Provider-1/SiteManager-1 - Check Point

More documents

Recommendations

Info

The Management ModelThe High Availability scheme requires one Primary CMA and one Secondary CMA,which are housed separately, on different MDS computers. Administrators make securitypolicy changes through the active CMA. If policy changes are made with the activeCMA, the standby CMA can be setup to synchronize automatically to reflect thesechanges.These CMAs must be synchronized in order to maintain the same information. It ispossible to configure the High Availability feature to synchronize automatically for eachpolicy installation operation, on each policy save operation and on any other scheduledevent. If the active CMA’s data has not be synchronized with the standby CMA, youcan still use the standby CMA, which is updated until the moment of the lastsynchronization.Security Policies in Provider-1Security Policies are created to enforce security rules. Administrators can create securitypolicies and rules tailored to a specific customer, or a type of customer. In theProvider-1/SiteManager-1 environment, administrators create Customer securitypolicies for a specific set of gateways, using the CMA, which is the equivalent of theSmartCenter Server in the VPN-1 Pro model. To find out details about how theVPN-1 Pro works with security policies, see the VPN-1 Guide and FireWall-1 andSmartDefense Guide.The need for Global PoliciesBesides security policies for a specific set of gateways, administrators need to createpolicies which apply to the entire Provider-1 environment. The separation betweendifferent levels of policies, and different types of policies, means that Customer-levelsecurity rules do not need to be reproduced throughout the entire Provider-1environment. Policies can be created and privately maintained for each customer,ensuring a customer’s security integrity. Global Policies enforce security for the entireProvider-1 system. This is described in greater detail in Chapter 5, “Global PolicyManagement.”The Management ModelIn the Provider-1/SiteManager-1 environment, the management model has beendesigned so that network security managers can centrally and securely manage manydistributed systems. Network security is sharpened by differentiating between differentlevels of security needs, and differentiating between access privileges and needs. TheProvider-1/SiteManager-1 management model allows you to designate trusted users26
Administrators(administrators) with different access rights. It enables trusted communication bothwithin the Provider-1/SiteManager-1 network, and with customers’ networkenvironments.AdministratorsIt is important, for security purposes, that there be different types of administrativeauthority. Administrators with authority over the entire system are needed in order tomanage the entire Provider-1/SiteManager-1 system. But there also must be a level ofadministration authority which only applies to the customer environment and not tothe Provider-1/SiteManager-1 system.It is not appropriate for an administrator who remotely manages a VPN-1 Pro gatewayin a particular customer network, to be able to have authority over the entireProvider-1 system. This could be a serious security breach, as a customer’s internal staffwould have access to other customer networks. For an MSP which handles numerouscustomers, it would not be appropriate for a particular customer administrator who isnot familiar with the entire system to, say, have the authority to shut down an MDSManager and delete all the superusers from the system.In the Provider-1/SiteManager-1 environment, four types of administrators have beendesignated to handle different levels of responsibility. While there needs to beadministrators who have the authority to create and manage the entireProvider-1/SiteManager-1 environment, not every administrator in the system has thislevel of complete control.Chapter 1 Introduction 27
Page 1 and 2: Check PointProvider-1/SiteManager-1
Page 3 and 4: Table Of ContentsChapter 1Chapter 2
Page 5 and 6: Chapter 5Chapter 6Chapter 7Global P
Page 7: Setting up a new MDS and initiating
Page 10 and 11: The Need for Provider-1/SiteManager
Page 12 and 13: The Need for Provider-1/SiteManager
Page 14 and 15: The Check Point SolutionIT services
Page 16 and 17: The Check Point SolutionThe Multi-D
Page 18 and 19: The Check Point SolutionExample: En
Page 20 and 21: The Check Point SolutionLeased line
Page 22 and 23: The Check Point SolutionLet’s loo
Page 24 and 25: The Check Point SolutionProvider-1/
Page 28 and 29: The Management ModelTABLE 1- 1Admin
Page 30 and 31: The Management ModelFIGURE 1-15MDG
Page 32 and 33: The Management ModelFIGURE 1-16 Ros
Page 34 and 35: The Provider-1/SiteManager-1 Trust
Page 40 and 41: Asking yourself the right questions
Page 42 and 43: Consider the following scenario...C
Page 44 and 45: MDS Managers and Containers in the
Page 46 and 47: Setting up the Provider-1/SiteManag
Page 52 and 53: Hardware Requirements and Recommend
Page 54 and 55: Licensing and Deployment• Custome
