MDS INSTALLATION AND CONFIGURATION<br />
Chapter 3<br />
The MDS consists of multiple CMAs installed on a single machine. Each CMA<br />
controls any number of VPN-1/FireWall-1 remote Enforcement Modules at a<br />
single customer site.<br />
Check Point Provider-1 NG with Application Intelligence includes MDS<br />
Manager and MDS Container components to support a growing customer base.<br />
The MDS Manager is the core component and is required for the first 200<br />
customer CMAs. Additional MDS machines can be added, and up to 500<br />
separate CMAs can be managed by each MDS in the Provider-1 NG<br />
configuration.<br />
Objectives<br />
1 List the minimum system requirements for installing the MDS.<br />
2 Demonstrate how to install an MDS Manager on a Sun Solaris<br />
SPARC-based or RedHat Linux system.<br />
3 Demonstrate how to configure an MDS Manager as the Primary MDS.<br />
Key Terms<br />
• mds_setup<br />
• mdsconfig<br />
• mdsenv<br />
• mdsstart<br />
• mdsstop<br />
CHOOSING THE TYPE OF MDS<br />
The Multi Domain Server (MDS) contains separate file structures for each<br />
CMA. Customer-specific information is kept in independent CMA databases,<br />
which gives each customer's data its own integrity boundary. Each CMA's<br />
rules, objects, and users reside in that CMA's database and are not shared<br />
with any other CMA. The following directories remain private and separated<br />
by CMA:<br />
• conf<br />
• database<br />
• state<br />
What the CMAs do share is the VPN-1/FireWall-1 management code itself: the<br />
CMA data is separated, but every CMA uses the same soft-linked Management<br />
Server components, such as the binary executables and INSPECT files. The<br />
separation is therefore between CMA data sets on one host, not between<br />
hosts: anyone with Super-User (root) access to the MDS can read every<br />
CMA's database, so access to the MDS operating system must be restricted as<br />
tightly as the MDG administrator accounts are.<br />
Every Provider-1 configuration must include an MDS Manager. The GUI<br />
connects to the MDS Manager to access the CMAs. Additional MDS machines<br />
can be added to the configuration as needed. There are two different types of<br />
Multi Domain Server:<br />
• MDS Container<br />
• MDS Manager<br />
The MDS Container can maintain up to 500 separate CMAs and perform<br />
Security Policy management functions. The MDS Manager performs tasks<br />
such as file synchronization for backup capabilities and acts as the Certificate<br />
Authority for the Provider-1 system at the NOC. The scalable architecture of<br />
Provider-1 allows MSPs to accommodate a growing customer base. In every<br />
scenario, both an MDS Manager and an MDS Container are necessary; the two<br />
components can run on the same machine.<br />
Multi Domain Server - Manager<br />
The MDS Manager is the central point of entry for the CMAs. The MDG can<br />
connect only to the MDS Manager. The Manager is the Certificate Authority for the<br />
Provider-1 NG configuration and, if multiple MDS Managers exist, establishes<br />
High Availability between them. High Availability (HA) is possible even if the<br />
additional Manager machine is located at a remote site.<br />
No CMAs are loaded on an MDS that is a Manager only; only the MDS Container<br />
function maintains CMAs. If the MDS Manager is installed as the only MDS in the<br />
configuration, both the Manager and Container functions can be installed and<br />
run on that one machine.<br />
Multi Domain Server - Container<br />
The less expensive MDS Container maintains the customer CMAs. Capable of<br />
maintaining up to 500 CMAs, the Container machine is the option for<br />
Administrators who want to increase their Provider-1 capacity without<br />
dramatically increasing cost. The Container machine cannot function as a<br />
Certificate Authority for Provider-1 components or establish High Availability<br />
for CMAs. A Container machine can be used as an additional MDS to<br />
increase customer capacity and for backup capabilities.<br />
Multi Domain Server as Multi Domain Log Module<br />
The MDS can also be licensed to function as a Multi Domain Log Module<br />
(MLM). The MLM separates the logs of each CMA into different databases.<br />
The MLM is configured with a Customer Log Module (CLM) for each customer CMA.<br />
Unlike the CMAs loaded on an MDS, CLMs configured on the MLM do not require a<br />
separate license. No more than 200 CLMs can be loaded on one MLM.<br />
Licensing the Multi Domain Server<br />
The MDS can be licensed in a number of different ways, depending on the<br />
MSP's Provider-1 configuration. The MDS can be licensed as a Manager,<br />
a Container, or both.<br />
Feature String        Description<br />
CPPR-MDS-M-NG         MDS Manager component without Container<br />
CPPR-MDS-C10-NG       MDS Container component for hosting up to 10 CMAs<br />
CPPR-MDS-C25-NG       MDS Container component for hosting up to 25 CMAs<br />
CPPR-MDS-C50-NG       MDS Container component for hosting up to 50 CMAs<br />
CPPR-MDS-C100-NG      MDS Container component for hosting up to 100 CMAs<br />
CPPR-MDS-C200-NG      MDS Container component for hosting up to 200 CMAs<br />
CPPR-MDS-MC10-NG      Combined MDS Manager and Container for hosting up to 10 CMAs<br />
CPPR-MDS-MC25-NG      Combined MDS Manager and Container for hosting up to 25 CMAs<br />
CPPR-MDS-MC50-NG      Combined MDS Manager and Container for hosting up to 50 CMAs<br />
CPPR-MDS-MC100-NG     Combined MDS Manager and Container for hosting up to 100 CMAs<br />
CPPR-MDS-MC200-NG     Combined MDS Manager and Container for hosting up to 200 CMAs<br />
Provider-1 NG licenses are additive. If an Administrator has a 50 CMA license<br />
and adds a 25 CMA license, that Administrator is licensed to manage up to 75<br />
CMAs.<br />
PROVIDER-1 NG WITH APPLICATION INTELLIGENCE MDS MINIMUM REQUIREMENTS<br />
The table below lists the minimum hardware and operating system<br />
requirements for installing the specified MDS components.<br />
Platform            Sun Ultra SPARC-based systems; Intel-based systems<br />
Operating Systems   Solaris 2.8 (32-bit or 64-bit); Solaris 2.9 (64-bit);<br />
                    RedHat Linux 7.2; RedHat Linux 7.3;<br />
                    SecurePlatform NG with Application Intelligence (R55)<br />
Required Patches    Solaris 2.8 (32-bit and 64-bit): 109147-18 and 109326-07<br />
                    Solaris 2.9: 112902-07<br />
                    OS patch level of at least 6<br />
                    RedHat Linux 7.2: kernel 2.4.9-31<br />
                    RedHat Linux 7.3: kernel 2.4.18-5<br />
Edition             VpnStrong (3DES)<br />
Disk Space          Basic MDS installation (mostly under /opt): 150 MB, plus 60 MB swap<br />
                    Each CMA (under /var/opt): 10 MB<br />
Memory              MDS functionality: 100 MB<br />
                    Each CMA: 10-20 MB<br />
Network Interface   All interfaces supported by the operating system<br />
The Linux kernel required to install the MDS on RedHat is<br />
available from the Check Point download center at:<br />
www.checkpoint.com/support/downloads<br />
LAB 1: INSTALLING AND CONFIGURING THE PRIMARY MDS STATION<br />
Scenario: You have just been hired to deploy Provider-1 NG at an MSP that<br />
wants to offer security services to its customers. You must now deploy a<br />
Primary MDS at your new company's NOC.<br />
Objectives: In this lab, you will install the MDS as a Manager and Container.<br />
You will then configure the station to function as the Primary MDS in your<br />
NOC environment.<br />
Topics: The following topics are covered in this lab:<br />
• MDS installation on a Linux or a Solaris system<br />
• MDS configuration<br />
• Configuring a Provider Superuser<br />
• Configuring a GUI client<br />
VERIFY MDS MACHINE CONFIGURATION<br />
1 Verify that gzip and gunzip are installed on the Sun Solaris or Linux machine<br />
before attempting to install the MDS.<br />
2 Verify that your machine meets the minimum requirements for MDS installation,<br />
including patch level.<br />
A specific kernel must be running on the Linux machine before<br />
you can install the Provider-1 MDS. If the system is not booted<br />
on this kernel, the MDS installation will fail.<br />
3 Insert the Provider-1 NG CD into the CD-ROM drive.<br />
TRANSFER PROVIDER-1 NG FILES TO THE SOLARIS OR LINUX MACHINE<br />
Begin from a Terminal or Console window on the machine that will function as<br />
your configuration's Primary MDS.<br />
1 Log in as root (enter the root password for your machine).<br />
2 Create a temporary directory for the MDS, for example:<br />
/Provider_NG<br />
The temporary directory from which the installation is<br />
performed is not automatically erased after the<br />
Provider-1 NG MDS is installed. It can be used later for a reinstallation.<br />
3 Using the cd command, navigate to the MDS files on the Provider-1 CD.<br />
4 Select the package appropriate for the system on which you<br />
wish to install.<br />
5 Copy the gzipped tar file (*.tgz) to /Provider_NG.<br />
6 Change directory to /Provider_NG.<br />
7 Decompress the *.tgz file and untar it.<br />
Solaris example:<br />
gzip -d Provider-1_R55_MDS_pr22_solaris.tgz<br />
tar -xvf Provider-1_R55_MDS_pr22_solaris.tar<br />
Linux example:<br />
gzip -d mds_release_ng_r54_linux_pr4.tgz<br />
tar -xvf mds_release_ng_r54_linux_pr4.tar<br />
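What the "Verify MDS machine configuration" and "Transfer" steps check by hand, as an added example in POSIX sh. This is not Check Point's code and is not part of the lab. The RedHat kernel versions, Solaris patch IDs and disk/memory figures are the ones in the requirements table on this page, and /Provider_NG and the package names are the lab's; the function names, the "Patch: NNNNNN-RR ..." line layout of showrev -p that patch_installed parses, and the treatment of a later revision of a required patch as satisfying the requirement are this example's assumptions. The package is checked with gzip -t before it is untarred, so a truncated copy from the CD fails here instead of part-way through mds_setup.<br />

```shell
#!/bin/sh
# Added example for the "Verify MDS machine configuration" and "Transfer"
# steps of Lab 1. This is not Check Point code and not part of the lab.
# Figures and identifiers taken from the page: the RedHat kernel versions,
# Solaris patch IDs and disk/memory sizes of the requirements table, the
# /Provider_NG staging directory and the .tgz package layout.
# Assumptions of this example: the function names, the "Patch: NNNNNN-RR ..."
# line layout of `showrev -p` that patch_installed parses, and that a later
# revision of a required patch satisfies the requirement.
# Run as root under /bin/sh. The MDS commands themselves need the C shell;
# this preflight does not.

# required_kernel RELEASE -> kernel the MDS package needs on that RedHat
# release, empty if the release is not in the requirements table
required_kernel() {
    case "$1" in
        7.2) echo "2.4.9-31" ;;
        7.3) echo "2.4.18-5" ;;
        *)   echo "" ;;
    esac
}

# check_kernel RUNNING RELEASE -> prints "ok", or why mds_setup would fail
check_kernel() {
    want=$(required_kernel "$2")
    if [ -z "$want" ]; then
        echo "RedHat $2 is not a supported MDS platform"; return 1
    fi
    if [ "$1" != "$want" ]; then
        echo "running kernel $1, MDS needs $want: reboot into it before mds_setup"; return 1
    fi
    echo ok
}

# required_solaris_patches UNAME_R -> the patch IDs the table lists for
# that Solaris release (uname -r reports 5.8 for Solaris 2.8, 5.9 for 2.9)
required_solaris_patches() {
    case "$1" in
        5.8) echo "109147-18 109326-07" ;;
        5.9) echo "112902-07" ;;
        *)   echo "" ;;
    esac
}

# patch_installed ID  (reads `showrev -p` output on stdin)
# -> 0 if that patch, or a later revision of the same base number, is listed
patch_installed() {
    base=${1%-*}; rev=${1#*-}; rev=${rev#0}
    while read -r line; do
        case "$line" in
            "Patch: $base-"*)
                got=${line#"Patch: $base-"}; got=${got%% *}; got=${got#0}
                [ "$got" -ge "$rev" ] && return 0 ;;
        esac
    done
    return 1
}

# mds_disk_mb N / mds_mem_mb N -> MB to budget for an MDS hosting N CMAs:
# 150 MB under /opt plus 10 MB per CMA under /var/opt (swap excluded);
# 100 MB RAM plus the table's 20 MB upper figure per CMA
mds_disk_mb() { echo $((150 + 10 * $1)); }
mds_mem_mb()  { echo $((100 + 20 * $1)); }

# extract_package FILE DIR -> check the gzip CRC before untarring, so a
# truncated copy from the CD fails here rather than half-way through mds_setup
extract_package() {
    [ -r "$1" ] || { echo "missing $1"; return 1; }
    gzip -t "$1" || { echo "$1 is corrupt, copy it from the CD again"; return 1; }
    mkdir -p "$2" && gzip -dc "$1" | (cd "$2" && tar -xf -)
}

# preflight RELEASE PKG -> the checks to run on the MDS host before ./mds_setup;
# RELEASE is the RedHat release (ignored on Solaris), PKG the staged .tgz
preflight() {
    for tool in gzip gunzip tar; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool is not installed"; return 1; }
    done
    case "$(uname -s)" in
        Linux) check_kernel "$(uname -r)" "$1" || return 1 ;;
        SunOS) for p in $(required_solaris_patches "$(uname -r)"); do
                   showrev -p | patch_installed "$p" || { echo "Solaris patch $p missing"; return 1; }
               done ;;
        *)     echo "$(uname -s) is not a supported MDS platform"; return 1 ;;
    esac
    extract_package "$2" /Provider_NG
}

# Example invocation on a RedHat 7.2 host:
#   sh preflight.sh 7.2 /Provider_NG/mds_release_ng_r54_linux_pr4.tgz
if [ $# -ge 2 ]; then preflight "$@"; fi
```

The kernel string is compared exactly rather than by prefix because mds_setup fails on anything but the kernel it was built against; the patch check accepts a later revision of the same base number, which is how Solaris patch supersession works, so do not loosen it to a prefix match on the base number alone.<br />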
PERFORM MDS INSTALLATION<br />
Install and configure the MDS software on the machine functioning as the<br />
Primary MDS in your MSP configuration.<br />
The steps in this lab pertain to both Sun Solaris and Linux<br />
environments. Although you may notice slight variations in the<br />
wording of the prompts, all differences are cosmetic unless otherwise stated<br />
in the lab.<br />
1 From the Provider_NG directory, locate the mds_setup program.<br />
2 Run the following script:<br />
./mds_setup<br />
The system displays the following output:<br />
******************************************************<br />
Welcome to the Check Point setup center for<br />
Provider-1/SiteManager-1. This utility will guide you<br />
through the installation or upgrade process.<br />
Version: NG with Application Intelligence (R55)<br />
******************************************************<br />
Checking for installed components. This may take a few<br />
seconds. Please wait...<br />
No previous Provider-1 installation was detected on<br />
this machine.<br />
*** Do you want to proceed with fresh installation<br />
[yes/no]?<br />
3 Type y, and press Enter. Various Check Point modules are installed and the<br />
system displays the following output:<br />
Which type of installation would you like to install?<br />
(1) Provider-1 MDS Manager station.<br />
(2) Provider-1 MDS Container station.<br />
(3) Provider-1 MDS Manager + Container station.<br />
(4) Provider-1 MLM station.<br />
Enter your selection [1,2,3,4,?,q]<br />
4 Type 3, to select the Provider-1 MDS Manager + Container station option, and<br />
press Enter. The system displays the following output:<br />
Are you installing the Primary MDS Manager [y,n,?,q]<br />
5 Type y, and press Enter. The system displays the following output:<br />
Do you want the MDS station to start automatically with<br />
each reboot of the machine i.e. from rc3.d boot level<br />
[y,n,?,q]<br />
6 Type y, to start the MDS automatically after reboot, and press Enter. The system<br />
displays the following output:<br />
## Executing checkinstall script.<br />
The selected base directory must exist<br />
before installation is attempted.<br />
Do you want this directory created now [y,n,?,q]<br />
This prompt does not appear on a Linux distribution. The system<br />
creates the directory automatically, without interaction from the<br />
user.<br />
7 Type y, and press Enter. The directory is created and the system displays the<br />
following output:<br />
Installation of was successful.<br />
copying system files to MDSDIR<br />
Please read the following license agreement.<br />
Hit 'ENTER' to continue...<br />
8 Press Enter. The system displays the License Agreement:<br />
This End-user License Agreement (the "Agreement") is an<br />
agreement between you (both the individual installing<br />
the Product and any legal entity on whose behalf such<br />
individual is acting) (hereinafter "You" or "Your")<br />
and Check Point Software Technologies Ltd. (hereinafter<br />
"Check Point"). TAKING ANY STEP TO SET-UP OR<br />
INSTALL THE PRODUCT CONSTITUTES YOUR ASSENT TO AND<br />
ACCEPTANCE OF THIS END USER LICENSE AGREEMENT. WRITTEN<br />
APPROVAL IS NOT A PREREQUISITE TO THE VALIDITY OR<br />
ENFORCEABILITY OF THIS AGREEMENT AND NO SOLICITATION OF<br />
ANY SUCH WRITTEN APPROVAL BY OR ON BEHALF OF YOU SHALL<br />
BE CONSTRUED AS AN INFERENCE TO THE CONTRARY. IF YOU<br />
HAVE ORDERED THIS PRODUCT AND SUCH ORDER IS CONSIDERED<br />
AN OFFER BY YOU, CHECK POINT'S ACCEPTANCE OF YOUR<br />
OFFER IS EXPRESSLY CONDITIONAL ON YOUR ASSENT TO THE<br />
TERMS OF THIS AGREEMENT, TO THE EXCLUSION OF ALL OTHER<br />
TERMS. IF THESE TERMS ARE CONSIDERED AN OFFER BY CHECK<br />
POINT, YOUR ACCEPTANCE IS EXPRESSLY LIMITED TO THE<br />
TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH ALL<br />
THE TERMS OF THIS AGREEMENT, YOU MUST RETURN THIS PRODUCT<br />
WITH THE ORIGINAL PACKAGE AND THE PROOF OF PAYMENT<br />
TO THE PLACE YOU OBTAINED IT FOR A FULL REFUND.<br />
9 Read the License Agreement, pressing the Space Bar to page down. The system<br />
displays the following output:<br />
Do you accept all the terms of this license agreement<br />
(y/n) ?<br />
10 Type y, and press Enter. The system displays the following output:<br />
Welcome to MDS Configuration Program<br />
========================================<br />
This program will guide you through several steps where<br />
you will define your MDS configuration. At any later<br />
time, you can reconfigure these parameters by running<br />
mdsconfig<br />
Configuring Leading VIP Interfaces...<br />
=====================================<br />
The Leading VIP Interfaces are real interfaces<br />
connected to an external network. These interfaces are<br />
used when setting CMA virtual IP addresses. Each<br />
leading interface can host up to 250 virtual IP<br />
addresses (250 CMAs). The following real interfaces are<br />
defined on this machine:<br />
hme0<br />
Typically, the leading interface on a Solaris machine is hme0.<br />
On an Intel-based machine, the leading interface is usually<br />
eth0.<br />
If only one interface is active, the system automatically<br />
configures it as the leading interface. If more than one interface<br />
is active, the system asks you to specify which is the leading<br />
interface.<br />
11 The system displays the following output:<br />
External interface has been added.<br />
Configuring Licenses...<br />
=======================<br />
The following licenses are installed on this host:<br />
Host Expiration Features<br />
Eval 4Feb2004 CPMP-PNP-1-NG<br />
Do you want to add licenses (y/n) [n] ?<br />
Check Point provides a full-featured 15-day evaluation license<br />
with the software. For real-world deployments, the system must<br />
be licensed before the end of the 15-day evaluation period.<br />
12 Type n, and press Enter. The system displays the following output:<br />
Configuring Random Pool...<br />
==========================<br />
You are now asked to perform a short random keystroke<br />
session. The random data collected in this session will<br />
be used in various cryptographic operations.<br />
Please enter random text containing at least six<br />
different characters. You will see the '*' symbol after<br />
keystrokes that are too fast or too similar to preceding<br />
keystrokes. These keystrokes will be ignored.<br />
Please keep typing until you hear the beep and the bar<br />
is full.<br />
[ ]<br />
13 Type a string of random keys. Stop when you hear a beep and the bar displayed<br />
on the screen is full.<br />
Try not to type the same letter twice, and type slowly when<br />
filling the random pool. Typing too fast and ignoring the<br />
beep can cause the machine to freeze, requiring you to reboot<br />
and restart the installation. The keystrokes seed the random pool<br />
used when the Certificate Authority is created in a later step, so a<br />
predictable sequence (a repeated key or a dictionary word) weakens the<br />
keys that every SIC certificate in the deployment will be issued from.<br />
14 Once the random string has been completed, the system displays the following<br />
output:<br />
Thank you.<br />
Configuring Groups...<br />
=====================<br />
MDS access and execution permissions<br />
-------------------------------------------<br />
Usually, a MDS module is given group permission<br />
for access and execution. You may now name such a group<br />
or instruct the installation procedure to give no group<br />
permissions to the MDS module. In the latter case, only<br />
the Super-User will be able to access and execute the<br />
MDS module.<br />
Please specify group name [ for no group<br />
permissions]:<br />
15 Press Enter to grant no group permissions (the lab default). Any group you<br />
name here can read every CMA's configuration and run the MDS commands, so<br />
membership in that group is equivalent to full control of every customer's<br />
policy and should be granted as sparingly as root access. The system displays<br />
the following output:<br />
No group permissions will be granted. Is this ok<br />
(y/n) [y] ?<br />
16 Press Enter, and the system displays the following output:<br />
Setting Group Permissions...<br />
Configuring Certificate Authority...<br />
====================================<br />
The Provider-1/SiteManager-1 system uses an internal<br />
Certificate Authority to provide Secured Internal<br />
Communication (SIC) Certificates for the components in<br />
this system.<br />
Note that your components won't be able to communicate<br />
with each other until the CA is initialized and they<br />
have their SIC certificate.<br />
Press 'Enter' to initialize the Certificate<br />
Authority...<br />
17 Press Enter, and the system displays the following output:<br />
Internal Certificate Authority created successfully<br />
Certificate was created successfully<br />
Setting FQDN to: 10.1.1.1<br />
Executing "$CPDIR/bin/cp_conf ca fqdn 10.1.1.1" in<br />
order to set FQDN<br />
Trying to contact Certificate Authority. It might take<br />
a while...<br />
10.1.1.1 was successfully set to the Internal CA<br />
Executing "$CPDIR/bin/cp_conf ca fqdn 10.1.1.1" in<br />
order to set FQDN - Done<br />
Certificate Authority initialization ended successfully<br />
Configuring Certificate's Fingerprint...<br />
========================================<br />
The following text is the fingerprint of this MDS<br />
machine:<br />
MILK HUFF SANE IRA MAT DOLT MUD BUSS NUDE TRAY ILL AWK<br />
Do you want to save it to a file? (y/n) [n] ?<br />
18 Type n, and press Enter. In a production deployment, answer y instead and<br />
keep the file somewhere the MDG operators can reach without going through<br />
the MDS: the MDG shows this fingerprint the first time it connects, and<br />
comparing it with the recorded value is the only check that the GUI is<br />
talking to your MDS Manager and not to a host interposed on the path. The<br />
system displays the following output:<br />
Configuring Administrators...<br />
=============================<br />
Do you want to add administrators (y/n) [y] ?<br />
19 Type y, and press Enter. The system displays the following output:<br />
Enter the administrator name:<br />
20 Type the name of the administrator (admin), and press Enter. The system displays<br />
the following output:<br />
Enter the password for the administrator:<br />
21 Enter the password of the Provider-1 NG administrator (abc123 in this lab;<br />
a Provider Superuser password on a real MDS controls every customer's policy<br />
and must not be a lab-grade value), and press Enter.<br />
The system displays the following output:<br />
Verify Password:<br />
22 Confirm the password, and press Enter. The system displays the following output:<br />
Please choose the administrator type you wish to<br />
define:<br />
1) Provider Superuser<br />
2) Customer Superuser<br />
3) Customer Manager<br />
4) Regular administrator (None)<br />
5) Don't add administrator now.<br />
Enter your choice (1-5):<br />
23 Type 1 to give the administrator Provider Superuser rights, and press Enter. The<br />
system displays the following output:<br />
Updating administrator admin to the database...<br />
This operation requires the Multi Domain Server to be<br />
running.<br />
Please wait...<br />
Starting MDS server...<br />
...<br />
admin updated successfully.<br />
Do you want to add administrators (y/n) [n] ?<br />
24 Type n, and press Enter. The system displays the following output:<br />
Configuring GUI clients...<br />
==========================<br />
Do you want to add Provider-1 GUI clients (y/n) [y] ?<br />
25 Type y, and press Enter. The system displays the following output:<br />
Please choose the Provider-1 GUI client type you wish<br />
to define:<br />
1) MDS GUI clients by IP.<br />
2) MDS GUI clients by name.<br />
3) AnyHost GUI client.<br />
4) Don't add GUI clients now.<br />
Enter your choice (1-4):<br />
26 Type 1, and press Enter. Registering GUI clients by IP address keeps the MDS<br />
Manager from accepting MDG connections from anywhere; the AnyHost option<br />
removes that restriction entirely and leaves only the administrator password<br />
between the network and the MDS, so use it only in an isolated lab. The<br />
system displays the following output:<br />
Enter the GUI client IP:<br />
27 Type the IP address of the MDG, and press Enter. The system displays the<br />
following output:<br />
Enter the GUI client host name:<br />
28 Type MDG for the hostname of the GUI client, and press Enter. The system<br />
displays the following output:<br />
Updating GUI client MDG to the database...<br />
MDG updated successfully.<br />
Do you want to add Provider-1 GUI clients (y/n) [n] ?<br />
29 Type n, and press Enter. The system displays the following output:<br />
Stopping MDS only<br />
CPD stopped<br />
MDS stopped<br />
Do you want to start MDS now [yes/no]?<br />
30 Type y, and press Enter. The system displays the following output:<br />
Adding Virtual IPs<br />
MDS: Starting MDS Server<br />
[1] 1908<br />
[2] 1909<br />
[3] 1910<br />
MDS Server Started<br />
******************************************************<br />
The installation of Provider-1/SiteManager-1 NG with<br />
Application Intelligence (R55) has completed<br />
successfully.<br />
Please logout from this shell, and login again to<br />
activate the environment settings of the new version.<br />
******************************************************<br />
A log file was created:<br />
/opt/CPInstLog/mds_setup.log01_20_13_02<br />
31 Type the following command, and press Enter:<br />
eject cdrom<br />
32 Remove the CD from the CD-ROM drive.<br />
33 Type the following command, and press Enter:<br />
init 6<br />
End of lab.<br />
CMA MANAGEMENT<br />
Each Customer Management Add-on is loaded on the MDS and functions as a<br />
Check Point Management Server. Each CMA manages a single customer's<br />
network and requires a dedicated CMA license. CMAs can be licensed as a<br />
single server or as a mirror server for HA configurations.<br />
Licensing the Customer Management Add-ons<br />
The CMAs can be licensed in a number of different ways, depending on the<br />
MSP's Provider-1 configuration.<br />
Feature String        Description<br />
CPPR-CMA-1-NG         First Customer CMA that manages one module<br />
CPPR-CMA-2-NG         First Customer CMA that manages up to two modules<br />
CPPR-CMA-4-NG         First Customer CMA that manages up to four modules<br />
CPPR-CMA-U-NG         First Customer CMA that manages an unlimited number of modules<br />
CPPR-CMA-1-HA-NG      Mirror CMA that manages one module<br />
CPPR-CMA-2-HA-NG      Mirror CMA that manages up to two modules<br />
CPPR-CMA-4-HA-NG      Mirror CMA that manages up to four modules<br />
CPPR-CMA-U-HA-NG      Mirror CMA that manages an unlimited number of modules<br />
MDS AND CMA COMMAND LINE OPTIONS<br />
This section provides basic command line options for administering the MDS<br />
and CMAs. All command line options must be performed in the C shell and in<br />
the directory specified in the description.<br />
MDS Commands<br />
— mdsconfig<br />
The mdsconfig utility executes automatically during the initial installation of<br />
any MDS. This utility is used to set up the MDS parameters and assign basic<br />
configuration details, such as GUI Clients, Administrator rights, etc. If<br />
reconfiguration is necessary, the mdsconfig utility can be run from the MDS<br />
environment.<br />
— mdsenv<br />
The mdsenv command sets the environment variables for the MDS. Once the<br />
MDS environment is set, all MDS-specific commands can be executed.<br />
— mdsstart [-m]<br />
The mdsstart command starts the MDS and all CMAs loaded on the MDS. If<br />
the command is run with the -m qualifier, the MDS is started but the CMAs are<br />
not.<br />
— mdsstop [-m]<br />
The mdsstop command stops the MDS and all CMAs loaded on the MDS. If<br />
the command is run with the -m qualifier, the MDS is stopped but the CMAs are<br />
not.<br />
— mdscmd<br />
mdscmd is a CPMI client that allows an Administrator to add or remove a<br />
customer or to use the mirror option to back up MDS information. This utility<br />
walks the administrator through the addition or removal of customers from the<br />
MDS; all mdscmd operations are logged and synchronized with the other MDS<br />
machines.<br />
— mdsstat<br />
The mdsstat utility displays detailed information on the process<br />
status of both the MDS and the CMAs.<br />
— cplic printlic<br />
The cplic printlic command displays all MDS licenses.<br />
— cplic putlic<br />
The cplic putlic command allows Administrators to add licenses to the MDS.<br />
— fw mds ver<br />
The fw mds ver command displays the version information of the MDS DLL.<br />
— MSP_RETRY_INTERVAL [Number of seconds]<br />
MSP_RETRY_INTERVAL is an environment variable, set in the MDS C-shell<br />
environment before the MDS is started; it changes the MDS setting that<br />
regulates how often the MDS checks whether a GUI client is connected to a CMA.<br />
— MSP_RETRY_INIT_INTERVAL [Number of seconds]<br />
MSP_RETRY_INIT_INTERVAL is an environment variable set the same way; it<br />
changes the MDS setting that regulates how often the MDS requests that the<br />
CMAs send status information to it.<br />
— MSP_SPACING_REG_CMAS_FOR_STATUSES<br />
Setting MSP_SPACING_REG_CMAS_FOR_STATUSES makes the MDS contact the<br />
CMAs with a request to start collecting status information. If there is no<br />
MDG connection to the MDS, the MDS does not initiate a status collection<br />
request to the CMAs. This setting forces the request to each CMA at<br />
one-second intervals.<br />
Customer Management Add-on Commands<br />
— mdsenv [CMA name]<br />
The mdsenv command with a CMA name sets the environment variables for the<br />
specified CMA. Once the CMA environment is set, all CMA-specific commands can<br />
be executed. The command must be repeated, referencing the appropriate CMA,<br />
if the user intends to execute commands for a different CMA; CMA-specific<br />
commands only take effect once the correct environment has been set.<br />
— fw ver<br />
The fw ver command displays the VPN-1/FireWall-1 version information for<br />
the CMA for which the environment is set.<br />
— cplic printlic<br />
The cplic printlic command displays all licenses assigned to the CMA for<br />
which the environment is set.<br />
— cplic putlic<br />
The cplic putlic command adds licenses to the CMA for which the<br />
environment is set.<br />
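The 15-day evaluation note in Lab 1 and the cplic printlic entries above both come down to knowing when each MDS and CMA license runs out. The following is an added example, not Check Point code: a POSIX sh script that reads a license listing in the three-column Host / Expiration / Features layout that mdsconfig printed in the lab and flags each license as OK, EXPIRING, EXPIRED, PERMANENT or UNPARSED. The dMonYYYY date shape (4Feb2004), the treatment of "Never" as a permanent license, the assumption that cplic printlic on an MDS or CMA prints the same three columns, the sample table and the function names are this example's assumptions; a date it cannot parse is reported rather than silently skipped, since a license line that drops out of the report is exactly the one that will surprise you.<br />

```shell
#!/bin/sh
# Added example for the evaluation-license note in Lab 1 and the
# cplic printlic entries above. This is not Check Point code.
# It reads a license listing in the three-column layout that mdsconfig
# printed in the lab ("Host Expiration Features", one license per line)
# and reports each license as OK, EXPIRING, EXPIRED, PERMANENT or UNPARSED.
# Assumptions of this example: that cplic printlic on an MDS or CMA prints the
# same three columns, that expirations look like 4Feb2004 (day, three-letter
# month, year) and that "Never" marks a permanent license; the sample table
# below is constructed, not real output.

# days_since_epoch YEAR MONTH DAY -> days since 1970-01-01 (Gregorian),
# so two dates can be compared with plain integer arithmetic
days_since_epoch() {
    awk -v y="$1" -v m="$2" -v d="$3" 'BEGIN {
        if (m <= 2) { y -= 1; m += 12 }
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m - 3) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        print era * 146097 + doe - 719468
    }'
}

# month_number Mon -> 1..12, empty for anything else
month_number() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *)   echo "" ;;
    esac
}

# expiry_to_days 4Feb2004 -> days since epoch, or empty if the field does not
# have the dMonYYYY / ddMonYYYY shape (the caller reports it, never skips it)
expiry_to_days() {
    case "$1" in
        [0-9][A-Z][a-z][a-z][0-9][0-9][0-9][0-9])      day=${1%???????}; rest=${1#?} ;;
        [0-9][0-9][A-Z][a-z][a-z][0-9][0-9][0-9][0-9]) day=${1%???????}; rest=${1#??} ;;
        *) echo ""; return 0 ;;
    esac
    mon=$(month_number "${rest%????}")
    [ -n "$mon" ] || { echo ""; return 0; }
    days_since_epoch "${rest#???}" "$mon" "$day"
}

# check_licenses TODAY_DAYS WARN_DAYS  (reads the license table on stdin)
# -> one line per license: STATUS HOST EXPIRATION FEATURES
check_licenses() {
    today=$1; warn=$2
    while read -r host expiry features; do
        case "$host" in ""|Host) continue ;; esac     # blank line or header row
        case "$expiry" in
            [Nn]ever) status=PERMANENT ;;
            *)
                exp_days=$(expiry_to_days "$expiry")
                if [ -z "$exp_days" ]; then
                    status=UNPARSED
                elif [ "$exp_days" -lt "$today" ]; then
                    status=EXPIRED
                elif [ $((exp_days - today)) -le "$warn" ]; then
                    status=EXPIRING
                else
                    status=OK
                fi ;;
        esac
        echo "$status $host $expiry $features"
    done
}

# Constructed sample in the layout mdsconfig printed in Lab 1; the first line is
# the evaluation license from the lab, the rest are made up for the example.
SAMPLE_LICENSES='Host Expiration Features
Eval 4Feb2004 CPMP-PNP-1-NG
10.1.1.1 Never CPPR-MDS-MC50-NG
10.1.1.1 31Dec2003 CPPR-CMA-U-NG
10.1.1.1 soon CPPR-CMA-1-HA-NG'

# demo -> the sample evaluated as of 20 Jan 2004 (the date in the lab's
# mds_setup log name) with a 30-day warning window
demo() {
    printf '%s\n' "$SAMPLE_LICENSES" | check_licenses "$(days_since_epoch 2004 1 20)" 30
}

demo
```

On the MDS, after mdsenv (or mdsenv followed by the CMA name, for one customer's licenses), pipe cplic printlic into check_licenses with today's day count from days_since_epoch "$(date +%Y)" "$(date +%m)" "$(date +%d)"; the leading zero that date prints for the month and day is accepted by awk. Run it per CMA, because the CMA licenses are separate from the MDS licenses and a lapsed CMA license stops that customer's policy management while the MDS itself keeps running.<br />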
REVIEW<br />
Summary<br />
The MDS consists of multiple CMAs installed on a single machine.<br />
Each CMA controls any number of VPN-1/FireWall-1 remote Enforcement<br />
Modules at a single Customer site.<br />
Check Point Provider-1 NG with Application Intelligence includes Primary<br />
MDS and additional MDS components to support a growing customer base.<br />
The Primary MDS is the core component of a Provider-1 NG with<br />
Application Intelligence system.<br />
An additional MDS is required for any system with more than 500<br />
Customers, and can manage up to 500 additional Customers.<br />
Review Questions<br />
1 What are the main differences between MDS Manager and MDS<br />
Container machines?<br />
2 How many MDS Manager machines are required for each Provider-1<br />
configuration?<br />
Review Questions and Answers<br />
1 What are the main differences between MDS Manager and MDS Container<br />
machines?<br />
- The MDG can only connect to the MDS Manager machine.<br />
- The MDS Manager machine acts as the Certificate Authority for the<br />
Provider-1 configuration.<br />
- The MDS Container machine maintains all CMA data.<br />
2 How many MDS Manager machines are required for each Provider-1<br />
configuration?<br />
One MDS Manager machine is necessary for standard operations, two for<br />
MDS-level High Availability functions.<br />