. If there is still no match in the local rules, the Security Gateways handle the
last two global rules, including the cleanup rule.
Although a local Domain can define implied rules, it is a best practice to put critical global rules at
the beginning of the Rule Base. Put the global cleanup rule at the end. This overrides the implicit
cleanup rule and gives you flexibility to define an effective sequence for local Domain rules.
Sample Domain Rule Base with Global and Local Domain Rules
No. | Name | Protected Scope | Protection/Site | Action | Track | Install On
1 | Max Security | Portal Server, Finance Server | N/A | Strict | Alert, Packet Capture | Policy Targets
This example shows a Policy Layer with Global Domain rules together with the local Domain rules.
• To delete the rules from a local Domain Layer, click the pencil icon in the Action column, and
select No domain rules in the local Domain. Publish the session.
• To use a different Domain Policy Layer, click the pencil icon in the Action column, and select a
different Domain Policy Layer from the list. Publish the session.
Upgrade Issues
When you upgrade an R77.x or earlier Multi-Domain Server, existing Policies are converted in this
manner:
• If a pre-R80.10 Policy has a Global Access Control Policy with no defined rules (placeholder
only), its mode is automatically set to no global Policy after upgrade to R80.10. You can change
the mode as necessary for both R80.10 and pre-R80.10 Policies.
• The Firewall Policy is converted into an R80.10 Network Policy Layer. Its implicit cleanup rule
is set to Drop.
• The Application & URL Filtering Policy is converted to the Application Policy Layer. The
implicit cleanup rule for it is set to Accept.
• If a Domain contains IPS rules, an IPS Layer is automatically created in the R80.10 Threat
Prevention Policy for the applicable Domain.
Note - Global security rules can be installed on Security Gateways, Edge Security
Gateways, and Open Security Extension (OSE) devices.
Global Assignments
A global assignment is a Multi-Domain Management system object that assigns a global
configuration to one specified Domain. You create global assignments to assign different
combinations of Global Access Control Policies, Global Threat Prevention Policies, and global
object definitions to different Domains.
When you create a new global assignment, it automatically assigns the specified global
configuration to the specified Domain. It also publishes the assignment and updates local Domain
Policies.
Best Practice - When you create a new Domain, create a global assignment for that Domain at the
same time.
When you do one or more of these actions, you must publish the Global Domain and reassign the
global configuration:
• Add, delete, or change rules in a global configuration
• Add, delete, or change user-defined objects in a global configuration
• Define the SmartEvent object in the global database
• Change the definition of a global assignment
The assign/reassign action does not automatically install Policies.
Best Practice - Install Policies after you assign or reassign a global assignment.
Configuring an Assignment
To create a new global assignment:
1. Connect to the Multi-Domain Server with SmartConsole.
2. Go to Multi-Domain > Global Assignments.
3. Click Assign > New Assignment.
4. In the Assignment window, select a Local Domain.
5. Optional: Select a Global Access Control Policy for this local Domain.
You can click Advanced to open the Advanced Assignment window to assign the selected
Policy:
• Only to the specified, local Domain Policies
• To all local Domain Policies, except for those explicitly specified
6. Optional: Select a Global Threat Prevention Policy for this local Domain.
You can click Advanced to open the Advanced Assignment window to assign the selected
Policy:
• Only to the specified, local Domain Policies
• To all local Domain Policies, except for those explicitly specified
7. Optional: Enable Manage protection actions.
This option lets you change IPS protection actions for Security Gateways on the local Domain.
8. Click Assign.
9. In the confirmation window, click Publish & Assign.
The system creates a task, which:
• Updates the local Domain and its Rule Base
• Publishes the changes
• Changes the assignment status to Up to Date
Reassigning
When you make changes to the global configuration items, the assignment status changes to Not
up to date. The assignment status does not change if you make changes to the local Domain
Policies.
Important - You must remove global objects from all local Domain rules before you can
delete a global assignment. If there is a rule that uses a global object when you try to
delete a global assignment, the delete operation fails.
The global configuration is not assigned or the assignment is not up to date. Assign or
update the global configuration as soon as possible.
4. Make sure that Automatically download contracts and other important data is selected.
This parameter is enabled by default. If it is not enabled, select it.
5. If you enabled the parameter, connect to Multi-Domain Server and reassign the global
configuration.
Configuring Administrators
To configure an administrator:
1. Connect to the Multi-Domain Server with SmartConsole, and go to Permissions &
Administrators > Administrators.
2. Click New, or select an existing administrator and then click Edit.
3. In the Administrator view, configure the settings described in the next sections.
Administrator - General
Authentication
• Name - Enter a unique administrator name.
• Authentication Method - Select an authentication method and enter other authentication
parameters as necessary. To learn more about the various authentication methods, see The
Check Point R80.10 Security Management Administration Guide
http://downloads.checkpoint.com/dc/download.htm?ID=54842.
To set a default value for this parameter, go to Permissions & Administrators > Advanced >
Administrator Settings > Authentication Default Values. Select a default authentication from
the list.
Permissions
• Multi-Domain Permission Profile - Select a Multi-Domain permission profile from the list
("Working with Permission Profiles" on page 45).
Accept the default permission profile or select a different one. You can also create a new
permission profile to assign. For an existing administrator, the currently selected permission
profile shows.
Click the View icon to see details of the currently assigned permission profile.
If the Edit icon shows, you have permissions to see and change the currently selected
permission profile. Click the Edit icon to change the settings.
• Permission Profiles per Domain - Select one or more Domains, and then select a Domain
permission profile for each one.
• + - Click to select a Domain to add to the profile.
• X - Click to remove the selected Domain from the profile.
Note - The Permission Profiles per Domain Section does not show for superusers, because
Read/Write Domain permission profiles are assigned automatically to all Domains.
• Expiration - Define when this administrator account expires.
• Never - The administrator account does not expire.
• Expire at - Select an expiration date for this administrator.
To set a default value for this parameter, go to Permissions & Administrators > Advanced >
Administrator Settings > Default Expiration Values.
Contact Options
You can optionally add contact information for this user:
• Email - Enter the administrator email address.
• Contact Details - Enter additional contact information.
• Phone - Enter the administrator telephone number.
Note - If you upgraded from an earlier release, the system copies these values into the new
release.
You can import the certificate file to the CryptoAPI (CAPI) certificate repository on the Microsoft
Windows SmartConsole computer. The administrator can use this stored certificate to log in to
SmartConsole using the CAPI Certificate option. The SmartConsole administrator does not need to
provide a password.
Global Manager - Manage Global Domains, global configurations, global rules, and global
assignments. Global Managers can manage Domains, but not add or delete Domains or manage
Multi-Domain Servers. Global Managers can manage administrators with equal or lower
permissions.
Global Managers can create new global assignments and can assign Global Policies to Domains
that they have permissions to manage.
Domain-Level permissions are based on the assigned Domain permission profile.
Domain Manager - Manage Domain Policies, networks and objects based on their permission
profile. Domain Managers can manage administrators with equal or lower permissions.
Domain Managers can reassign Global Policies to Domains that they have permissions to manage.
They cannot create new global assignments.
Domain-Level permissions are based on the assigned Domain permission profile.
Domain Level Only - Manage Domain Policies, networks and objects based on their permission
profile. These administrators cannot manage the Multi-Domain Management system or its
configuration settings, or log in to the Multi-Domain Servers.
Domain-Level permissions are based on the assigned Domain permission profile.
Read Only - Read-only permissions for all Domain data. Read Only lets the administrator see an
item, but not change it.
Domain Management
This profile defines the default Domain permissions that automatically apply when you create a
new administrator account. After you create the administrator account, you can change its Domain
profile as necessary.
Select a default profile from the list. This option is enabled automatically for superusers, and
Managers can optionally select it.
In the standard configuration, there is only one Active Domain Server for each Domain. All others
are Standby Domain Servers. If the Active Domain Server fails, you must manually change a
Standby Domain Server to Active.
Item Description
1 London Multi-Domain Server with an Active Domain Server for London and a Standby
Domain Server for Tokyo
2 Multi-Domain Log Server with Domain Log Servers for London and Tokyo
3 Tokyo Multi-Domain Server with an Active Domain Server for Tokyo and a Standby
Domain Server for London
4 Tokyo network
5 London network
6 Internet
Item Description
Active Domain Server
This illustration shows the configuration grid in the SmartConsole Multi Domain view for the
example deployment:
The system automatically creates the Global Domain when you install Multi-Domain Management.
Note - You cannot change settings for an existing Domain Server. You must first delete
the Domain Server and then create a new one.
To delete a secondary Domain Server configuration, right-click the applicable cell and select
Delete.
Synchronization
In a multi-domain environment, the Multi-Domain Servers work in active-active mode. All
Multi-Domain Servers are active and synchronize with each other.
The Domains managed by the Multi-Domain Server work in active-standby mode, where the Active
Domain Server synchronizes all the standby Domain Servers.
The system automatically synchronizes periodically and when an administrator publishes changes
to the configuration.
Initial Synchronization
Initial synchronization occurs automatically when you create a secondary Multi-Domain Server,
Multi-Domain Log Server, or Domain Server. The system generates a task to copy all databases
and system information from the connected server to the new server.
Multi-Domain Server and Multi-Domain Log Server synchronization tasks show in the Task
Information area, in the Multi-Domain Server SmartConsole. Domain synchronization tasks show
in the Domain SmartConsole.
Periodic Synchronization
Multi-Domain Servers synchronize with all other peers and Multi-Domain Log Servers. Periodic
synchronization occurs automatically, and when an administrator publishes a session. Private
(non-published) sessions do not synchronize.
Periodic synchronizations are incremental. Only database changes synchronize with peers. Active
Domain Servers synchronize to the standby Domain Servers.
Manual Synchronization
Manual synchronization is a full synchronization that overwrites all data on the peers. It
disconnects all connected clients and overrides active sessions and running tasks.
When changes made in a session are published on the Active server (made public), the changes
are synchronized to the Standby server. Unpublished, private sessions are not synchronized.
Best practice - Use this option with caution, and only in cases of synchronization error. We
recommend that you publish changes before initiating full sync.
For Domain Servers, you can only run a manual synchronization from the active Domain Server to
the standby peers.
The Active Domain Server changes to Standby. Continue the procedure to set a different Domain
Server to Active. Until you do this, Domain SmartConsole clients open in the Read Only mode and
you cannot work with Domain objects or Policies.
Note - SmartConsole clients connected to the Active Domain Server will be disconnected during
the procedure for changing the Active Domain Server.
Note - Domain Server status also shows in the Domains view of the SmartConsole connected to
the Multi-Domain Server. For more information on synchronization status, see the R80.10
Security Management Administration Guide
http://downloads.checkpoint.com/dc/download.htm?ID=54842.
Failure Recovery
In many cases, you can recover a failed Primary Multi-Domain Server in a High Availability
deployment. To do this, promote an existing Secondary Multi-Domain Server to become the
Primary. Promote a Secondary Domain Server to become Primary Domain Server. You can then
install and configure a new secondary Multi-Domain Server.
Important: Use Domain Server promotion only to recover a failed Multi-Domain Server.
3. On the Tables tab, select Other and then select (or search for) Multi-Domain Servers.
4. Delete the failed Domain Server object from the Object Name column.
5. Select the Multi-Domain Server to promote.
6. Double-click the Primary field in the bottom pane.
Important - To use this procedure, there must be at least one Active Domain Server on a
different Multi-Domain Server.
c) In the High Availability Status window, click Actions > Set Active.
d) Close SmartConsole.
3. Run these commands on the Multi-Domain Server command line to change the active Domain
Server from Secondary to Primary:
> mdsenv <domain_server_name>
> promote_util
These steps set the Multi-Domain Server context to the specified Domain Server.
4. Open the newly promoted Domain Server in SmartConsole.
5. Find (with Where Used) and delete all instances of the failed Domain Server, including the
failed Domain Server itself.
6. Publish the changes.
7. If necessary, manually synchronize the Domain Servers.
8. Re-assign Global Policies and install Policies on all Security Gateways.
9. If the promoted Domain Server is using a High Availability Domain Server license, replace it
with a standard Domain Server license.
To make Domain Server Active when there is no corresponding peer and the High Availability
Status window is not available, run these commands:
# mdsenv <domain_name>
# mgmt_cli make-server-active force true --domain <domain_name> --user <user_name> --password <password>
These commands set the Domain Server to the Active state. Do this for all Domain Servers that do
not have a High Availability peer.
This chapter includes information that is directly related to Multi-Domain Management, with some
general background information and basic procedures. See the R80.10 Logging & Monitoring
Administration Guide http://downloads.checkpoint.com/dc/download.htm?ID=54830 for the full set
of conceptual information and procedures.
With R80, logging, event management, reporting, and monitoring are more tightly integrated than
ever before. Security data and trends are easy to understand at a glance, with Widgets and chart
templates that optimize visual display. Logs are now tightly integrated with the Policy rules, so
that you can access all logs associated with a specific rule by simply clicking that rule. Free-text
search also lets you enter specific search terms to retrieve results from millions of logs in
seconds.
One-click exploration makes it easy to move from high-level overview to specific event details
such as type of attack, timeline, application type and source. After you investigate an event, it is
easy to act on it. Depending on the severity of the event, you can choose to ignore it, act on it later,
or block it immediately. You can also easily toggle over to the rules associated with the event to
refine your Policy. Send reports to your manager or auditors that show only the content that is
relevant to each stakeholder.
In R80.10, SmartReporter and SmartEvent functionality is integrated into SmartConsole.
Using rich and customizable views and reports, R80 introduces a new experience for log and event
monitoring.
The new views are available from two locations:
• SmartConsole > Logs & Monitor
• SmartView Web Application. Browse to: https://<Server IP>/smartview/
Where Server IP is the IP address of the Multi-Domain Server or Multi-Domain Log Server.
Note - Include the final slash: /
Configuring Logging
Creating a Multi-Domain Log Server with Domain Log Servers
This section shows you how to create a new Multi-Domain Log Server and its related Domain Log
Servers.
Important: Before you start this procedure, make sure that you define the physical servers as the
correct server type (Secondary Multi-Domain Server or Multi-Domain Log Server) during
installation. An incorrect definition can cause deployment failure.
• Run the following script before cleanup - Enter a predefined script to run before the
cleanup starts.
• Send Alert when free disk space is below - Send an alert when available disk space is less
than the specified quantity. Select to enable (default). Clear to disable.
Enter the minimum disk space and unit of measure (Default = 3 GB).
5. In the Advanced view, configure these settings:
• Accept Syslog messages - Include syslog messages in the log files.
• Stop Logging - Stop all logging activity when the available disk space is less than the
specified quantity.
Enter the minimum disk space and unit of measure (Default = 100 MB).
• Create a new log file - Close and save the active log file when the active log file is larger
than the specified size. The log file has an extension that is a sequential number. You can
move these saved log files to external storage or export them to an external database.
Enter the maximum log file size. (Default = 1 GB).
Item Description
1 Queries - Predefined and favorite search queries.
3 Query search bar - Define custom queries in this field. You can use the GUI tools or
manually enter query criteria. Shows the query definition for the most recent query.
4 Log statistics pane (Tab hidden) - Top results of the most recent log query.
5 Log Servers - All Multi-Domain Log Servers, Domain Log Servers, and other Log Server
objects in the Multi-Domain Management deployment. Select one or more Log Servers
from this list to include in a query.
6 Results pane - All log entries for the most recent query.
API Settings
Select Automatic start to automatically start the API server when you start or reboot the
management server.
The Automatic start option is activated by default during Security Management Server installation
if the management server has more than 4GB of RAM installed. If the Security Management
Server has less than 4GB of RAM, Automatic Start is deactivated.
If you change Automatic start option:
1. Publish the session changes.
2. Run api restart on the management server.
Access Settings
Select one of these options to configure which SmartConsole clients connect to the API server:
• Management server only - Only the Security Management Server itself can connect to the API
Server. This option only lets you use the mgmt_cli utility to send API requests. You cannot use
SmartConsole or web services to send API requests.
• All IP addresses that can be used for GUI clients - You can send API requests from all IP
addresses defined as Trusted Clients in SmartConsole. This includes requests from SmartConsole,
Web services and the mgmt_cli utility.
• All IP addresses - You can send API requests from all IP addresses. This includes requests
from SmartConsole, Web services and the mgmt_cli utility.
cpmiquerybin
cpmiquerybin connects to a specified database, runs a user-defined query and shows the query
results. The results can be a collection of Firewall sets or a tab-delimited list of specified fields
from each retrieved object. The default database of the query tool is based on the shell
environment settings.
To connect to a Domain Server database, run mdsenv (on page 71) and define the necessary
environment variables. Use the Domain Server name or IP address as the first parameter.
Note - The MISSING_ATTR string shows when you use an attribute name that does not
exist in the objects in query result.
Syntax
cpmiquerybin <query_result_type> <database> <table> <query> [-a <attributes_list>]
Parameter Description
<query_result_type> Query result in one of these formats:
• attr – Returns values from one or more specified fields for
each object. Use the -a parameter followed by a comma
separated list of fields.
• object - Displays the FW-1 sets that contain the data of each retrieved
object.
<database> Name of the database file in quotes. For example, "mdsdb". Use
"" to run the query on the default database.
<query> One or more query strings in a comma separated list. Use the null
("") query to return all objects in the database table.
You can use wildcard character (*) as a replacement for one or
more matching characters in your query string.
You can see complete documentation of the cpmiquerybin utility, with the full query syntax,
examples and a list of common attributes in sk65181:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65181
Return Values
0 - Query returns data successfully
1 - Query does not return data or there is a query syntax error
Example:
# cpmiquerybin attr "" network_objects "" -a __name__
DMZZone
WirelessZone
ExternalZone
InternalZone
AuxiliaryNet
LocalMachine_All_Interfaces
CPDShield
InternalNet
LocalMachine
DMZNet
This example shows the names of the currently defined network objects.
mds_backup
mds_backup backs up binaries and data from a Multi-Domain Server to a user specified working
directory. You then copy the backup files from the working directory to external storage. This
command requires Multi-Domain Superuser privileges.
mds_backup runs the gtar and dump commands to back up all databases. The collected
information is stored in one .tgz file. The file name is a combination of the backup date and time,
and the file is saved in the current working directory. For example: 13Sep2015-141437.mdsbk.tgz
Argument Description
-g Executes without prompting to disconnect GUI clients.
-d Target directory for the backup file. If not specified, the backup file is saved to the
current directory. You cannot save the backup file to the root directory.
-v "Dry run" - Shows all files to be backed up, but does not perform the backup
operation.
Comments
• Do not create or delete Domains or Domain Servers until the backup operation completes.
• It is important not to run mds_backup from directories that will be backed up. For example,
when backing up a Multi-Domain Server, do not run mds_backup from
/opt/CPmds-<current_release>, because that is a circular reference (backing up a directory
that you need to write into).
• Active log files are not backed up. This is necessary to prevent inconsistencies during the
read-write operations.
Best Practice - We recommend that you do a log switch before you start the backup
procedure.
• You can back up the Multi-Domain Server configuration without the log files. This backup is
typically significantly smaller than a full backup with logs. To back up without log files, add this
line to the file $MDSDIR/conf/mds_exclude.dat configuration file:
log/*
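The comments above translate into a few checks that a scripted backup should make before calling mds_backup. This is an added example and not code from the Check Point guide; the function names, the placeholder target path and the assumption that $MDSDIR is set (as it is in a Multi-Domain Server shell) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: pre-flight checks for a
# scripted mds_backup run. Assumes $MDSDIR is set as on a Multi-Domain Server.

# Return 0 when directory $1 lies outside the tree rooted at $2.
# mds_backup must not run from, or write into, the tree it backs up
# (for example /opt/CPmds-<current_release>): that is a circular reference.
outside_tree() {
    root=${2%/}                  # tolerate a trailing slash on the root
    case "$1/" in
        "$root"/*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Return 0 when $1 is an acceptable -d target: an existing directory that is
# neither the root directory nor inside the Multi-Domain Server tree $2.
backup_target_ok() {
    [ "$1" != "/" ] && [ -d "$1" ] && outside_tree "$1" "$2"
}

# Add "log/*" to $1/conf/mds_exclude.dat (once) so log files are not backed up.
exclude_logs() {
    f="$1/conf/mds_exclude.dat"
    mkdir -p "$1/conf"
    grep -qx 'log/\*' "$f" 2>/dev/null || printf 'log/*\n' >> "$f"
}

# Run the checks, then mds_backup with -g (no GUI-client prompt) and -d.
# $1: MDSDIR, $2: target directory, $3: "nologs" to exclude log files.
run_mds_backup() {
    mdsdir=$1; target=$2
    if ! outside_tree "$(pwd)" "$mdsdir"; then
        echo "refusing to run from inside $mdsdir" >&2; return 1
    fi
    if ! backup_target_ok "$target" "$mdsdir"; then
        echo "bad backup target: $target" >&2; return 1
    fi
    if [ "${3:-}" = "nologs" ]; then exclude_logs "$mdsdir"; fi
    mds_backup -g -d "$target"
}

# Usage on a Multi-Domain Server (expert mode, Multi-Domain Superuser), with
# /var/backup as a placeholder target directory:
#   cd /var/backup && sh backup_mds.sh /var/backup nologs
if [ $# -ge 1 ]; then
    run_mds_backup "${MDSDIR:?MDSDIR is not set}" "$1" "${2:-}"
fi
```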
mds_restore
Use this command to restore a Multi-Domain Server that was backed up with mds_backup. It is
best practice to restore to a clean install of the previous version. Use the R80.10 Installation and
Upgrade Guide http://downloads.checkpoint.com/dc/download.htm?ID=54829 for major versions,
or the Release Notes for minor versions or hotfixes.
If the Multi-Domain Management environment has multiple Multi-Domain Servers, restore all
Multi-Domain Servers at the same time.
mdsenv
Use mdsenv to set shell environment variables to run commands on a specified Domain Server.
When run without an argument, the command sets the shell for Multi-Domain Server level
commands (mdsstart, mdsstop, and so on).
Syntax
mdsenv [<name>]
Parameter Description
<name> Domain Server name.
mdsquerydb
mdsquerydb is an advanced database query tool that lets administrators use shell scripts to get
information from Check Point Security Management Server databases. Use mdsquerydb to get
information from the Multi-Domain Server, Domain Server and global databases.
The system comes with pre-defined queries, defined in the $MDSDIR/conf/queries.conf
configuration file. Do not change or delete these queries.
Syntax
mdsquerydb <key_name> [-f <output_file_name>]
Parameter Description
<key_name> Query key, which must be defined in the pre-defined queries
configuration file.
-f <output_file_name> Send the query results to the specified file name. If this parameter
is not specified, the data is sent to the standard output.
Key Description
NetworkObjects Get all Domains' internal Check Point installed network objects
Domains Get names of all Domains
Administrators Get names of all Administrators
MDSs Get names and IPs of all MDSs
DomainManagementServers Get names of all Domain Servers
GuiClients Get names and IPs of all GUI clients
CMAs Backwards Compatibility (DomainManagementServers)
Customers Backwards Compatibility (Domains)
Examples:
To retrieve a list of all defined keys, run:
# mdsquerydb
To send a list of Domains in the Multi-Domain Server database to the standard output, run:
# mdsenv
# mdsquerydb Domains
To send a list of network objects in the global database to /tmp/gateways.txt, run:
# mdsenv
# mdsquerydb NetworkObjects -f /tmp/gateways.txt
To get a list of gateway objects in the Domain Server DServer1, run:
# mdsenv DServer1
# mdsquerydb Gateways -f /tmp/gateways.txt
mdsstart
Use mdsstart to start the Multi-Domain Server and all Domain Servers and mdsstop to stop the
Multi-Domain Server and all Domain Servers.
Syntax
mdsstart [-m|-s]
Parameter Description
-m Starts only the Multi-Domain Server and not the Domain Servers.
-s Starts the Domain Servers sequentially. The system waits for each
Domain Server to come up before it starts the next one.
You can decrease the amount of time it takes to start and stop the Multi-Domain Server when
there are many Domain Servers. To do this, set the environment variable NUM_EXEC_SIMUL to a
smaller number of Domain Servers that start or stop at the same time. By default, the system
attempts to start or stop up to 10 Domain Servers at the same time.
mdsstat
mdsstat shows the status of processes on the Multi-Domain Server and Domain Servers. The
status of each process is one of the values listed below.
Syntax
mdsstat [-h] [-m] [<name>]
Parameter Description
-h Displays help message.
Status:
up: The process is up.
down: The process is down.
pnd: The process is pending initialization.
init: The process is initializing.
N/A: The process's PID is not yet available.
N/R: The process is not relevant for this Multi-Domain Server.
Example:
# mdsstat
+--------------------------------------------------------------------------------------+
| Processes status checking |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name | IP address | FWM | FWD | CPD | CPCA |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS | - | 192.168.3.101 | up 17284 | up 17266 | up 17251 | up 17753 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA |DOM211_Server | 192.168.3.211 | up 32227 | up 32212 | up 25725 | up 32482 |
| CMA |DOM212_Server | 192.168.3.212 | up 4248 | up 4184 | up 4094 | up 4441 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Total Domain Management Servers checked: 2 2 up 0 down |
| Tip: Run mdsstat -h for legend |
+--------------------------------------------------------------------------------------+
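The table above is what an operator reads by eye; a monitoring job needs to parse it. The script below is an added example (not from the Check Point guide) that reports every Domain Server process whose status is not up, treating N/R (not relevant) as acceptable per the legend above; the sample output embedded in it is constructed to match the table format, with one Domain Server deliberately unhealthy.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): parse mdsstat output and
# report every Domain Server process that is not "up". N/R means the process
# is not relevant on that server and is therefore not reported.

# Constructed sample of mdsstat output, in the table format shown above.
# DOM212_Server has FWM down and CPD still pending initialization.
SAMPLE_MDSSTAT='+--------------------------------------------------------------------------------------+
| Processes status checking                                                            |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name           | IP address      | FWM        | FWD      | CPD      | CPCA     |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS | -              | 192.168.3.101   | up 17284   | up 17266 | up 17251 | up 17753 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA |DOM211_Server   | 192.168.3.211   | up 32227   | up 32212 | up 25725 | up 32482 |
| CMA |DOM212_Server   | 192.168.3.212   | down       | up 4184  | pnd      | N/R      |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Total Domain Management Servers checked: 2     1 up     1 down                       |
| Tip: Run mdsstat -h for legend                                                       |
+--------------------------------------------------------------------------------------+'

# Print one line "<type> <name> <process> <status>" per process that is not
# up (and not N/R). Reads the mdsstat text from $1.
mdsstat_unhealthy() {
    printf '%s\n' "$1" | awk -F'|' '
        # Server rows have MDS or CMA in the Type column; borders and the
        # header, total and tip rows do not match and are skipped.
        $2 ~ /^ *(MDS|CMA) *$/ {
            gsub(/ /, "", $2)
            gsub(/^ +| +$/, "", $3)
            name = ($3 == "-") ? "MDS" : $3
            # Columns 5..8 are FWM, FWD, CPD, CPCA, each "<status> [<pid>]".
            split("FWM FWD CPD CPCA", proc, " ")
            for (i = 5; i <= 8; i++) {
                split($i, f, " ")
                if (f[1] != "up" && f[1] != "N/R") print $2, name, proc[i - 4], f[1]
            }
        }'
}

# Exit status 0 when every relevant process is up, 1 otherwise, so the check
# can be scheduled (for example from cron) on the Multi-Domain Server.
mdsstat_healthy() {
    [ -z "$(mdsstat_unhealthy "$1")" ]
}

# With --live, check the real mdsstat output; otherwise run on the sample.
if [ "${1:-}" = "--live" ]; then
    mdsstat_unhealthy "$(mdsstat)"
else
    mdsstat_unhealthy "$SAMPLE_MDSSTAT"
fi
```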
migrate_global_policies
This utility transfers (and upgrades, if necessary) the global configuration database from one
Multi-Domain Server to another Multi-Domain Server. migrate_global_policies replaces all
existing global configurations. Each existing global configuration is saved with a *.pre_migrate
extension.
If you migrate only the global configurations (without the Domain Servers) to a new Multi-Domain
Server, disable all Security Gateways that are enabled for global use.
Note - You can only use migrate_global_policies when the target Multi-Domain
Server does not have global configurations defined.
You can migrate global Policies from these Multi-Domain Management versions:
• R75.x
• R76.x
• R77.x
You can only use migrate_global_policies to import files created with export_database
from Multi-Domain Servers with the above versions. You cannot export an R80 global
configuration database and then use migrate_global_policies on an R80 Multi-Domain
Server.
Syntax
migrate_global_policies <path>
Parameter Description
<path> The fully qualified path to the directory where the global policies
files, originally exported from the source Multi-Domain Server
($MDSDIR/conf), are located.
Example
# migrate_global_policies /tmp/exported_global_db.22Jul2007-124547.tgz
threshold_config
Use threshold_config to configure Policy thresholds. You must be in expert mode to run this
command. After you run threshold_config, follow the on-screen instructions to make
selections and configure the global settings and each threshold.
Syntax
threshold_config
When you run threshold_config, you get these options:
• Show Policy name - Shows you the name configured for the threshold Policy.
• Set Policy name - Lets you set a name for the threshold Policy.
• Save Policy - Lets you save the Policy.
• Save Policy to file - Lets you export the Policy to a file.
• Load Policy from file - Lets you import a threshold Policy from a file.
• Configure global alert settings - Lets you configure global settings for how frequently alerts
are sent and how many alerts are sent.
• Configure alert destinations - Lets you configure a location or locations where the SNMP
alerts are sent.
• View thresholds overview - Shows a list of all thresholds that you can set.
• Configure thresholds - Open the list of threshold categories to let you select thresholds to
configure.