Checkpoint Security lectures: Moving to Provider-1, When and How
21-May-19, Checkpoint Security lectures, by Valeri Loukine, 2008
Agenda
- What is Provider-1 (just a reminder)
- Why is it better than SMC (SmartCenter)?
- Reasons to migrate
- How to migrate: preparations, process flow, checklist
What is Provider-1 NGX?
Check Point says: benefits of Provider-1 NGX
- Centralized management
- Security product scalability
- Multi-level high availability (MDS-HA and CMA-HA)
- Global security and global VPN communities
What people say
Check Point PS consultant:
- Global (corporate) policy, objects, services
- More diversity for administrator privileges
- Separate DBs for CMAs
- Consolidate SmartCenters; save power, money, HW, space
- Multi-user access at the MDS level
- Each CMA has its own processes, which goes better with multiple cores/CPUs
What people say, cont. (1)
Yet another Check Point PS consultant:
- There are some deployments where P-1 has to be used due to size, but mostly due to the organization's needs
- Global objects and global rules, but still having separate CMAs based on country, division, function, role, etc.
- Also multi-user: if you have 100 FWs per SMC, you can only have 1 RW admin. If you need 5 concurrent edits, you need 5 CMAs.
- Ease of backup/restore
- Logical separation of policies, logs, etc.
What people say, cont. (2)
CPUG gurus:
- Consolidates hardware: you only have one management server to look after, not many
- Patching easier: just apply one patch to the management server, not to many servers
- User management: particularly with large environments, trying to manage users on a whole lot of different management stations would be a complete nightmare
- Easy importing of other management stations
- There's also an economic angle to it. A CMA-U is cheaper than a full SmartCenter license, so there's a point when an organization has >5 SmartCenters where Provider-1 becomes a cheaper option.
What people say, cont. (3)
CPUG again: I found the following useful when moving to Provider-1 in a large environment:
- Centralized policy, administrator, object, and version management is a huge win
- Consolidation of hardware (moving from 20 SmartCenter Servers to 3 P1 MDSs)
- Licensing and logging are easier to manage
- Services between different business entities are easier to share (VPNs between different regions) but are still logically separate
What people say, cont. (4)
Check Point Forums on https://forums.checkpoint.com/: more than 200 views, but no reply…
Organizational reasons: MSP/ISP
- Independent groups of FWs for customers
- Delegating major administrative functions to the customer
- Parallel administration of policies and objects
- Need to maintain the security system as a whole
- Saving some HW and space
Organizational reasons: large enterprise
- Different groups of FWs, multiple geographical locations, multiple purposes
- Delegating major administrative functions to local admin teams
- Diversification of administration procedures and access rights
- Global definition of vital policy elements and objects
- Unified company security policies
- Saving some HW and space
Technical reasons
- Consolidation of several management servers onto a few machines
- Easy maintenance
- Better backups
- Good performance (each CMA runs its own processes)
- Multi-user access, flexible admin rights
- And, not mentioned before: VSX
VSX on Provider-1
- Migrating VSX from SmartCenter to Provider-1 is hardly doable
- Consider using Provider-1 from the start if you want to implement VSX
Migrating to a Provider-1 environment: so, how do we do it after all?
Tips and tools
- Doable across versions and operating systems
- Manually or by using tools
- Can and should be simulated in the lab before touching production systems
- What to use?
  - cma_migrate
  - migrate_assist
  - migrate_global_policies
  - And some manual work, anyway
Before you start
- Prepare your licenses (the hardest part)
- Plan IP addresses for the MDS and CMAs; the options are to keep the SMC IP or use another one
- Plan initial administrators for the OS and the MDG
- Install the Provider-1 MDS
Materials from SmartCenter
Copy these directories under the following names:
- $FWDIR/conf -> conf
- $FWDIR/database -> database
- $FWDIR/logs -> logs (optional)
- $CPDIR/conf -> conf.cpdir
- $CPDIR/database -> database.cpdir
Zip them and prepare to transfer them to the P1 machine.
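As an added example (not from the original slides and not a Check Point tool), the POSIX shell functions below collect the five items above under the exact target names, archive them, and record a SHA-256 so the copy can be checked on the Provider-1 machine before it is unpacked. They assume $FWDIR and $CPDIR are passed in as arguments (as set in a Check Point shell), use tar+gzip rather than zip, and the function names, output folder and sample files are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not a Check Point tool): collect the
# SmartCenter directories listed above under the names the CMA migration
# expects, archive them, and record a SHA-256 for verifying the transfer.
# Usage: collect_smc_files "$FWDIR" "$CPDIR" /var/tmp/export [yes]

collect_smc_files() {
    fwdir=$1
    cpdir=$2
    out=$(cd "$3" && pwd) || return 1     # absolute path for the archive
    with_logs=${4:-no}                     # logs are optional and can be large
    staging="$out/smc_export"

    rm -rf "$staging" && mkdir -p "$staging" || return 1

    # Source directory -> required target name (the slide's mapping).
    cp -Rp "$fwdir/conf"      "$staging/conf"           || return 1
    cp -Rp "$fwdir/database"  "$staging/database"       || return 1
    cp -Rp "$cpdir/conf"      "$staging/conf.cpdir"     || return 1
    cp -Rp "$cpdir/database"  "$staging/database.cpdir" || return 1
    if [ "$with_logs" = "yes" ]; then
        cp -Rp "$fwdir/logs"  "$staging/logs"           || return 1
    fi

    # Archive from inside the staging directory so entries are relative
    # (./conf/..., ./conf.cpdir/...) and unpack cleanly into one folder on P1.
    (cd "$staging" && tar -czf "$out/smc_export.tgz" .) || return 1
    (cd "$out" && sha256sum smc_export.tgz > smc_export.tgz.sha256) || return 1
    rm -rf "$staging"
    echo "$out/smc_export.tgz"
}

# Run on the Provider-1 machine before unpacking: the checksum must match and
# the four mandatory directories must be present at the top of the archive.
verify_smc_archive() {
    archive=$1
    dir=$(dirname "$archive")
    name=$(basename "$archive")
    (cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1) || {
        echo "checksum mismatch for $archive" >&2; return 1; }
    listing=$(tar -tzf "$archive") || return 1
    for d in conf database conf.cpdir database.cpdir; do
        printf '%s\n' "$listing" | grep -q "^\./$d/" || {
            echo "missing $d in $archive" >&2; return 1; }
    done
    return 0
}
```

The checksum is worth the extra line: a truncated or partially copied archive is one of the "not the right files" failures listed later, and it is cheaper to catch before the CMA is created than after a failed migration.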
Creating a new customer
- Create a new customer, name it as you wish
- Go through the wizard and assign: GUI clients, administrators, plug-ins (R65 and up)
- Then…
Creating a CMA
- DO NOT start it!
- Choose to migrate
- Put the collected files into some folder on P1 and unzip them
- Type the folder path into the dialog window
Potential issues
- Migration fails: DB corruption, MDS-related issues, out of space, MDS is too slow, not the right files
- Some good reasons to simulate before going into production
- You can always delete the CMA and the customer and start over
Potential issues, cont.
- Implied FW rules do not accept the new MGMT IP: gateways only accept control connections from the management servers they already know (the masters list). To resolve this, create a dummy MGMT object with the new IP, add it to the masters list before migration and push policy.
- Third-party devices block the new MGMT IP: change the policies on them before migration
- CMA cannot start: most probably a licensing issue; if not, debug the failing process
Checklist after migration
- SIC with managed objects
- Log server definition on enforcement points
- Policy installation works
- Logs arrive
- Licenses: check twice (especially central ones)
Questions? Thank you guys