Provider-1/SiteManager-1 - Check Point

More documents

Recommendations

Info

The Provider-1/SiteManager-1 Trust modelDifferent CMAs have different ICAs to ensure that a CMA establishes securecommunication with its own customer’s gateways, but that different customer CMAscannot penetrate each other’s internal networks and establish communication withanother customer’s gateways.FIGURE 1-20 SIC between CMA and Customer gatewayTrust between a CLM and its customer networkThe CLM (Customer Log Manager) also receives a certificate from the CMA’s ICA.This is so that the Customer’s VPN-1 Pro gateways can establish communication withthe CLM, for tracking and logging purposes. The gateways and CLM must be able totrust their communication with each other, but only if they belong to the samecustomer. Otherwise, different customers could monitor each other, which would be asecurity breach.36
Management ToolsMDS communication with CMAsEvery MDS Container communicates with the CMAs that it houses locally and securelythrough a protocol called SIC local. This type of authentication, SIC local, is managedby the Provider-1/SiteManger-1 environment and allows internal MDS communicationto be trusted.SIC is used for remote (not on the same host) communication, whereas SIC local isused for a host’s internal communication. SIC local communication does not make useof certificates.Trust between MDS to MDSThe primary MDS Manager, the first Manager created, has its own Internal CertificateAuthority. This ICA issues certificates to all other MDSs, so that trustedcommunication can be authenticated and secure between MDSs. All MDSs share oneInternal Certificate Authority.FIGURE 1-21 SIC between MDSsThe ICA creates certificates for all other MDSs, and for Provider-1/SiteManager-1administrators. Administrators also need to establish trusted communication with theMDSs.Authenticating the administratorAdministrators are authenticated to access the MDS via the MDG either by using a UserName and Password combination (which is considered only semi-secure) or by using acertificate issued by the MDS ICA (far more secure).Chapter 1 Introduction 37
Page 1 and 2: Check PointProvider-1/SiteManager-1
Page 3 and 4: Table Of ContentsChapter 1Chapter 2
Page 5 and 6: Chapter 5Chapter 6Chapter 7Global P
Page 7: Setting up a new MDS and initiating
Page 10 and 11: The Need for Provider-1/SiteManager
Page 12 and 13: The Need for Provider-1/SiteManager
Page 14 and 15: The Check Point SolutionIT services
Page 16 and 17: The Check Point SolutionThe Multi-D
Page 18 and 19: The Check Point SolutionExample: En
Page 20 and 21: The Check Point SolutionLeased line
Page 22 and 23: The Check Point SolutionLet’s loo
Page 24 and 25: The Check Point SolutionProvider-1/
Page 26 and 27: The Management ModelThe High Availa
Page 28 and 29: The Management ModelTABLE 1- 1Admin
Page 30 and 31: The Management ModelFIGURE 1-15MDG
Page 32 and 33: The Management ModelFIGURE 1-16 Ros
Page 34 and 35: The Provider-1/SiteManager-1 Trust
Page 38 and 39: The Provider-1/SiteManager-1 Trust
Page 40 and 41: Asking yourself the right questions
Page 42 and 43: Consider the following scenario...C
Page 44 and 45: MDS Managers and Containers in the
Page 46 and 47: Setting up the Provider-1/SiteManag
Page 52 and 53: Hardware Requirements and Recommend
Page 54 and 55: Licensing and Deployment• Custome
Page 56 and 57: Licensing and DeploymentTABLE 2-2MD
Page 58 and 59: Licensing and DeploymentMulti-Custo
Page 60 and 61: Licensing and DeploymentTABLE 2-8VP
Page 62 and 63: Licensing and DeploymentTABLE 2-11V
Page 64 and 65: Miscellaneous IssuesEach MDS Contai
Page 66 and 67: Miscellaneous IssuesStatic NAT allo
Page 68 and 69: The Provisioning Processdeployment
Page 70 and 71: Installation and ConfigurationNotes
Page 72 and 73: Installation and Configuration1 Fro
Page 74 and 75: Installation and ConfigurationInput
Page 76 and 77: Installation and Configurationa In
Page 78 and 79: Defining a Security Policy for the
Page 80 and 81: Defining a Security Policy for the
Page 82 and 83: Configurations with More than One M
Page 84 and 85: Configurations with More than One M
Page 86 and 87:
When a CMA Manages the VPN-1 Pro Ga
Page 88 and 89:
MDS Support for SmartView Reporter
Page 90 and 91:
CMA OPSEC APIsCMA OPSEC APIsThe fol
Page 92 and 93:
MDS OPSEC APIsMDS OPSEC APIsTo crea
Page 94 and 95:
MDS OPSEC APIs94
Page 96 and 97:
Overview• an actual customer, or
Page 98 and 99:
OverviewFIGURE 4-2MDG before Custom
Page 100 and 101:
Overviewon any MDS in the system. O
Page 102 and 103:
OverviewFIGURE 4-5Creating more cus
Page 104 and 105:
OverviewFIGURE 4-7SmartUpdate View
Page 106 and 107:
Configurationa CMA. Keep the CMAs I
Page 108 and 109:
ConfigurationAssign computers on wh
Page 110 and 111:
ConfigurationFIGURE 4-8Administrato
Page 112 and 113:
ConfigurationConfiguring a CMATo co
Page 114 and 115:
OverviewThe FireWall-1 administrato
Page 116 and 117:
OverviewFIGURE 5-3Policy creation w
Page 118 and 119:
OverviewGlobal policies can be assi
Page 120 and 121:
OverviewFIGURE 5-7Dynamic Global Ob
Page 122 and 123:
OverviewFor details about using Sma
Page 124 and 125:
OverviewAssigning a different globa
Page 126 and 127:
ConfigurationFor customers that alr
Page 128 and 129:
Configuration2 You are asked whethe
Page 130 and 131:
Configuration130
Page 132 and 133:
OverviewFIGURE 6-1Customer network
Page 134 and 135:
Managing Customer PoliciesFIGURE 6-
Page 136 and 137:
Working with CMAs and CLMs in the M
Page 138 and 139:
Logging Customer ActivityFIGURE 7-1
Page 140 and 141:
Exporting LogsTABLE 7-1TABLE 7-1 hi
Page 142 and 143:
Logging ConfigurationLog FilesFor e
Page 144 and 145:
Logging ConfigurationWorking with C
Page 146 and 147:
Logging ConfigurationConfiguring Lo
Page 148 and 149:
Logging ConfigurationTABLE 7- 3Log
Page 150 and 151:
OverviewFIGURE 8-1A FireWall-1 enfo
Page 152 and 153:
OverviewAfter a successful IKE nego
Page 154 and 155:
VPN-1 Connectivity in Provider-1FIG
Page 156 and 157:
Global VPN CommunitiesConversion Co
Page 158 and 159:
Global VPN CommunitiesCMA databases
Page 160 and 161:
Configuring Global VPN CommunitiesF
Page 162 and 163:
Configuring Global VPN Communities7
Page 164 and 165:
OverviewBy default, management acti
Page 166 and 167:
Checking the Status of Components i
Page 168 and 169:
Checking the Status of Components i
Page 170 and 171:
Monitoring issues for different com
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Using Check Point Applications to M
Page 180 and 181:
Using Check Point Applications to M
Page 182 and 183:
ConfigurationThe MDS Manager is the
Page 184 and 185:
ConfigurationFIGURE 10-2 CMA High A
Page 186 and 187:
ConfigurationFIGURE 10-3 Mirror MDS
Page 188 and 189:
ConfigurationMDS: Active or Standby
Page 190 and 191:
ConfigurationFor example, if a new
Page 192 and 193:
ConfigurationFIGURE 10-7 CMA databa
Page 194 and 195:
Configuration• Lagging — The da
Page 196 and 197:
Configuration3 Right-click the MDS,
Page 198 and 199:
ConfigurationSynchronize ClusterXL
Page 200 and 201:
Packages in MDS InstallationPackage
Page 202 and 203:
MDS File SystemFollowing is the lis
Page 204 and 205:
ProcessesSourcing these files (or i
Page 206 and 207:
MDS Configuration DatabasesMDS Conf
Page 208 and 209:
Connectivity Between Different Proc
Page 210 and 211:
Issues Relating to Different Platfo
Page 212 and 213:
Issues Relating to Different Platfo
Page 214 and 215:
SyntaxArgumentsource database direc
Page 216 and 217:
SyntaxArgumentstorestore=/new_path/
Page 218 and 219:
SyntaxArgumentfrequencystoreoffDesc
Page 220 and 221:
SyntaxArgumentstorestore=/new_path/
Page 222 and 223:
SyntaxOutputArgumentstorestore=/new
Page 224 and 225:
UsageSyntaxExampleExit CodeSince th
Page 226 and 227:
To edit the CMA database, use the f
Page 228 and 229:
SyntaxArgumentDescription-m mds For
Page 230 and 231:
SyntaxArgumentCustomerNameDescripti
Page 232 and 233:
Usage mdscmd deletecustomer -m mds
Page 234 and 235:
SyntaxArgumentCustomerNameDescripti
Page 236 and 237:
ArgumentDescription-i IP Specify th
Page 238 and 239:
SyntaxExampleArgumentDescription-s
Page 240 and 241:
mdsstartDescriptionUsageSyntaxThis
Page 242 and 243:
Further Info.You can run the cma_mi
Page 244 and 245:
244
Page 246 and 247:
DDData Centers 12Database Query Too
Page 248:
TSmartUpdatelicense types 105updati
show all

Provider-1/SiteManager-1 - Check Point

Create successful ePaper yourself

Delete template?

Save as template?