Page 56 and 57: Licensing and DeploymentTABLE 2-2MD
Page 58 and 59: Licensing and DeploymentMulti-Custo
Page 60 and 61: Licensing and DeploymentTABLE 2-8VP
Page 62 and 63: Licensing and DeploymentTABLE 2-11V
Page 64 and 65: Miscellaneous IssuesEach MDS Contai
Page 66 and 67: Miscellaneous IssuesStatic NAT allo
Page 68 and 69: The Provisioning Processdeployment
Page 70 and 71: Installation and ConfigurationNotes
Page 72 and 73: Installation and Configuration1 Fro
Page 74 and 75: Installation and ConfigurationInput
Page 76 and 77:
Installation and Configurationa In
Page 78 and 79:
Defining a Security Policy for the
Page 80 and 81:
Defining a Security Policy for the
Page 82 and 83:
Configurations with More than One M
Page 84 and 85:
Configurations with More than One M
Page 86 and 87:
When a CMA Manages the VPN-1 Pro Ga
Page 88 and 89:
MDS Support for SmartView Reporter
Page 90 and 91:
CMA OPSEC APIsCMA OPSEC APIsThe fol
Page 92 and 93:
MDS OPSEC APIsMDS OPSEC APIsTo crea
Page 94 and 95:
MDS OPSEC APIs94
Page 96 and 97:
Overview• an actual customer, or
Page 98 and 99:
OverviewFIGURE 4-2MDG before Custom
Page 100 and 101:
Overviewon any MDS in the system. O
Page 102 and 103:
OverviewFIGURE 4-5Creating more cus
Page 104 and 105:
OverviewFIGURE 4-7SmartUpdate View
Page 106 and 107:
Configurationa CMA. Keep the CMAs I
Page 108 and 109:
ConfigurationAssign computers on wh
Page 110 and 111:
ConfigurationFIGURE 4-8Administrato
Page 112 and 113:
ConfigurationConfiguring a CMATo co
Page 114 and 115:
OverviewThe FireWall-1 administrato
Page 116 and 117:
OverviewFIGURE 5-3Policy creation w
Page 118 and 119:
OverviewGlobal policies can be assi
Page 120 and 121:
OverviewFIGURE 5-7Dynamic Global Ob
Page 122 and 123:
OverviewFor details about using Sma
Page 124 and 125:
OverviewAssigning a different globa
Page 126 and 127:
ConfigurationFor customers that alr
Page 128 and 129:
Configuration2 You are asked whethe
Page 130 and 131:
Configuration130
Page 132 and 133:
OverviewFIGURE 6-1Customer network
Page 134 and 135:
Managing Customer PoliciesFIGURE 6-
Page 136 and 137:
Working with CMAs and CLMs in the M
Page 138 and 139:
Logging Customer ActivityFIGURE 7-1
Page 140 and 141:
Exporting LogsTABLE 7-1TABLE 7-1 hi
Page 142 and 143:
Logging ConfigurationLog FilesFor e
Page 144 and 145:
Logging ConfigurationWorking with C
Page 146 and 147:
Logging ConfigurationConfiguring Lo
Page 148 and 149:
Logging ConfigurationTABLE 7- 3Log
Page 150 and 151:
OverviewFIGURE 8-1A FireWall-1 enfo
Page 152 and 153:
OverviewAfter a successful IKE nego
Page 154 and 155:
VPN-1 Connectivity in Provider-1FIG
Page 156 and 157:
Global VPN CommunitiesConversion Co
Page 158 and 159:
Global VPN CommunitiesCMA databases
Page 160 and 161:
Configuring Global VPN CommunitiesF
Page 162 and 163:
Configuring Global VPN Communities7
Page 164 and 165:
OverviewBy default, management acti
Page 166 and 167:
Checking the Status of Components i
Page 168 and 169:
Checking the Status of Components i
Page 170 and 171:
Monitoring issues for different com
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Using Check Point Applications to M
Page 180 and 181:
Using Check Point Applications to M
Page 182 and 183:
ConfigurationThe MDS Manager is the
Page 184 and 185:
ConfigurationFIGURE 10-2 CMA High A
Page 186 and 187:
ConfigurationFIGURE 10-3 Mirror MDS
Page 188 and 189:
ConfigurationMDS: Active or Standby
Page 190 and 191:
ConfigurationFor example, if a new
Page 192 and 193:
ConfigurationFIGURE 10-7 CMA databa
Page 194 and 195:
Configuration• Lagging — The da
Page 196 and 197:
Configuration3 Right-click the MDS,
Page 198 and 199:
ConfigurationSynchronize ClusterXL
Page 200 and 201:
Packages in MDS InstallationPackage
Page 202 and 203:
MDS File SystemFollowing is the lis
Page 204 and 205:
ProcessesSourcing these files (or i
Page 206 and 207:
MDS Configuration DatabasesMDS Conf
Page 208 and 209:
Connectivity Between Different Proc
Page 210 and 211:
Issues Relating to Different Platfo
Page 212 and 213:
Issues Relating to Different Platfo
Page 214 and 215:
SyntaxArgumentsource database direc
Page 216 and 217:
SyntaxArgumentstorestore=/new_path/
Page 218 and 219:
SyntaxArgumentfrequencystoreoffDesc
Page 220 and 221:
SyntaxArgumentstorestore=/new_path/
Page 222 and 223:
SyntaxOutputArgumentstorestore=/new
Page 224 and 225:
UsageSyntaxExampleExit CodeSince th
Page 226 and 227:
To edit the CMA database, use the f
Page 228 and 229:
SyntaxArgumentDescription-m mds For
Page 230 and 231:
SyntaxArgumentCustomerNameDescripti
Page 232 and 233:
Usage mdscmd deletecustomer -m mds
Page 234 and 235:
SyntaxArgumentCustomerNameDescripti
Page 236 and 237:
ArgumentDescription-i IP Specify th
Page 238 and 239:
SyntaxExampleArgumentDescription-s
Page 240 and 241:
mdsstartDescriptionUsageSyntaxThis
Page 242 and 243:
Further Info.You can run the cma_mi
Page 244 and 245:
244
Page 246 and 247:
DDData Centers 12Database Query Too
Page 248:
TSmartUpdatelicense types 105updati
show all

Provider-1/SiteManager-1 - Check Point

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?