Multi-Domain Management with Provider-1 R70


1 Multi-Domain Management with Provider-1 R70
Instructor:

2 Contents
Preface
Provider-1 R70 Deployment
MDS Installation and Configuration
Lab: Installing and Configuring the Primary MDS Station
Overview of the Multi-Domain GUI
Lab: Securing the NOC
Lab: Adding the UK_Corp City Site to Provider-1 R70
Lab: Creation and Migration of Existing Japan Corp Site
Provider-1 Logging Features
Lab: MDS MLM Installation and Configuration
Assigning Global Properties
Lab: Creating and Assigning a Global Policy
Advanced MDS Functions
Lab: Configuring MDS High Availability

3 Course Objectives
Choose the correct Provider-1 implementation
Classify the pieces of Provider-1 architecture and recognize their interactions
Use tools to troubleshoot and solve issues that arise in architecture, file system, or processes
Install Provider-1
Configure the Provider-1 container environment
Create a Primary MDS Manager
Install and configure the Multi Domain GUI
Implement any necessary Management Plugins for a specific customer or Provider environment
Troubleshoot and solve any issues that arise during installation and configuration
Create and configure a CMA
Migrate an existing Security Management configuration into Provider-1
Troubleshoot and solve any issues that arise working with CMAs

4 Course Objectives (continued)
Configure and implement an MLM
Configure and implement a CLM
Configure and implement a Global Policy
Configure and implement IPS in the Global Policy
Configure and implement VPNs globally and per customer
Create a secondary MDS Manager and enable MDS High Availability
Create and configure secondary CMAs
Configure CMA High Availability

5 Preface: Multi-Domain Management with Check Point Provider-1 R70
Key Elements:
Overview of remote R70 Provider-1 and configuration
Multiple customer site management

6 Course Layout
The following professionals benefit most from this course:
System administrators
Support analysts
Network engineers

7 Provider-1 Course Prerequisites
UNIX and Windows operating systems
Certificate management
System administration
CCSE certification
Networking (TCP/IP)

8 Lab Setup
All three city sites are configured for the purposes of this lab.
In the instance of the Japan_Corp site, the Security Management and Security Gateway are preconfigured in a distributed installation.
Root password to all systems is:
Be careful with root access.

9 Lab Topology

10 IP Addresses and Classroom Configuration
Name             Description          NIC                  IP Address / Net Mask
MDS1             Primary MDS          eth0                 /24
Default Gateway                                            /24
CMA_NOC          CMA on MDS1          Virtual IP Address   /24
CMA_UK                                                     /24
CMA_Japan                                                  /24
MLM                                                        /24
MDG              Multi-Domain GUI                          /24
MDS2             Secondary MDS                             /24
NOC              NOC Firewall         Internal             /16
                                      External             /16

11 MDS Configuration Information
CMA         Manages        Site         Backup on MDS2
CMA_NOC     NOC Firewall   USA_Corp     CMA_NOC Backup
CMA_UK      SGLondon       UK_Corp      CMA_UK_Backup
CMA_Japan   SGTokyo        Japan_Corp   CMA_Japan_Backup

12 IP Addressing for Customer Sites
Name        Description                              NIC               IP Address / Subnet Mask
SGLondon    Security Gateway                         fw internal       /24
                                                     fw external       /16
                                                     Default gateway   /16
SM London   Protected Host                           eth0              /24
SGTokyo     Security Gateway                         fw internal       /24
                                                     fw external       /16
                                                     Default gateway   /16
SMTokyo     Protected Host & Security Management
GUI_Tokyo   Protected Host & SmartConsole                              /24

13 Course and Lab Terminology
MDS—Multi-Domain Server
MDG—Multi-Domain GUI
NOC—Network Operations Center
CLM—Customer Log Module
CMA—Customer Management Add-on
MLM—Multi-Domain Log Module
ICA—Internal Certificate Authority

14 Provider-1 R70 Deployment
Chapter 1 Provider-1 R70 Deployment

15 Key Points
Identify Provider-1 components
Describe how Provider-1 uses CMAs to manage multiple customer security gateways
Identify the relationships between Provider-1 R70 components
Identify the remote-management communication process
Describe the difference between a standard and a point-of-presence configuration
Describe how to define a Provider-1 R70 operation within a secured environment
Describe how to enable control connections
Identify the Customer Log Module

16 Key Terms
Network Operations Center
Multi-Domain GUI
Customer Management Add-On
Multi-Domain Server
Managed Service Provider
MDS Manager
MDS Container
Virtual IP
Multi-Domain Log Module
Open Platform for Security
Remote Security Gateway
Secure Internal Communications
Enterprise management console
Standard client-site configuration
Point of presence configuration
Control connections
Customer Log Module

17 Provider-1 R70 Overview
Large-scale enterprise IT challenges:
Monitoring large user bases
Controlling access to confidential internal sites
Monitoring communication failures
Administrators need to be alerted to external attacks
Varying levels of secure access need to be provided for various roles in an organization, as well as from multiple locations inside or outside a network

18 Provider-1 R70

19 Managed Service Providers

20 Data Centers

21 Example MSP Deployment

22 Enterprises

23 Typical Financial Network Architecture

24 Example Enterprise Deployment

25 Network Operations Center Security
Three rules must be created:
MDS to Security Gateways rule
MDG to MDS rule
Security Gateways to MDS rule

26 MDG Communication In a standard NOC configuration, all Provider-1 traffic passes through one central enforcement point. If the MDG or other GUI clients traverse the NOC firewall to get to the MDS, a rule needs to be created to allow the MDG to communicate with the CMAs that are loaded on the MDS.

27 Enhancing NOC Security
Installing a firewall to protect the modules of a Provider-1 system enables greater security for the Customers managed by the MSP administrator
Configure the NOC firewall for NAT
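The three NOC control-connection rules from the slides above, modelled as a first-match rule base so the required flows and a few flows that must stay blocked can be checked mechanically. This is an added illustration, not Check Point code: the addresses, the CMA virtual IP range, the "CP_control" and "FW1_log" service labels and the stealth/cleanup rules are assumptions; only "CPMI" as the MDG-to-MDS service comes from the course material.

```python
"""Check a NOC firewall rule base for Provider-1 control connections.

Added illustration (not Check Point code). The three accept rules mirror
the slide: MDS to Security Gateways, MDG to MDS, Security Gateways to MDS.
Addresses and service labels below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, Iterable, List

# Constructed sample addressing (the classroom values are not reproduced).
NOC_FW = ip_network("10.1.1.1/32")          # the NOC enforcement point itself
CMA_VIPS = ip_network("10.1.1.16/28")       # virtual IPs of the CMAs on MDS1
MDG = ip_network("10.1.2.50/32")            # Multi-Domain GUI workstation
CUSTOMER_GWS = ip_network("192.0.2.0/24")   # remote Security Gateways
ANY = ip_network("0.0.0.0/0")

CPMI = "CPMI"            # service the MDG uses to reach the MDS (from the slides)
CP_CTRL = "CP_control"   # assumed label: CMA-to-gateway control traffic (SIC, policy)
CP_LOGS = "FW1_log"      # assumed label: gateway-to-CMA logging


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    services: FrozenSet[str]   # empty set means "any service"
    action: str                # "accept" or "drop"

    def matches(self, src: str, dst: str, service: str) -> bool:
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (not self.services or service in self.services))


def first_match(rules: Iterable[Rule], src: str, dst: str, service: str) -> str:
    """Action of the first matching rule; anything unmatched is dropped."""
    for rule in rules:
        if rule.matches(src, dst, service):
            return rule.action
    return "drop"


def noc_rules(include_mdg_rule: bool = True) -> List[Rule]:
    """Build the NOC rule base. Stealth protects the firewall itself and so
    sits on top without touching the control connections through it."""
    rules = [Rule("Stealth", ANY, NOC_FW, frozenset(), "drop")]
    if include_mdg_rule:
        rules.append(Rule("MDG to MDS", MDG, CMA_VIPS, frozenset({CPMI}), "accept"))
    rules += [
        Rule("MDS to Security Gateways", CMA_VIPS, CUSTOMER_GWS,
             frozenset({CP_CTRL}), "accept"),
        Rule("Security Gateways to MDS", CUSTOMER_GWS, CMA_VIPS,
             frozenset({CP_LOGS, CP_CTRL}), "accept"),
        Rule("Cleanup", ANY, ANY, frozenset(), "drop"),
    ]
    return rules


# Flows the NOC must pass (constructed endpoints inside the ranges above).
REQUIRED = [
    ("10.1.2.50", "10.1.1.17", CPMI),      # MDG to a CMA virtual IP
    ("10.1.1.17", "192.0.2.10", CP_CTRL),  # CMA pushes policy to its gateway
    ("192.0.2.10", "10.1.1.17", CP_LOGS),  # gateway sends logs back to its CMA
]
# Flows that must not pass.
FORBIDDEN = [
    ("192.0.2.10", "10.1.2.50", CPMI),     # a customer gateway reaching the MDG
    ("203.0.113.7", "10.1.1.17", CPMI),    # an outside host reaching a CMA
    ("10.1.2.50", "10.1.1.1", CPMI),       # MDG talking to the firewall itself
]


def audit(rules: List[Rule]) -> List[str]:
    """Return a list of violations; an empty list means the rule base passes."""
    problems = []
    for src, dst, svc in REQUIRED:
        if first_match(rules, src, dst, svc) != "accept":
            problems.append(f"required flow dropped: {src}->{dst} {svc}")
    for src, dst, svc in FORBIDDEN:
        if first_match(rules, src, dst, svc) != "drop":
            problems.append(f"forbidden flow accepted: {src}->{dst} {svc}")
    return problems


if __name__ == "__main__":
    print("complete rule base:", audit(noc_rules()) or "OK")
    print("without MDG rule:", audit(noc_rules(include_mdg_rule=False)))
```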

28 The Check Point Solution
Three-tier architecture
Multi-policy management
NOC-oriented features
Enable High Availability on multiple levels

29 Multi-Domain GUI

30 Multi-Domain Server
Accessed through the MDG
Allows administrators to control and monitor all gateways configured by the MDG
Separately manages each database: Rulebases, Network objects, Servers, Users
Types of MDS: MDS Manager, MDS Container
MDS Synchronization
Customer Management Add-Ons

31 Communication between CMA and Gateways

32 Multi-Domain Server Multi-Domain Log Modules OPSEC Support

33 Remote Security Gateway
A remote security gateway is any security gateway running VPN or inspection components, which can be managed from a Check Point management console

34 MDG to MDS Communication

35 CMA to Security Gateway Communication

36 Security Gateway Deployment
A Security Gateway is deployed to secure network access points. This configuration can be done in two different ways:
Standard client-site
Point of presence

37 Basic Provider-1 R70 Configuration

38 Point-of-Presence Provider-1 R70 Configuration

39 NOC Security

40 Log Management

41 MDS Multi-Domain Log Module

42 Benefits of Provider-1 R70
Centralized Management
Customer Security
Product Scalability
Multi-Level High Availability

43 Centralized Management
Allows MSPs to maintain multiple Security Gateways for multiple customers from one centralized location
A CMA is created for each customer
Each CMA maintains databases for that customer's secured sites
Since all data is stored on the MDS, the CMA maintains the Security Policy for each Customer's remote Gateways
With the use of assigned virtual IP addresses, the Provider-1 Administrator can effectively manage Gateways for multiple Customers from one MDS

44 Customer Security
Assignment of virtual IP addresses for each CMA provides for the separation of sensitive security data for each individual customer account
Customer data is not shared, but is maintained on a single server

45 Product Scalability
Modular architecture
Add new customers and CMAs at any time
An MDS can manage up to 500 separate customers
Additional MDSs can be integrated

46 Multi-Level High Availability
Decentralize backup and support functions
Configure multiple MDGs, CMAs and MDS machines

47 Review
Provider-1 R70 allows Administrators to manage multiple client accounts from a single machine.
Using virtual IP addressing, all customer data is maintained in separate secure databases located on the MDS.
In the standard Provider-1 configuration, a NOC includes the MDG and MDS, while point-of-presence configurations are designed for MSPs who offer other services to their clients while maintaining their customers' firewalls.
When operating in a standard configuration, a NOC keeps its own firewall separate from the Provider-1 setup.

48 Review (continued)
Provider-1 allows Administrators to monitor network activity of all CMA firewalls.
Multiple CLMs can be configured on the MLM, enabling the use of central logging while still separating logs by customer.
When operating in a standard configuration, the NOC will have its own firewall, separate from the Provider-1 setup.
Check Point recommends that the NOC firewall be administered by a NOC Security Administrator, while CMAs are administered by an MSP Administrator.

49 Review Questions
Where does Provider-1 consolidate all NGX management tasks?
A. Multi-Domain GUI
B. Customer Management Add-On
C. Multi-Domain Server
D. NGX and / or Check Point QoS remote Security Gateway
E. Network Operations Center
Answer is E

50 Review Questions
An Administrator with Manager permissions has all of the following view options except one. Which view option does he NOT have?
A. General
B. Global Policies
C. GUI Clients
D. High Availability
E. Connected Administrators
Answer is C

51 Review Questions
Each MDS can maintain up to how many separate CMAs?
A. 50
B. 100
C. 250
D. 500
E. Limited only by disk space
Answer is D

52 Review Questions
Communication from the MDS to Security Gateways takes place through the Internet using what?
A. SSL
B. XML encryption
C. TrueCrypt
D. PGP
E. DES
Answer is A

53 Review Questions
Which service does the MDG use to connect to the MDS?
A. CPMI
B. CPD
C. SWTP
D. SAM
E. SVC
Answer is A

54 Review Questions
Which of the following rules is NOT required in the NOC rule base?
A. MDG to MDS rule
B. MDS to Security Gateway rule
C. Security Gateway to MDS rule
D. Stealth rule
Answer is D

55 MDS Installation and Configuration
Chapter 2 MDS Installation and Configuration

56 Key Points
List the minimum system requirements for installing the MDS
Demonstrate how to install an MDS Manager and MDS Container
Demonstrate how to configure an MDS Manager as the Primary MDS

57 Key Terms
MDS Container
MDS Manager
mds_setup
mdsconfig
mdsenv
mdsstart
mdsstop

58 Choosing the Type of MDS
Two different types:
MDS Container
MDS Manager

59 MDS — Manager
Central point of entry for the Administrator into the Provider-1 environment via the MDG
The MDG can only access the MDS Manager
The Manager is a CA for the Provider-1 configuration
No CMAs are loaded on the MDS Manager; only the MDS Container can maintain CMAs
If only one MDS is installed in the configuration, both the Manager and Container functions can be installed and run on one machine

60 MDS — Container
Maintains customer CMAs
Maintains up to 500 CMAs
The container machine is an alternative for Administrators who want to increase their capacity without dramatically increasing costs
Cannot function as a CA or establish HA for CMAs
Can be used as an additional MDS to increase customer capacity and for backup capabilities

61 Multi-Domain Server as Multi-Domain Log Module
An MDS can be licensed to function as an MLM
The MLM separates the logs of each CMA into different databases
The MLM is configured with a CLM for each customer CMA

62 Licensing Provider-1 Trial Period

63 Considerations
Provider-1 components installed at the NOC:
MDG
Multi-Domain Servers (MDS), including Multi-Customer Log Modules (MLM)
CMA
CLM
Selecting MDS and CMA licenses:
Similar MDS components must be installed on different computers
Two Managers cannot share the same computer
Each Container must also be on a separate computer
A Manager / Container combination can be housed on the same computer
A second MDS Manager is recommended for disaster recovery
A stand-alone MDS Manager is available to be used for management purposes only, as an entry point to the system
If many CMAs will be supported by the system, or if load increases, more MDS Containers are needed
MDS licenses are per IP and based on the following factors:
MDS type
For Containers, the MDS license depends on the number of CMAs managed

64 License Details
CMA Licenses
CLM Licenses
Module Licenses
VSX bundle license
VSX bundle license for HA CMAs
License Violations

65 Replacing the Trial-Period License
After the trial expires, a permanent license must be installed
Before installing a new license, make sure the number of CMAs and Virtual Systems does not exceed the amount permitted by the new licenses
The MDS will not start if the limit is exceeded

66 Upgrading Licenses
A license upgrade can be performed if you have purchased any Enterprise Software Subscription services
A license upgrade can be performed automatically or manually

67 Minimum Hardware Requirements for Provider-1 MDS
Linux:
Intel Pentium IV or 2 GHz equivalent processor
2 GB free disk space
4 GB RAM
1 or more network adapter cards
CD-ROM drive
Solaris:
UltraSPARC III 900 MHz
SecurePlatform:
Intel Pentium IV or 2 GHz equivalent processor
10 GB free disk space (incl. operating system)
4 GB RAM
1 or more network adapter cards
CD-ROM drive (bootable)
Provider-1 disk space requirements:
800 MB for the MDS
100 MB for each CMA

68 Minimum Hardware Requirements for Provider-1 MDG and SmartConsole
Windows:
Intel Pentium IV or 2 GHz equivalent processor
500 MB free disk space
512 MB RAM
One network adapter card
CD-ROM drive
1024 x 768 video adapter card

69 Software Requirements
Windows: Provider-1 requires that service packs be applied to Windows 2000 and Windows 2003 systems, and supports Service Packs SP1, SP2, SP3, and SP4
Linux: Provider-1 R70 supports the RHEL 5.0 kernel only; prepare RHEL 5.0 for Provider-1 installation
Solaris: Requires software packages and patches

70 SecurePlatform Appliances
Certified hardware:

71 IP Allocation and Routing
Provider-1 uses a single IP address bound to its interface address to implement many virtual addresses
The MDS uses virtual IPs to provide CMAs, CMA-HAs, and CLMs
Each MDS Container has an interface with an IP address which is network reachable
Behind the interface's IP address, the CMAs have a range of virtual IP addresses, which must also be routable
When setting up routing tables, ensure you enable the following communication paths:
Customer's gateways to the Customer's CLM(s)
Customer's CMA to CLM(s)
Customer's CMA to CMA-HA
CMA and CMA-HA to Customer's gateway
Customer's gateways to the CMA and CMA-HA

72 Virtual IP Limitations and Multiple Interfaces on an MDS
Limitation of 250 virtual IPs per interface for Solaris-platform MDS Containers
It is possible to support a larger number of CMAs per Container by adding further interfaces
Scaling to the full license limit depends on hardware and operating system limitations
Large Rule Bases and objects at the global and CMA levels impact scalability
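A virtual IP planner for an MDS Container, covering the two slides above: every CMA, CMA-HA and CLM gets a routable address behind a Container interface, and once an interface holds the 250 virtual IPs quoted for Solaris the planner moves to the next interface or reports that one must be added. This is an added illustration and not Check Point tooling; the interface names, subnets, the reserved gateway address and the customer names are constructed sample data.

```python
"""Plan virtual IP addresses for CMAs, CMA-HAs and CLMs on an MDS Container.

Added illustration (not Check Point tooling). The 250-per-interface limit
is the Solaris figure given on the slide; everything else is sample data.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, Iterable, List, Set, Tuple

MAX_VIPS_PER_INTERFACE = 250   # Solaris-platform MDS Container limit (slide 72)


@dataclass
class Interface:
    """A Container interface with its own reachable address and the
    virtual IPs already assigned behind it."""
    name: str
    network: IPv4Network
    address: IPv4Address                   # the interface's own IP
    reserved: Set[IPv4Address] = field(default_factory=set)  # e.g. the router
    vips: Dict[str, IPv4Address] = field(default_factory=dict)

    def next_free(self) -> IPv4Address:
        """Lowest host address in the subnet not used by the interface,
        a reserved address, or an existing virtual IP."""
        taken = {self.address, *self.reserved, *self.vips.values()}
        for host in self.network.hosts():
            if host not in taken:
                return host
        raise RuntimeError(f"{self.name}: subnet {self.network} exhausted")


class MdsContainer:
    def __init__(self, interfaces: Iterable[Interface]) -> None:
        self.interfaces: List[Interface] = list(interfaces)

    def allocate(self, object_name: str) -> Tuple[str, IPv4Address]:
        """Assign a virtual IP on the first interface with spare capacity."""
        for iface in self.interfaces:
            if len(iface.vips) < MAX_VIPS_PER_INTERFACE:
                vip = iface.next_free()
                iface.vips[object_name] = vip
                return iface.name, vip
        raise RuntimeError(
            "every interface already carries %d virtual IPs; add an interface"
            % MAX_VIPS_PER_INTERFACE)


def customer_objects(customer: str, with_ha: bool, with_clm: bool) -> List[str]:
    """Names of the virtual-IP-bearing objects a customer needs (sample naming)."""
    names = [f"CMA_{customer}"]
    if with_ha:
        names.append(f"CMA_{customer}_HA")
    if with_clm:
        names.append(f"CLM_{customer}")
    return names


def plan(container: MdsContainer,
         customers: Iterable[Tuple[str, bool, bool]]) -> Dict[str, Tuple[str, IPv4Address]]:
    """Allocate virtual IPs for each (customer, has_ha, has_clm) triple."""
    assigned: Dict[str, Tuple[str, IPv4Address]] = {}
    for name, has_ha, has_clm in customers:
        for obj in customer_objects(name, has_ha, has_clm):
            assigned[obj] = container.allocate(obj)
    return assigned


def interfaces_needed(n_vips: int) -> int:
    """Minimum number of Solaris Container interfaces for n_vips virtual IPs."""
    return -(-n_vips // MAX_VIPS_PER_INTERFACE)   # ceiling division


if __name__ == "__main__":
    # Constructed classroom-style layout: one Container interface, router at .1
    eth0 = Interface("eth0", ip_network("10.1.1.0/24"), IPv4Address("10.1.1.10"),
                     reserved={IPv4Address("10.1.1.1")})
    mds1 = MdsContainer([eth0])
    for obj, (iface, vip) in plan(mds1, [("NOC", False, False),
                                         ("UK", True, True)]).items():
        print(f"{obj:12s} {iface} {vip}")
    print("interfaces for 500 CMAs:", interfaces_needed(500))
```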

73 File Structure
Key directories for the MDS: bin, scripts, lib, conf, system, customers
/opt vs. /var/opt
MDS Environment Variables
CMA Directory Structure
CPMI Database Scheme Files
CPMI Database Tables
Virtual NIC Data
Auto-generated files
Links to shared data
Data Files for Different Applications
CA Certificates
Licenses

74 MDS and CMA Command-Line Options
P1Shell
mdsconfig Utility
MDS Commands: mdsenv, mdsstart [-m], mdsstop [-m], mdscmd, mdsstat, cplic printlic, cplic putlic, fw mds ver, mcd
Customer Management Add-On Commands: mdsenv, fw ver, cplic printlic, cplic putlic

75 Lab 1: Installing and Configuring the Primary MDS Station
Scenario: You have just been hired to deploy Provider-1 at an MSP that wants to offer security services to its customers. You must now deploy a Primary MDS at your new company's NOC. In this lab, you will install the MDS as a Manager and Container. You will then configure the station to function as the Primary MDS in your NOC environment.
Topics covered in this lab:
Install SecurePlatform
Configure SecurePlatform
Install and Configure the Primary MDS
Installing the MDG
Install the R70 GUI client
Install the Multi-Domain GUI client

76 Review
The MDS consists of multiple CMAs installed on a single machine. Each CMA controls any number of Security Gateways at a single Customer site.
Provider-1 includes Primary and additional MDS components to support a growing Customer base. The Primary MDS is the core component of a Provider-1 system.
An additional MDS is required for any system with more than 500 Customers, and can manage up to 500 additional Customers.

77 Review Questions
Which Provider-1 R70 component does not require a license?
A. The MDS
B. The MDG
C. The CMA
D. The MLM
E. All Provider-1 components require a license
Answer is B

78 Review Questions
How long is the initial Provider-1 R70 evaluation-license period?
A. 10 days
B. 15 days
C. 30 days
D. 60 days
E. 90 days
Answer is B

79 Overview of the Multi-Domain GUI
Chapter 3 Overview of the Multi-Domain GUI

80 Key Points
List the minimum system requirements for installing the MDG
Demonstrate how to install the MDG on a Windows platform
Demonstrate how to log in to the MDG
Describe what is available to a Provider-1 Administrator from the following views: General, Global Policies, Administrators, GUI Clients, SmartUpdate, High Availability, Connected Administrators

81 Key Terms
Selection Bar
Customer Contents Mode
MDS Contents Mode
Network Objects Mode
Security Policies Mode
VPN Communities Mode

82 Installing GUI Clients
MDG and SmartConsole clients should be installed together
The MDS installation includes two GUI client packages: Check Point R70 SmartConsole and Provider-1 Multi-Domain GUI
Once you have set up the initial MDS Manager, you can use the MDG to manage the Provider-1 system
The MDG computer must be a trusted GUI client and you must be an Administrator

83 Multi-Domain GUI Functionality
The MDG allows Provider-1 Administrators to manage multiple Customer Security Policies
Manage the function of the MDS Manager machine
Provider-1 Administrators can create and configure from the MDG: Customers, CMAs, Secondary CMAs, CLMs, Administrators, GUI clients

84 Navigating the MDG

85 Selection Bar
Available Views:
General
Global Policies
Administrators
GUI Clients
SmartUpdate
High Availability
Connected Administrators
Manager permissions only have these view options

86 Provider-1 Administrative Modes
Switch modes to view either Customer or MDS data
MDS Contents Mode and Customer Contents Mode are available in the following views: General, High Availability

87 Provider-1 Properties
Define common system-wide parameters
Tabs used to configure: Custom Commands, Global Names Format, Customer Fields, Module Fields, Global Policies

88 Object Menu – Custom Command Options Displayed

89 Provider-1 Properties Screen
Global Names Format Tab
Module Fields Tab
Customer Fields Tab
Global Policies Tab

90 General View
Where the administrator works directly with the Customer data for all Customers in that Provider-1 environment
Customer Contents Mode
MDS Contents Mode
Network Objects Mode
General Toolbar Buttons

91 Customer Contents Mode

92 MDS Contents Mode

93 Network Objects Mode

94 Network Objects Mode Information
Name
IP Address
Customer
Multi Domain Server
Cluster Status
Policy
Module
Local Installation
Global Name
Critical Notifications

95 System Status Icons
Object: Description
All: Indicates that the first status from the object has not yet been received; the status report should be received within 30 seconds
All: A status has been received but the system does not recognize it
MDS: The MDS has started
MDS: The MDS has stopped
MDS: The MDS has been disconnected from the system
CMA/CLM: The CMA or CLM has started
CMA/CLM: The CMA or CLM has stopped
Security Gateway: An application is installed on this module and it is no longer responding to status updates from the Security Management Server
Security Gateway: At least one of the applications installed on this module is not running properly
Security Gateway: There is either no application installed on this module or the application is installed, but cannot be reached

96 General Toolbar Buttons
Menu: Description
View > Customer Contents Mode: Displays the Customer Contents mode of the General view
View > MDS Contents Mode: Displays the MDS Contents mode of the General view
View > Network Objects Mode: Displays the Network Objects mode of the General view
View > Expand All: Expands all collapsed items displayed in the pane
View > Collapse All: Collapses all expanded items displayed in the pane
View > Default Column Width: Restores the default width of the pane's columns
Manage > New Multi Domain Server: Launches the Add Multi-Domain Server Wizard (only available in the MDS Contents mode)
Manage > New Customer: Launches the Add Customer Wizard (only available in the Customer Contents mode)
Manage > Add Customer Management Add-on: Launches the Add Customer Management Add-on to Customer wizard
Manage > Configure: Allows Administrators to edit the selected object
Manage > Delete: Deletes the selected object

97 General Toolbar Buttons
Menu: Description
Manage > Start Customer Management Add-on: Starts the selected CMA
Manage > Stop Customer Management Add-on: Stops the selected CMA
View > Clear All Filters: Removes all filters to display all information available on all objects
View > Filter Details: Displays the Filter Details window, to see which filters the system is currently applying to the List pane
View > Show/Hide Commands: Launches the Show/Hide Commands window, used to specify which of the List pane's columns are displayed
Manage > Export to File: Launches the Export to File window, used to send the List pane's data to an external file
Manage > Find: Launches the Find function to allow the Administrator to search for items configured in Provider-1
Manage > Provider-1 Properties: Opens the Provider-1 Properties screen to allow for GUI customization

98 Security Policies Mode
Displays each available Global Policy

99 VPN Communities Mode
Displays each available Global VPN Community
Includes two panes: VPN Communities tree, Troubleshooting list
General Toolbar Buttons
Global Policies Toolbar
VPN Communities Toolbar

100 Administrators View Allows you to configure and manage Administrators for the MDS and Customers.

101 Types of Administrators in Provider-1
Type: Description
None: Has no Provider-1 permissions and cannot access the MDG; this type of Administrator can only connect to specified CMAs or CLMs with R70 permissions using the Check Point SmartConsoles
Customer Manager: Can access the General, Global Policies, System Status and High Availability views of the MDG, in addition to specified Customer Policies
Customer Superuser: Accesses all views and all Customers, but cannot add or delete Multi-Domain Servers, add or edit Provider-1 Administrators, or edit GUI clients
Provider-1 Superuser: Has the highest level of permissions; this type of Administrator can access all views and perform all actions

102 Administrators Toolbar Buttons
Menu: Description
View > Customers per Administrator / View > Administrators per Customer: Toggles between the Customers per Administrator view and the Administrators per Customer view
View > Expand All: Expands all collapsed items displayed in the pane
View > Collapse All: Collapses all expanded items displayed in the pane
View > Default Column Width: Restores the default width of the pane's columns
Manage > New Administrator: Adds a new Administrator
Manage > Edit Administrator: Edits the selected Administrator
Manage > Delete Administrator: Deletes the selected Administrator
Manage > Assign: Opens the Assign Customers to Administrator window or the Add Administrator to Customer window, depending on the current view settings
Manage > Remove: Removes either the selected Customer from an Administrator or the selected Administrator from a Customer, depending on the current view settings
Manage > Find: Launches the Find function to allow the Administrator to search for items configured in Provider-1
Manage > Provider-1 Properties: Opens the Provider-1 Properties screen to allow for GUI customization

103 GUI Clients View Allows you to assign GUI clients for each Customer loaded on the MDS

104 GUI Clients Toolbar Icons
Menu: Description
View > Customers per GUI Client / View > GUI Clients per Customer: Toggles between the Customers per GUI Client view and the GUI Clients per Customer view
View > Expand All: Expands all collapsed items displayed in the pane
View > Collapse All: Collapses all expanded items displayed in the pane
View > Default Column Width: Restores the default width of the pane's columns
Manage > New GUI Client: Adds a new GUI Client
Manage > Edit GUI Client: Edits the selected GUI Client
Manage > Delete Administrator: Deletes the selected GUI Client
Manage > Assign: Opens the Assign GUI Client to Customer window or the Assign Customer to GUI Client window, depending on the current view settings
Manage > Remove: Removes either the selected Customer from a GUI Client or the selected GUI Client from a Customer, depending on the current view settings
Manage > Find: Launches the Find function to allow the Administrator to search for items configured in Provider-1
Manage > Provider-1 Properties: Opens the Provider-1 Properties screen to allow for GUI customization

105 SmartUpdate View Centrally manage package installations

106 SmartUpdate Toolbar Icons
Menu: Description
View > Expand All: Expands all collapsed items displayed in the pane
View > Collapse All: Collapses all expanded items displayed in the pane
SmartUpdate > Products > Upgrade all Products: Upgrades all products on the selected remote Check Point node
SmartUpdate > Products > Install: Installs specified products on the selected remote Check Point node
SmartUpdate > Products > Uninstall: Uninstalls specified products on the selected remote Check Point node
SmartUpdate > Products > Verify Installation: Verifies that a product can be installed on a Check Point node
SmartUpdate > Products > New Products > Add From Download Center: Adds products to the Product Repository from the Check Point Download Center
SmartUpdate > Products > New Products > Add From CD: Adds products to the Product Repository from a CD
SmartUpdate > Products > New Products > Import File: Adds products to the Product Repository by importing a file
SmartUpdate > Products > Get Check Point Node Data: Updates the Product Repository
SmartUpdate > Products > Reboot Check Point Node: Reboots the selected Check Point node

107 SmartUpdate Toolbar Icons
Menu: Description
SmartUpdate > Licenses > Attach: Installs the license for the selected Check Point node, and associates the license with the node's IP address in the License Repository
SmartUpdate > Licenses > Detach: Uninstalls the license from the selected Check Point node, and makes the license available to any Check Point node
SmartUpdate > Licenses > New License > Add From Download Center: Adds a new license to the License Repository directly from the Check Point User Center
SmartUpdate > Licenses > New License > Add Manually: Adds a new license to the License Repository by manually entering license information or pasting information into the appropriate fields
SmartUpdate > Licenses > New License > Import From File: Adds a new license to the License Repository by importing a license file
SmartUpdate > Products > View Repository: Displays the Product Repository window containing all products in the repository that are available for installation on remote Check Point nodes
SmartUpdate > Licenses > View Repository: Displays the License Repository window containing all attached and unattached licenses
SmartUpdate > Status > View Operation Status: Displays the Operation Status pane, allowing Administrators to track current and past SmartUpdate operations
SmartUpdate > Tools > Find: Launches the Find function to allow the Administrator to search for items configured in Provider-1
Manage > Provider-1 Properties: Opens the Provider-1 Properties screen to allow for GUI customization

108 High Availability View
Used by Administrators to manage CMAs and MDSs that are configured for High Availability
Change the status of the Primary CMA to Secondary, and also verify whether synchronization is active

109 Customer Contents Mode
Allows Administrators to view the High Availability status of all CMAs configured in Provider-1

110 MDS Contents Mode
Allows Administrators to view the High Availability status of all MDSs, MLMs, and CMAs configured in Provider-1

111 High Availability Toolbar Icons
Menu: Description
View > Customer Contents
View > MDS Contents
View > Expand All: Expands all collapsed items displayed in the pane
View > Collapse All: Collapses all expanded items displayed in the pane
Set Default Column Width: Sets all columns in the view to the default column width
Select and Synchronize: Opens the MDS Selection and Synchronization box
Change Over: Changes the status of the Active MDS to Standby
Find: Finds the specified text within a specific view
Provider-1/SiteManager-1 Properties: Opens the Provider-1/SiteManager-1 Properties screen

112 Connected Administrators View
Gives Administrators a central location to view the status of all currently connected Administrators
The Connected Administrators view is the only MDG view that allows Administrators to disconnect other users currently logged into the MDS database

113 Connected Administrators Toolbar Buttons
Menu: Description
View > Default Column Width: Restores the default width of the pane's columns
Manage > Find: Launches the Find function to allow the Administrator to search for items configured in Provider-1
Manage > Provider-1 Properties: Opens the Provider-1 Properties screen to allow for GUI customization

114 Lab 2: Securing the NOC
Scenario: With the MDG and MDS installed, you must now protect your Network Operations Center. Begin by configuring the Customer Management Add-On that manages the Security Policies installed on the remote Security Gateway protecting your Network Operations Center. Once the NOC CMA is configured, establish communications with the Security Gateway and install a Security Policy. After the Security Gateway has been configured, create new Administrators for your configuration and assign them privileges based on their functions and security clearances.
Topics:
Create a virtual IP addressing scheme
Use the MDG to log in to the MDS
Adding the NOC Firewall CMA
Configure the NOC Customer Management Add-On
Establishing communication with the NOC Security Gateway
Configuring the CMA's Security Policy
Creating Administrators
Assigning privileges to Administrators
Verifying Administrator privileges
Setting up a NOC Firewall for Control Connections
Rule Base configuration

115 Lab 3: Adding the UK_Corp City Site to Provider-1 R70
Scenario: Now that you have installed the MDG and MDS, you can begin to configure the Customer Management Add-Ons that will manage the Security Policies installed on your customers' remote Security Gateways.
Topics:
Log in to the MDS
Add the UK_Corp Customer
Configure the Customer Management Add-On
Establishing communication with the UK_Corp Security Gateway
Installing and configuring a Security Gateway for distributed management
Configure CMA management objects
Establish SIC between the UK_Corp CMA and remote Gateway
Configure Gateway properties
Backing up the UK_Corp CMA

116 Lab 4: Creation and Migration of Existing Japan_Corp Site
Scenario: You are integrating a customer's pre-existing Security Management Server and Security Gateway into a CMA in your Provider-1 environment.
Topics:
Determine the virtual IP addressing scheme
Create the Japan_Corp Customer and CMA
Adding the Japan_Corp Customer and CMA
Import Japan_Corp Security Management Server files into the Japan_Corp CMA
Reconfigure the system-created CMA object
Reconfigure the imported Rule Base
Backing up the Japan_Corp CMA

117 Review
The MDG allows the Provider-1 Administrator to launch the Check Point Management GUI Clients, such as SmartDashboard, SmartView Tracker, SmartView Status, and SmartView Monitor.
The MDG installation consists of the following two clients, which are needed to successfully manage accounts using Provider-1: the Check Point SmartConsole package and the MDG package.
The MDG enables remote management of multiple Customers from a central interface. A CMA manages the Security Policy of a single Customer.
A Provider-1 Administrator can directly launch the following to manage a specific CMA: SmartDashboard, SmartView Tracker, SmartView Status, SmartView Monitor, SecureUpdate, Large Scale Manager

118 Review Questions
Which type of Administrator can access all views and Customers, but cannot add or delete Multi-Domain Servers?
A. None
B. Customer Manager
C. Customer Superuser
D. Provider Superuser
E. SiteManager Superuser
Answer is C

119 Review Questions
When adding a CMA, which IP address is used to represent the CMA on the MDS?
A. Virtual IP address
B. Internal IP address
C. External IP address
D. NAT IP address
E. First IP address
Answer is A

120 Provider-1 R70 Logging Features
Chapter 4 Provider-1 R70 Logging Features

121 Chapter 4 Provider-1 Logging Features
Key Points
Define a Customer Log Module.
Describe the steps needed to configure a CLM in a Provider-1 environment.
Describe the steps needed to install and configure an MDS MLM in a Provider-1 environment.
Key Terms
Customer Log Module (CLM)
Multi-Domain Log Module (MLM)

122 Log Management By default, Security Gateway logs are sent to the CMA.
Log management can be performed by the following modules:
CLM
MDS MLM

123 Customer Log Module

124 Multi-Domain Log Module System
MDS MLM is installed at the NOC to collect logs for each managed CMA.
CLMs loaded on the MLM separate logs from each managed CMA.

125 MLM Deployment

126 Using Eventia Reporter
Eventia can produce both log-based reports and Express reports for modules managed by Provider-1 CMAs.
Audit traffic and generate detailed or summarized reports.
Reporting Server Processes

127 Lab 5: MDS MLM Installation and Configuration
Scenario: After the success of offering security services to various clients, you decide to offer a log-analysis service to your premium customers. This new service will allow your customers to view a log repository that collects logs for their protected sites.
Topics:
Installing and configuring an MDS to function as an MLM

128 Review
Provider-1 R70 enables real-time event tracking and management for an expanding Customer base. A centralized logging system provides detailed information on network activity for all Customer sites.
Log management in Provider-1 can be performed by the following modules:
Customer Log Module (CLM)
Multi-Domain Log Module (MLM)

129 Review Questions
How many CLMs can each MDS MLM manage?
A. 100
B. 250
C. 500
D. Unlimited
Answer is B

130 Review Questions
How many CMA-managed Security Gateways can be configured to log to the CLMs loaded on the MLM?
A. 100
B. 250
C. 500
D. Unlimited
Answer is D

131 Assigning Global Policies
Chapter 5 Assigning Global Policies

132 Chapter 5 Assigning Global Policies
Key Points
Identify the differences between CMA Security Policies and Global Policies.
Describe the steps for implementing a Global Policy.
Describe how to create a Global Service.
Describe how to create a Global VPN.
Key Terms
Global Policy
Global Rules
Global Objects
Global Policy Database
Global VPN

133 Global Policy
Defines Security Policy rules applied to all Customers to which the Global Policy is assigned.
Administrators can define multiple Global Policies and assign and install them on selected Customer CMAs.

134 Global Policy Rules
In the Global SmartDashboard, the Customer’s rules are represented by a placeholder.
Global Rules are positioned either before or after existing rules in a Customer Rule Base.

135 Customer Rule Base—Global Rules Applied

136 Global Objects

137 Global Services

138 Global Policy Database
Contains the defined Global Objects, services, and rules of the Global SmartDashboard.
The database must be synchronized if more than one MDS Manager exists in the NOC configuration.

139 Customer History

140 Global IPS
Check Point’s IPS-1 protections can be centrally managed with Provider-1.
Configure Global IPS in the Global SmartDashboard.

141 Configuring IPS in Global SmartDashboard

142 Subscribing a Customer to the Global IPS Service

143 Modifying IPS from the SmartDashboard of a CMA
IPS can be modified on the CMA by:
Directly changing a setting on the IPS or Web IPS tabs
Performing an Online Update
Activating one of the settings in Central Configuration
Ramifications of Modifying IPS on the CMA

144 Global VPNs Use this function to quickly configure VPNs between different Customers managed by the same MDS

145 Configuring a Global VPN
At least two Customers configured on the MDS must have CMAs that include Security Gateways configured for VPN functionality.
To configure a gateway in a VPN Community, the gateway must have Check Point Security Gateway installed and selected in the Check Point products section of the Gateway object’s General Properties screen.
To configure a cross-Customer VPN, the following CMA information must be imported into the Global Policy:
Gateway Objects
VPN Domain Objects that include gateway objects
Certificate Authority Objects and Certificates

146 Global VPN Communities
Can only be configured as site-to-site communities.
A remote-access VPN cannot be implemented as a Global VPN.
All gateways participating in a Global VPN Community must share the same VPN configuration.

147 Lab 6: Creating and Assigning a Global Policy
Scenario: You have decided to reduce the number of customer-specific rules in each CMA’s Security Policy.
Topics:
Navigating the Global SmartDashboard
Creating Global Objects and Rules

148 Review
A Global Policy defines Security Policy rules applied to all Customers to which a Global Policy is assigned.
The Global SmartDashboard allows the Provider-1 Administrator to edit a Global Policy.
A Global Policy consists of rules positioned before or after the rules of the CMAs to which the Global Policy is assigned.
Global VPNs can be created to include any Security Gateway with Check Point Security Gateway installed that is managed by a CMA included in the assigned Global Policy.

149 Review Questions
To assign a Global IPS Policy to a Customer that preserves the Customer Administrator’s previous changes, but updates any other fields with the latest global settings, which mode would you use?
A. Assign
B. Override
C. Merge
D. Update
Answer is C, Merge.

150 Advanced MDS Functions
Chapter 6 Advanced MDS Functions

151 Chapter 6 Advanced MDS Functions
Key Points
Describe the steps needed to migrate an existing Security Management Server into the Provider-1 environment.
Describe the steps needed to install and configure an additional MDS for High Availability functions.
Describe the steps needed to synchronize multiple MDS machines.
Describe the steps needed to back up and restore an MDS.
Key Terms
mds_backup
mds_restore

152 Migrating Existing Security Management Servers into Provider-1
All CMAs loaded on an MDS are Security Management Servers. It is possible to migrate an existing Security Management Server into a Provider-1 configuration.

153 MDS High Availability Features
Configure multilevel database synchronization for maximum resource stability.
HA is available for the following Provider-1 components:
Security Gateways
Customer Management Add-Ons
Multi-Domain Servers
Multi-Domain GUIs

154 Methodology of MDS Synchronization
All MDS data is stored in three separate databases. Only MDS Managers can synchronize databases between Multi-Domain Servers.
The following databases are synchronized in an MDS HA environment:
MDS Database
Global Properties Database
Internal Certificate Authority Database

155 MDS Synchronization If more than one MDS is present in the Provider-1 configuration, the Administrator will synchronize the MDS with all others as part of the installation process. If defined in the MDG, the status of an unsynchronized MDS will be Never Synced. Once the initial installation and configuration is complete, the MDS will establish SIC with other Multi-Domain Servers and synchronize the appropriate databases. Once this initial synchronization has occurred, the MDS status will change from Never Synced to Synchronized.

156 CMA High Availability
A single CMA can now have at least one backup CMA.
CMAs regularly synchronize their databases.
One CMA is Active while the others are Standby.
Each CMA must be on a different Container.

157 Security Management Server Backup of a CMA

158 MDS Clock Synchronization
For the proper execution of MDS HA, all synchronized MDS machines must have the same time setting. HA between MDS machines requires synchronization of clocks to the second. Use a time/date utility or a time server to help automate this task.

159 Backing Up a CMA To back up a CMA, an Administrator has two options: either configure and back up specific CMAs, or mirror an entire MDS, creating an identical file structure for each CMA loaded on the Primary MDS to the Secondary or backup MDS.

160 MDS Archiving Utilities
Back up the entire MDS, including all CMA data. If multiple Multi-Domain Servers are present, all MDS backups can take place concurrently.
Using the archiving utility, an Administrator can perform the following tasks:
Back up MDS data into a single zip file
Restore all MDS data

161 Archiving Scripts
The archiving utility, located in the $MDSDIR/scripts and $MDSDIR/conf directories, is made up of the sets of scripts and binaries listed below:
$MDSDIR/scripts directory scripts:
mds_backup
mds_restore
$MDSDIR/conf text file:
mds_exclude

162 Restoring the MDS mds_restore
The mds_restore command must be used with the name of a backed-up file created with the mds_backup command:
mds_restore 19Oct mdsbk.tgz

163 Lab 7: Configuring MDS High Availability
Scenario: Now that you have a substantial client base, you decide to implement MDS High Availability as part of your contingency plans, for greater NOC security.
Topics:
Install SecurePlatform
Install and Configure the Secondary MDS
Mirroring an Existing MDS
Complete CMA Mirroring Process

164 Review
Multiple MDS machines can be configured to enable Check Point High Availability functions. Through the synchronization of resources, the MDS can eliminate reliance on one MDS at one location.

165 Review Questions
Which of these directories is not copied to the MDS, to migrate an existing NGX SmartCenter Server into the Provider-1 environment?
A. $CPDir\conf
B. $CPDir\database
C. $FWDir\conf
D. $FWDir\database

166 Review Questions
How often should you synchronize the clocks of multiple MDS machines, down to the second?
A. Daily
B. Weekly
C. Monthly
D. They sync automatically
