Multi-Domain Security
Management
R75.20
Administration Guide
13 July 2011
© 2011 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=12273
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Revision History
Date Description
13 July 2011 First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:[email protected]?subject=Feedback on Multi-Domain Security Management
R75.20 Administration Guide).
Contents
Important Information .............................................................................................3
Multi-Domain Security Management Overview .....................................................9
Glossary .............................................................................................................. 9
Key Features ......................................................................................................11
Basic Architecture ..............................................................................................11
The Multi-Domain Server ....................................................................................13
Domain Management Servers ............................................................................14
Log Servers ........................................................................................................15
Multi-Domain Log Server ...............................................................................16
Domain Log Server ........................................................................................16
High Availability ..................................................................................................16
Security Policies .................................................................................................17
Global Policies ...............................................................................................17
The Management Model .....................................................................................17
Introduction to the Management Model ..........................................................17
Management Tools ........................................................................................18
Deployment Planning ...........................................................................................20
Multi-Domain Security Management Components Installed at the NOC .............20
Using Multiple Multi-Domain Servers ..................................................................20
High Availability .............................................................................................20
Multi-Domain Server Synchronization ............................................................21
Clock Synchronization ...................................................................................21
Protecting Multi-Domain Security Management Networks ..................................21
Logging & Tracking.............................................................................................21
Routing Issues in a Distributed Environment ......................................................21
Platform & Performance Issues ..........................................................................22
Enabling OPSEC ................................................................................................22
IP Allocation & Routing .......................................................................................22
Virtual IP Limitations and Multiple Interfaces on a Multi-Domain Server .........22
Multiple Interfaces on a Multi-Domain Server .................................................22
Provisioning Multi-Domain Security Management .............................................24
Provisioning Process Overview ..........................................................................24
Setting Up Your Network Topology.....................................................................24
The Multi-Domain Security Management Trust Model ........................................25
Introduction to the Trust Model ......................................................................25
Secure Internal Communication (SIC) ............................................................25
Trust Between a Domain Management Server and its Domain Network ........25
Trust Between a Domain Log Server and its Domain Network .......................25
Multi-Domain Server Communication with Domain Management Servers......26
Trust Between Multi-Domain Server to Multi-Domain Server .........................26
Using External Authentication Servers ...........................................................26
Re-authenticating when using SmartConsole Clients .....................................27
CPMI Protocol................................................................................................28
Creating a Primary Multi-Domain Server ............................................................28
Multiple Multi-Domain Server Deployments ........................................................28
Synchronizing Clocks.....................................................................................28
Adding a Secondary Multi-Domain Server or a Multi-Domain Log Server ......28
Changing an Existing Multi-Domain Server ....................................................30
Deleting a Multi-Domain Server .....................................................................31
Using SmartDomain Manager ............................................................................31
Launching the SmartDomain Manager ...........................................................31
Protecting the Multi-Domain Security Management Environment .......................32
Standalone Gateway/Security Management ..................................................32
Domain Management Server and SmartDomain Manager .............................32
Security Gateways Protecting a Multi-Domain Server ....................................33
Making Connections Between Different Components of the System ..............34
Licensing ............................................................................................................35
Licensing Overview ........................................................................................35
The Trial Period .............................................................................................35
License Types................................................................................................35
Managing Licenses ........................................................................................36
Administrators Management ................................................................................38
Creating or Changing an Administrator Account .................................................39
Administrator - General Properties .................................................................39
Configuring Authentication .............................................................................41
Configuring Certificates..................................................................................41
Entering Administrator Properties ..................................................................42
Deleting an Administrator ...................................................................................42
Defining Administrator Properties .......................................................................42
Defining Administrator Groups ............................................................................42
Creating a New Group ...................................................................................43
Changing or Deleting a Group .......................................................................43
Managing Administrator Account Expiration .......................................................44
Working with Expiration Warnings..................................................................45
Configuring Default Expiration Settings ..........................................................46
Working with Permission Profiles........................................................................47
Permission Profiles and Domains ..................................................................48
Configuring Permissions ................................................................................48
Managing Permission Profiles ........................................................................51
Showing Connected Administrators ....................................................................52
Global Policy Management ..................................................................................54
Security Policies .................................................................................................54
The Need for Global Policies .........................................................................54
The Global Policy as a Template ...................................................................55
Global Policies and the Global Rule Base ......................................................55
Global SmartDashboard .....................................................................................56
Introduction to Global SmartDashboard .........................................................56
Global Services..............................................................................................56
Dynamic Objects and Dynamic Global Objects ..............................................57
Applying Global Rules to Gateways by Function ............................................57
Synchronizing the Global Policy Database.....................................................58
Creating a Global Policy through Global SmartDashboard .................................58
Global IPS ..........................................................................................................59
Introduction to Global IPS ..............................................................................59
IPS in Global SmartDashboard ......................................................................60
IPS Profiles ....................................................................................................60
Subscribing Domains to IPS Service ..............................................................61
Managing IPS from a Domain Management Server .......................................62
Managing Global IPS Sensors .......................................................................63
Assigning Global Policy ......................................................................................63
Assigning the First Global Policy ....................................................................63
Assigning Global Policies to VPN Communities .............................................63
Re-assigning Global Policies .........................................................................64
Viewing the Status of Global Policy Assignments ..........................................67
Global Policy History File ...............................................................................68
Configuration ......................................................................................................68
Assigning or Installing a Global Policy ...........................................................68
Reassigning/Installing a Global Policy on Domains ........................................69
Reinstalling a Domain Policy on Domain Gateways .......................................69
Remove a Global Policy from Multiple Domains.............................................70
Remove a Global Policy from a Single Domain ..............................................70
Viewing the Domain Global Policy History File ...............................................70
Setting Policy Management Options ..............................................................70
Global Names Format ....................................................................................71
Domain Management ............................................................................................72
Defining a New Domain ......................................................................................72
Running the Wizard .......................................................................................72
Configuring General Properties ......................................................................74
Domain Properties .........................................................................................74
Assigning a Global Policy ..............................................................................74
Assigning Administrators ...............................................................................75
Assign GUI Clients .........................................................................................77
Version and Blade Updates ...........................................................................77
Defining your First Domain Management Servers ..........................................78
Configuring Domain Management Servers ....................................................79
Configuring Existing Domains .............................................................................80
Defining General Properties ...........................................................................80
Defining Domain Properties ...........................................................................80
Assign Global Policy Tab ...............................................................................80
Assigning Administrators ...............................................................................81
Defining GUI Clients ......................................................................................83
Version & Blade Updates ...............................................................................84
Configuring Domain Selection Groups ................................................................85
VPN in Multi-Domain Security Management .......................................................86
Overview ............................................................................................................86
Authentication Between Gateways.................................................................86
VPN Connectivity ...............................................................................................86
Global VPN Communities ...................................................................................87
Gateway Global Names .................................................................................87
VPN Domains in Global VPN .........................................................................88
Access Control at the Network Boundary .......................................................88
Joining a Gateway to a Global VPN Community ............................................89
Configuring Global VPN Communities ................................................................90
Enabling a Domain Gateway to Join a Global VPN Community .....................90
High Availability ....................................................................................................92
Overview ............................................................................................................92
Multi-Domain Server High Availability .................................................................92
Multiple Multi-Domain Server Deployments ...................................................92
Multi-Domain Server Status ...........................................................................93
Multi-Domain Server Clock Synchronization ..................................................94
The Multi-Domain Server Databases .............................................................94
How Synchronization Works ..........................................................................95
Configuring Synchronization ..........................................................................97
Domain Management Server High Availability ....................................................98
Active Versus Standby ...................................................................................99
Adding a Secondary Domain Management Server ........................................99
Domain Management Server Backup Using a Security Management Server .99
Configuration ....................................................................................................102
Adding another Multi-Domain Server ...........................................................102
Creating a Mirror of an Existing Multi-Domain Server...................................102
First Multi-Domain Server Synchronization ..................................................103
Restarting Multi-Domain Server Synchronization .........................................103
Selecting a Different Multi-Domain Server to be the Active Multi-Domain Server .. 103
Automatic Synchronization for Global Policies Databases ...........................103
Add a Secondary Domain Management Server ...........................................104
Mirroring Domain Management Servers with mdscmd .................................104
Automatic Domain Management Server Synchronization ............................104
Synchronize ClusterXL Gateways ................................................................104
Failure Recovery ..............................................................................................105
Recovery with a Functioning Multi-Domain Server .......................................105
Recovery from Failure of the Only Multi-Domain Server ..............................106
Logging in Multi-Domain Security Management............................................... 108
Logging Domain Activity ...................................................................................108
Exporting Logs .................................................................................................109
Log Export to Text .......................................................................................109
Manual Log Export to Oracle Database .......................................................110
Automatic Log Export to Oracle Database ...................................................110
Log Forwarding ............................................................................................110
Cross Domain Logging ................................................................................110
Logging Configuration ......................................................................................111
Setting Up Logging ......................................................................................111
Working with Domain Log Servers ...............................................................111
Setting up Domain Gateway to Send Logs to the Domain Log Server .........112
Synchronizing the Domain Log Server Database with the Domain Management Server Database ..... 112
Configuring a Multi-Domain Server to Enable Log Export ............................112
Configuring Log Export Profiles ...................................................................112
Choosing Log Export Fields .........................................................................113
Log Export Troubleshooting .........................................................................113
Using SmartReporter ...................................................................................114
Monitoring ........................................................................................................... 115
Overview ..........................................................................................................115
Monitoring Components in the Multi-Domain Security Management System ....116
Exporting the List Pane's Information to an External File .............................116
Working with the List Pane...........................................................................116
Verifying Component Status .............................................................................117
Viewing Status Details .................................................................................118
Locating Components with Problems ...........................................................119
Monitoring Issues for Different Components and Features ...............................119
Multi-Domain Server ....................................................................................120
Global Policies .............................................................................................120
Domain Policies ...........................................................................................121
Gateway Policies .........................................................................................121
High Availability ...........................................................................................121
Global VPN Communities ............................................................................122
GUI Clients ..................................................................................................123
Using SmartConsole.........................................................................................123
Log Tracking ................................................................................................123
Tracking Logs using SmartView Tracker ......................................................123
Real-Time Network Monitoring with SmartView Monitor ...............................124
SmartReporter Reports ................................................................................126
Architecture and Processes ............................................................................... 127
Packages in Multi-Domain Server Installation ...................................................127
Multi-Domain Server File System .....................................................................128
Multi-Domain Server Directories on /opt and /var File Systems ....................128
Structure of Domain Management Server Directory Trees ...........................128
Check Point Registry ...................................................................................129
Automatic Start of Multi-Domain Server Processes, Files in /etc/rc3.d, /etc/init.d .. 129
Processes ........................................................................................................129
Environment Variables .................................................................................129
Multi-Domain Server Level Processes .........................................................130
Domain Management Server Level Processes ............................................130
Multi-Domain Server Configuration Databases .................................................131
Global Policy Database................................................................................131
Multi-Domain Server Database ....................................................................131
Domain Management Server Database .......................................................132
Connectivity Between Different Processes .......................................................132
Multi-Domain Server Connection to Domain Management Servers..............132
Status Collection ..........................................................................................132
Collection of Changes in Objects .................................................................133
Connection Between Multi-Domain Servers .................................................133
Large Scale Management Processes ..........................................................133
UTM-1 Edge Processes ...............................................................................133
Reporting Server Processes ........................................................................133
Issues Relating to Different Platforms ...............................................................134
High Availability Scenarios ...........................................................................134
Migration Between Platforms .......................................................................134
Commands and Utilities ..................................................................................... 135
Cross-Domain Management Server Search .....................................................135
Overview......................................................................................................135
Searching ....................................................................................................135
Copying Search Results ..............................................................................136
Performing a Search in CLI ..........................................................................136
P1Shell .............................................................................................................137
Overview......................................................................................................137
Starting P1Shell ...........................................................................................137
File Constraints for P1Shell Commands.......................................................138
Multi-Domain Security Management Shell Commands ................................138
Audit Logging ...............................................................................................141
Command Line Reference ................................................................................141
cma_migrate ................................................................................................141
CPperfmon - Solaris only .............................................................................142
cpmiquerybin ...............................................................................................147
dbedit ...........................................................................................................147
mcd bin | scripts | conf .................................................................................149
mds_backup ................................................................................................149
mds_restore .................................................................................................150
mds_user_expdate ......................................................................................150
mdscmd .......................................................................................................150
mdsenv ........................................................................................................159
mdsquerydb .................................................................................................160
mdsstart .......................................................................................................160
mdsstat ........................................................................................................161
mdsstop .......................................................................................................161
merge_plug-in_tables ..................................................................................161
migrate_global_policies ...............................................................................162
Index .................................................................................................................... 163
Chapter 1
Multi-Domain Security Management
Overview
Multi-Domain Security Management is a centralized management solution for large-scale, distributed
environments with many different network Domains. This best-of-breed solution is ideal for enterprises with
many subsidiaries, branches, partners and networks. Multi-Domain Security Management is also an ideal
solution for managed service providers, cloud computing providers, and data centers.
Centralized management gives administrators the flexibility to manage policies for many diverse entities.
Security policies can be tailored to the requirements of different departments, business units, branches
and partners, while remaining balanced with enterprise-wide requirements.
In This Chapter
Glossary 9
Key Features 11
Basic Architecture 11
The Multi-Domain Server 13
Domain Management Servers 14
Log Servers 15
High Availability 16
Security Policies 17
The Management Model 17
Glossary
This glossary includes product-specific terms used in this guide.
Administrator: Security administrator with permissions to manage the Multi-Domain Security Management deployment.
Global Policy: Policies that are assigned to all Domains, or to specified groups of Domains.
Global Objects: Network objects used in global policy rules. Examples of global objects include hosts, global Domain Management Servers, and global VPN communities.
Internal Certificate Authority (ICA): Check Point component that authenticates administrators and users. The ICA also manages certificates for Secure Internal Communication (SIC) between Security Gateways and Multi-Domain Security Management components.
Multi-Domain Security Management: Check Point centralized management solution for large-scale, distributed environments with many different network Domains.
Domain: A network or group of networks belonging to a specified entity, such as a company, business unit or organization.
Multi-Domain Server: Multi-Domain Security Management server that contains all system information as well as the security policy databases for individual Domains.
Domain Management Server: Virtual Security Management Server that manages Security Gateways for one Domain.
Multi-Domain Log Server: Physical log server that hosts the log database for all Domains.
Domain Log Server: Virtual log server for a specified Domain.
Primary Multi-Domain Server: The first Multi-Domain Server that you define and log into in a High Availability deployment.
Permissions Profile: Predefined group of SmartConsole access permissions that you assign to Domains and administrators. This lets you manage complex permissions for many administrators with one definition.
Secondary Multi-Domain Server: Any subsequent Multi-Domain Server that you define in a High Availability deployment.
Active Multi-Domain Server: The only Multi-Domain Server in a High Availability deployment from which you can add, change or delete global objects and global policies. By default, this is the primary Multi-Domain Server. You can change the active Multi-Domain Server.
Standby Multi-Domain Server: All other Multi-Domain Servers in a High Availability deployment, which cannot manage global policies and objects. Standby Multi-Domain Servers are synchronized with the active Multi-Domain Server.
Active Domain Management Server: In a High Availability deployment, the only Domain Management Server that can manage a specific Domain.
Standby Domain Management Server: In a High Availability deployment, any Domain Management Server for a specified Domain that is not designated as the active Domain Management Server.
Key Features
Centralized Management: Administrators with applicable permissions can manage multiple Domains from a central console. Global policies let administrators define security rules that apply to all Domains or to groups of Domains.
Domain Security: Virtual IP addresses for each Domain Management Server make sure that there is total segregation of sensitive data for each Domain. Although many Domains are hosted by one server, access to data for each Domain is permitted only to administrators with applicable permissions.
High Availability: Multi-Domain Security Management High Availability features make sure that there is uninterrupted service throughout all Domains. All Multi-Domain Servers are synchronized and can manage the deployment at any time. Multiple Domain Management Servers give Active/Standby redundancy for individual Domains.
Scalability: The Multi-Domain Security Management modular architecture seamlessly adds new Domains, Domain Management Servers, Security Gateways, and network objects into the deployment. Each Multi-Domain Server supports up to 500 Domains.
Basic Architecture
Multi-Domain Security Management uses a tiered architecture to manage Domain network deployments.
• The Security Gateway enforces the security policy to protect network resources.
• A Domain is a network or group of networks belonging to a specified entity, such as a company, business unit, department, branch, or organization. For a cloud computing provider, one Domain can be defined for each customer.
• A Domain Management Server is a virtual Security Management Server that manages security policies and Security Gateways for a specified Domain.
• The Multi-Domain Server is a physical server that hosts the Domain Management Server databases and Multi-Domain Security Management system databases.
• The SmartDomain Manager is a management client that administrators use to manage domain security and the Multi-Domain Security Management system.
The Multi-Domain Servers and SmartDomain Manager are typically located at central Network Operation
Centers (NOCs). Security Gateways are typically located together with protected network resources, often
in another city or country.
Figure callouts (figure not reproduced): A - USA Development Domain; B - Headquarters Domain; C - UK Development Domain; 1 - Security Gateway; 2 - Network Operation Center; 3 - Multi-Domain Server; 4A - USA Development Domain Management Server; 4B - Headquarters Domain Management Server; 4C - UK Development Domain Management Server.
The Multi-Domain Server
The Multi-Domain Server is a physical computer that hosts Domain Management Servers, system
databases, and the Multi-Domain Log Server. The system databases include Multi-Domain Security
Management network data, administrators, Global Policies, and domain management information.
Figure callouts (figure not reproduced): A - Domain Management Server database; B - Global objects database; C - Multi-Domain Security Management System database; 1 - Multi-Domain Server; 2 - Domain Management Servers; 3 - Administrators and permissions; 4 - GUI clients; 5 - Licenses; 6 - Software packages; 7 - Network objects; 8 - Multi-Domain Log Server; 9 - Global policies; 10 - Global IPS; 11 - Global VPN communities; 12 - Other Global objects; 13 - SmartDomain Manager in Network Operations Center.
A Multi-Domain Server can host a large amount of network and policy data on one server. To increase
performance in large deployments, distribute traffic load, and configure high availability, you can use
multiple Multi-Domain Servers.
Domain Management Servers
A Domain Management Server is the Multi-Domain Security Management functional equivalent of a Security
Management Server. Administrators use Domain Management Servers to define, change and install Domain
security policies to Domain Security Gateways. A Domain can have multiple Domain Management Servers
in a high availability deployment. One Domain Management Server is active, while the other, fully
synchronized, Domain Management Servers are standbys. You can also use a Security Management
Server as a backup for the Domain Management Server.
Typically, a Domain Management Server is located on the Multi-Domain Server in the Network Operations
Center network.
Figure callouts (figure not reproduced): A - USA Development Domain; B - Headquarters Domain; C - UK Development Domain; 1 - Security Gateway; 2 - Network Operation Center; 3 - Headquarters Domain Management Server; 4A - USA Development Domain Management Server; 4B - Headquarters Domain Management Server; 4C - UK Development Domain Management Server.
After you define a Domain Management Server, you define Security Gateways, network objects, and
security policies using the basic procedures in the R75.20 Security Management Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12277). You manage Security
Gateways using the Domain Management Server SmartDashboard.
Routing must be configured so that Domain gateways and Domain Management Servers can communicate.
Traffic must be allowed between the Multi-Domain Servers, the NOC network, its gateways and the Domain gateways,
and also for connections from SmartConsole Client applications to Domain Management Servers.
Configure access rules as appropriate in the Domain gateway rule base.
If you use logging or High Availability in a Domain network, configure routing to support these
functions. For further details, see Logging in Multi-Domain Security Management (on page 108), and High
Availability (on page 92).
Log Servers
This section shows how log servers operate in a Multi-Domain Security Management deployment.
Figure callouts (figure not reproduced): A - Domain A; B - Domain B; 1 - Security Gateway; 2 - Multi-Domain Server; 3 - Multi-Domain Log Server; 4 - Domain Management Server - Domain A; 5 - Domain Management Server - Domain B; 6 - Domain Log Server - Domain A; 7 - Domain Log Server - Domain B.
Multi-Domain Log Server
A Multi-Domain Log Server hosts log files for multiple Domains. Typically, the Multi-Domain Log Server is
hosted on a Multi-Domain Server dedicated for log traffic. This improves performance by isolating log traffic
from management traffic.
You can optionally install a Multi-Domain Log Server on a Multi-Domain Server together with the Domain
Management Servers and system databases. This option is appropriate for deployments with lighter traffic
loads. You can also create a redundant log infrastructure by defining the Multi-Domain Log Server as the
primary log server and the Multi-Domain Server as a backup.
You can have multiple Multi-Domain Log Servers in a Multi-Domain Security Management environment. You
use the SmartDomain Manager to manage your Domain Log Servers, with a different log repository for each
Domain.
Domain Log Server
A Domain Log Server is a virtual log server for a single Domain. Typically, Domain Log Servers are virtual
components installed on a Multi-Domain Log Server. You can also configure Domain Log Servers to monitor
specified Domain gateways.
High Availability
Multi-Domain Security Management High Availability gives uninterrupted management redundancy for all
Domains. Multi-Domain Security Management High Availability operates at these levels:
• Multi-Domain Server High Availability - Multiple Multi-Domain Servers are, by default, automatically synchronized with each other. You can connect to any Multi-Domain Server to do Domain management tasks. One Multi-Domain Server is designated as the Active Multi-Domain Server. Other Multi-Domain Servers are designated as Standby Multi-Domain Servers.
You can only do Global policy and global object management tasks using the active Multi-Domain Server. In the event that the active Multi-Domain Server is unavailable, you must change one of the standby Multi-Domain Servers to active.
• Domain Management Server High Availability - Multiple Domain Management Servers give Active/Standby redundancy for Domain management. One Domain Management Server for each Domain is Active. The other, fully synchronized Domain Management Servers for that Domain are standbys. In the event that the Active Domain Management Server becomes unavailable, you must change one of the standby Domain Management Servers to active.
You can also use ClusterXL to give High Availability redundancy to your Domain Security Gateways. You
use SmartDashboard to configure and manage Security Gateway High Availability for Domain Management
Servers.
Note - The current version supports multiple Domain Management Servers for
each Domain.
Security Policies
A Security Policy is a set of rules that are enforced by Security Gateways. In a Multi-Domain Security
Management deployment, administrators use Domain Management Servers to define and manage security
policies for Security Gateways included in Domains.
Global Policies
Global policies are a collection of rules and objects that are assigned to all Domains, or to specified groups
of Domains. This is an important time saver because it lets administrators assign rules to any or all Domain
gateways without having to configure them individually.
The Management Model
Introduction to the Management Model
The Multi-Domain Security Management model is granular and lets you assign a variety of different access
privileges to administrators. These privileges let administrators do specified management tasks for the entire
deployment or for specified Domains.
Management Tools
The SmartDomain Manager
Administrators use the SmartDomain Manager to manage the system and to access the SmartConsole
client applications for specific Domains. The SmartDomain Manager has many views to let administrators
see information and do various tasks.
SmartConsole Client Applications
Administrators use SmartConsole clients to configure, manage and monitor security policies. SmartConsole
clients include all the following:
• SmartDashboard lets administrators define and manage security policies.
• SmartView Tracker lets administrators see, manage and track log information.
• SmartUpdate lets administrators manage and maintain the license repository, and update Check Point software.
• SmartView Monitor lets administrators monitor traffic on Multi-Domain Servers, Security Gateways, and QoS gateways. They can also see alerts and test the status of various Check Point components throughout the system.
• SmartReporter lets administrators generate reports for different aspects of network activity.
• SmartProvisioning lets administrators manage many SmartProvisioning Security Gateways.
Chapter 2
Deployment Planning
Effective planning is essential to implementing Multi-Domain Security Management. This chapter examines
different aspects of deployment preparation. Included are several issues that you should take into
consideration when planning a new Multi-Domain Security Management deployment.
In This Chapter
Multi-Domain Security Management Components Installed at the NOC 20
Using Multiple Multi-Domain Servers 20
Protecting Multi-Domain Security Management Networks 21
Logging & Tracking 21
Routing Issues in a Distributed Environment 21
Platform & Performance Issues 22
Enabling OPSEC 22
IP Allocation & Routing 22
Multi-Domain Security Management Components Installed at the NOC
The following components are deployed at the Network Operation Center:
• SmartDomain Manager
• Multi-Domain Server and the Multi-Domain Log Server
• Domain
• Domain Log Server
Using Multiple Multi-Domain Servers
For better performance in large deployments with many Domains and Security Gateways, we recommend
that you use more than one Multi-Domain Server. This lets you distribute the traffic load over more than one
server. You can also use additional Multi-Domain Servers for high availability and redundancy.
You can also define a Multi-Domain Server as a dedicated Multi-Domain Log Server to isolate log traffic
from business-critical traffic.
High Availability
When deploying many complex Domain networks, you can implement High Availability failover and recovery
functionality:
• Multi-Domain Server High Availability makes sure that at least one backup server can take over, so that SmartDomain Manager access continues even when one of the Multi-Domain Servers is not available.
• For Domain Management Server High Availability, you need at least two Multi-Domain Servers. You then create two or more Domain Management Servers. These Domain Management Servers are the Active and Standby servers for the Domain gateways.
Multi-Domain Server Synchronization
If your deployment contains multiple Multi-Domain Servers, each Multi-Domain Server must be fully
synchronized with all other Multi-Domain Servers. The Multi-Domain Security Management network and
administrators databases are synchronized automatically whenever changes are made on one Multi-Domain
Server. The Global Policy database is synchronized at user-defined intervals, on specified events, or both.
You can also synchronize the databases manually.
Multi-Domain Server synchronization does not back up Domain Management Servers or their data. Domain
policies are included in the Domain Management Server database and are not synchronized by the Multi-
Domain Server. You must configure your system for Domain Management Server High Availability to give
redundancy at the Domain Management Server level.
Clock Synchronization
Multi-Domain Server system clocks (including those of dedicated Multi-Domain Log Servers) must be synchronized
to the nearest second. When adding another Multi-Domain Server to your deployment, synchronize its clock
with the other Multi-Domain Servers before installing the Multi-Domain Security Management package.
Use a synchronization utility to synchronize Multi-Domain Server clocks. We recommend that you
automatically synchronize the clocks at least once a day to compensate for clock drift.
Protecting Multi-Domain Security Management Networks
The Multi-Domain Security Management network and Network Operation Center (NOC) must be protected
by a Security Gateway. You can manage this gateway using a Domain Management Server or a Security
Management Server.
This Security Gateway must have a security policy that adequately protects the NOC and allows secure
communication between Multi-Domain Security Management components and external Domain networks.
This is essential to make sure that there is continual open communication between all components. Multi-
Domain Servers communicate with each other and with Domain networks. The Security Gateway routing
must be correctly configured.
The Security Gateway security policy must also allow communication between Domain Management
Servers and Domain Security Gateways. External Domain administrators must be able to access Domain
Management Servers.
Logging & Tracking
If you are deploying a very large system where many different services and activities are being tracked,
consider deploying one or more dedicated Multi-Domain Log Servers.
Routing Issues in a Distributed Environment
If you have a distributed system, with Multi-Domain Servers located in remote locations, examine routing
issues carefully. Routing must enable all Multi-Domain Server components to communicate with each other,
and for Domain Management Servers to communicate with Domain networks. See IP Allocation & Routing
(on page 22).
Platform & Performance Issues
Examine your Multi-Domain Security Management system hardware and platform requirements. Make sure
that you have the needed platform patches installed. If you have a Multi-Domain Server with multiple
interfaces, ensure that the total load for each Multi-Domain Server computer conforms to performance load
recommendations. See Hardware Requirements and Recommendations.
Enabling OPSEC
Multi-Domain Security Management supports OPSEC APIs on the following levels:
• Gateway level — Gateways managed by Multi-Domain Security Management support all OPSEC APIs (such as CVP, UFP, SAM etc.)
• Domain Management Server level — Domain Management Servers support all OPSEC Management APIs. This includes CPMI, ELA, LEA and SAM.
• Domain Log Server level — Log servers support all logging OPSEC APIs. This includes ELA and LEA.
IP Allocation & Routing
Multi-Domain Security Management uses a single public IP interface address to implement many private,
"virtual" IP addresses. The Multi-Domain Server assigns virtual IP addresses to Domain Management
Servers and Domain Log Servers, which must be routable so that gateways and SmartConsole clients can
connect to the Domain Management Servers.
Each Multi-Domain Server has an interface with a routable IP address. The Domain Management Servers
use virtual IP addresses. It is possible to use either public or private IPs.
When configuring routing tables, make sure that you define the following communication paths:
• Domain Security Gateways to the Domain Log Servers.
• All Domain Management Servers to Domain Log Servers.
• Active Domain Management Servers to and from standby Domain Management Servers.
• All Domain Management Servers to the Domain gateways.
• The Domain gateways to all Domain Management Servers.
Virtual IP Limitations and Multiple Interfaces on a Multi-Domain Server
There is a limitation of 250 Virtual IP addresses per interface for Solaris-platform Multi-Domain Servers.
Since each Domain Management Server and Domain Log Server receives its own Virtual IP address, there
is a limit of 250 Domain Management Servers or Domain Log Servers per Solaris Multi-Domain Server.
If you have more than one interface per Multi-Domain Server, you must specify which one is the leading
interface. This interface will be used by Multi-Domain Servers to communicate with each other and perform
database synchronization. During Multi-Domain Server installation, you will be prompted to choose the
leading interface by the mdsconfig configuration script.
Ensure that interfaces are routable. Domain Management Servers and Domain Management Server-HA
must be able to communicate with their Domain gateways, and Domain Log Servers to their Domain
gateways.
Chapter 3
Provisioning Multi-Domain Security Management
This chapter includes procedures and steps for provisioning your Multi-Domain Security Management
deployment.
In This Chapter
Provisioning Process Overview 24
Setting Up Your Network Topology 24
The Multi-Domain Security Management Trust Model 25
Creating a Primary Multi-Domain Server 28
Multiple Multi-Domain Server Deployments 28
Using SmartDomain Manager 31
Protecting the Multi-Domain Security Management Environment 32
Licensing 35
Provisioning Process Overview
This list is an overview of the Multi-Domain Security Management provisioning process. Many of these
procedures are described in detail in this chapter.
1. Set up the network topology and verify connectivity. It is important that you configure routing and
connectivity between all network components, such as Multi-Domain Servers, Domain Management
Servers and Domain gateways. Thoroughly test connectivity between all components and nodes. Make
sure that you configure and test connectivity when adding new Multi-Domain Servers, Domain
Management Servers and Domain gateways to the Multi-Domain Security Management system.
2. Install and create the Primary Multi-Domain Server. Configure administrators and GUI Clients at this
time. See the R75.20 Installation and Upgrade Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12269).
3. Install SmartDomain Manager and SmartConsole Clients. See Using the SmartDomain Manager for
the First Time (see "Using SmartDomain Manager" on page 31).
4. Install the Multi-Domain Server license. If you have a trial license, this step can be postponed until
before the trial period ends in 15 days. See Adding Licenses using the SmartDomain Manager.
5. Install and configure Multi-Domain Log Servers and secondary Multi-Domain Servers as needed.
See Multiple Multi-Domain Server Deployments (on page 28).
6. Install and configure Security Gateways to protect your Multi-Domain Security Management network.
Define and install the security policy. See Protecting the Multi-Domain Security Management
Environment (on page 32).
Setting Up Your Network Topology
The Multi-Domain Server and Security Gateways should be TCP/IP ready. A Multi-Domain Server should
contain at least one interface with a routable IP address and should be able to query a DNS server in order
to resolve the IP addresses of other machine names.
As applicable, ensure that routing is properly configured to allow IP communication between:
• The Domain Management Server and Domain Log Server and its managed gateways.
• A Multi-Domain Server and other Multi-Domain Servers in the system.
• A Domain Management Server and Domain Log Servers of the same Domain.
• A Domain Management Server and its high availability Domain Management Server peer.
• A GUI client and Multi-Domain Servers.
• A GUI client and Domain Management Servers and Domain Log Servers.
The Multi-Domain Security Management Trust Model
Introduction to the Trust Model
Multi-Domain Servers and Domain Management Servers establish secure communication between system
components with full data integrity. This is a critical component for making sure that system management
commands and system information are delivered securely.
Multi-Domain Security Management systems must establish safe communication between the various
components of the Multi-Domain Security Management deployment. Secure Internal Communication (SIC)
makes sure that this communication is secure and private.
Secure Internal Communication (SIC)
Secure Internal Communication (SIC) defines trust between all Multi-Domain Security Management system
components. A basic explanation of how SIC operates is in the R75.20 Security Management Administration
Guide (http://supportcontent.checkpoint.com/documentation_download?ID=12277).
Secure communication makes sure that the system can receive all the information it needs to run
correctly. Although information must be allowed to pass freely, it also has to pass securely. This means that
all communication must be:
• encrypted, so that an impostor cannot send, receive or intercept communication meant for someone else;
• authenticated, so that there can be no doubt as to the identity of the communicating peers;
• integrity-protected, so that data has not been altered or distorted in any way.
Of course, it is helpful if it is also user-friendly.
Trust Between a Domain Management Server and its Domain Network
To ensure authenticated communication between Multi-Domain Security Management and Domain
networks, each Domain Management Server has its own Internal Certificate Authority (ICA). The ICA issues
certificates to the Domain Management Server gateways. The Domain Management Server ICA is part of
the Domain Management Server data hosted by Multi-Domain Server. Each Domain Management Server
ICA is associated with a specific Domain. A high availability Domain secondary Domain Management Server
shares the same Internal Certificate Authority with the primary Domain Management Server.
The Domain Management Server ICA issues certificates to Security Gateways. SIC trust can then be
established between the Domain Management Server and each of its Security Gateways.
Different Domain Management Servers have different ICAs to ensure that a Domain Management Server
establishes secure communication with its own Domain gateways. Other Domain Management Servers
cannot access the internal networks and establish communication with other Domain gateways.
Trust Between a Domain Log Server and its Domain Network
The Domain Log Server also receives a certificate from the Domain Management Server ICA. This is so that
the Security Gateways can establish communication with the Domain Log Server, for tracking and logging
purposes. The gateways and Domain Log Servers must be able to trust their communication with each
other, but only if they belong to the same Domain. Otherwise, different Domains could monitor each other,
which would be a security breach.
Multi-Domain Server Communication with Domain Management Servers
Every Multi-Domain Server communicates with the Domain Management Servers that it hosts locally using
the SIC local protocol. SIC local is managed by Multi-Domain Security Management and activates trusted
Multi-Domain Server communication.
SIC is used for remote communication, whereas SIC local is used for a host's internal communication. SIC
local communication does not make use of certificates.
Trust Between Multi-Domain Servers
The primary Multi-Domain Server (the first Multi-Domain Server defined) has its own Internal Certificate
Authority. This ICA issues certificates to all other Multi-Domain Servers, so that trusted communication can
be authenticated and secure between Multi-Domain Servers. All Multi-Domain Servers share one Internal
Certificate Authority.
The ICA creates certificates for all other Multi-Domain Servers, and for Multi-Domain Security Management
administrators. Administrators also need to establish trusted communication with the Multi-Domain Servers.
Using External Authentication Servers
Multi-Domain Security Management supports external authentication methods. When an administrator
authenticates, all authentication requests are sent to the external authentication server. The external server
authenticates the user and sends a reply to the Multi-Domain Server. Only authenticated administrators can
connect to the Multi-Domain Server or the Domain Management Server.
Multi-Domain Security Management supports the following external authentication methods:
• RADIUS
• TACACS
• RSA SecurID ACE/Server
TACACS and RADIUS authentication methods, when authenticating an administrator connecting to a
Domain Management Server, use the Multi-Domain Server as a proxy between the Domain Management
Server and the external authentication server. Therefore, each Multi-Domain Server must be defined on the
authentication server, and the authentication server must be defined in the global database. In addition, if
the Multi-Domain Server is down, the Domain Management Server will not be able to authenticate
administrators.
Configuring External Authentication
To configure External Authentication:
1. Open the SmartDomain Manager and select Administrators.
2. Define a new administrator.
3. In the General tab, enter the same user name that was created on the authentication server.
4. Mark the administrator's permission.
5. On the Authentication tab, select the Authentication Scheme. If using RADIUS or TACACS, choose
the appropriate server that was configured in Global SmartDashboard.
6. If using SecurID, do the following:
a) Generate the file sdconf.rec on the ACE/Server, and configure the user to use Tokencode only.
b) Copy sdconf.rec to /var/ace/ on each Multi-Domain Server.
c) Edit the file /etc/services and add the following lines:
securid 5500/udp
securidprop 5510/tcp
d) Reboot the Multi-Domain Server machines.
Alternatively, instructions 3, 4, and 5 can be performed from the command line interface (CLI) with the
following syntax:
mdscmd setadminauth <administrator name>
<undefined | os | fw1 | securid | tacacs | radius>
[authentication server name]
[-m Multi-Domain Server -u user -p password]
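Step c above is repeated on every Multi-Domain Server, and a second run of a plain "append" would leave duplicate lines in /etc/services. The following shell functions are an added example and are not part of the Check Point guide: they add the two SecurID entries only when they are absent, report a conflict if the service name is already bound to a different port (that conflict handling is an assumed policy, not documented behaviour), and check that sdconf.rec from step b is in place. The services file path is a parameter so the functions can be run against a copy first.

```shell
# Added example, not from the Check Point guide: idempotent helpers for
# step c of the SecurID procedure. The services file is a parameter so the
# functions can be exercised on a copy before touching /etc/services.

# ensure_service_entry FILE NAME PORT/PROTO
# Appends "NAME<TAB>PORT/PROTO" to FILE unless a line for NAME with the
# same protocol already exists. Returns 0 if the entry is present (already
# or after appending) and 1 if NAME is bound to a different port, which is
# left for the administrator to resolve (assumed policy).
ensure_service_entry() {
    file=$1; name=$2; portproto=$3
    proto=${portproto#*/}
    existing=$(grep -E "^[[:space:]]*${name}[[:space:]]+[0-9]+/${proto}([[:space:]]|\$)" "$file" | head -n 1)
    if [ -n "$existing" ]; then
        if printf '%s\n' "$existing" | grep -qE "[[:space:]]${portproto}([[:space:]]|\$)"; then
            return 0
        fi
        echo "conflict in $file: $existing" >&2
        return 1
    fi
    printf '%s\t%s\n' "$name" "$portproto" >> "$file"
}

# add_securid_services [FILE]
# Adds the two entries the guide lists: securid 5500/udp, securidprop 5510/tcp.
add_securid_services() {
    f=${1:-/etc/services}
    ensure_service_entry "$f" securid 5500/udp &&
    ensure_service_entry "$f" securidprop 5510/tcp
}

# count_securid_entries FILE: number of securid/securidprop service lines.
count_securid_entries() {
    grep -cE '^[[:space:]]*securid(prop)?[[:space:]]' "$1" || true
}

# check_sdconf [DIR]: step b requires sdconf.rec in /var/ace/ on every
# Multi-Domain Server; returns 1 and reports if it is missing.
check_sdconf() {
    d=${1:-/var/ace}
    [ -f "$d/sdconf.rec" ] || { echo "missing $d/sdconf.rec" >&2; return 1; }
}
```

Run add_securid_services with no argument as root to edit /etc/services itself; running it again is harmless, which is what you want when the same procedure is applied to several Multi-Domain Servers by a script.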
Re-authenticating when using SmartConsole Clients
When one SmartConsole client runs another SmartConsole client, Multi-Domain Security Management uses
the credentials entered when the administrator logged into the first client.
However, there are cases where it is useful to require administrators to re-authenticate for each
SmartConsole client they launch. When using RSA SecurID to authenticate Multi-Domain Security
Management administrators, for instance, it is common to require re-authentication when SmartConsole
Clients connect to Multi-Domain Servers or Domain Management Servers.
You can compel administrators to re-authenticate every time a new GUI client is launched and connects to:
• a specific Domain Management Server
• all Domain Management Servers created on this system in the future
• this Multi-Domain Server or Multi-Domain Log Server
The instructions for each are listed below.
...When Connecting to a Specific Domain Management Server
Run these commands from a root shell on the Multi-Domain Server that hosts the specified Domain
Management Server:
dbedit -s <Domain Management Server IP> -u <name of administrator with edit permissions for this Domain Management Server> -p <administrator password>
modify properties firewall_properties fwm_ticket_ttl 0
update properties firewall_properties
quit
If the relevant Domain has more than one Domain Management Server, synchronize the Domain
Management Servers for the change to take effect on both. If the Domain owns one or more Domain Log
Servers, the Install Database operation should be performed on each Domain Log Server for the change to
take effect.
...When Connecting to all Domain Management Servers Created on This
System in the Future
Do these steps in a root shell on each Multi-Domain Server:
1. Run the command mdsenv to load the Multi-Domain Server environment variables.
2. Edit the file $MDS_TEMPLATE/conf/objects_5_0.C.
3. Find the line containing: fwm_ticket_ttl
4. Replace its value so that the line reads: fwm_ticket_ttl (0)
Change only the value in parentheses; keep the rest of the line (leading colon and indentation) as it is.
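The template edit above is easy to get wrong by hand (a stray change to the indentation or the leading colon breaks the file). The following Python script is an added example, not code from this guide or from Check Point: it rewrites only the fwm_ticket_ttl value, keeps the rest of the line intact, writes a .bak copy before touching the file, and refuses to run on a file that does not contain the attribute. It assumes the attribute is stored on one line of the form ':fwm_ticket_ttl (<seconds>)'; the fragment SAMPLE is constructed for the demonstration and is not taken from a real installation.

```python
import os
import re
import shutil
from pathlib import Path

# Matches a line such as "\t\t:fwm_ticket_ttl (3600)". The leading colon is made
# optional so the check also works if the attribute ever appears without it.
TICKET_RE = re.compile(r"^(?P<prefix>\s*:?)fwm_ticket_ttl\s*\((?P<value>\d+)\)\s*$")


def current_ticket_ttl(text: str):
    """Return the configured fwm_ticket_ttl in seconds, or None if the attribute is absent."""
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            return int(m.group("value"))
    return None


def set_ticket_ttl(text: str, ttl: int = 0):
    """Return (new_text, lines_changed). Only the value changes; prefix and line endings are kept."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = TICKET_RE.match(body)
        if m and int(m.group("value")) != ttl:
            out.append(f"{m.group('prefix')}fwm_ticket_ttl ({ttl}){eol}")
            changed += 1
        else:
            out.append(line)
    return "".join(out), changed


def apply_to_file(path: Path, ttl: int = 0) -> int:
    """Edit the file in place after saving a .bak copy; return the number of lines changed.

    Raises if the attribute is absent, so a template without the key is never silently left as-is.
    """
    original = path.read_text()
    if current_ticket_ttl(original) is None:
        raise ValueError(f"fwm_ticket_ttl not found in {path}")
    new_text, changed = set_ticket_ttl(original, ttl)
    if changed:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(new_text)
    return changed


# Constructed fragment in the objects_5_0.C style; not a real file from the product.
SAMPLE = (
    "(\n"
    "\t:firewall_properties (\n"
    "\t\t:fwm_ticket_ttl (3600)\n"
    "\t\t:fw1_enable (true)\n"
    "\t)\n"
    ")\n"
)

if __name__ == "__main__":
    # After `mdsenv` the real template would be edited with:
    #   apply_to_file(Path(os.path.expandvars("$MDS_TEMPLATE/conf/objects_5_0.C")))
    # The demonstration works on the in-memory sample instead.
    new_text, n = set_ticket_ttl(SAMPLE)
    print(f"changed {n} line(s); fwm_ticket_ttl is now {current_ticket_ttl(new_text)}")
```

Running the script a second time changes nothing, so it is safe to include in a post-installation checklist for every Multi-Domain Server.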
Provisioning Multi-Domain Security Management Page 27
Creating a Primary Multi-Domain Server
...When Connecting to this Multi-Domain Server or Multi-Domain Log
Server
Run these commands in a root shell on the Multi-Domain Server or Multi-Domain Log Server:
dbedit -s <IP of the Multi-Domain Server or Multi-Domain Log Server> -u <name of the administrator with edit permissions for the Global Policy of the Multi-Domain Server> -p <administrator password>
modify properties firewall_properties fwm_ticket_ttl 0
update properties firewall_properties
quit
If the Multi-Domain Security Management configuration consists of more than one Multi-Domain Server or
Multi-Domain Log Server, synchronize the Global Policy for this change to take effect on all Multi-Domain
Server or Multi-Domain Log Server machines.
CPMI Protocol
The CPMI (Check Point Management Interface) protocol is a generic open protocol that allows third party
vendors to interoperate with Check Point management products. The client side of CPMI is included in the
OPSEC SDK documentation, so third-party products can integrate with the Domain Management Servers.
See the CPMI guide in the OPSEC SDK documentation.
Creating a Primary Multi-Domain Server
Use the distribution DVD or the Multi-Domain Server installation utility to do one of these installation types:
Fresh installations.
Multi-Domain Server upgrades from previous versions of Multi-Domain Security Management.
To install or upgrade the primary Multi-Domain Server, follow the instructions in the R75.20 Installation and
Upgrade Guide (http://supportcontent.checkpoint.com/documentation_download?ID=12269).
Multiple Multi-Domain Server Deployments
In Multi-Domain Security Management systems where more than one Multi-Domain Server is installed, you
need to take various configuration factors into account. The following sections describe in detail what you
need to know.
Synchronizing Clocks
All Multi-Domain Server system clocks must be synchronized to the second to ensure proper operation.
Before creating a new Multi-Domain Server, you must first synchronize the new computer clock with other
Multi-Domain Server platforms in the system.
You can synchronize Multi-Domain Server clocks using any synchronization utility, such as NTP. It is
recommended that all the Multi-Domain Server clocks be synchronized automatically at least once a day to
compensate for clock drift.
Adding a Secondary Multi-Domain Server or a Multi-Domain Log Server
Before you begin:
If you are installing a Multi-Domain Server or Multi-Domain Log Server on a Linux or Solaris platform,
you must synchronize the new platform clock with all other Multi-Domain Server platforms in your
deployment before starting the installation and configuration process. For SecurePlatform installations,
you synchronize the clocks after completing the installation routine and rebooting the computer.
Make certain that you are logged on with Superuser permissions.
To create a new Multi-Domain Server or Multi-Domain Log Server:
1. Install Multi-Domain Server or Multi-Domain Log Server on SecurePlatform or Linux computers as
described in the R75.20 Installation and Upgrade Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12269). You install Multi-Domain
Log Servers in the same manner as Multi-Domain Servers.
2. If you are installing to a SecurePlatform computer, synchronize all Multi-Domain Server clocks at this
time. For Linux and Solaris platforms, you should have synchronized the clocks prior to starting the
installation.
3. In the Primary SmartDomain Manager General View, select the Multi-Domain Server Contents Mode
from the View menu.
4. Select New Multi-Domain Server from the Manage menu, or right-click the Multi-Domain Security
Management root of the Multi-Domain Server Contents tree and select New Multi-Domain Server.
5. In the Multi-Domain Server Configuration window, enter the following information:
Multi-Domain Server Name: Multi-Domain Server computer name
Multi-Domain Server IP Address: Multi-Domain Server IP address
Domain Management Server IP address Range: Range of valid IP addresses for Domain
Management Servers
Status Checking Interval: Time in seconds between Multi-Domain Server status updates
6. Click Communication to establish SIC trust. Enter the Activation Key that you specified while installing
the Multi-Domain Server or Multi-Domain Log Server computer.
7. Click Initialize. If SIC trust succeeds, the Trust State field displays Trust established.
If you are setting up a high availability deployment, a prompt appears asking you to perform an Initial
synchronization for this Multi-Domain Server. This operation synchronizes the primary and secondary
Multi-Domain Servers.
8. Click Yes to perform the synchronization. When the synchronization finishes, click OK to continue.
9. If you created a new Multi-Domain Server, you can now connect directly to it. Log on to the new
Multi-Domain Server using the SmartDomain Manager.
Multi-Domain Log Server Configuration - Additional Step
If you created a Multi-Domain Log Server, set up your Domain Log Servers for Domain activity logging. See
Logging in Multi-Domain Security Management (on page 108).
Changing an Existing Multi-Domain Server
To modify an existing Multi-Domain Server:
1. In the SmartDomain Manager General view Multi-Domain Server Contents mode, select a
Multi-Domain Server and choose Manage > Configure, or double-click the Multi-Domain Server, or right-click
the Multi-Domain Server and select Configure Multi-Domain Server.
2. In the Multi-Domain Server Configuration window, enter or modify the following information as
required:
Multi-Domain Server Name: Multi-Domain Server computer name
Multi-Domain Server IP Address: Multi-Domain Server IP address
Domain Management Server IP address Range: Range of valid IP addresses for Domain
Management Servers
Status Checking Interval: Time in seconds between Multi-Domain Server status updates
3. If you wish to re-establish SIC trust, perform the following steps:
a) From the Multi-Domain Server command line, execute the mdsconfig utility. Select (5) from the
Configuration Options menu and follow the instructions on the screen to re-initialize SIC
communication.
b) In the SmartDomain Manager Multi-Domain Server Configuration window, click Communication.
c) In the Communication window, click Reset.
d) Enter the Activation Key that you specified with the mdsconfig utility.
4. Click Initialize. If SIC trust succeeds, the Trust State field displays Trust established.
5. In the Multi-Domain Server Configuration window, click OK.
Deleting a Multi-Domain Server
If you want to delete the Multi-Domain Server, do so only if you are certain that you no longer need it. If you
delete a Multi-Domain Server in error, you will have to reconfigure it from scratch (including its Domain
Management Servers and gateways).
To delete a Multi-Domain Server:
1. In the SmartDomain Manager General view Multi-Domain Server Contents mode, right-click a
Multi-Domain Server and select Delete Multi-Domain Server.
2. Confirm the deletion and click OK.
Using SmartDomain Manager
Once you have set up your primary Multi-Domain Server, use the SmartDomain Manager to configure and
manage the Multi-Domain Security Management deployment. Ensure that you have installed the
SmartDomain Manager software on your computer and that your computer is a trusted GUI Client. You must
be an administrator with appropriate privileges (Superuser, Global Manager, or Domain Manager) to run
the SmartDomain Manager.
Launching the SmartDomain Manager
To start the SmartDomain Manager:
1. Select: Start > Programs > Check Point SmartConsole > Multi-Domain Security Management.
2. Enter your User Name and Password or browse to your Certificate and enter the password to open
the certificate file.
3. Enter the Multi-Domain Server computer name or IP address to which you intend to connect.
4. After a brief delay, the SmartDomain Manager opens, showing those network objects and menu
commands accessible according to your Multi-Domain Security Management permissions.
Protecting the Multi-Domain Security Management Environment
You should always deploy a Check Point Security Gateway to protect your Multi-Domain Security
Management network, including your Multi-Domain Server, Multi-Domain Log Server and management
platforms. This section presents the procedures for installing and defining Check Point Security Gateways to
protect your Multi-Domain Security Management network. You can manage your Security Gateway using
either a Security Management Server (configured as a standalone gateway/Security Management
combination) or a Domain Management Server and the SmartDomain Manager.
Standalone Gateway/Security Management
In this scenario the Security Gateway that protects your Multi-Domain Security Management deployment
and a Security Management Server are installed on a single Linux or SecurePlatform computer.
To deploy a Security Gateway/Security Management standalone installation:
1. Install and configure a Check Point Security Gateway and Security Management Server on a single
computer as described in the R75.20 Installation and Upgrade Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12269).
2. Verify connectivity between the Security Gateway/Security Management Server, the Multi-Domain
Server, the SmartDashboard client and any other Multi-Domain Security Management network
components.
3. Verify that SIC trust has been successfully established.
4. Log on to SmartDashboard.
5. Create and configure the Security Gateway object to protect your Multi-Domain Security Management
deployment.
6. Define and install a Security Policy for the gateway.
Domain Management Server and SmartDomain Manager
In this scenario, the Security Gateway that protects your Multi-Domain Security Management deployment is
installed on a SecurePlatform or Linux computer and is managed by a Domain Management Server on the
Multi-Domain Server itself.
1. Install Check Point Security Gateway on a SecurePlatform or Linux computer, without the Security
Management Server, as described in the R75.20 Installation and Upgrade Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12269).
2. Verify connectivity with the Multi-Domain Server.
3. Launch the SmartDomain Manager and log into the Multi-Domain Server.
4. Define a Domain for the gateway and create a Domain Management Server for this Domain. For more
information, refer to Configuring a New Domain (see "Defining a New Domain" on page 72).
5. In the SmartDomain Manager, launch SmartDashboard from the Domain Management Server and
create the network object representing the Security Gateway on the Domain Management Server.
a) Right-click the Network Objects icon, and from the drop-down menu select New > Check Point >
Gateway.
b) Enter configuration details for the gateway, including an IP address. The external gateway should
have a routable IP address.
c) The products installed on this computer should be Firewall and SVN Foundation. You can install
additional products as required.
6. Establish SIC trust with the gateway.
7. Define and install a Security Policy for the gateway.
Security Gateways Protecting a Multi-Domain Server
A Security Gateway that protects a Multi-Domain Server must have an installed security policy that allows
connections between:
The Active and Standby Domain Management Servers and their Domain Security Gateways.
Log transfers between Domain Security Gateways and Domain Log Servers.
Domain Security Gateways and their specified Domain Management Servers (Active and Standby).
Figure callouts (the figure itself is not reproduced in this text):
A - Primary Domain
B - Mirror Domain
1 - Active Domain Management Servers
2 - Primary Multi-Domain Server
3 - Mirror Multi-Domain Server
4 - Mirror Domain Management Servers
5 - Security Gateways
The Security Policy must also allow connections between:
The Multi-Domain Security Management network Domain Management Server and the network
gateway.
Between Multi-Domain Servers, if they are distributed between several management networks.
GUI Clients and the Multi-Domain Server, according to which GUI Clients are allowed SmartDomain
Manager access.
For general information regarding creating Security Policies using SmartDashboard, see the R75.20
Security Management Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12277).
Making Connections Between Different Components of the System
To enable secure communication and proper access between the different system components:
1. Launch SmartDashboard and connect to the Domain Management Server. Create objects to represent
each Domain Management Server, Domain Management Server-HAs, Domain Log Servers, and the
Domain gateways.
2. Examine the implied rules for the Domain Management Server. These rules are created to allow Domain
Log Server and Domain Management Server communication with gateways, using the specialized services
that each type of management uses for CPMI communication with the Domain gateways. Rules must be
created on the Security Gateway to permit these specialized CPMI services between the specific Domain
Management Servers and Domain Log Servers and their Domain gateways.
3. Using the implied rules as a template, create rules for each Domain permitting services from the source
Domain Management Servers/Domain Log Servers to the Domain gateways, and from Domain
gateways to Domain Management Servers/Domain Log Servers.
4. Examine your network deployment and decide which components should be used in rules in order to
enable communications, perform status collection and push/pull certificates. For instance, if the
Multi-Domain Security Management network is distributed, with different Multi-Domain Servers in remote
locations and Security Gateways protecting a remote Multi-Domain Security Management network, rules
must be defined to enable the Multi-Domain Servers to communicate with one another. In such a rule,
the Multi-Domain Servers need to appear in both the Source and Destination columns of the rule. Use the
table below to see how to create rules that allow connections between the specified components.
Description / Source / Destination

Enable connections between the SmartDomain Manager and the Multi-Domain Server.
Source: GUI Client. Destination: Multi-Domain Server.

Enable connections from a Multi-Domain Server to all other Multi-Domain Servers (for all Multi-Domain
Servers with the same ICA). The connection is bi-directional, i.e. each Multi-Domain Server must be able
to connect to all other Multi-Domain Servers.
Source: Multi-Domain Servers. Destination: Multi-Domain Servers.

Domain Management Server status collection. Each Domain Management Server collects different status
information from its Domain gateways. If a Domain has two or more Domain Management Servers, the first
Domain Management Server collects statuses from the peer ("Mirror") Domain Management Servers as well.
Source: Domain Management Server, Domain Management Server-HA. Destination: Security Gateway,
Domain Management Server-HA.

Multi-Domain Server-level status data collection. In a system with more than one Multi-Domain Server,
each Multi-Domain Server collects status data from other Multi-Domain Servers in the system.
Source: Multi-Domain Servers. Destination: Multi-Domain Servers.

Enable passing a certificate to a Multi-Domain Server. When creating a new Multi-Domain Server in the
system, it must be supplied with a SIC certificate created by the Primary Multi-Domain Server.
Source: Multi-Domain Servers. Destination: Multi-Domain Servers.

Push a certificate to a Domain Management Server. When defining a Mirror Domain Management Server
for a Domain, it must receive a certificate. Usually this is a one-time operation, unless you decide to
supply the Domain Management Server with a new certificate.
Source: Domain Management Server. Destination: Domain Management Server-HA.

Domain level High Availability synchronization protocol. When creating a Mirror Domain Management Server
and later when synchronizing Domain Management Servers (of the same Domain).
Source: Domain Management Server. Destination: Domain Management Server-HA.
Source: Domain Management Server-HA. Destination: Domain Management Server.
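As a check on the policy that results from the table above and from the flows listed under "Security Gateways Protecting a Multi-Domain Server", here is an added example in Python; it is not code from this guide or from Check Point. It derives the set of source/destination pairs that a given inventory needs, including the reverse direction of the Multi-Domain Server peer flows and of the Domain High Availability flows, and reports the pairs that a candidate rulebase does not allow. The inventory, host names and rulebase are constructed for the demonstration; services are deliberately not modelled, because the guide directs you to take them from the implied rules.

```python
from dataclasses import dataclass, field
from itertools import permutations


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    purpose: str


@dataclass
class Inventory:
    mds: list                      # Multi-Domain Servers and Multi-Domain Log Servers (same ICA)
    gui_clients: list              # hosts allowed to run the SmartDomain Manager
    domains: dict = field(default_factory=dict)
    # domains[name] = {"dms": [active DMS], "dms_ha": [mirror DMS],
    #                  "gateways": [...], "log_servers": [Domain Log Servers]}


def required_flows(inv: Inventory) -> set:
    """Source/destination pairs the protecting gateway must allow, derived from the table."""
    flows = set()
    for gui in inv.gui_clients:
        for m in inv.mds:
            flows.add(Flow(gui, m, "SmartDomain Manager access"))
    # Multi-Domain Server to Multi-Domain Server is bi-directional: status collection
    # and passing the SIC certificate created by the primary.
    for a, b in permutations(inv.mds, 2):
        flows.add(Flow(a, b, "MDS peer status / certificate"))
    for name, d in inv.domains.items():
        for mgr in d["dms"] + d["dms_ha"]:
            for gw in d["gateways"]:
                flows.add(Flow(mgr, gw, f"{name}: DMS status collection"))
                flows.add(Flow(gw, mgr, f"{name}: gateway to DMS"))
        for gw in d["gateways"]:
            for ls in d["log_servers"]:
                flows.add(Flow(gw, ls, f"{name}: log transfer"))
        # Active and mirror DMS: certificate push, status and HA synchronization, both directions.
        for act in d["dms"]:
            for ha in d["dms_ha"]:
                flows.add(Flow(act, ha, f"{name}: certificate push / status / HA sync"))
                flows.add(Flow(ha, act, f"{name}: HA sync"))
    return flows


def uncovered(flows, rulebase) -> list:
    """rulebase is a list of (sources, destinations) allow rules; the name 'Any' matches everything."""
    def allows(rule, f):
        srcs, dsts = rule
        return (f.src in srcs or "Any" in srcs) and (f.dst in dsts or "Any" in dsts)
    return [f for f in sorted(flows, key=lambda f: (f.purpose, f.src, f.dst))
            if not any(allows(r, f) for r in rulebase)]


# Constructed inventory: two Multi-Domain Servers, one Domain with an active and a mirror
# Domain Management Server, two gateways and one Domain Log Server.
INVENTORY = Inventory(
    mds=["mds-primary", "mds-mirror"],
    gui_clients=["admin-pc"],
    domains={"acme": {"dms": ["acme-dms"], "dms_ha": ["acme-dms-ha"],
                      "gateways": ["acme-gw1", "acme-gw2"], "log_servers": ["acme-dls"]}},
)

# Constructed candidate rulebase. The last rule covers the certificate push from the
# active DMS to the mirror, but nobody wrote the reverse direction for HA synchronization.
RULEBASE = [
    ({"admin-pc"}, {"mds-primary", "mds-mirror"}),
    ({"mds-primary", "mds-mirror"}, {"mds-primary", "mds-mirror"}),
    ({"acme-dms", "acme-dms-ha"}, {"acme-gw1", "acme-gw2"}),
    ({"acme-gw1", "acme-gw2"}, {"acme-dms", "acme-dms-ha", "acme-dls"}),
    ({"acme-dms"}, {"acme-dms-ha"}),
]

if __name__ == "__main__":
    for f in uncovered(required_flows(INVENTORY), RULEBASE):
        print(f"MISSING  {f.src:<14} -> {f.dst:<14}  {f.purpose}")
```

The point of the check is the direction that is easy to forget: the table lists Domain Management Server-HA to Domain Management Server as a separate row, and the sample rulebase above fails on exactly that pair.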
Licensing
Licensing Overview
This Multi-Domain Security Management version uses a simplified licensing model that matches its scalable
architecture. This lets you purchase licenses according to the size and complexity of your deployment. You
only purchase the management Software Blade licenses that you need. You can always add additional
licenses as your deployment grows.
Multi-Domain Security Management uses the Check Point Software Blade architecture. You install and
license management Blades on the Multi-Domain Server. For an environment that uses multiple Multi-
Domain Servers, you must install the Blades on each Multi-Domain Server.
Dedicated log servers (Multi-Domain Log Servers and Domain Log Servers) have their own special licenses.
The Trial Period
All Check Point products have a 15-day trial period. During this period the software is fully functional and all
features are available without a license. After this period, you must obtain an extended evaluation license or
a permanent license to continue using the software.
The Multi-Domain Security Management trial period begins as soon as you install a Multi-Domain Server
(regardless of its type). The trial license has a limit of 200 Domain Management Servers.
Each Domain Management Server has its own trial license for a primary Domain Management Server
managing an unlimited number of gateways. This license supports the Check Point SmartUpdate and
SmartMap features. It expires on the same day as the Multi-Domain Server trial license.
License Types
In this section:
Multi-Domain Server Licenses
Domain Management Server Licenses
VSX Licenses
Log Server Licenses
Gateway Licenses
This section includes details about the various license types in a Multi-Domain Security Management
deployment. Refer to the User Center for current information about license types and bundles.
Multi-Domain Server Licenses
You must install a Global Policy Software Blade license on all Multi-Domain Servers. You can add blade
licenses for other Check Point management features according to your requirements. In a high availability
deployment, the same Blade licenses must be installed on all Multi-Domain Servers.
All Multi-Domain Servers in your deployment must have licenses attached for the same optional Software
Blades. You cannot attach an optional software blade to one Multi-Domain Server and not the others.
If you are upgrading to R75.20 from an earlier version, you can attach a free Enabler license to your
existing Multi-Domain Server licenses that lets you use the new functionality. You must still attach Software
Blade licenses for optional features.
Domain Management Server Licenses
Each Domain Management Server requires a Domain Management Server license. In a High Availability
deployment, you must attach a full license to the first Domain Management Server. You can then attach
High Availability blade licenses to any additional Domain Management Servers. Each additional Domain
Management Server must be maintained on a different Multi-Domain Server.
Domain Management Servers are licensed according to the number of gateways they manage. Domain
Management Server licenses are available in these bundles:
A Domain with up to 2 Security Gateways.
A Domain with up to 10 Security Gateways.
A Domain with an unlimited number of Security Gateways.
Domain Management Server licenses are associated with their Multi-Domain Server. You can freely move
licenses among Domain Management Servers on the same Multi-Domain Server, but you cannot move
licenses to a different Multi-Domain Server.
The number of QoS gateways managed by a Domain Management Server is unlimited and requires no
special license.
VSX Licenses
VSX Virtual Systems can use Domain Management Server licenses without any additional licensing
requirements. If you are managing only one Virtual System in a Domain, you can purchase a special one-
Domain license.
Log Server Licenses
A Multi-Domain Log Server is a specialized Multi-Domain Server that can only host Domain Log Servers. Each
Domain Log Server requires its own Domain Log Server license, whether it is hosted by a Multi-Domain Log
Server or a Multi-Domain Server.
Gateway Licenses
Each Domain gateway requires the appropriate Software Blade licenses. Gateways are licensed according
to the number of nodes at a site. A node is any computing device with an IP address connected to the
protected network.
Multi-Domain Security Management also supports Quality of Service (QoS) gateways.
Managing Licenses
You can use SmartUpdate to manage licenses for Multi-Domain Servers, Domain Management Servers,
Domain Security Gateways and Software Blades. SmartUpdate lets you add licenses to a central repository
and assign them to components as necessary.
You can also manage Domain Management Server component and blade licenses directly from the Domain
Management Server Configuration Window from the SmartDomain Manager General view. If you save
your licenses in the SmartUpdate central repository, you can get these licenses from the repository by using
this window.
License Violations
A license violation occurs when the trial license, an evaluation license, or another time-limited license expires. When
a license violation occurs, syslog messages are sent, pop-up alerts show in the SmartDomain Manager, and
audit entries in SmartView Tracker show the nature of the violation. In addition, the status bar of the
SmartDomain Manager shows a license violation message.
If a Multi-Domain Server is in the license violation state, you cannot define any new Domain Management
Servers. Otherwise the system continues to function normally. Licenses are enforced separately for each
Multi-Domain Server. This means that if there is a license violation for one Multi-Domain Server, all other
Multi-Domain Servers will continue to operate normally if their licenses are valid.
Managing Licenses Using SmartUpdate
To manage licenses using SmartUpdate, select the SmartUpdate view in the SmartDomain Manager
Selection Bar. If you loaded SmartUpdate, you can also right-click a Multi-Domain Server object and select
Applications > SmartUpdate from the Options menu. Licenses for components and blades are stored in a
central repository.
To view repository contents:
1. Select SmartUpdate from the SmartDomain Manager Main menu.
2. Select SmartUpdate > Network Objects License & Contract > View Repository. The repository pane
shows in the SmartUpdate view.
To add new licenses to the repository:
1. Select SmartUpdate from the SmartDomain Manager Main menu.
2. Select SmartUpdate > Network Objects License & Contract > Add License.
3. Select a method for adding a license:
From User Center - Obtain a license file from the User Center.
From file - Import a license file to the repository.
Manually - Open the Add License window and enter the license information manually. You can copy
the license string from a file and click Paste License to enter the data.
You can now see the license in the repository.
To attach a license to a component:
1. Select SmartUpdate from the SmartDomain Manager Selection Bar.
2. Select SmartUpdate > Network Objects License & Contract > Attach License.
3. Select a license from the Attach Licenses window. The license shows as attached in the repository.
You can do a variety of other license management tasks using SmartUpdate. Refer to the R75.20 Security
Management Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12277) for details.
Adding Licenses from the Configure Domain Management Server Window
This section shows the procedure for adding Domain Management Server component and blade licenses
from the Configure Domain Management Server Window.
To add a Domain Management Server license from the Configure Domain Management Server window:
1. In the SmartDomain Manager, go to the General view.
2. Double-click a Domain Management Server. The Configure Domain Management Server window
opens.
3. Click Add License and select one of these options:
Add License Information Manually
a) Click Manually.
b) In the email message that you received from Check Point, select the entire license string (starting
with cplic putlic... and ending with the last SKU/Feature) and copy it to the clipboard.
c) In the Add License window, click Paste License to paste the license details you have saved on the
clipboard into the Add License window.
d) Click Calculate to display your Validation Code. Compare this value with the validation code that
you received in your email. If validation fails, contact the Check Point licensing center, providing
them with both the validation code contained in the email and the one displayed in this window.
Import a License File
a) Click Fetch From File.
b) In the Open window, browse to and double-click the desired license file.
From License Repository
a) Click From License Repository.
This option is only available if you have valid, unattached licenses in the repository.
b) In the Select Domain License window, click a Domain Management Server license.
The license automatically attaches to the Domain Management Server and the window closes.
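The license string you paste in step b) above is also what you would keep in a repository export, and the "License Violations" section earlier explains why its expiration date matters. The following Python script is an added example, not code from this guide or from Check Point: it parses license strings of the form the procedure describes (starting with cplic putlic and ending with the last SKU/Feature) and reports which ones are expired or about to expire. It assumes the fields after cplic putlic are host, expiration, signature and then one or more SKU/Feature tokens, with the expiration written either as never or as a date like 14Aug2011; the strings in SAMPLE_LICENSES are constructed, with placeholder signatures and SKUs, and would not validate against any product. The Validation Code is deliberately not recomputed here; compare it in the Add License window as the procedure says.

```python
from datetime import date, datetime

# The guide's publication date, used as "today" for the demonstration.
AS_OF = date(2011, 7, 13)


def parse_license(line: str) -> dict:
    """Split one 'cplic putlic ...' string into its fields (format is an assumption, see lead-in)."""
    parts = line.split()
    if len(parts) < 6 or parts[:2] != ["cplic", "putlic"]:
        raise ValueError(f"not a cplic putlic license string: {line!r}")
    host, expiration, signature, features = parts[2], parts[3], parts[4], parts[5:]
    expires = None if expiration.lower() == "never" else datetime.strptime(expiration, "%d%b%Y").date()
    return {"host": host, "expires": expires, "signature": signature, "features": features}


def license_status(lic: dict, today: date, warn_days: int = 30):
    """Return (status, days_left); status is one of permanent, expired, expiring, ok."""
    if lic["expires"] is None:
        return "permanent", None
    days = (lic["expires"] - today).days
    if days < 0:
        return "expired", days
    if days <= warn_days:
        return "expiring", days
    return "ok", days


def audit(lines, today: date, warn_days: int = 30) -> list:
    """Audit a list of license strings; blank lines and '#' comments are skipped."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        lic = parse_license(line)
        status, days = license_status(lic, today, warn_days)
        report.append((lic["host"], status, days, lic["features"][0]))
    return report


# Constructed examples: signatures and SKU names are placeholders, not real licenses.
SAMPLE_LICENSES = """
# permanent management license, a time-limited evaluation, and one that has already expired
cplic putlic 192.0.2.10 never aaaaaaaa-bbbbbbbb-cccccccc-dddddddd EXAMPLE-MDM-BLADE CK-0123456789AB
cplic putlic 192.0.2.10 14Aug2011 eeeeeeee-ffffffff-gggggggg-hhhhhhhh EXAMPLE-EVAL-DMS CK-0123456789AB
cplic putlic 192.0.2.11 01Jul2011 iiiiiiii-jjjjjjjj-kkkkkkkk-llllllll EXAMPLE-EVAL-GW CK-0123456789AC
""".splitlines()

if __name__ == "__main__":
    for host, status, days, sku in audit(SAMPLE_LICENSES, AS_OF, warn_days=45):
        print(f"{host:<12} {sku:<18} {status:<9} {'' if days is None else days}")
```

Run it against the strings you receive from Check Point before a planned maintenance window: an evaluation that lapses puts the Multi-Domain Server into the license violation state described earlier, in which no new Domain Management Servers can be defined.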
Administrators Management
Multi-Domain Security Management Administrators use SmartDomain Manager and SmartConsole clients to
manage the Multi-Domain Security Management deployment. Each administrator has permissions to
manage different aspects of the environment.
Creating or Changing an Administrator Account
This procedure lets you add a new administrator account or change an existing administrator account.
To add a new administrator account:
1. In the SmartDomain Manager, go to the Administrators view.
2. Right-click an empty area in the Administrators pane.
The Add Administrator window opens.
3. Continue to configure administrator properties as necessary.
To edit an existing administrator account:
1. In the SmartDomain Manager, go to the Administrators view.
2. Double-click an existing administrator in the Administrators pane.
The Edit Administrator window opens.
3. Continue to configure administrator properties as necessary.
Administrator - General Properties
The administrator general properties include basic information such as the administrator name, type and the
administrator expiration date.
To configure administrator general properties:
1. In the Add or Edit Administrator window, go to the General Properties pane.
2. Enter a unique Administrator Name.
The administrator name cannot contain spaces or special characters.
3. Select Launch Global SmartDashboard in Read Only mode if this administrator should be able to see but
not change settings in the Global SmartDashboard.
4. Optionally, add an email address or comment to this administrator definition.
Selecting an Administrator Type
Multi-Domain Security Management uses different administrator types, each with a different scope of
administrative authority. This table shows the different administrator types:
Administrator / Permissions

Multi-Domain Superuser: Manages the Multi-Domain Security Management deployment, including all
Domains, Multi-Domain Servers, Domain Management Servers, and administrator accounts.
Multi-Domain superusers can do these tasks for Multi-Domain Servers: add, edit or delete Multi-Domain
Servers and Multi-Domain Log Servers; allow or block access to the SmartDomain Manager.

Domain Superuser: Manages networks for all Domains using the SmartDomain Manager and SmartConsole
clients. Domain superusers can create, edit and delete Domains as well as see all Domain network objects.
Domain superusers can manage Global Managers, Domain Managers and None administrators. They cannot
configure the Multi-Domain Server environment or manage Multi-Domain Superusers.

Global Manager: Manages global policies, global objects and specified Domain networks. Global managers
can see information or do actions according to their permissions profile settings.
Global managers can manage Domain Managers and None administrators. Global managers can only see
network objects in their assigned Domains. They cannot create new Domains.

Domain Manager: Manages specified Domain networks. Domain managers can use SmartConsole clients to
see information or do actions according to their permissions profile settings.
Domain Managers can manage None administrators. They cannot access the Global SmartDashboard to
manage global objects and global policies.

None: Does not have permissions to manage Multi-Domain Security Management or use the SmartDomain
Manager. None administrators can manage specified Domain networks, using the SmartConsole clients.
To select an administrator type:
1. In the Add or Edit Administrator window, go to the General Properties pane.
2. Select Launch Global SmartDashboard in Read Only mode to prevent this administrator from
changing global properties.
3. Select an administrator type.
Configuring the Expiration Date
You can assign an expiration date to each administrator account. After this expiration date, the administrator
cannot:
Log in to the SmartDomain Manager.
Do actions in the Multi-Domain Security Management environment.
Use the SmartConsole clients.
Note - Multi-Domain Security Management account expiration has no effect on
operating system administrators. Operating system administrators, which are
different from Multi-Domain Security Management administrators, can always
access the Multi-Domain Server command line.
Multi-Domain Security Management includes tools for managing expiration dates and warning
administrators of impending expirations. Administrators can manage expiration dates for other
administrators with a lower level administrator type. Typically, Multi-Domain Security Management or
Domain superusers do these management tasks.
To configure the expiration date:
1. In the Add or Edit Administrator window, go to the General Properties pane.
2. Do one of these steps to set the expiration date:
Select Expire at and then select an expiration date using the calendar control.
OR
Select Never expires to prevent this administrator account from expiring.
You can configure the default expiration dates ("Configuring Default Expiration Settings" on page 46)
that appear in this window in the Multi-Domain Security Management window.
Configuring Authentication
All administrators must authenticate to log in to the SmartDomain Manager and manage the Multi-Domain
Security Management deployment. Select and configure an authentication method for this administrator.
To select and configure the authentication method:
1. In the SmartDomain Manager, create a new administrator or double-click an existing administrator.
2. In the Add or Edit Administrator window, go to the Authentication pane.
3. Select and configure one of these authentication methods:
Undefined - Administrators are not authenticated or are authenticated by a certificate created in the
Certificates pane.
SecurID - Administrators enter a one-time password as displayed on the SecurID smart card.
Check Point Password - Administrators enter the Check Point products password.
Enter and confirm the password.
OS Password - Administrators authenticate using their operating system password.
RADIUS - Administrators authenticate by a password defined on the specified RADIUS server.
TACACS - Administrators authenticate by a password defined on the specified TACACS server.
Configuring Certificates
You can create a certificate that lets administrators connect to the Multi-Domain Server and Domain
Management Servers. You can also revoke an existing certificate.
To create a certificate:
1. In SmartDomain Manager, create a new administrator or double-click an existing administrator.
2. In the Add or Edit Administrator window, go to the Authentication pane.
3. Click Generate and save.
4. In the message box, click OK to continue.
5. Enter and confirm the certificate password.
6. Save the certificate.
To revoke an existing certificate:
1. In SmartDomain Manager, create a new administrator or double-click an existing administrator.
2. In the Add or Edit Administrator window, go to the Authentication pane.
3. Click Revoke.
4. In the message box, click OK to confirm.
Entering Administrator Properties
The Administrator Properties pane contains optional information, typically contact information or other
descriptive data. Administrators with applicable permissions (typically superusers) define the fields
("Defining Administrator Properties" on page 42) that show in the Administrator Properties pane.
To enter administrator properties information:
1. In SmartDomain Manager, create a new administrator or double-click an existing administrator.
2. In the Add or Edit Administrator window, go to the Administrator Properties pane.
3. Enter information in the property fields as necessary.
Deleting an Administrator
To delete an administrator:
1. In the SmartDomain Manager, go to the Administrators pane.
2. Right-click an existing administrator and then select Delete Administrator.
3. Click Yes in the confirmation window.
Defining Administrator Properties
The Administrator Properties pane includes optional information fields, typically contact information or
other descriptive data. Administrators with applicable permissions define the fields that show in the
Administrator Properties pane.
To define the fields that show in the Administrator Properties pane:
1. Select Multi-Domain Security Management Properties from the SmartDomain Manager menu.
2. Go to the Administrator Fields pane.
3. Do one or more of these actions:
To add a new property field, click Add and then enter the field name in the pop-up window.
To delete a property field, select an existing field and then click Remove.
To change a property field name, click Edit and then enter a new field name.
To change the display order of a property field, select a field and then click the Up or Down arrow to
move it.
Defining Administrator Groups
Administrator groups are related collections of administrator accounts. This lets you manage and do
operations on many administrators simultaneously.
Creating a New Group
To create a new administrator selection group:
1. In the SmartDomain Manager, select Manage > Selection Groups > Administrator Groups.
2. In the Administrator Selection Groups window, click Add.
3. In the Add Group window, enter a unique group name.
Group names cannot contain spaces or special characters.
4. Select administrators from the Not in Group list and then click Add.
The administrators show in the In Group list.
Changing or Deleting a Group
To change an administrator selection group:
1. In the SmartDomain Manager, select Manage > Selection Groups > Administrator Groups.
2. In the Administrator Selection Groups window, select a group and then click Edit.
3. Select administrators from the Not in Group list and then click Add.
The administrators show in the In Group list.
To delete an administrator selection group:
1. In the SmartDomain Manager, select Manage > Selection Groups > Administrator Groups.
2. In the Administrator Selection Groups window, select a group and click Edit.
3. In the confirmation window, click OK.
Managing Administrator Account Expiration
You can assign an expiration date to each administrator. After this expiration date, the administrator cannot
log in to the SmartConsole clients or do actions in the Security Management Server environment.
Note - Account expiration has no effect on operating system administrators.
Operating system administrators are different from administrators defined in
SmartDomain Manager and can continue to access the command line.
SmartDomain Manager includes tools for managing expiration dates and warning administrators of
impending expirations.
Working with Expiration Warnings
There are different methods to give warnings that administrator accounts will expire in a short time or have
already expired. This section gives explanations for these warnings and procedures for correcting the issue.
Log In Warning
This warning message opens after you log in to the SmartDomain Manager if your administrator account is
about to expire.
Speak to the administrator responsible for managing your administrator account to update the expiration
date. If you have the applicable permissions, you can change the expiration date ("Configuring the
Expiration Date" on page 40) in your own account.
The administrator can disable this warning message by selecting the Do not show this again option. She
can re-enable the warning by selecting Enable administrator expiration warning from the SmartDomain
Manager Manage menu.
Using the Expired Accounts Window
The Expired Accounts window shows all administrator accounts that have expired or are near their
expiration date. If there are administrators in this condition, the Expired Accounts link shows in the
SmartDomain Manager status bar.
To use the Expired Accounts window, you must activate this feature ("Configuring Default Expiration
Settings" on page 46) in the Administrator Global Properties pane in the Multi-Domain Security
Management Properties window. By default, the Expired Accounts window is activated.
To open the Expired Accounts window, click the link.
These icons show the current status of each account (the icon images are not reproduced here):
Account is active.
Account will expire soon.
Account has expired.
Expiration warning ignored.
By default, the Expired Accounts window is enabled.
To disable the Expired Accounts window, select the Don't show this again option. Alternatively, you can
select Administrators from the Selection bar and then select Manage > Cancel Administrators
Expiration Warning from the menu.
To re-enable the Expired Accounts window, select Administrators from the Selection bar and then select
Manage > Enable Administrators Expiration Warning from the menu.
To change the expiration date from this window:
1. Select an administrator account and then click Update.
2. In the Update Expiration Date window, do one of these steps to change the expiration date:
Select Expire at and then select an expiration date from the calendar control.
OR
Select Never expires to prevent this administrator account from expiring.
To change administrator account settings, select an administrator and then click Edit.
To deactivate expiration warnings for one administrator account, select the account and then click Ignore.
To deactivate expiration warnings for all administrator accounts, do the procedure for setting default
expiration parameters.
Add or Change Administrator Window Warning
This warning shows in the administrator General Properties pane if the account is about to expire. Make
sure that the expiration date is correct and update if necessary.
Configuring Default Expiration Settings
The default expiration settings show when you define a new administrator account. These settings include:
The default expiration date.
The number of days before expiration that warnings show after log in.
The number of days before expiration that the administrator account shows in the Expired Accounts
window.
To configure the default expiration parameters:
1. In the SmartDomain Manager, select Manage > Multi-Domain Security Management Properties.
2. In the Multi-Domain Security Management Properties window, select Administrator Accounts.
3. In the Administrator Accounts window, set the expiration date using one of these options:
Never Expires - Select if this administrator account does not expire.
Expire at - Select and then click the arrow on the text box. Select the expiration date using the
calendar control.
Expire after - Select and enter the number of days (from today) before this account expires.
4. Select Notify during login to show an expiration warning message when an administrator logs in. Enter
the number of days before expiration that a warning shows.
5. Select Show indication on status bar to activate the Expired Accounts link. This link opens the
Expired Accounts window.
6. Select Allow global and customer managers to create/edit permission profiles to let these
administrators create or change other administrator accounts.
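The following is an added example, not part of this guide or of the product, that models how the default expiration settings above and the Expired Accounts window statuses fit together. It assumes two separate warning thresholds (one for the login warning, one for the status bar list), that an account remains usable through its expiration date, and that Ignore only suppresses the warning; all dates and day counts are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ExpirationDefaults:
    """Settings from the Administrator Accounts pane (constructed values)."""
    expire_after_days: Optional[int] = 365    # "Expire after" N days; None = "Never Expires"
    notify_during_login: bool = True          # "Notify during login"
    login_warning_days: int = 14              # days before expiration that the login warning shows
    show_on_status_bar: bool = True           # "Show indication on status bar"
    status_bar_warning_days: int = 30         # days before expiration that an account is listed


@dataclass
class Administrator:
    name: str
    expire_at: Optional[date]          # None = "Never expires"
    warning_ignored: bool = False      # "Ignore" clicked in the Expired Accounts window


def default_expire_at(defaults: ExpirationDefaults, today: date) -> Optional[date]:
    """Expiration date pre-filled for a new administrator account."""
    if defaults.expire_after_days is None:
        return None
    return today + timedelta(days=defaults.expire_after_days)


def account_status(admin: Administrator, today: date, warning_days: int) -> str:
    """One of the four states shown as icons in the Expired Accounts window.

    Assumption (not stated in the guide): the account is still usable on its
    expiration date and becomes expired the day after.
    """
    if admin.expire_at is None:
        return "active"
    if admin.expire_at < today:
        return "expired"
    if (admin.expire_at - today).days <= warning_days:
        # Ignore suppresses the warning but does not change the date
        return "ignored" if admin.warning_ignored else "expiring"
    return "active"


def login_warning(admin: Administrator, defaults: ExpirationDefaults,
                  today: date) -> Optional[str]:
    """Message shown after login, or None when no warning applies."""
    if not defaults.notify_during_login or admin.warning_ignored:
        return None
    if account_status(admin, today, defaults.login_warning_days) != "expiring":
        return None
    days_left = (admin.expire_at - today).days
    return (f"Administrator account '{admin.name}' expires in {days_left} day(s) "
            f"on {admin.expire_at.isoformat()}")


def expired_accounts_window(admins: List[Administrator], defaults: ExpirationDefaults,
                            today: date) -> List[Tuple[str, str]]:
    """Accounts that make the Expired Accounts link appear in the status bar."""
    if not defaults.show_on_status_bar:
        return []
    listed = []
    for admin in admins:
        status = account_status(admin, today, defaults.status_bar_warning_days)
        if status != "active":
            listed.append((admin.name, status))
    return listed
```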
Working with Permission Profiles
A permissions profile is a predefined set of SmartConsole administrative permissions that you assign to
administrators and Domains. This feature lets you manage complex, granular permissions for many
administrators with one definition. Permission profiles do not apply to SmartDomain Manager activities.
When you assign an administrator account to a domain, you must assign a permissions profile ("Assigning
Permission Profiles" on page 82). You can assign a predefined permissions profile or you can create a
unique, Domain-specific permissions profile for the administrator.
Administrators with applicable permissions can create and manage permissions profiles. By default, only
superusers can create or configure permissions profiles. You can change the global properties ("Configuring
Permissions" on page 48) to let global and Domain managers create and configure permission profiles for
their assigned Domains.
Multi-Domain Security Management includes default permissions profiles:
None_All_Profile - Administrators cannot use SmartConsole applications to see or configure settings.
Read_Only_All_Profile - Administrators can use SmartConsole only to see information. They cannot
configure settings.
Read_Write_All_Profile - Administrators can use SmartConsole applications to see and configure all
settings.
Read_Write_All_Profile_no_dlp - Administrators can use SmartConsole applications to see and
configure all settings with the exception of DLP.
You can assign one of the default permissions profiles to any administrator and domain.
Permission Profiles and Domains
You can assign a different permissions profile to an administrator account for each Domain that he or she
manages. This lets you adapt an administrator's permissions to the requirements of each Domain in your
deployment. You cannot assign permissions profiles to superusers because they automatically have full
read/write permissions to all domains.
For example, global managers typically manage multiple Domains. To define permissions according to
Domain responsibilities, you can create permissions profiles that let a global manager do different actions in
specified Domains:
For some Domains, a global manager has full permissions to see and configure all Security
Management Server features.
For other Domains, a global manager can use SmartConsole clients to see but not to change the
Security Management Server configuration.
For a confidential Domain, the global manager cannot see or configure anything. Only the Domain
manager has full permissions.
For some Domains, the global manager has permissions that are unique to those Domains.
To manage these requirements, you can assign a different permissions profile to the global manager for
each Domain in your deployment. You assign the Domain manager to the confidential Domain and give her
a full permissions profile.
Configuring Permissions
This section includes procedures for creating, changing and deleting permission profiles. Administrators with
the applicable permissions can create, edit or delete permissions profiles.
To create a new permissions profile:
1. In SmartDomain Manager, select Administrator in the Selection bar.
2. Select Manage > Manage Permissions Profiles.
3. In the Permissions Profile window, click New and then select Permissions Profile.
4. In the Permissions Profile Properties window, configure permissions profile settings.
Note - You can also create a new permissions profile while assigning a profile to an
administrator in a Domain.
To change an existing permissions profile:
1. In SmartDomain Manager, select Administrator in the Selection bar.
2. Select Manage > Manage Permissions Profiles.
3. In the Permissions Profile window, click Edit.
4. In the Permissions Profile Properties window, configure permissions profile settings.
To delete an existing permissions profile:
1. In SmartDomain Manager, select Administrator in the Selection bar.
2. In SmartDashboard, select Manage > Manage Permissions Profiles.
3. In the Permissions Profile window, click Delete.
4. Click Yes to confirm.
To configure permissions profile settings:
1. In the Allow access via section, select one of these options:
Management Portal and SmartConsole Applications
Management Portal only
2. In the Permissions section, select one of these options:
Read/Write All - The administrator can see and configure all Security Management Server objects,
policies and features.
Read only - The administrator can see, but not configure Security Management Server objects,
policies and features.
Customized - You define permissions to see and configure each Security Management Server
object, policy and feature separately.
Configuring Customized Permissions
If you select Customized Permissions, you can define permissions for each Security Management Server
resource (object, policy and feature) separately. The resources show on four different panes in the
Administrator Permission Configuration window.
Each pane contains a list of related resources.
To configure customized permissions:
1. In the Permissions section, select Customized and then click Edit.
2. Select a pane in the Administrator Permissions Configuration window:
General - Security policy, blades and features
Monitoring and Logging - Monitoring and logging options
Events and Reports - SmartEvent and SmartReporter features
Provisioning - SmartProvisioning features and scripting
3. Set permissions for the resources:
To prevent the administrator from seeing or configuring a resource, clear its checkbox.
To let the administrator see a resource (but not change it), select its checkbox and then select Read
only.
To let the administrator see and configure a resource, select its checkbox and then select
Read/Write.
Notes:
You cannot prevent administrators from seeing some resources. These resources have checkboxes with
a shaded background.
Some resources do not have permission selections. You can only select or clear them.
Managing Permission Profiles
By default, only Global and Domain superusers can create and configure permissions profiles. You can
optionally let Global and Domain managers create and configure permissions profiles. Administrators with
None permissions cannot manage permission profiles.
To let Global and Domain administrators manage permissions profiles:
1. Select Manage > Multi-Domain Security Management properties from the SmartDomain Manager
menu.
2. In the Multi-Domain Security Management Properties window, select Administrator Accounts.
3. In the Administrator Accounts pane, select the Allow Global and Domain Managers to create/edit
permissions profiles option.
To See the Latest Changes to Permissions Profiles
To see information about the latest changes to a permissions profile:
1. In the SmartDomain Manager, select Administrators (in the Selection Bar) > Manage > Permissions
Profiles.
2. Select a permissions profile.
3. In the Permissions Profiles window, click Actions > Last Modified.
The Last Modification window opens.
This window shows:
Date of the last change
Administrator who made the change
GUI client used to make the change
Seeing Administrators Using a Permissions Profile
To see which administrators are using a permissions profile:
1. In SmartDomain Manager, select Administrators (in the Selection bar) > Manage > Manage
Permissions Profiles.
2. Select a permissions profile.
3. In the Permissions Profiles window, click Actions > Where used.
The Object Managers References window opens.
Merging Identical Permissions Profiles
It is a security best practice to remove identical permissions profiles and to keep the number of permissions
profiles to a minimum. This makes the maintenance of permissions profiles easier.
Multi-Domain Security Management lets you find identical permissions profiles and merge them into one
profile.
To find and merge identical permissions profiles:
1. In the SmartDomain Manager, select Administrators.
2. Select Manage > Manage Permissions Profiles from the menu.
3. Select a permissions profile.
4. Click Actions and then select Find profiles identical to this.
5. Click Unify (or Unify to Default):
If the selected profile or profiles are identical to a default profile, they automatically merge with the
default profile. Duplicate profiles are deleted.
If the selected profile or profiles are not identical to a default profile, they automatically merge with
the selected profile. Duplicate profiles are deleted.
If you select the Unify Permission Profiles Name option, enter a profile name (or accept the
default name). The selected profile or profiles merge with the name you entered. Duplicate profiles
are deleted.
Note - You cannot merge a default profile with an administrator-defined profile. If
you try to do this, an error message shows.
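The following is an added example, not code from this guide or from the product, that models the Where used lookup and the Unify logic described above: profiles with identical settings are found, assignments are re-pointed to the surviving profile, and the duplicates are removed. The profile fields, the assignment structure and the reading that a default profile always wins the merge (so a custom unified name in that case is an error) are assumptions; sample profiles and assignments are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# The four default profiles listed in this chapter.
DEFAULT_PROFILES = frozenset({
    "None_All_Profile", "Read_Only_All_Profile",
    "Read_Write_All_Profile", "Read_Write_All_Profile_no_dlp",
})


@dataclass(frozen=True)
class PermissionProfile:
    name: str
    access_via: str                  # "portal_and_smartconsole" or "portal_only"
    permissions: str                 # "read_write_all", "read_only" or "customized"
    customized: FrozenSet[Tuple[str, str]] = frozenset()  # (resource, "read_only"/"read_write")

    def signature(self):
        """Everything except the name: equal signatures mean identical profiles."""
        return (self.access_via, self.permissions, self.customized)


# "Where used": (administrator, Domain) pair -> name of the assigned profile.
Assignments = Dict[Tuple[str, str], str]


def where_used(assignments: Assignments, profile_name: str) -> List[Tuple[str, str]]:
    """Administrators (per Domain) that use the given profile."""
    return sorted(key for key, name in assignments.items() if name == profile_name)


def find_identical(profiles: Dict[str, PermissionProfile], selected: str) -> List[str]:
    """Names of other profiles with the same settings as the selected one."""
    target = profiles[selected].signature()
    return sorted(n for n, p in profiles.items() if n != selected and p.signature() == target)


def unify(profiles: Dict[str, PermissionProfile], assignments: Assignments,
          selected: str, unified_name: Optional[str] = None
          ) -> Tuple[Dict[str, PermissionProfile], Assignments]:
    """Merge identical profiles into one and re-point every assignment.

    Target choice follows the guide: a default profile in the group wins;
    otherwise the selected profile, or the name entered with the
    'Unify Permission Profiles Name' option.
    """
    group = [selected] + find_identical(profiles, selected)
    defaults_in_group = [n for n in group if n in DEFAULT_PROFILES]
    if defaults_in_group:
        if unified_name is not None and unified_name not in defaults_in_group:
            raise ValueError("cannot merge a default profile with an "
                             "administrator-defined profile")
        target = defaults_in_group[0]
    else:
        target = selected if unified_name is None else unified_name
    survivor = PermissionProfile(target, *profiles[selected].signature())
    new_profiles = {n: p for n, p in profiles.items() if n not in group}
    new_profiles[target] = survivor
    new_assignments = {k: (target if v in group else v) for k, v in assignments.items()}
    return new_profiles, new_assignments
```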
Showing Connected Administrators
In the Connected Administrators view, you can see all administrators currently connected to Multi-Domain
Security Management. To show connected administrators information, select Connected Administrators in
the SmartDomain Manager Selection bar.
This information shows in the Connected Administrators pane:
Management - Type of GUI Client connected to the SmartDomain Manager.
Domain - Domain that the administrator connects to.
Administrator - Administrator name.
Application - Type of GUI client that the administrator is using.
GUI Client - GUI client IP address or DNS host name.
Login Time - Date and time that the administrator logged in.
Database - Database status:
Locked - The administrator is using SmartDashboard and has exclusive Read/Write access
permissions to the Domain Management Server. The database is locked.
No Status - The administrator is using SmartDashboard with Read Only access permissions or is
using a different GUI client.
Action Status - Status of requests to disconnect a GUI client:
Disconnection Request - Disconnection request is being processed. This status shows only to the
user who is disconnecting.
Disconnect on - Shows the date and time when the GUI client is to be disconnected.
Cancellation Request - Request to cancel a disconnection request. The disconnection request can
occur up to 60 minutes from the current time. Administrators can only disconnect connections for
other administrators.
Chapter 4
Global Policy Management
In This Chapter
Security Policies 54
Global SmartDashboard 56
Creating a Global Policy through Global SmartDashboard 58
Global IPS 59
Assigning Global Policy 63
Configuration 68
Security Policies
The Need for Global Policies
Besides security policies for a specific set of gateways, administrators need to create policies that apply to
all or to a group of Domains. This separation between different levels of policies, and different types of
policies, means that Domain-level security rules do not need to be reproduced throughout the entire Multi-
Domain Security Management environment.
Security policies can be created and privately maintained for each Domain. Global policies enforce security
for the entire Multi-Domain Security Management system or for a group of Domains.
Figure callouts (the figure itself is not reproduced here):
Step 1 - Administrator creates or changes global policy
Step 2 - Administrator assigns global policy to Domain
Step 3 - Domain Management Server rule base inherits global policy rules
Step 4 - Domain Management Server installs policy to Security Gateways
10 - Network Operations Center
11 - Multi-Domain Server
12 - Security Gateway
A, B, C - Domain networks
The Global Policy as a Template
Security policies can be created and privately maintained per Domain. Some security rules need to be
enforced for all Domains. Global policies can serve as security templates with rules that are applied to many
Domains, and their individualized security policies.
Types of Global Policies can be designed for groups of Domains with similar security needs. This eliminates
the need to recreate identical policies for each Domain. This feature greatly improves management
efficiency. A service provider may use Global Policy rules to provide Domains with access to common MSP
services but does not allow Domains to access private information about each other.
An MSP may provide several basic types of security policies. Rather than recreate the rule base for each
new Domain, they can create a Global Policy for banks, a different Global Policy for independent dentists
and therapists, and a Global Policy for small businesses, such as grocery stores, florists, gas stations or tax
accountants.
An enterprise may use a Global Policy to set corporate wide policies. For example, an airline company with
many branches and sales-offices, sales points and Domain check-in facilities may want to set rules for many
different types of standard access needs. Rather than painstakingly recreating the same rule or set of rules
for each branch, a global security policy can secure access across the board.
Global Policies and the Global Rule Base
Global policies are created using the global rule base, which contains a hierarchy of rules. In a Global
Policy, you define common (global) rules, which are given priority in the rule base. These rules can be
distributed (or assigned) to whichever Domains you choose. The Global Policy rule base is similar to the
management rule base, except that it includes a demarcation, or "placeholder", for Domain-specific rules.
The placeholder signifies that all the rules before and after it are global rules. The rule base layout is
hierarchical: the most important global rules are highest up in the rule base and take precedence over the
Domain rules. Global rules that are designated as being of lower priority than Domain rules appear below
the placeholder.
The rules of the Global Policy are not specific to a single policy of a single Domain, but apply to all Domains
assigned the Global Policy.
Global rules can serve many uses. They can be used to rapidly implement defense against new cyber-
attacks or viruses. They can be used to prevent logging for specific types of traffic in order to reduce the
amount of information in log files. They can be used to set up rules for Domain Management Server
communication management, such as allowing additional GUI Clients to be implemented at Domain sites.
Only one set of objects is used for all the Global Policies. The Global Policies database contains this set of
objects, which can be used in any global rule in any Global Policy. The administrator creates these objects
using Global SmartDashboard. Global Object icons are displayed with a purple G. For example, a Global
Check Point Node has an icon marked with a purple G.
Global policies can be assigned to one or more Domains. Once Global Policies are assigned to a Domain
Management Server, they become part of the Domain Management Server rule base. The entire Domain
Management Server rule base, including assigned global rules, can then be installed onto selected Security
Gateways.
Global SmartDashboard
Introduction to Global SmartDashboard
The Global SmartDashboard is used to maintain the Global Policy Rule Base. You use it to configure rules
and network objects at the Multi-Domain Security Management system level.
SmartDashboard differs from Global SmartDashboard in that it operates only at the Domain level and below.
After a Global Policy is assigned to a Domain, SmartDashboard for the Domain Management Server will
show global rules automatically inserted either above or below editable Domain rules. The Domain
administrator can create or edit Domain rules using SmartDashboard, and then install the policy onto the
Security Gateway.
When a Global Policy is assigned to a Domain, the global rules are read-only in the Domain
SmartDashboard. Domain administrators cannot edit global rules or Global Objects from SmartDashboard.
Global Services
Default services defined by Security Gateway are available for global use. Other services need to be
defined. To avoid name collisions, give global services unique names that are not the same as service
names in the Domain Management Servers' databases.
Dynamic Objects and Dynamic Global Objects
Dynamic objects are generic network items, such as a host or server object, that have no IP address
specified. The administrator creates them in SmartDashboard, and uses them to create generic rules for
Domain gateways. At each gateway, the dynamic object can be translated into a specific local computer,
host or other network object, with an IP address.
Global rules may similarly use dynamic Global Objects, which are generic items (such as a web server) that
can be applied to any network. Global objects are defined through the Global SmartDashboard and are
downloaded to the Domain Management Servers.
At the global level, an administrator defines dynamic Global Objects in addition to standard Global Objects
which are available in the Global SmartDashboard. Once a Global Policy is assigned to a Domain, the
dynamic global object is replaced by a corresponding Domain object. This makes it possible to create global
rules without requiring that the rule use specific network objects. This allows the administrator to create rules
that are "templates."
A dynamic global object serves as a virtual placeholder for a network element. The network element type
can be anything that the administrator designates, including gateways, hosts, services, or even groups. A
dynamic global object is created in the Global SmartDashboard with the suffix _global (for example,
FTPserver_global). This object is applied to a global rule.
To "translate" the dynamic global object, the administrator creates an object in SmartDashboard with the
same name, but with an IP address and other details. The Domain database substitutes the dynamic global
object in the global rule with the local object from the Domain Management Server database. Alternatively,
the dynamic global object is replaced with a Domain Management Server dynamic object, and the object is
assigned an IP at the gateway level.
To understand how the dynamic global object is used, let us consider an example. An administrator creates
a global rule applying to a dynamic global object representing a generic ftp server. But instead of specifying
exactly which ftp servers and their IP addresses will be affected by the rule, the servers are represented by
a dynamic global object (FTPserver_global).
In each Domain Management Server, the Domain administrator will define a host object with the same
name. During the assignment of the Global Policy, the references to the global dynamic object in different
rules will be replaced by the reference to the local host object with the same name. The _global syntax
triggers the reference replacement mechanism.
Applying Global Rules to Gateways by Function
It is possible to create Security Rules in Global SmartDashboard that are installed on certain gateways or
groups of gateways and not others. Thus gateways with different functions on a single Domain Management
Server can receive different security rules designed for a specific function or environment. When installing
global policy to a number of similarly configured Domain Management Servers, the relevant global rules are
installed to all of the relevant gateways on each Domain Management Server.
This feature is particularly useful for enterprise deployments of Multi-Domain Security Management, where
Domain Management Servers typically represent geographic subdivisions of an enterprise. For example, an
enterprise deployment may have Domain Management Servers for business units in New York, Boston, and
London, and each Domain Management Server will be similarly configured, with a gateway (or gateways) to
protect a DMZ, and others to protect the perimeter. This capability allows an administrator to configure the
global policy so that certain global security rules are installed to DMZ gateways, wherever they exist, and
different rules are installed to the perimeter gateways.
Note - Global security rules can be installed on Security Gateways,
Edge gateways, SmartProvisioning Profiles, and Open Security
Extension (OSE) devices.
To install a specific security rule on a certain gateway or types of gateways:
1. Launch Global SmartDashboard for the relevant Global Policy.
2. In the Objects Tree, right-click Dynamic Objects and select New Dynamic Object.
3. Name the dynamic object, and add the suffix _global to the end of the name.
4. On the Firewall tab, create rules to be installed on gateways with this function, and drag the dynamic
object you created into the Install On column for each rule.
5. Launch the SmartDashboard for each relevant Domain Management Server.
6. Create a group object with the name of the dynamic object you created, including the suffix _global.
Note - While you can name a gateway with the name of the global
Dynamic Object, it is recommended to create a group to preserve
future scalability (for instance, to include another gateway with this
function). It is not recommended to change the name of an existing
gateway to the dynamic object name.
7. Add all gateways on the Domain Management Server that you want to receive global security rules with
this target to the group.
8. Select File > Save.
9. From the SmartDomain Manager, re-assign the global policy to the relevant Domains.
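The following is an added example, not code from this guide or from the product, that models three mechanisms described in this section: the placeholder ordering of the merged rule base (global rules above, Domain rules, global rules below), the replacement of a _global dynamic object by the same-named local object, and the Install On column resolving to a Domain group so that a rule reaches only gateways with that function. The object model, the "Policy Targets" label, the sample New York Domain and the choice to refuse an assignment when a _global reference has no local counterpart are assumptions; all names and addresses are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, List

GLOBAL_SUFFIX = "_global"        # names ending in _global trigger reference replacement
ALL_TARGETS = "Policy Targets"   # assumed label: Install On value meaning every Domain gateway


@dataclass(frozen=True)
class Rule:
    name: str
    source: str
    destination: str
    service: str
    action: str
    install_on: str = ALL_TARGETS     # a gateway name, a group name, or ALL_TARGETS
    origin: str = "domain"            # "global" rules are read-only in Domain SmartDashboard


@dataclass
class GlobalPolicy:
    above_placeholder: List[Rule]     # take precedence over Domain rules
    below_placeholder: List[Rule]     # evaluated after Domain rules


@dataclass
class DomainDatabase:
    objects: Dict[str, dict]          # name -> {"type": ..., "ip": ... or "members": [...]}
    rules: List[Rule]                 # the Domain's own editable rules


def resolve_reference(ref: str, db: DomainDatabase) -> dict:
    """Replace a dynamic global object with the same-named object of the Domain."""
    if not ref.endswith(GLOBAL_SUFFIX):
        return {"name": ref, "type": "global_object"}   # ordinary Global Object, used as-is
    if ref not in db.objects:
        # Assumption: refuse the assignment rather than silently dropping the rule
        raise LookupError(f"Domain has no object named {ref} to replace the dynamic global object")
    return dict(db.objects[ref], name=ref)


def gateways_for_rule(rule: Rule, db: DomainDatabase) -> List[str]:
    """Expand the Install On column into the names of the Domain's gateways."""
    gateways = sorted(n for n, o in db.objects.items() if o["type"] == "gateway")
    if rule.install_on == ALL_TARGETS:
        return gateways
    target = resolve_reference(rule.install_on, db)
    if target["type"] == "group":
        return [m for m in target["members"] if m in gateways]
    return [target["name"]] if target["name"] in gateways else []


def assign_global_policy(policy: GlobalPolicy, db: DomainDatabase) -> List[Rule]:
    """Build the Domain rule base: global rules above, Domain rules, global rules below."""
    def import_rule(rule: Rule) -> Rule:
        for ref in (rule.source, rule.destination, rule.service, rule.install_on):
            if ref != ALL_TARGETS:
                resolve_reference(ref, db)   # raises if a _global reference cannot be replaced
        return replace(rule, origin="global")
    return ([import_rule(r) for r in policy.above_placeholder]
            + list(db.rules)
            + [import_rule(r) for r in policy.below_placeholder])


def policy_for_gateway(rule_base: List[Rule], gateway: str, db: DomainDatabase) -> List[str]:
    """Names of the rules installed on one gateway, in rule-base order."""
    return [r.name for r in rule_base if gateway in gateways_for_rule(r, db)]


def sample_new_york_domain() -> DomainDatabase:
    """Constructed sample Domain with one DMZ gateway and one perimeter gateway."""
    return DomainDatabase(
        objects={
            "ny_dmz_gw": {"type": "gateway", "ip": "192.0.2.1"},
            "ny_perimeter_gw": {"type": "gateway", "ip": "192.0.2.2"},
            "ny_web_server": {"type": "host", "ip": "192.0.2.20"},
            # group named after the global Dynamic Object, as step 6 above requires
            "DMZ_gateways_global": {"type": "group", "members": ["ny_dmz_gw"]},
            # host named after the dynamic global object used in the global rule
            "FTPserver_global": {"type": "host", "ip": "192.0.2.10"},
        },
        rules=[Rule("ny_web", "Any", "ny_web_server", "http", "accept")],
    )


def sample_global_policy() -> GlobalPolicy:
    """Constructed sample Global Policy: one rule above and one below the placeholder."""
    return GlobalPolicy(
        above_placeholder=[Rule("drop_telnet", "Any", "Any", "telnet", "drop")],
        below_placeholder=[Rule("ftp_to_dmz", "Any", "FTPserver_global", "ftp", "accept",
                                install_on="DMZ_gateways_global")],
    )
```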
Synchronizing the Global Policy Database
The Global Policy database is synchronized on all Multi-Domain Servers automatically, or manually,
depending on the settings. Global policies must be synchronized for the entire system, since they are
system-wide security templates, and the entire system uses the same Global Objects. Synchronization is
performed when the Global Policy is saved, or at a configurable interval.
Creating a Global Policy through Global
SmartDashboard
Global policies are created using the Global SmartDashboard. Domain policies are made using
SmartDashboard launched using the Domain Management Server. Let us consider an MSP that wants to
implement a rule which blocks unwanted services at Domain sites. The Multi-Domain Security Management
Superuser, Carol, wants to set up a rule which allows Domain administrators discretion to decide which
computers are allowed to access the Internet.
Once she has created a Global Policy including this rule, she assigns/installs it for specific Domains and
their network gateways. Each Domain administrator must then create, in the Domain Management Server
database, a group object with the same name as the global dynamic object. This is done through
SmartDashboard. In this way, local administrators translate the dynamic global object into a set of network
objects from the local database.
For details about using SmartDashboard, refer to the R75.20 Security Management Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12277). The differences between the
SmartDashboard and the Global SmartDashboard are as follows:
Feature: Rule Base
  Domain SmartDashboard: Local, applying to the Domain network only. Consists of Domain Security
  Rules and Global Rules (in Read Only mode) if the Global Policy is assigned to the Domain. Is not
  associated with the other Domain security policies. Each Domain policy is independent, with its own
  rules.
  Global SmartDashboard: Global, applying to multiple networks of all Domains assigned this Global
  Policy. Consists of both Global Rules and a placeholder for Domain rules. Automatically added to all
  of the assigned Domains' security policies. All the assigned Domains' policies share the global rules.
Feature: Network Objects
  Domain SmartDashboard: Local, applying to this network only.
  Global SmartDashboard: Global, applying to multiple networks of all Domains assigned this Global
  Policy.
Feature: Global Properties
  Domain SmartDashboard: Enabled.
  Global SmartDashboard: Disabled (manipulation is through the Domain SmartDashboard).
Feature: Saving a Security Policy
  Domain SmartDashboard: Adds the security policy to the list of Domain security policies.
  Global SmartDashboard: Adds the Global Policy to the Global Policies database (and displays it in the
  Global Policies Tree of the SmartDomain Manager).
Note - Global SmartDashboard cannot be used to create Connectra or
Security Gateway objects. Instead, use a SmartDashboard connected
to a specific Domain Management Server to create these objects.
Global IPS
Introduction to Global IPS
You can manage IPS protections for multiple Domains by including IPS profiles in Global Policies. You then
assign a global policy to each Domain Management Server. You can include multiple IPS Profiles in a global
policy. Administrators can assign any of the IPS profiles included in the global policy to specified gateways
managed by a Domain Management Server. Administrators can also make some limited changes to IPS
profiles using the Domain Management Server SmartDashboard.
Important - If you manage an IPS Sensor using a global policy, you
must activate sensor management in the Global SmartDashboard.
To activate sensor management in Global
SmartDashboard:
1. Select Policy > Global Properties > IPS.
2. In the Global Properties pane, enable the Manage IPS-1
Sensors and IPS Software Blade option.
The global nature of Global IPS refers to the ability to set IPS Profiles for all subscribed Domains from the
Global SmartDashboard. However, the Domain Management Server administrator for each Domain can
assign different profiles to each gateway and modify the IPS protections in certain ways once they have
been installed. So in this case, the term global does not imply read only, as it does in the case of the Global
Security Policy.
IPS in Global SmartDashboard
The Global IPS Policy is configured on the IPS tab in the Global SmartDashboard.
IPS protections available in the Global SmartDashboard are identical to the default settings and protections
for a Domain Management Server. Any changes made to the Global Profiles apply to all Domain
Management Servers subscribed to the IPS service.
Note - You must have an Enterprise Software Subscription to update
IPS protections. Enterprise Software Subscriptions are available for
purchase at the User Center (http://usercenter.checkpoint.com).
IPS Profiles
An IPS Profile is a complete set of configured IPS protections that can be applied to multiple gateways. On
the Domain Management Server, multiple IPS Profiles can be assigned to suit gateways that are exposed to
different types of threats.
Global SmartDashboard supports multiple IPS Profiles. Changes made to IPS protections for a Global
Profile are replicated when the Global Policy is assigned to Domain Management Servers that are
subscribed to the IPS Service.
For further details regarding IPS Profiles, See the R75.20 IPS Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12270).
Managing IPS Profiles
You manage IPS Profiles using the IPS tab in the Global SmartDashboard. Select Profiles from the
Navigation Tree to view all Profiles and make changes.
Creating a New IPS Profile
To create a new IPS Profile:
1. In SmartDashboard (Global or Domain Management Server), select the IPS tab.
2. Select Profiles.
3. Select New and either Create New Profile or Clone Selected Profile (to clone a profile, one must be
selected).
4. Enter a Profile Name and Comment. Select the IPS mode (Prevent or Detect) and a Protection
Activation method.
Editing an IPS Profile
To edit an IPS Profile:
1. In SmartDashboard (Global or Domain Management Server), select the IPS tab.
2. Select Profiles.
3. Double-click a profile.
4. Edit parameters as required on any of the pages.
5. On the Network Exceptions page, add and edit exception rules by clicking New or Edit.
Subscribing Domains to IPS Service
Any Domain that you want to include in the global IPS policy must be subscribed to the IPS service.
To subscribe an existing Domain to the IPS Service:
1. In the SmartDomain Manager, enable the Domain Contents Mode.
2. On the Selection Bar, select General.
3. Double-click a Domain name in the list.
4. In the Domain Configuration window, select the Assign Global Policy tab.
5. Enable the Subscribe Domain to IPS Service option.
Domains that subscribe to the IPS Service are automatically assigned an Exclusive subscription. Once
Domains are subscribed to the IPS service using the global policy, any changes made to the Global IPS
Profiles are forwarded to the Domain Management Servers whenever Global Policy is assigned. See
Assigning Global Policy (on page 63) for details.
Note - Merge and Override IPS subscriptions are no longer supported
in Multi-Domain Security Management.
Managing IPS from a Domain Management Server
After Domains are assigned Global Policy, the IPS Profiles configured on the Global SmartDashboard are
added to the local profiles list on the Domain Management Server. Domain administrators can assign
IPS Profiles to gateways and change these profiles in limited ways.
Protection settings for Global Profiles cannot be edited from the Domain Management Server. However,
exceptions can be defined for specific traffic in the IPS tab of SmartDashboard.
Once a Profile has been downloaded to a Domain Management Server, there will be a 'G' prefix at the
beginning of the Profile name and 'Global' appears in the activation column in the local SmartDashboard.
Any exceptions set globally for a specific Global Profile are indicated with a 'G' icon and cannot be changed
from the Domain Management Server.
Assigning IPS Profiles to Gateways
IPS policy will not be activated on any gateways until the gateway is assigned a Profile.
To assign an IPS Profile to a gateway:
1. Navigate to the Profile Assignment page in one of two ways:
a) From the gateway object:
In the SmartDashboard of the Domain Management Server on which the gateway is managed,
right-click the gateway and select Edit.
Select IPS from the navigation tree in the Check Point Gateway dialog box.
b) From the IPS tab:
In the SmartDashboard of the Domain Management Server on which the gateway is managed,
select the IPS tab and Enforcing Gateways from the navigation tree.
Select a gateway from the list and click Edit.
2. Select Assign Profile and select a profile from the list, then click OK.
3. Alternatively, if you do not want to apply IPS on this gateway, select Do not apply IPS on this gateway.
4. Select Policy > Install, and make sure the gateway is selected in the Advanced Security column.
5. Click OK to install the policy and activate the assigned IPS Profile.
Removing Global IPS from a Domain Management Server
To remove Global IPS from a Domain Management Server:
1. In the IPS tab of the Domain Management Server SmartDashboard, make sure that gateways on the
Domain Management Server are not using Global Profiles.
2. In the Global Policy page of the SmartDomain Manager, select a Domain, right-click, and select
Configure Domain.
3. In the Assign Global Policy tab, clear Subscribe Domain to IPS Service and click OK.
4. In the Global Policy page, select the Domain again, right-click, and select Reassign Global Policy.
Click OK to confirm.
Note - If you select Remove Global Policy, Global IPS will be removed
from the Domain Management Server regardless of the check box
setting.
Making Changes to an IPS Profile
Domain administrators can make exceptions to protections in a Profile and can override actions of a
protection. These changes are made from the IPS tab of the Domain Management Server SmartDashboard
by clicking Edit. See the R75.20 IPS Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12270) for more information on
creating exceptions and changing actions within protections.
If a Domain administrator makes changes to a profile, changes are saved in the Domain Management
Server local policy. If the Profile is later altered in the Global SmartDashboard, the Domain administrator's
changes will not be affected when Global Policy is reinstalled on the Domain Management Server.
Managing Global IPS Sensors
You can manage IPS sensors globally in a Multi-Domain Security Management deployment.
Assigning Global Policy
Global Policy, which includes the Global Security Policy and Global IPS, should be assigned to Domains
when it is first configured, and whenever you want to implement a change. All Global Policy assign
operations are performed from the Global Policies - Security Policies and IPS view.
Assigning the First Global Policy
To assign a global policy for the first time:
1. From the SmartDomain Manager Global Policies view, select a Domain.
2. To select local policies that use the global policy, click Customize Global Policy Assignment.
The Select Policies that will receive Global Policy window opens.
To assign the global policy to a local policy:
a) Select the local policy in the Do not assign on list.
b) Click Assign.
The local policy moves to the Assign on list.
To remove the global policy from a local policy:
a) Select the local policy in the Assign on list.
b) Click Remove.
The local policy moves to the Do not assign on list.
Note - To configure a Domain for IPS, see Subscribing Domains to
IPS Service (on page 61).
Assigning Global Policies to VPN Communities
When assigning or reassigning global policies to Domains whose gateways participate in VPN Communities,
perform the following procedure to ensure that all participating gateways update each other correctly.
To assign global policies to VPN Communities:
1. Assign global policies to Domains.
2. Using the Domain Management Server SmartDashboard for active Domains, install policies and/or
databases as required.
3. Reassign the global policy and install the most recent policy on all gateways.
Re-assigning Global Policies
Whenever you make changes to a global policy, you must re-assign it to the appropriate Domain
Management Servers. This ensures that global policy changes are reflected in individual Domain networks.
Automatic Gateway Policy Installation
When reassigning a global policy to Domain Management Servers, you can automatically re-install the last
policy installed on individual Domain Management Server gateways. This option ensures that changes
made to the global policy are correctly updated at the gateway level.
The term 'last policy installed' on a gateway refers to the most recent version of the last policy installed on
that gateway using SmartDashboard.
Important - You cannot reassign global policies to any gateway on which
a policy was never installed (such as a new gateway). Automatic policy
installation will fail if no policy was previously installed on that gateway.
To ensure that policy installation on a gateway succeeds when re-
assigning a global policy, you must first install a policy on that gateway
using the Domain Management Server SmartDashboard.
Re-assigning Global Policy to one Domain
To re-assign a Global Policy to an individual Domain Management Server:
Important Exception - If you reassign a global policy to a Domain
that has one or more gateways with no policy installed, global policy
installation succeeds on those gateways with an installed policy. The
new global policy does not install on gateways with no installed
policy. This behavior occurs even when the Install Security Policy
if it can be installed on all Security Gateways option is enabled.
This can result in some gateways in a Domain enforcing the new
global policy, while others continue to enforce the old (or no) global
policy.
1. From the Global Policy page in the SmartDomain Manager, right-click a Domain and select
Reassign/Install Global Policy.
2. In the Reassign/Install Global Policy window, enable the Reassign Global Policy option.
3. To automatically install policies on Domain gateways, select one or more gateways from the list.
4. Click OK to finish.
Re-assigning Global Policies to Multiple Domains
You can also reassign Global Policies to multiple Domains at the same time.
Important Exception - If you reassign a global policy to a Domain
containing one or more gateways with no installed policy, global
policy installation succeeds on those gateways with an installed
policy. The new global policy does not install on gateways with no
installed policy. This occurs even when the Install Security Policy
if it can be installed on all Security Gateways option is enabled.
This can result in some gateways in a Domain enforcing the new
global policy, while others continue to enforce the old (or no) global
policy.
To reassign a policy to multiple Domains,
1. From the Manage menu, select Reassign Global Policy and IPS to Domains.
2. Select the Domains to receive this global policy.
3. Enable the Install last Policy on all gateways of assigned Domains option, if you wish to
automatically re-install the last policy installed on all gateways belonging to the selected Domains.
4. Enable the Install last IPS Sensor Policy on all IPS-1 Sensors of assigned Domains option, if you
wish to automatically re-install the last policy on all IPS-1 sensors belonging to the selected Domain.
Considerations for Global Policy Assignment
Introduction
When assigning a Global Policy to one or more Domains, Global Objects are copied to the database of the
Domain Management Server. Whether all the Global Objects in the database are copied, or only those
related to the Global Policy, can be configured for each Domain in the Domain Configuration window,
(which can be accessed by selecting Manage > Configure when selecting a Domain in the General-
Domain Contents view).
Rules belonging to the Global Policy package being assigned are added above and below the rules inside
ALL local policies defined in that Domain Management Server database.
When issuing the "install policy" command for Domain Management Server gateways, the gateways will
receive the most updated Domain Management Server policy containing the latest updates from the Global
Policy. After you change a Global Policy and reassign it to one or more Domains, the Domain Management
Server installs the updated policy to the Domain gateways, and any modifications to global and local
objects/rules are updated on the selected gateways.
Assign and install are two different processes. The administrator can re-assign a Global Policy without
installing a local policy to Domain gateways.
Assigning Policy for the First Time
Once you create a Domain internal network, you will want to create a policy for the Domain. The first step
may be creating a Global Policy template for general use by different types of Domains. This gives you a
certain amount of flexibility in how you manage security policy assignment.
Global policies are designed in Global SmartDashboard, but the assign/install procedure is handled through
the SmartDomain Manager. The SmartDomain Manager provides a Global Policy Mode which gives you a
few options to handle the procedure of assigning Global Policies. The Global Policy is assigned to the
Domain Management Server.
When You Change a Global Policy
If you change the Global Policy, you must reassign it to all Domains using this policy, and reinstall it onto the
Domain gateways.
Re-install a Domain policy to gateways when:
You have made changes to a Global Policy and reassigned it to the Domain Management Server,
without installing the updated policy to the Domain gateways or,
When you have made changes to the Domain network policy.
If you have network load considerations, rather than install the gateways all at once, you may prefer to
perform the procedure in stages. You can re-install a current policy to Domains' gateways using the Install
Last Policy command or to IPS-1 Sensors by selecting the Install last IPS Sensor Policy on all IPS-1
Sensors of assigned Domains option. You can also install on selected gateways by right clicking a
Domain and selecting Reassign/Install Global Policy.
Assigning a Different Global Policy
To assign a different Global Policy to a Domain, use the same procedure as for initially assigning a Global
Policy to a Domain. The Global Policy is overwritten when a new one is assigned.
Global Object Transfer Method
During Domain configuration, you define for each Domain how the Global Policy database will transfer
objects during global security policy assignment (this is located in the Add Domain Wizard — Assign
Global Policy tab). When Global Policies are assigned to Domain Management Servers, two methods can
be used to transfer all the information to the Domain Management Server database from the Global Policy
database.
It is possible to assign all Global Objects when assigning the Global Policy to a Domain Management
Server. Or it is possible to assign only objects required by the rule base of the Global Policy assigned to the
Domain Management Server. This includes objects directly or indirectly referenced by rules, such as
network objects contained in groups. Indirectly referenced objects are also copied to the Domain
Management Server database, and the administrator sees them both inside the group and individually.
You can change this setting later, but do so carefully. Consider the following scenario: a Domain is
assigned a Global Policy and all Global Objects are transferred, so every Global Object is copied to the
Domain Management Server database. If the Global Policy is then re-assigned with only the objects
relevant to the Global Policy, extraneous objects not used by the Global Policy are removed from the
Domain Management Server database. However, if any of these objects are used by the Domain's own
security rules or objects, the assignment operation terminates (an error message lists the objects that
prevented the operation from proceeding).
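The following Python script is an added example, not part of this guide or of the Check Point product. It models the two transfer methods described above: copying the whole Global Objects database, or only the objects the global rule base references directly or indirectly (members of referenced groups, followed recursively). It then replays the scenario in the preceding paragraph: a Domain that was first assigned with all objects is re-assigned with referenced objects only, and the operation is refused, naming the blocking objects, when an object that would be dropped is still used by a local rule. The object model and every name in it are constructed.

```python
"""Added example (Python), not from the Check Point guide: model the two
Global Object transfer methods and the re-assignment check described above.

Rule columns, groups, object names and the record of local uses are constructed.
"""
from __future__ import annotations


class AssignmentError(Exception):
    """Raised when re-assignment would drop a global object the Domain still uses."""


def referenced_closure(rules: list[dict[str, set[str]]],
                       groups: dict[str, set[str]]) -> set[str]:
    """Objects the global rule base references directly or indirectly.

    Direct references are the objects named in the rule columns; indirect ones
    are members of referenced groups, followed recursively so nested groups work.
    """
    seen: set[str] = set()
    stack = [obj for rule in rules for objs in rule.values() for obj in objs]
    while stack:
        obj = stack.pop()
        if obj in seen:
            continue
        seen.add(obj)
        stack.extend(groups.get(obj, ()))
    return seen


def objects_to_transfer(method: str, global_objects: set[str], rules, groups) -> set[str]:
    """'all' copies the whole Global Objects database; 'referenced' only the closure."""
    if method == "all":
        return set(global_objects)
    if method == "referenced":
        return referenced_closure(rules, groups) & global_objects
    raise ValueError(f"unknown transfer method {method!r}")


def reassign(domain_copy: set[str], global_objects: set[str], rules, groups,
             method: str, local_uses: dict[str, set[str]]) -> set[str]:
    """Return the Domain's copy of the Global Objects after re-assignment.

    domain_copy: global objects currently present in the Domain database.
    local_uses:  global object -> local rules/objects that reference it.
    Global objects that are no longer transferred are removed from the Domain,
    unless something local still uses them; then the whole operation is refused
    and the blocking objects are reported, as the guide describes.
    """
    wanted = objects_to_transfer(method, global_objects, rules, groups)
    extraneous = (domain_copy & global_objects) - wanted
    blocking = {o: sorted(local_uses[o]) for o in sorted(extraneous) if local_uses.get(o)}
    if blocking:
        raise AssignmentError(f"global objects still used by local rules/objects: {blocking}")
    return (domain_copy - extraneous) | wanted


# Constructed sample Global Objects database and global rule base.
GLOBAL_OBJECTS = {"Net_10", "corp_dns_servers", "dns1", "dns2",
                  "perimeter_global", "dmz_global", "legacy_partner_net"}
GROUPS = {"corp_dns_servers": {"dns1", "dns2"}}
RULES = [{"source": {"Net_10"}, "destination": {"corp_dns_servers"},
          "install_on": {"perimeter_global"}}]

if __name__ == "__main__":
    full = reassign(set(), GLOBAL_OBJECTS, RULES, GROUPS, "all", {})
    print("transferred with 'all':", sorted(full))
    try:
        reassign(full, GLOBAL_OBJECTS, RULES, GROUPS, "referenced",
                 {"legacy_partner_net": {"Local_Rule_7"}})
    except AssignmentError as err:
        print("refused:", err)
    print("after switching to 'referenced':",
          sorted(reassign(full, GLOBAL_OBJECTS, RULES, GROUPS, "referenced", {})))
```

With the constructed data the referenced closure contains five objects (the group corp_dns_servers brings in dns1 and dns2 even though no rule names them directly), so dmz_global and legacy_partner_net are the extraneous copies; the switch is refused while a local rule still uses legacy_partner_net and succeeds once that reference is gone.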
Viewing the Status of Global Policy Assignments
You can view global policy assignments from the SmartDomain Manager while in the Security Policies and
IPS mode in the Global Policies view.
In this window, each Domain is displayed under the Global Security Policy to which it is assigned, or under
the category No Global Policy. The time and date at which the Global Policy was assigned to each Domain
is reported, and a status indicator shows whether that assignment is the most up-to-date version of the
Global Policy.
When a change is made in Global SmartDashboard, either to a Global Security Policy or to the Global IPS,
the change will be reflected in the Global Policy state of each Domain assigned the relevant Policy. (A green
check mark indicates that the Policy is up-to-date, while a red exclamation mark indicates that since the
Policy was assigned, it has changed, and should be reassigned.)
Global Policy History File
Each Domain log directory includes a history file (named gpolicy.log) which maintains a summary of all
actions taken by the Global SmartDashboard that affect the Domain. It records all actions taken, including
assigning Global Policies to a Domain Management Server and installation on a remote gateway. The file
includes time, operations performed, Global Objects added, and problems. To access this file, see Viewing
the Domain Global Policy History File (on page 70).
Configuration
Assigning or Installing a Global Policy
To assign, reassign, install or remove policies for Domains, you must be a Superuser (either a Domain
Superuser or a Multi-Domain Security Management Superuser). All these actions are performed in the
SmartDomain Manager, using the Global Policies view.
You cannot assign a Global Policy to a Domain if a Read/Write SmartDashboard is logged in to the Domain
Management Server. First, close SmartDashboard and then assign the Global Policy. You can, however,
assign a Global Policy to a Domain if there is a Read Only SmartDashboard logged in to the Domain
Management Server. The changes won't be displayed in SmartDashboard until it is disconnected from and
then reconnected to the Domain Management Server.
Assign to Many Domains: How to Assign/Install from a Global Policy
Object
To Assign/Install from a Global Policy Object
Use the following method to assign an existing Global Policy to several Domains at once. You can also
install a policy to all Domain gateways at the same time. If a Domain already has a different Global Policy, it
is overwritten.
1. Select the desired Global Policy. Right-click the Global Policy and choose Assign/Install Global Policy
from the options menu. Select the Global Policy Name of the Global Policy you want to install (for
example, Standard_Global_Policy).
2. Select the Domains to which you want to assign this Global Policy from the Unassigned to selected
Policy list. To install the policy on all the gateways of the Domains to which the policy is assigned,
check Install Policy on assigned Domains.
To install a policy on specific gateways, perform the assign/install operation using the Domain object
and select the specific gateways on which to install the policy.
3. Click OK. A Global Policy Assignment progress window lets you follow each step of the procedure, as
the Global Policy is enforced on the selected Domain Management Servers. You can track installation
attempts using the History file.
Assign to One Domain: Assign/Install from a Domain Object
To Assign/Install from a Domain Object:
Select a Domain that does not have a Global Policy, and assign one of the Global Policies you have
created. This method gives you more control over the installation procedure for particular Domain gateways.
For Domains that already have a Global Policy, the option will be to Reassign/Install Global Policy.
1. Select a Domain, then choose Manage > Assign/Install Global Policy..., or right-click the Domain and
select Assign/Install Global Policy...
2. The Assign/Install Global Policy window lets you select a policy to be installed. Select one or more
gateways. A policy must already have been installed on the gateways, or the operation will not work.
Click OK.
3. The Global Policy is assigned to the Domain Management Server and the Domain policy is re-installed
on the selected gateways.
Reassigning/Installing a Global Policy on Domains
Once a Domain has been assigned a Global Policy, it is possible to update the policy by re-assigning it.
To Reassign/Install a Global Policy for a Specific Domain that Has Already Been Assigned a Global Policy
When performing a Reassign/Install the user does not choose the policy. The policy is already selected.
You can also re-install the Domain policy to the Domains' gateways at the same time, but note that this is for
all the gateways at once and will only work if there is already a Domain policy resident on the gateway.
1. Select a Domain, then choose Manage > Reassign/Install Global Policy..., or right-click the Domain
and select Reassign/Install Global Policy...
2. The Reassign/Install Global Policy window will display the policy currently installed.
3. Select the specific gateways for which to re-install the policy. Click OK. The Global Policy is assigned to
the Domain Management Server and the resident Domain policy is re-installed on the selected
gateways.
To Reassign/Install a Global Policy for Multiple Domains
1. Right-click a Global Policy and select Reassign/Install Global Policy from the options menu.
2. In the Reassign/Install Global Policy window, select one or more Domains.
3. Enable the Install last Policy on all gateways of assigned Domains option, if you wish to
automatically reinstall the last policy installed on all gateways belonging to the selected Domains.
4. Enable the Install last IPS Sensor Policy on all IPS-1 Sensors of assigned Domains option, if you
wish to automatically re-install the last policy on all IPS-1 sensors belonging to the selected Domain.
Reinstalling a Domain Policy on Domain Gateways
The Install Last Policy window allows you to select a group of Domains and re-install policies onto their
gateways. You can use this method only if the selected gateways already have a policy installed.
To Reinstall a Domain Policy on Domain gateways:
1. From the Manage menu, click Reassign Global Policy and IPS to Domains.
(Or click the Reassign Global Policy toolbar icon.)
2. In the Install Last Policy window, select the Domains to re-assign this global policy.
Click Install last Policy on all gateways of assigned Domains, to automatically re-install the last
policy installed on all gateways belonging to the selected Domains.
Click Install last IPS Sensor Policy on all IPS-1 Sensors of assigned Domains, to automatically
re-install the last policy on all IPS-1 sensors belonging to the selected Domain.
The policy is installed on all gateways for selected Domains.
Remove a Global Policy from Multiple Domains
1. Select the Global Policy and choose Manage > Remove Global Policy from Domains..., or right-click
the policy and select Remove Global Policy from Domains... from the right-click menu.
2. Check Domains in the Assigned to selected Policy list. To remove the policy from all Domains, click
Select All. Domains from which the Global Policy has been removed are automatically assigned to the
No Global Policy group.
Remove a Global Policy from a Single Domain
To remove a Global Policy from a single Domain:
1. Select the Domain, then right-click and choose Remove Global Policy, or choose Remove Global
Policy from the Manage menu.
2. You are asked whether you are sure you want to remove this Domain from the Global Policy. Click Yes
to confirm. The Domain is automatically assigned to No_Global_Policy.
Viewing the Domain Global Policy History File
To view the Domain history file, select a Domain, right-click and choose View History File..., or select
View History File... from the Manage menu.
Setting Policy Management Options
These options control system behavior when assigning global policies to Domain Management Servers and
installing local policies on Domain network objects.
You can limit the number of Domains on which you do policy operations at the same time. This limit helps
you prevent network congestion and excessive resource consumption during these operations. For
example, if there are 5 Domains in your deployment and the defined maximum is 2, policy operations run in
this sequence:
1. The policy operation runs on the first two Domain Management Servers.
2. The policy operation runs on the third and fourth Domain Management Servers.
3. The policy operation runs on the last Domain Management Server.
You can also define what occurs if policy installation is not successful on some network objects or Security
Cluster members, but is successful on others. These options can make sure that all network objects and
Security Cluster members enforce the correct policy.
Important Exception - If you assign a global policy to a Domain Management
Server where one or more Security Gateways do not have an installed policy:
The policy installation succeeds on those Security Gateways that already have
an installed policy.
The new policy does not install on Security Gateways with no installed policy.
Some Security Gateways in this Domain will enforce the new policy, while others
enforce the old (or no) policy.
This occurs even when the Install Security Policy only if it can be installed
on all Security Gateways option is selected.
To configure policy management options:
1. From the Manage menu, select Multi-Domain Security Management Properties.
2. In the Multi-Domain Security Management Properties window, select Administrator Global
Properties.
3. Set the maximum number of domains on which you can do policy operations at the same time.
4. Define what behavior occurs when policy installation fails on some gateways and is successful on
others:
Selected - Policy does not install on gateways unless it successfully installs on all gateways.
Cleared (Default) - Policy installs successfully on some gateways, but not on others.
5. Define what behavior occurs when policy installation fails on some Security Cluster members but is
successful on others:
Selected (Default) - The policy does not install on members unless it successfully installs on all
members.
Cleared - The policy installs successfully on some members, but not on others.
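The following Python script is an added example, not part of this guide or of the Check Point product; the real work is done by the SmartDomain Manager. It models the three behaviours configured above so their interaction can be seen on constructed data: Domains are processed in groups no larger than the configured maximum, a failure on one gateway or one Security Cluster member may or may not prevent the others from keeping the new policy depending on the two options, and, per the Important Exception above, a gateway that never had a policy installed is skipped without that skip counting as a failure. Domain names, gateway names, cluster membership and install outcomes are constructed.

```python
"""Added example (Python), not from the Check Point guide: a model of the
policy-operation options described above and of the documented exception for
gateways that have never had a policy installed.

Domains, gateway names, cluster membership and install outcomes are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    has_policy: bool              # a policy was installed before via the Domain SmartDashboard
    install_ok: bool = True       # constructed outcome of this install attempt
    cluster: str | None = None    # Security Cluster this member belongs to, if any


def batches(domains: list[str], max_parallel: int) -> list[list[str]]:
    """Split the Domains into the groups processed together (5 Domains, max 2 -> 2, 2, 1)."""
    if max_parallel < 1:
        raise ValueError("maximum number of Domains must be at least 1")
    return [domains[i:i + max_parallel] for i in range(0, len(domains), max_parallel)]


def install_last_policy(gws: list[Gateway], all_gateways_or_none: bool,
                        all_members_or_none: bool) -> dict[str, str]:
    """Return {gateway: 'installed' | 'failed' | 'rolled-back' | 'skipped-no-policy'}.

    all_gateways_or_none models step 4 (cleared by default); all_members_or_none
    models step 5 (selected by default). A gateway with no previously installed
    policy is skipped and, as the Important Exception states, that skip does not
    stop the others even when all_gateways_or_none is selected.
    """
    result: dict[str, str] = {}
    eligible = [g for g in gws if g.has_policy]
    for g in gws:
        if not g.has_policy:
            result[g.name] = "skipped-no-policy"
    for g in eligible:
        result[g.name] = "installed" if g.install_ok else "failed"
    if all_members_or_none:
        # One failed member means no member of that cluster keeps the new policy.
        for cname in {g.cluster for g in eligible if g.cluster}:
            members = [g for g in eligible if g.cluster == cname]
            if any(result[g.name] == "failed" for g in members):
                for g in members:
                    if result[g.name] == "installed":
                        result[g.name] = "rolled-back"
    if all_gateways_or_none and any(result[g.name] != "installed" for g in eligible):
        # A failure on any eligible gateway means the policy installs nowhere.
        for g in eligible:
            if result[g.name] == "installed":
                result[g.name] = "rolled-back"
    return result


if __name__ == "__main__":
    print(batches(["D1", "D2", "D3", "D4", "D5"], 2))
    sample = [Gateway("new-gw", has_policy=False),
              Gateway("fw-a", has_policy=True),
              Gateway("fw-b", has_policy=True, install_ok=False)]
    print(install_last_policy(sample, all_gateways_or_none=False, all_members_or_none=True))
    print(install_last_policy(sample, all_gateways_or_none=True, all_members_or_none=True))
```

The point the model makes visible is the one the Important Exception warns about: the new gateway is never a failure in the all-or-nothing sense, so the other gateways install and the Domain ends up enforcing two different policies until you install a policy on the new gateway from the Domain SmartDashboard and reassign.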
Global Names Format
The Manage > Multi-Domain Security Management Properties menu > Global Names Format window
allows the user to define a template for Gateway Global Names, that consists of the original name of the
gateway, the name of the Domain and other details. When enabling the gateways for Global Use, an
automatic suggestion for an appropriate name will be offered, based on this template.
The properties are:
Global Name - You can use the default name. The default format is g<GATEWAY>_of_<Domain>,
where the gateway name and the Domain are the variables. For example, a template defined as
g<GATEWAY>_of_<Domain> for gateway MyGateway of Domain MyDomain, will result in the
suggested name gMyGateway_of_MyDomain.
The global name should be self explanatory and easy to understand and therefore the template must
consist of the Domain name and the gateway's original name. The Administrator can later choose to
override the template and create a Global Name which can be any unique legitimate string.
VPN Domains - The additional configurable part of the template is the suffix for the VPN domain object.
The template for the domain object contains the Global Name and the suffix. For example, if the defined
suffix template is _Domain, the name of the VPN Domain will be
gMyGateway_of_MyDomain_Domain.
Global Policy Management Page 71
Chapter 5
Domain Management
This chapter includes procedures for creating and configuring Multi-Domain Security Management objects.
In This Chapter
Defining a New Domain 72
Configuring Existing Domains 80
Configuring Domain Selection Groups 85
Defining a New Domain
This section includes procedures for using the Add Domain Wizard to create new domains.
Configuration Settings
Running the Wizard 72
Configuring General Properties 74
Domain Properties 74
Assigning a Global Policy 74
Assigning Administrators 75
Assign GUI Clients 77
Version and Blade Updates 77
Defining your First Domain Management Servers 78
Configuring Domain Management Servers 79
Running the Wizard
This wizard contains several windows that let you configure Domain settings. You can use a simplified
procedure or customize the procedure by selecting additional settings groups.
If you choose the Simplified option, you can configure any of the other settings at a later time.
To run the Add Domain wizard:
1. In the SmartDomain Manager, click General in the Selection bar.
2. Select the Domain Contents view.
3. In the Domain Contents pane, right-click Multi-Domain Security Management.
4. Select New Domain from the Options menu. The Domain Contents wizard opens.
5. In the Configure Domain Creation Mode window, select one of these options:
Simplified Domain Creation - Select this option to define these basic Domain settings:
General Definitions - Enter a unique Domain name.
Domain Assigned GUI Clients - Select one or more GUI clients that are authorized to manage
this Domain.
First Domain Management Server - Define the first Domain Management Server included in
this Domain.
If you use the Simplified method, these default values are assigned automatically:
QoS: Deactivated
Domain Properties: All fields are empty
Administrators: Only Superusers are assigned to this Domain
Version and Blade Updates: None
Customized Domain Creation - Select this option to configure any of these additional settings
groups:
Domain Properties - Enter contact and other user-defined information.
Global Policy - Assign all Global Objects or assign only those Global Objects used in the
currently assigned Global Policy. You can also subscribe to Domain level IPS services.
Administrators - Select one or more administrators authorized to manage the Domain.
Version and Blade Updates - Activate version and blade updates for the Domain.
Select settings groups to include in the wizard, or clear settings groups to remove from the wizard.
Don't Show Again - Automatically use these wizard settings when creating a new Domain. You can
also configure this property on the Global Policies tab in the Multi-Domain Server window.
Configuring General Properties
In the General Properties window, enter a unique Domain name. You can optionally enable Check Point
QoS.
Note - If you want to enable Check Point QoS, you must use Customized Domain Creation. This option is
not available if you use the Simplified mode.
Domain Properties
You can enter information in Domain Properties fields. These fields typically contain contact information or
other descriptive data about the Domain. Superusers can define the fields that show in the Administrator
Properties window.
Assigning a Global Policy
This window only shows in the Customized Domain Creation wizard option. If you are using the
Simplified option, you can define these properties later.
To assign a Global Policy:
1. Select one of these configuration settings:
Assign all Global Objects - Assigns all global objects to this Domain.
Assign only Global Objects that are used in the assigned Global Policy - Assigns only those
Global Objects required by the Domain Global Policy.
2. Select one or more of these options:
Subscribe Domain to IPS service - Adds the global IPS profiles to the Domain IPS profiles list. IPS
profiles defined for individual Domains are not affected.
Create a database version - If activated, saves a snapshot of settings before assigning a Global
Policy. This allows you to go back to an earlier state.
Assigning Administrators
Superusers are automatically assigned to all Domains with full read/write privileges. You cannot remove or
assign them, nor can you change their permission profiles.
You assign global manager and domain manager administrator accounts to specified Domains. You assign
a permissions profile to administrators while assigning them to the new Domain. These administrators can
manage the Domain according to their administrator type and permissions profile.
You can only assign administrators to new domains if you use the Customized Domain Creation wizard
option. If you use the Simplified wizard option, only superusers are assigned to the new Domain. You can
add more administrators later.
To assign a permissions profile to a new Domain:
1. Select one or more administrators.
2. Click Add to move the selected administrators from the Not Assigned list to the Assigned list.
3. In the Assign Permissions Profile to Domain window, select a permissions profile.
You can create a new permissions profile or see an existing permissions profile from this window:
To create a new permissions profile ("Configuring Permissions" on page 48), click Configuration > Add
New Permissions Profile.
To see an existing permission profile, click Configuration > View Permissions Profile.
You can also do these actions in the Domain Assigned Administrators window:
To select all administrator accounts in a group, click Select by Group.
To remove administrators from the Assigned list, select them and then click Remove.
To add a new administrator account, click New Admin. The Add Administrator window opens.
Assign GUI Clients
In this window you can assign GUI client computers authorized to manage the specified Domain. GUI
Clients are computers running the SmartConsole and SmartDomain Manager clients. GUI clients shown in
the Assigned list can get access to the specified Domain.
To assign a GUI client to a Domain, select it in the Not Assigned list and then click Add.
Click New GUI Client to define new GUI client. The Add GUI Client window opens.
Version and Blade Updates
The Version & Blade Updates window lets administrators manage new features and Software Blades
without doing a full management upgrade. Upgrades can include new features or Software Blades. These
are typically available as hotfixes or minor releases. Install version and blade updates on each Multi-Domain
Server and then activate them using the SmartDomain Manager.
Only new versions or blades and those that have not been installed show in this window.
To install and activate version and blade updates:
1. Install the update on your Multi-Domain Servers.
2. Run mdsstop and then run mdsstart to restart the Multi-Domain Servers.
When restarting multiple Multi-Domain Servers, do so at the same time to prevent plug-in-mismatch
errors.
3. Activate the updates on your Domains:
a) In the SmartDomain Manager, select Version & Blade Updates on the Selection Bar.
b) Select one or more Domains.
c) Right-click the selected Domains and then select Activate Update on Domains.
4. Activate and configure new features or blades using SmartDashboard for each Domain Management
Server.
Getting here - With General selected and Domain Contents view open:
Manage > New Domain > Create Domain wizard
This window is only included in the Customized Domain Creation wizard option.
Activating or Deactivating Updates for a Domain
Updates installed on Multi-Domain Servers, but not yet activated, are shown in the Not Activated list.
To activate an update, select it and click Add. The update moves to the Activated list.
To deactivate an update, select it and click Remove. The update moves to the Not Activated list.
Defining your First Domain Management Servers
In this window, you can define one Domain Management Server or two Domain Management Servers for
High Availability.
This window is only included in the Customized Domain Creation wizard option. You can add Domain
Management Servers at a later time.
To create Domain Management Servers:
Select one of these options:
Yes - Define Domain Management Servers now. Select an option to define one or two Domain
Management Servers.
No - Define your Domain Management Servers later.
Note - If you create two Domain Management Servers at this time, they start automatically. You can only
have two Domain Management Servers for one Domain if there is more than one Multi-Domain Server.
Configuring Domain Management Servers
Domain Management Servers share one Multi-Domain Server physical interface by using their own routable
virtual IP addresses. The Multi-Domain Server physical IP address must also be routable and not hidden by
virtual IP addresses.
You define a range of virtual addresses for automatic assignment to Domain Management Servers during
the definition process. When creating a new Domain Management Server, the system assigns it an IP
address from this range. Alternatively, you can manually assign a virtual IP address for a new Domain
Management Server. You must make sure that your routing tables include these assigned IP addresses.
You can retrieve an IP address using the Get Automatic IP Address button. If you have already defined
resolvable domain names (by using the DNS or by editing the /etc/hosts file) for your Domain
Management Servers, click Resolve by Name to get the IP address.
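The address assignment described above, as an added example in Go. This is illustrative code, not part of the guide or of the Multi-Domain Server software; the MDS type, the name table standing in for DNS or /etc/hosts, and the 192.0.2.0/24 addresses are assumptions. It models the automatic pick from the virtual range, resolution by name, and the check that a manually chosen virtual address never hides the physical address or collides with another Domain Management Server:

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// MDS models the addressing of one Multi-Domain Server: its own routable
// physical address, the range reserved for Domain Management Server virtual
// IPs, the addresses already handed out, and a name table standing in for
// DNS or /etc/hosts. The type and all values are constructed for this example.
type MDS struct {
	PhysicalIP netip.Addr
	RangeFirst netip.Addr
	RangeLast  netip.Addr
	Assigned   map[string]netip.Addr // Domain Management Server name -> virtual IP
	Hosts      map[string]netip.Addr // names that DNS or /etc/hosts would resolve
}

var ErrRangeExhausted = errors.New("no free virtual IP address in the configured range")

// inUse reports whether ip is the physical address or already assigned.
func (m *MDS) inUse(ip netip.Addr) bool {
	if ip == m.PhysicalIP {
		return true
	}
	for _, a := range m.Assigned {
		if a == ip {
			return true
		}
	}
	return false
}

// AutomaticIP stands in for Get Automatic IP Address: the first address in
// the range that is neither the physical IP nor assigned to another server.
func (m *MDS) AutomaticIP() (netip.Addr, error) {
	for ip := m.RangeFirst; ip.Compare(m.RangeLast) <= 0; ip = ip.Next() {
		if !m.inUse(ip) {
			return ip, nil
		}
	}
	return netip.Addr{}, ErrRangeExhausted
}

// ResolveByName stands in for Resolve by Name: the name must already resolve.
func (m *MDS) ResolveByName(name string) (netip.Addr, error) {
	ip, ok := m.Hosts[name]
	if !ok {
		return netip.Addr{}, fmt.Errorf("%s: name does not resolve", name)
	}
	return ip, nil
}

// Assign records the virtual IP of a new Domain Management Server. A manual
// address may lie outside the automatic range, but it must not hide the
// physical address or collide with another Domain Management Server.
func (m *MDS) Assign(name string, ip netip.Addr) error {
	if m.inUse(ip) {
		return fmt.Errorf("%s: %s is already in use on this Multi-Domain Server", name, ip)
	}
	m.Assigned[name] = ip
	return nil
}

func main() {
	m := &MDS{
		PhysicalIP: netip.MustParseAddr("192.0.2.10"),
		RangeFirst: netip.MustParseAddr("192.0.2.11"),
		RangeLast:  netip.MustParseAddr("192.0.2.20"),
		Assigned:   map[string]netip.Addr{"dms-existing": netip.MustParseAddr("192.0.2.11")},
		Hosts:      map[string]netip.Addr{"dms-paris": netip.MustParseAddr("192.0.2.12")},
	}
	ip, err := m.AutomaticIP()
	if err != nil {
		panic(err)
	}
	fmt.Println("automatic address (first free one):", ip)
	if byName, err := m.ResolveByName("dms-paris"); err == nil {
		fmt.Println("dms-paris resolves to", byName)
	}
	fmt.Println("assigning the physical IP is rejected:", m.Assign("dms-bad", m.PhysicalIP))
}
```

Whatever address is chosen, the routing tables of the management clients and gateways must still carry it; the allocator only prevents collisions on the Multi-Domain Server itself.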
To automatically define a Domain Management Server, select the Create Empty Domain Management
Server option.
To import a Domain Management Server that you saved using the mdscmd migrate management
command, click Import from and then select the applicable database file.
Optional: To add a license to this Domain Management Server:
1. Click Add License and select one of these options:
Add License Information Manually
a) Click Manually.
b) In the email message that you received from Check Point, select the entire license string (starting
with cplic putlic... and ending with the last SKU/Feature) and copy it to the clipboard.
c) In the Add License window, click Paste License to paste the license details you have saved on the
clipboard into the Add License window.
d) Click Calculate to display your Validation Code. Compare this value with the validation code that
you received in your email. If validation fails, contact the Check Point licensing center, providing
them with both the validation code contained in the email and the one displayed in this window.
Import a License File
a) Click Fetch From File.
b) In the Open window, browse to and double-click the desired license file.
From License Repository
a) Click From License Repository.
This option is only available if you have valid, unattached licenses in the repository.
b) In the Select Domain License window, click a Domain Management Server license.
The license automatically attaches to the Domain Management Server and the window closes.
Configuring Existing Domains
This section includes procedures for changing existing Domain definitions.
To configure an existing Domain:
1. Double click the Domain in any General view.
The Domain Configuration window opens.
2. Click a tab to define settings for that category.
Defining General Properties
In the General tab, you can change the Domain name and enable the QoS feature.
To configure general properties:
1. Click the General tab.
2. If necessary, enter a new Domain name.
3. Select to Enable QoS or clear to disable it.
Defining Domain Properties
You can enter information in Domain Properties fields. These fields typically contain contact information or
other descriptive data about the Domain. Superusers can define the fields that show in the Administrator
Properties window.
Assign Global Policy Tab
To assign a Global Policy, define these configuration settings:
Assigning Administrators
In this window, you assign administrators to, or remove administrators from Domains. Administrators
assigned to a Domain can manage that Domain according to their permissions. Superusers are
automatically assigned to new Domains with full read/write permissions. You cannot remove them or change
their permissions.
Assigning Domains to an Administrator
Using the Administrators pane to assign multiple administrators to a Domain:
1. Select Administrators in the SmartDomain Manager Selection bar.
2. Click the Toggle View icon so that the Domains per Administrator pane shows.
3. In the Domains per Administrator pane, right-click a domain and then select Assign Administrators.
4. In the Assign Administrators window, do one or more of these tasks:
Select one or more administrators and then click Add to move selected administrators from the Not
Assigned list to the Assigned list. When you add an administrator to the Assigned list, the Assign
Permissions Profile ("Working with Permission Profiles" on page 47) window opens.
Select one or more administrators and then click Remove to remove selected administrators from
the Assigned list.
Click New Admin to define a new administrator. The Add Administrator window opens.
Click Permissions to change an administrator's permissions. The Permissions window opens.
Click Select by Group to assign or remove members of a specified group.
Assigning Administrators to a Domain
You can assign administrators to a Domain, or remove them from it, using either of these procedures:
Using the Domain Configuration window:
1. Select the Administrators tab.
2. Do one or more of these tasks:
Select one or more administrators and then click Add to move selected administrators from the Not
Assigned list to the Assigned list. When you add an administrator to the Assigned list, the Assign
Permissions Profile ("Working with Permission Profiles" on page 47) window opens.
Select one or more administrators and then click Remove to remove selected administrators from
the Assigned list.
Click New Admin to define a new administrator. The Add Administrator window opens.
Click Permissions to change an administrator's permissions. The Permissions window opens.
Click Select by Group to assign or remove members of a specified group.
Using the Administrators pane to assign multiple administrators to a domain:
1. Select Administrators in the SmartDomain Manager Selection bar.
2. Click the Toggle View icon so that the Administrators per Domain pane shows.
3. In the Administrators per Domain pane, right-click a domain and then select Assign Administrators.
4. In the Assign Administrators window, do one or more of these tasks:
Select one or more administrators and then click Add to move selected administrators from the Not
Assigned list to the Assigned list. When you add an administrator to the Assigned list, the Assign
Permissions Profile ("Working with Permission Profiles" on page 47) window opens.
Select one or more administrators and then click Remove to remove selected administrators from
the Assigned list.
Click New Admin to define a new administrator. The Add Administrator window opens.
Click Permissions to change an administrator's permissions. The Permissions window opens.
Click Select by Group to assign or remove members of a specified group.
Assigning Permission Profiles
A permissions profile is a predefined set of SmartConsole administrative permissions that you assign to
administrators and Domains. This feature lets you manage complex, granular permissions for many
administrators with one definition. Permission profiles do not apply to SmartDomain Manager activities.
When you assign an administrator account to a domain, you must assign a permissions profile ("Assigning
Permission Profiles" on page 82). You can assign a predefined permissions profile or you can create a
unique, Domain-specific permissions profile for the administrator.
Administrators with applicable permissions can create and manage permissions profiles. By default, only
superusers can create or configure permissions profiles. You can change the global properties ("Configuring
Permissions" on page 48) to let global and Domain managers create and configure permission profiles for
their assigned Domains.
Multi-Domain Security Management includes default permissions profiles:
None_All_Profile - Administrators cannot use SmartConsole applications to see or configure settings.
Read_Only_All_Profile - Administrators can use SmartConsole only to see information. They cannot
configure settings.
Read_Write_All_Profile - Administrators can use SmartConsole applications to see and configure all
settings.
Read_Write_All_Profile_no_dlp - Administrators can use SmartConsole applications to see and
configure all settings with the exception of DLP.
You can assign one of the default permissions profiles to any administrator and domain.
To assign a permissions profile:
1. Select a profile from the Permissions Profile list.
2. In the Assign Permissions Profile to Domain window, select a permissions profile from the list.
You can also do these actions here:
Click Configuration > Add New Permissions Profile to create a new permissions profile.
Click Configuration > Add Domain Specific Permissions Profile to create a unique permissions
profile for the selected administrator and Domain. This option only shows for superusers and the
permissions profile name is assigned automatically.
Click Configuration > View Permissions Profile to see the selected permissions profile definition.
Defining GUI Clients
To create a new GUI client:
1. Select the GUI Clients view.
2. Right-click the Multi-Domain Security Management root and select New GUI client from the Options
menu.
3. Select the Type of the GUI client from the drop-down list. Choose one of the following:
Any - Generic GUI client type that lets any client computer connect to Domain Management
Servers. You can only have one GUI client of the 'Any' type in your deployment, and its name must
be AnyHost. This option is useful for system testing but is less secure, because it removes the
source-address restriction on management access.
Name - Identify the GUI client by resolving the specified Name.
IP Address - Identify the GUI client by a specified IP Address.
IP Address Range - Identify the GUI client by a specified IP Address Range. Any machine whose
IP address is within this specified range can connect to Domain Management Servers.
Domain - Identify the GUI client by a specified Domain. Any client located in the specified Domain
can connect to the Domain Management Servers.
4. Enter a Name for the new GUI client (If the Type is Any, AnyHost is specified as the name). The name
cannot contain spaces or special characters.
5. Enter information required for some GUI client types:
IP Address - Either type in the IP address of the GUI client in dot format (10.33.10.2), or click Get
Address to resolve it by name.
IP Address Range - Specify the first and the last IP addresses in the IP address range.
Domain - Specify the applicable Domain.
6. Select GUI client to let this GUI client access the Multi-Domain Server and all domains in your
deployment. Clear (default) to define this client as a Domain-level GUI client.
Version & Blade Updates
Version and blade updates for an existing Domain are installed, activated and deactivated in the same way
as for a new Domain. See Version and Blade Updates (on page 77).
Updates installed on Multi-Domain Servers, but not yet activated, are shown in the Not Activated list.
To activate an update, select it and click Add. The update moves to the Activated list.
To deactivate an update, select it and click Remove. The update moves to the Not Activated list.
Configuring Domain Selection Groups
To create a Domain selection group:
1. In any SmartDomain Manager View, select Manage > Selection Groups > Domain Groups.
2. In the Domain Selection Groups window, click Add. The Add Group window opens.
3. Enter a group name.
4. Select Domains from the Not in Group list and click Add. The Domains in this group now show in the In
Group list.
Chapter 6
VPN in Multi-Domain Security
Management
In This Chapter
Overview 86
VPN Connectivity 86
Global VPN Communities 87
Configuring Global VPN Communities 90
Overview
Branch offices need to connect with other branch offices. Partner sites also need to establish local and
remote communication. Once connectivity has been established, the connections must be secure and have
high levels of privacy, authentication, and integrity.
Only legitimate traffic must be allowed to enter a Domain internal network, and traffic must be inspected for
potentially harmful content. Inside a Domain network, different levels of access must be defined so that
sensitive data is only available to the right people.
Authentication Between Gateways
Before gateways can exchange encryption keys and build VPN tunnels, they authenticate each other.
Gateways authenticate by presenting one of these credential types:
Certificates. Each gateway presents a certificate that contains identifying information about the gateway
and the gateway's public key, both signed by the Domain Management Server trusted CA.
Pre-shared secret. A pre-shared secret is shared between a pair of Security Gateways. Each gateway must
prove that it knows the pre-shared secret. The pre-shared secret can be any combination of letters and
numbers.
Certificates are the preferred means and are considered more secure. The Domain Management Server
Internal CA automatically issues a certificate to each gateway it manages, so certificates are also the more
convenient authentication type.
VPN Connectivity
These trusted entities create VPN trust in a Multi-Domain Security Management deployment:
Certificates issued by a Domain Management Server Internal Certificate Authority (ICA).
External third party Certificate Authority servers (using OPSEC connectivity).
Pre-shared secrets.
The Domain Management Server ICA issues certificates used by Domain Security Gateways to create SIC
trust. The primary Multi-Domain Server issues certificates to authenticate administrators.
The procedure for establishing Global VPN Communities automates part of the step-by-step process of
establishing Externally Managed gateways for each Security Management Server and exchanging
certificates manually.
Global VPN Communities
Sometimes Domains need to establish VPN between gateways that are managed by different Domain
Management Servers. This might happen, for example, in large enterprises that have created different
Domain Management Servers to manage corporate networks in different cities or countries. Or, an MSP
deployment may require communication between partners, managed as different Domains.
Cross-Domain VPN is handled by establishing Global VPN Communities. This community is similar to the
regular VPN community with the exception that it can deal with gateways managed by different Domain
Management Servers. An administrator creates a VPN connection between Domain gateways using the
Domain Management Server SmartDashboard. A Global VPN Community however is defined at the Multi-
Domain Security Management level, using SmartDomain Manager and Global SmartDashboard.
Multi-Domain Security Management utilizes its knowledge about different Domain network environments to
ease the definition of VPN for environments run by different Domain Management Servers. In the
standalone model, cross-Domain VPN is established by creating gateways that are defined as externally
managed gateway objects. Then certificates and network information are imported into each gateway's
Security Management Server databases.
In Multi-Domain Security Management, during the Global VPN Community setup, the Multi-Domain Server
automatically exports relevant ICA information (such as the CA certificate) for each Domain Management
Server, so that both sides can trust the other's ICA.
Gateway Global Names
You can configure an existing Domain Security Gateway as a global gateway. This action imports the
gateway into the global policy database, making it accessible by all other Domain Management Servers in
your deployment.
Different Domains may coincidentally contain gateways using the same name. Each global gateway object
must have its own unique Global Name. To resolve this issue, the Global Names Template automatically
assigns a unique name for each global Security Gateway. The default global name format is g<Security
Gateway name>_of_<Domain name>.
For example:
Security Gateway name = MyGateway
Domain name = MyDomain
Global name = gMyGateway_of_MyDomain
Changing the Global Name Template
You can change the format of names generated by the global name template. To do so:
1. In the SmartDomain Manager, select Multi-Domain Security Management Properties from the
Management menu.
2. Select the Global Names Format tab.
3. Enter a format string in the Global Name Format field. You can use the Variables button to insert
variables for gateway names and Domain names. The format string cannot contain spaces or special
characters.
4. Optionally, enter a suffix format. We recommend that the suffix be preceded by the underscore
character.
Note - Make sure that your format string will always generate a unique name for global gateways.
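The template described under Global Names Format and in this section, and the uniqueness requirement of the note above, worked through as an added example in Go. This is illustrative code, not code from the guide or from Check Point's product; the Gateway type, the regular expression for legal characters and the sample gateway and Domain names are assumptions. It renders the template for every gateway that will be enabled for global use and flags collisions, which is how a template that omits the <Domain> variable fails when two Domains manage gateways with the same original name:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Template variables as inserted by the Variables button of the Global Names Format window.
const (
	varGateway = "<GATEWAY>"
	varDomain  = "<Domain>"
)

// Gateway is a Domain gateway identified by its original name and the Domain
// that manages it. Two Domains may legitimately contain gateways with the same
// original name, which is exactly the collision the template must prevent.
type Gateway struct {
	Name   string
	Domain string
}

// Global names may not contain spaces or special characters. This character
// class is an assumption; the guide does not list the exact legal set.
var legalName = regexp.MustCompile(`^[A-Za-z0-9_]+$`)

// RenderGlobalName expands the template for one gateway, for example
// "g<GATEWAY>_of_<Domain>" for MyGateway in MyDomain gives "gMyGateway_of_MyDomain".
func RenderGlobalName(tmpl string, gw Gateway) string {
	return strings.NewReplacer(varGateway, gw.Name, varDomain, gw.Domain).Replace(tmpl)
}

// VPNDomainName appends the configured VPN domain suffix (for example "_Domain")
// to a global name.
func VPNDomainName(globalName, suffix string) string {
	return globalName + suffix
}

// CheckTemplate renders the template for every gateway that will be enabled for
// global use and reports the two things an administrator must avoid: a name
// with illegal characters, and two gateways that render to the same global name.
func CheckTemplate(tmpl string, gws []Gateway) (names map[Gateway]string, problems []string) {
	names = make(map[Gateway]string, len(gws))
	seen := make(map[string]Gateway)
	for _, gw := range gws {
		n := RenderGlobalName(tmpl, gw)
		names[gw] = n
		if !legalName.MatchString(n) {
			problems = append(problems, fmt.Sprintf("%v: illegal global name %q", gw, n))
		}
		if prev, dup := seen[n]; dup {
			problems = append(problems, fmt.Sprintf("%v and %v both render to %q", prev, gw, n))
			continue
		}
		seen[n] = gw
	}
	return names, problems
}

func main() {
	// Constructed sample: the same original gateway name in two Domains.
	gws := []Gateway{
		{"MyGateway", "MyDomain"},
		{"fw1", "Paris"},
		{"fw1", "Berlin"},
	}
	for _, tmpl := range []string{"g<GATEWAY>", "g<GATEWAY>_of_<Domain>"} {
		names, problems := CheckTemplate(tmpl, gws)
		fmt.Printf("template %s: %d problem(s)\n", tmpl, len(problems))
		for _, p := range problems {
			fmt.Println("  ", p)
		}
		fmt.Println("   VPN domain object for MyGateway:", VPNDomainName(names[gws[0]], "_Domain"))
	}
}
```

Run CheckTemplate against the full inventory before changing the template: an administrator can override a suggested name by hand, but a template that already renders every gateway to a distinct legal name avoids a collision surfacing later, when a second Domain enables a gateway for global use.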
Global or Neighbor VPN Gateway
For Global VPN Communities, VPN tunnels are created between gateways in neighboring Domains. This is
analogous to externally managed VPN gateways in a Security Management deployment.
A neighboring gateway supports certificates issued by the other Domain CA. Both gateways need to trust
the other's CA.
VPN Domains in Global VPN
The administrator defines each Domain gateway using SmartDashboard. When defining the gateway as a
VPN gateway, the administrator specifies whether its VPN Domain is based on the network topology or on a
specific address range.
This network information is managed at the individual Domain level and is held centrally in the Domain
Management Server database. For VPN between Security Gateways inside one Domain, the VPN domain is
flexible and can be defined by the Domain administrator.
For cross-Domain VPN, each Domain Management Server database would otherwise have to hold complete
topology data for all other Domain networks, which would also expose one Domain's network details to
another. Instead, Multi-Domain Security Management computes address ranges from those specified in the
VPN gateway properties and uses this list as the VPN domain of a gateway that belongs to another Domain.
Access Control at the Network Boundary
Check Point Security Gateway provides secure access control through its granular understanding of all
underlying services and applications traveling on the network. Stateful Inspection technology provides full
application-layer awareness, and comprehensive access control for more than 150 pre-defined applications,
services and protocols as well as the ability to specify and define custom services.
Stateful Inspection extracts state-related information required for security decisions from all application
layers and maintains this information in dynamic state tables for evaluating subsequent connection attempts.
Access Control and Global VPN Communities
Configuring gateways for a Domain Global VPN Community does not create a de facto access control policy
between the gateways. The fact that two gateways belong to the same VPN community does not mean the
gateways have access to each other.
The configuration of the gateways into a Global VPN Community means that if these gateways are allowed
to communicate using an access control policy, then that communication is encrypted. Access control is
configured in the security policy rule base.
Using the VPN column of the security policy rule base, it is possible to create access control rules that apply
only to members of a VPN community, for example:
Source   Destination   VPN           Service   Action
Any      Any           Community_A   HTTP      Accept
If all conditions of the rule are met, the rule is matched and the connection allowed.
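The rule base semantics described above, as an added example in Go. This is illustrative code, not Check Point's rule matching engine; the Connection, Community and Verdict types, the 'Any' wildcard and the sample addresses and gateway names are assumptions. It shows that membership in Community_A by itself grants no access: HTTP between two member gateways matches the rule, SSH between the same members matches nothing and is dropped, and HTTP from a gateway outside the community cannot match a rule whose VPN column names the community:

```go
package main

import "fmt"

// Any is the wildcard value of a rule base column.
const Any = "Any"

// Rule is one row of the security policy rule base, including the VPN column.
type Rule struct {
	Source, Destination, VPN, Service, Action string
}

// Community is a Global VPN Community: the global gateway names that belong to it.
type Community struct {
	Name    string
	Members map[string]bool
}

// Connection is a flow as the enforcing gateway sees it: the end hosts, the
// global names of the gateways that front them, and the service.
type Connection struct {
	Source, Destination               string
	SourceGateway, DestinationGateway string
	Service                           string
}

// Verdict is the outcome of matching one connection against the rule base.
type Verdict struct {
	Action      string // "Accept" or "Drop"
	Rule        int    // index of the matched rule, -1 when no rule matched
	InCommunity bool   // both gateways belong to one community, so an accepted flow is encrypted
}

func matchField(rule, value string) bool { return rule == Any || rule == value }

// inCommunity reports whether both gateways of the connection are members.
func inCommunity(c Connection, comm Community) bool {
	return comm.Members[c.SourceGateway] && comm.Members[c.DestinationGateway]
}

// Match walks the rule base in order. A community in the VPN column only
// restricts the rule to traffic between that community's members; it never
// accepts anything by itself. A connection that matches no rule is dropped.
func Match(rules []Rule, comms map[string]Community, c Connection) Verdict {
	v := Verdict{Action: "Drop", Rule: -1}
	for _, comm := range comms {
		if inCommunity(c, comm) {
			v.InCommunity = true
			break
		}
	}
	for i, r := range rules {
		if !matchField(r.Source, c.Source) || !matchField(r.Destination, c.Destination) ||
			!matchField(r.Service, c.Service) {
			continue
		}
		if r.VPN != Any {
			comm, ok := comms[r.VPN]
			if !ok || !inCommunity(c, comm) {
				continue
			}
		}
		v.Action, v.Rule = r.Action, i
		return v
	}
	return v
}

func main() {
	// Constructed sample: one community, the one-row rule base from the table above.
	comms := map[string]Community{
		"Community_A": {Name: "Community_A", Members: map[string]bool{
			"gMyGateway_of_MyDomain": true, "gHQ_of_Corp": true}},
	}
	rules := []Rule{{Any, Any, "Community_A", "HTTP", "Accept"}}
	conns := []Connection{
		{"10.1.1.5", "10.2.2.8", "gMyGateway_of_MyDomain", "gHQ_of_Corp", "HTTP"},
		{"10.1.1.5", "10.2.2.8", "gMyGateway_of_MyDomain", "gHQ_of_Corp", "SSH"},
		{"10.3.3.9", "10.2.2.8", "gBranch_of_Other", "gHQ_of_Corp", "HTTP"},
	}
	for _, c := range conns {
		v := Match(rules, comms, c)
		fmt.Printf("%-4s %s -> %s via %s/%s: %s (rule %d, in community: %v)\n", c.Service,
			c.Source, c.Destination, c.SourceGateway, c.DestinationGateway, v.Action, v.Rule, v.InCommunity)
	}
}
```

The InCommunity flag is deliberately separate from the verdict: encryption is a property of the gateway pair, access is a property of the matched rule, and the two are decided independently.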
Access Control in Global VPN
Access control for global communities is the same as for a single Domain VPN community.
If the 'Accept all encrypted connections' setting is active, the applicable implied VPN rules appear in
the Domain Management Server policy.
The community shows in the 'VPN' tab of a rule.
Information about access control for VPN communities is available in the R75.20 VPN Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12285).
Joining a Gateway to a Global VPN Community
There are several steps necessary to join a Domain gateway to a Global VPN Community. First, each
Domain gateway must be enabled for global use. Then a VPN Community must be defined in Global
SmartDashboard, including the global gateway objects representing participating Domains' gateways.
Lastly, a Global Policy must be assigned to participating Domains' Domain Management Servers, and
installed on the Domain gateway, for each Domain and gateway participating in the VPN Community. All
gateways participating in the Global VPN Community must employ a Simplified VPN policy. The global
policy itself may be either neutral or Simplified.
When a global policy is assigned to one or more Domains, global objects are copied to the database of each
Domain Management Server. Whether all global objects in the database are copied, or only those related to
the global policy, is configurable per Domain in the Domain Configuration window. Rules that belong to the
assigned global policy package are added above and below the rules of every local policy defined in that
Domain Management Server database.
For more information about global policies, see Global Policy Management (on page 54).
Considerations
When you run Install Policy for Domain Management Server gateways, they receive the latest Domain
Management Server policy, including the most recently assigned Global Policy. After changes are made to a
global policy, the global policy is reassigned to one or more Domains. When a Domain Management Server
then installs the updated policy on its gateways, all modifications to global and local objects and rules are
applied to the selected gateways.
The assign and install procedure are two different processes. The administrator can re-assign a global
policy without installing a local policy to Domain gateways.
During the re-assign operation, gateways that participate in Global VPN Communities are provided the CA
certificate for other Domains participating in the community. Certificates are automatically installed in the
certificate database of the Domain Management Server assigned a global policy.
VPN in Multi-Domain Security Management Page 89
For each participating Domain other than the Domain Management Server's own Domain, a global CA Server
object is created in the Domain Management Server database, representing the certificate authority of the
peer Domain. This object is what allows authentication by Matching Criteria to work. If the certificate of the
peer Domain has already been imported manually into the database, the Matching Criteria reference the
existing certificate.
Configuring Global VPN Communities
Enabling a Domain Gateway to Join a Global VPN
Community
You must close the Global SmartDashboard and SmartDashboard (if they are open in Read/Write mode), in
order to perform the Enable for Global Use operation. If they are open in Read Only mode, they can
remain open.
The procedure to join a Global VPN Community is described below.
Step 1 - In the SmartDomain Manager
Repeat this step for all gateways that are to participate in the Global VPN Community.
1. In the General View - Domain Contents Mode (or Network Objects Mode) right click a Domain
gateway and select Enable for Global Use (or Manage > Enable for Global Use). You will be required
to provide a Global Name for the gateway.
A global gateway object and a VPN Domain object are created for the Domain gateway in the Global
Database.
2. Enabling clusters: you can enable a VPN cluster for global use in the same way as a Domain gateway.
The cluster is exported to the Global Policy as a global gateway object.
Step 2 - In Global SmartDashboard
1. Define a Global Site-to-Site VPN Community.
2. Add the global gateway objects, defined in step 1, as participating gateways in this community.
3. Define global rules as needed for the new Global VPN Community, the global gateway objects, and the
External Domains.
Step 3 - In the SmartDomain Manager
In the Global Policies View, assign and install the Global Policy to Domains and selected Domain
gateways. The Global Policies View has two modes, Security Policies Mode and VPN Communities Mode,
which allow slightly different activities. You can assign the policy to one Domain at a time, for greater
control over load, or to all Domains at once if load is not a concern.
To assign to one Domain at a time
In the Security Policies Mode, select a global policy. Then choose Reassign/Install Global Policy... from
the Manage menu, or right-click the Domain and select Reassign/Install Global Policy.... Select the
Domain gateways on which the policy should be installed. The policy is assigned to the Domain
Management Server database, then installed on the selected Domain gateways.
Alternatively, use the VPN Communities Mode; the procedure is much the same. Right-click a Domain and
select Reassign/Install Global Policy... from the mouse menu, or select Reassign/Install Global
Policy... from the Manage menu.
To assign to many Domains at one time
In the Security Policies Mode, the procedure is similar to the above. Select a Global Policy, then select
Manage > Assign/Install Global Policy... or Reassign/Install Global Policy..., or right-click and select
Assign/Install Global Policy....
This operation assigns the policy to all Domains selected, then installs the policy to the Domains'
gateways, in one go. It does not allow you to select specific gateways to which to install the policy. If
chosen, the policy will be installed to all of the gateways for the selected Domains. Assigning the policy
to many Domains and all their gateways may take some time. Use this option with caution.
You can now create VPN rules using the SmartDashboard of a Domain Management Server. Gateways that
are external to the Domain but belong to the Global VPN Community appear as global externally managed
gateway objects in the Domain Management Server SmartDashboard.
The Domain's own participating gateways appear as they usually do. It is not necessary to define
authentication for the external global gateway objects: Matching Criteria are defined automatically for the
global gateway objects, referring to the other Domain Management Server's Certificate Authority.
A Domain can be assigned a Global Policy that references a Global VPN Community in which none of the
Domain's gateways participate. In that case, the Domain Management Server database contains an empty
community (without members).
Chapter 7
High Availability
In This Chapter
Overview 92
Multi-Domain Server High Availability 92
Domain Management Server High Availability 98
Configuration 102
Failure Recovery 105
Overview
Multi-Domain Security Management High Availability gives uninterrupted management redundancy for all
Domains. Multi-Domain Security Management High Availability operates at these levels:
Multi-Domain Server High Availability - Multiple Multi-Domain Servers are, by default, automatically
synchronized with each other. You can connect to any Multi-Domain Server to do Domain management
tasks. One Multi-Domain Server is designated as the Active Multi-Domain Server. Other Multi-Domain
Servers are designated as Standby Multi-Domain Servers.
You can only do Global policy and global object management tasks using the active Multi-Domain
Server. In the event that the active Multi-Domain Server is unavailable, you must change one of the
standby Multi-Domain Servers to active.
Domain Management Server High Availability - Multiple Domain Management Servers give
Active/Standby redundancy for Domain management. One Domain Management Server for each
Domain is Active. The other, fully synchronized Domain Management Servers for that Domain, are
standbys. In the event that the Active Domain Management Server becomes unavailable, you must
change one of the standby Domain Management Servers to active.
You can also use ClusterXL to give High Availability redundancy to your Domain Security Gateways. You
use SmartDashboard to configure and manage Security Gateway High Availability for Domain Management
Servers.
Note - The current version supports multiple Domain Management Servers for
each Domain.
Multi-Domain Server High Availability
Multiple Multi-Domain Server Deployments
You can create multiple backup Multi-Domain Servers on different computers. A Multi-Domain Server can
host either active or standby Domain Management Servers.
Page 92
By default, when changes are made to Domain Management Servers, the system can automatically
synchronize the active Domain Management Server with the standby Domain Management Servers.
Alternatively, you can configure Domain Management Server synchronization to occur at specified events,
such as every time a Domain policy is saved, or when it is installed onto one or more Domain gateways.
You can also synchronize Domain Management Servers manually.
[Figure: Multi-Domain Server High Availability deployment. Callouts: A Domain A; B Domain B; 1 Active
Domain Management Servers; 2 Primary Multi-Domain Server; 3 Mirror Multi-Domain Server; 4 Mirror Domain
Management Servers; 5 Security Gateways.]
Multi-Domain Server Status
When you first deploy Multi-Domain Servers, the first Multi-Domain Server that you define becomes the
Primary Multi-Domain Server. All subsequent Multi-Domain Servers are Secondary Multi-Domain Servers.
There is no functional difference between a Primary and a Secondary Multi-Domain Server, except that you
cannot delete the Primary Multi-Domain Server.
By default, the Primary Multi-Domain Server is also the Active Multi-Domain Server. All other Multi-Domain
Servers are Standby. This distinction is important, because certain tasks can only be done on the active
Multi-Domain Server.
You must use the active Multi-Domain Server to open the Global SmartDashboard with Read/Write
permissions.
Only the active Multi-Domain Server can operate as the Multi-Domain Server Internal Certificate
Authority (ICA).
You can select another Multi-Domain Server to be the Active Multi-Domain Server. This is useful if the
current active Multi-Domain Server is unavailable. You can see the status of Multi-Domain Servers in the
High Availability - Multi-Domain Server Contents view.
To change a Multi-Domain Server from Standby to Active:
1. In the SmartDomain Manager Selection Bar, select High Availability.
2. Right-click a standby Multi-Domain Server and select Change Over from the Options menu.
Multi-Domain Server Clock Synchronization
All Multi-Domain Server system clocks must be synchronized, because the database synchronization method
uses the time at which each transaction is recorded to determine the most recent action.
Transaction times are recorded in UTC (Coordinated Universal Time) from the Multi-Domain Server system
clocks. Synchronize the Multi-Domain Server clocks with a time synchronization utility such as NTP, and
update them frequently to compensate for clock drift. Database synchronization requires that the
Multi-Domain Server clocks agree to the nearest second; otherwise an older change can be treated as the
most recent one.
Whenever a new Multi-Domain Server is defined, it must receive a certificate and communication must be
established. The Multi-Domain Server also needs to be synchronized with the other Multi-Domain Servers.
The SmartDomain Manager guides the user through the stages of performing this initial synchronization.
The Multi-Domain Server Databases
The Multi-Domain Server hosts these databases:
Domain Management Server databases
Multi-Domain Security Management System database
Global objects database
The content and synchronization method of each database is described below.
Multi-Domain Security Management System Database
The Multi-Domain Security Management system database contains data objects that define Multi-Domain
Servers, Domains, Domain Management Servers, Security Gateways, licenses, administrators, GUI clients,
and Global Policies. This database is automatically synchronized between Multi-Domain Servers.
This database architecture and automatic synchronization lets administrators use different Multi-Domain
Servers to do their management tasks. Changes made to one Multi-Domain Server are synchronized
automatically to all other Multi-Domain Servers.
If one Multi-Domain Server is down or disconnected from other Multi-Domain Servers, you can continue to
use any other Multi-Domain Servers that are online. Once the Multi-Domain Server reconnects, it will
synchronize automatically.
ICA Database for Multi-Domain Servers
This database holds certificates for Multi-Domain Servers, administrators and CRLs (certificate revocation
lists). The Multi-Domain Server ICA is used for secure communication with other Multi-Domain Servers. This
database is synchronized whenever the Global Policy database is synchronized. Only the Active Multi-
Domain Server can issue and revoke certificates for other Multi-Domain Servers. When a Standby Multi-
Domain Server becomes Active, its ICA also becomes "Active."
Domain Management Server Databases
Each Domain Management Server includes the following data:
1. Domain network objects
2. Domain Security Gateway definitions
3. Domain Security Policies
4. Domain Blade and feature configuration
5. Domain Certificate Authority (CA)
6. Other Domain-specific settings
How Synchronization Works
Multi-Domain Server Database Synchronization
By default, Multi-Domain Server database synchronization occurs automatically whenever an object is
changed. The Multi-Domain Server databases are synchronized for the specific object change. For example,
if you add a new administrator to the system, all Multi-Domain Servers will be updated with this information.
[Figure: Multi-Domain Server database synchronization. Callouts: 1 Multi-Domain Servers; 2 System
databases; 3 Synchronization path.]
Multi-Domain Server ICA Database Synchronization
When a new Multi-Domain Server is added to the deployment, the active Multi-Domain Server ICA must
issue it a certificate. If a new administrator is added to the system, the Multi-Domain Server ICA may issue a
certificate to the new administrator, depending on the administrator's authentication method. The Multi-
Domain Server ICA database is updated. If there is more than one Multi-Domain Server in the system, the
Multi-Domain Server ICA databases must be synchronized to reflect these additions.
Global Policies Database Synchronization
Global Policies data synchronization occurs either when you save the global policy or after a specified
event. See Automatic Synchronization for Global Policies Databases (on page 103) for details. Unlike the
system database synchronization, which is per object, the entire contents of the Global Policies database
are synchronized.
Domain Management Server Database Synchronization
Domain Management Server database synchronization occurs for each Domain separately. Domain
Management Servers for each Domain are synchronized when a Domain policy is saved, or at another
defined event (for details about synchronization settings, see Automatic Domain Management Server
Synchronization (on page 104)). The entire contents of the Domain Management Server database are
synchronized.
Different Domains may have different synchronization settings. This means that different Domain
Management Servers synchronize according to the specific settings for that Domain only. When information
is changed or updated for a Domain, all Domain Management Servers must receive the new information.
For example, if a gateway is added to a Domain network, and the gateway receives a certificate from the
Domain ICA, this information must be synchronized between all of the Domain Management Servers.
Full Synchronization Between Multi-Domain Servers
All synchronization tasks run according to the specified synchronization settings or conditions, even when
the servers involved are hosted on the same platform.
[Figure: Full synchronization between Multi-Domain Servers. Callouts: A Primary Multi-Domain Server;
B Secondary Multi-Domain Server; 1 Active Domain Management Server; 2 Standby Domain Management
Server; 3 Domain Management Server high availability; 4 Multi-Domain Server database high availability.]
Configuring Synchronization
Using SmartDomain Manager to Synchronize Multi-Domain Servers
High Availability is managed from the SmartDomain Manager High Availability View. You can perform all
management High Availability tasks there and view the status of these actions after a configurable delay.
The Sync Status column shows the synchronization status of Multi-Domain Servers and Domain Management
Servers. The status is refreshed at an interval that defaults to 5 minutes, so a completed synchronization
can take that long to be reflected. The statuses are as follows:
Unknown — No information has been received about this Domain Management Server/Multi-Domain
Server (see footnote (on page 98)) synchronization status. This is a temporary status that shows until
the initial synchronization is completed.
Never synced — This Domain Management Server/Multi-Domain Server has never been synchronized
with the other Domain Management Server/Multi-Domain Server to which the SmartDomain Manager is
connected.
Synchronized — This Domain Management Server/Multi-Domain Server (see footnote (on page 98)) is
synchronized with the other Domain Management Server/Multi-Domain Server to which the
SmartDomain Manager is connected.
Lagging — The data of this Domain Management Server/Multi-Domain Server (see footnote (on page
98)) is less updated than the data of the other Domain Management Server/Multi-Domain Server to
which the SmartDomain Manager is connected.
Advanced —The data of this Domain Management Server/Multi-Domain Server (see footnote (on page
98)) is more updated than the data of the other Domain Management Server/Multi-Domain Server to
which the SmartDomain Manager is connected.
Collision — The data of this Domain Management Server/Multi-Domain Server (see footnote (on page
98)) conflicts with the data of the other Domain Management Server/Multi-Domain Server to which the
SmartDomain Manager is connected.
Footnote
Multi-Domain Server synchronization status is relevant for the Global Policies database. The ICA database
is synchronized automatically when new certificates are created for administrators, Multi-Domain Servers or
Multi-Domain Log Servers. When the database contents change as a result of operations in the Global
SmartDashboard, synchronization occurs during the next Global Policies database synchronization.
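The clock synchronization requirement (Multi-Domain Server Clock Synchronization, above) and the Sync Status values listed in this section, as an added example that is not Check Point code: a small Python model in which each server stamps its transactions with its own clock, the newer transaction timestamp wins a merge, and the relationship between two databases is classified with the status names above. The merge rule, the ManagementDB and Txn names and the sample objects are assumptions made for illustration; the product's actual algorithm is not on this page. clock_skew_demo reproduces the failure mode the guide warns about: with a secondary clock two seconds slow, its genuinely newer change loses to the primary's older one.

```python
"""Model of transaction-time based synchronization. Added example, not
Check Point code: the per-object "newest timestamp wins" merge and the status
classification are assumptions built from the guide's description."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass
class Txn:
    value: str
    ts: datetime          # transaction time, stamped by the writing server's clock


@dataclass
class ManagementDB:
    name: str
    clock_skew: timedelta = timedelta(0)   # simulated drift of this host's clock
    objects: dict = field(default_factory=dict)
    synced_once: bool = False

    def write(self, obj, value, true_time):
        # The server stamps the transaction with its own (possibly skewed) clock.
        self.objects[obj] = Txn(value, true_time + self.clock_skew)


def sync_status(this, other):
    """Classify 'this' relative to 'other' using the guide's status names."""
    if other is None:
        return "Unknown"            # no status information received yet
    if not this.synced_once:
        return "Never synced"
    newer_here = newer_there = False
    for obj in this.objects.keys() | other.objects.keys():
        a, b = this.objects.get(obj), other.objects.get(obj)
        if a is None or (b is not None and a.ts < b.ts):
            newer_there = True
        elif b is None or a.ts > b.ts:
            newer_here = True
    if newer_here and newer_there:
        return "Collision"
    if newer_here:
        return "Advanced"
    if newer_there:
        return "Lagging"
    return "Synchronized"


def synchronize(this, other):
    """Last-writer-wins merge by transaction timestamp (assumed rule)."""
    for obj in this.objects.keys() | other.objects.keys():
        a, b = this.objects.get(obj), other.objects.get(obj)
        winner = b if (a is None or (b is not None and b.ts > a.ts)) else a
        this.objects[obj] = other.objects[obj] = winner
    this.synced_once = other.synced_once = True


def clock_skew_demo(skew_seconds):
    """Value that survives when the secondary's clock runs skew_seconds slow.

    The secondary makes the genuinely later change; once the skew exceeds one
    second its timestamp predates the primary's and the stale value wins.
    """
    t0 = datetime(2011, 7, 13, 12, 0, 0, tzinfo=UTC)
    primary = ManagementDB("mds-primary")
    secondary = ManagementDB("mds-secondary",
                             clock_skew=timedelta(seconds=-skew_seconds))
    synchronize(primary, secondary)          # initial synchronization
    primary.write("admin/alice", "password-auth", t0)
    secondary.write("admin/alice", "certificate-auth", t0 + timedelta(seconds=1))
    synchronize(primary, secondary)
    return primary.objects["admin/alice"].value


def status_demo():
    """Walk two servers through the status transitions listed above."""
    t0 = datetime(2011, 7, 13, 12, 0, 0, tzinfo=UTC)
    a, b = ManagementDB("mds-a"), ManagementDB("mds-b")
    out = {"fresh": sync_status(a, b)}
    synchronize(a, b)
    out["after_sync"] = sync_status(a, b)
    a.write("global-policy", "v2", t0)            # change only on a
    out["a_after_change"] = sync_status(a, b)
    out["b_after_change"] = sync_status(b, a)
    b.write("ca/crl", "crl-7", t0)                # now a change only on b as well
    out["conflict"] = sync_status(a, b)
    return out
```

Run status_demo() to see the Never synced, Synchronized, Advanced, Lagging and Collision transitions, and compare clock_skew_demo(0) with clock_skew_demo(2) to see why the guide insists on second-level clock agreement before trusting automatic synchronization.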
Domain Management Server High
Availability
Domain Management Server High Availability gives redundancy for a Domain network. At any given time,
one Domain Management Server is active, while one or more other Domain Management Servers for the
same Domain are in standby mode. Data synchronization between these Domain Management Servers
greatly improves fault tolerance and lets administrators activate a standby Domain Management Server as
needed. The active Domain Management Server and the standby Domain Management Servers must be
hosted on different Multi-Domain Servers.
Note - Redundant Multi-Domain Servers may use different operating
systems. All Multi-Domain Servers, however, must use the same Multi-
Domain Security Management version.
You can create all redundant Domain Management Servers at the same time, or add additional Domain
Management Servers at a later time. Once the Domain Management Servers have been initialized and
synchronized, there is no functional difference between them.
You do not have to assign all active or all standby Domain Management Servers to the same Multi-Domain
Server. A Multi-Domain Server can host a mixture of active and standby Domain Management Servers,
allowing you to distribute the traffic load.
[Figure: Domain Management Server High Availability. Callouts: A Primary Domain; B Secondary Domain;
1 Active Domain Management Server; 2 Primary Multi-Domain Server; 3 Secondary Multi-Domain Server;
4 Standby Domain Management Server; 5 Security Gateways.]
You make security policy changes using the active Domain Management Server using the Domain
Management Server SmartDashboard. By default, standby Domain Management Servers are automatically
synchronized with the active Domain Management Server. You can optionally configure the system to use
manual synchronization.
Active Versus Standby
All management operations such as editing and installing the Security Policy and modifying users and
objects, are done using the Active Domain Management Server. If the active Domain Management Server is
unavailable, you must change one of the Standby Domain Management Servers to active.
Standby Domain Management Servers are synchronized to the Active Domain Management Server, and
therefore, are kept up to date with all changes in the databases and Security Policy. Gateways can fetch the
Security Policy and retrieve a Certificate Revocation List (CRL) from any Domain Management Server.
The terms "Active" and "Standby" are not the same as the terms "Primary Domain Management Server" and
"Secondary Domain Management Server," which have to do with the chronological order of creation. Either
Domain Management Server can be set up to be Active or Standby. Initially, the Primary Domain
Management Server (the first one created) is the Active one, but later on the administrator can manually
change this as needed.
Adding a Secondary Domain Management Server
When you add a secondary Domain Management Server, the system does these tasks automatically:
1. Creates a duplicate Domain Management Server on another Multi-Domain Server.
2. Copies the Certificate Authority (CA) files from the primary Domain Management Server to the
secondary Domain Management Server.
3. Starts the secondary Domain Management Server.
4. Exchanges the activation key between the Domain Management Servers.
5. Initializes SIC communication between the Domain Management Servers.
6. Synchronizes the secondary Domain Management Server with the primary Domain Management
Server. At this stage, both Domain Management Servers are running (if the primary Domain
Management Server is down, the system automatically tries to start it).
If the operation fails at stage 3 or 4, the administrator can complete these stages manually.
See Mirroring Domain Management Servers with mdscmd (on page 104) for instructions on mirroring
Domain Management Servers using the CLI.
Domain Management Server Backup Using a Security
Management Server
You can use a Security Management Server to back up a Domain Management Server in a high availability
deployment. This Security Management Server can operate as either the Active or the Standby management
server.
You can back up only one Domain Management Server to a given Security Management Server. To back up
multiple Domain Management Servers, back up each one to a different Security Management Server.
For example:
The backup Security Management Server is the standby management server and the Domain
Management Server is the active management server. If the Domain Management Server becomes
unavailable, the Security Management Server becomes the Active management server.
The Domain Management Server operates as the standby management server and the backup Security
Management Server is the Active management server. If the backup Security Management Server
becomes unavailable, the Domain Management Server becomes the Active management server.
In either case, a Domain Management Server must be changed to Active before a global policy can be
assigned.
Note - A backup Security Management Server cannot be installed on
Windows or IPSO platforms.
You must define GUI clients and administrators locally on the Security Management Server. The backup
process cannot export this data from a Domain Management Server to a Security Management Server.
[Figure: Domain Management Server backup using a Security Management Server. Callouts: A Primary
Multi-Domain Server; B Secondary Multi-Domain Server; C Security Management Server used for Domain
Management Server backup; 1 Active Domain Management Server; 2 Standby Domain Management Server;
3 Domain Management Server high availability; 4 Multi-Domain Server database high availability; 5 Domain
Management Server high availability to Security Management Server backup.]
Creating a Backup Security Management Server
To create a backup Security Management Server from a fresh installation:
1. Do a fresh Security Management Server installation, defining the Security Management Server as a
secondary Security Management Server.
2. Use cpconfig to configure the following:
a) Select an activation key that will be used to establish SIC trust between the Security Management
Server and Domain Management Server.
b) Define GUI Clients and Administrators.
3. In the Domain Management Server SmartDashboard, create a network object that will represent the
secondary backup Security Management Server.
a) Select Manage > Network Objects > Check Point > New > Host
b) In the Check Point Host window, check Secondary Management Station under Check Point
Products. This automatically selects Log Server as well.
4. From the object created in step 3 establish secure communication with the secondary backup Security
Management Server.
5. From SmartDashboard access the Policy menu, select Management High Availability and press the
Synchronize button.
To setup a backup Security Management Server from an existing Security Management
Server:
1. Migrate the existing Security Management Server to the Domain Management Server. See "Upgrading
Multi-Domain Security Management" in the R75.20 Installation and Upgrade Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12269).
2. Perform a fresh Security Management Server installation as a secondary Security Management Server
on an existing or new machine.
3. Use cpconfig to set an activation key that will be used to establish secure internal communication
(SIC) between the Domain Management Server and the Security Management Server.
4. Create a network object in the Domain Management Server that will represent the secondary backup
Security Management Server.
a) Select Manage > Network Objects > Check Point > New > Host
b) In the Check Point Host window, check Secondary Management Station under Check Point
Products. This automatically selects Log Server as well.
5. From the object created in step 4 establish secure communication with the secondary backup Security
Management Server.
6. From SmartDashboard access the Policy menu, select Management High Availability and press the
Synchronize button.
Configuration
Adding another Multi-Domain Server
These steps are described in greater detail in the section Creating a Primary Multi-Domain Server (on page
28).
1. Synchronize the system clock of the new Multi-Domain Server computer with all other Multi-Domain
Servers computers' system clocks.
2. Run the Multi-Domain Server installation script to install the Multi-Domain Server.
3. When prompted if this is a primary Multi-Domain Server, enter No.
4. During the configuration phase, add a Multi-Domain Server license, and enter the SIC Activation Key.
This Activation Key is required to send the SIC certificate to the new Multi-Domain Server from the
primary Multi-Domain Server.
5. In the SmartDomain Manager connected to the first Multi-Domain Server, define a new Multi-Domain
Server. Assign it the IP address of the Leading Interface you selected for it in the configuration phase.
Send the new Multi-Domain Server a certificate by the Initialize Communication option. Use the same
Activation Key you entered in the configuration of the new Multi-Domain Server.
6. Do an "Initial synchronization" for this Multi-Domain Server when prompted. Your new Multi-Domain
Server is now ready for use.
Creating a Mirror of an Existing Multi-Domain Server
Mirroring an existing Multi-Domain Server creates an exact duplicate of that Multi-Domain Server.
To mirror an existing Multi-Domain Server:
1. Set up route tables.
2. Synchronize the system clock of the computer on which you will install the Multi-Domain Server with all
other Multi-Domain Servers.
3. Install and create a new Multi-Domain Server. Define the new Multi-Domain Server using the
SmartDomain Manager.
4. Do an initial synchronization. See Initializing Synchronization (see "First Multi-Domain Server
Synchronization" on page 103).
5. To complete the synchronization, run this command:
mdscmd mirrormanagement -s <source_mds> -t <target_mds> [-m <mds> -u <user> -p <password>]
-s <source_mds> is the name of the primary (source) Multi-Domain Server.
-t <target_mds> is the name of the mirror (target) Multi-Domain Server.
-m <mds> is another Multi-Domain Server to log into in order to perform this action, and -u <user>
-p <password> are the login user name and password. The -m, -u and -p options are optional, but if
used, must be used together.
This command synchronizes the data of all Domain Management Servers maintained by the source
Multi-Domain Server. A duplicate (mirror) Domain Management Server is created for each Domain
Management Server on the source Multi-Domain Server. For further details, see this command in
Commands and Utilities (on page 135).
First Multi-Domain Server Synchronization
This step can be performed in the Multi-Domain Server Configuration window while creating the Multi-
Domain Server. Or it can be done later after the Multi-Domain Server is created, through the SmartDomain
Manager High Availability View, as follows:
1. Verify that the Multi-Domain Server Sync Status is Never synced.
2. Ensure that SIC has been established between the Multi-Domain Servers.
3. Right-click the Multi-Domain Server, then select Initialize Synchronization, or select Initialize
Synchronization from the Manage menu. The Status Report window is displayed, showing whether
synchronization initialization succeeded or failed.
Restarting Multi-Domain Server Synchronization
If you have already started Multi-Domain Server synchronization and it failed to complete successfully, you
can restart the synchronization using the High Availability View - Multi-Domain Server Contents mode.
You can either select a single Multi-Domain Server and synchronize it with the Multi-Domain Server you
logged into, or select a group of Multi-Domain Servers and synchronize all of them with each other.
To Synchronize a Single Multi-Domain Server with Another Multi-Domain
Server
1. Select the Multi-Domain Server you want to synchronize with the Multi-Domain Server you logged into.
Check that its Sync Status is other than Never synced or Unknown.
2. Right-click the Multi-Domain Server and select Synchronize, or select Synchronize from the Manage
menu.
To Synchronize a Group of Multi-Domain Servers
Choose Select and Synchronize from the Manage menu. The Multi-Domain Server Synchronization
window is displayed, in which you select the Multi-Domain Servers to be synchronized.
Selecting a Different Multi-Domain Server to be the Active
Multi-Domain Server
If the Multi-Domain Server status is Standby, you can use the Change Over command to change its status
to Active. Once you change the status there is a delay (by default 5 minutes) until the status is updated.
To Change the Active Multi-Domain Server
1. Make sure that you are not logged into the Global SmartDashboard (except in Read-only mode).
2. Select the Multi-Domain Server you want to make Active.
3. Select Change Over from the Manage menu.
4. The status will be changed to Active. The statuses of all other Multi-Domain Server in the system will be
Standby.
Automatic Synchronization for Global Policies Databases
The Global Policies database synchronization method is selected in the Global SmartDashboard (Policy >
Global properties > Management High Availability menu).
The following options are available:
On Save - after the Save operation in the Global SmartDashboard, the database is synchronized to other
Multi-Domain Servers.
Scheduled - you can select a scheduled synchronization (for example, once a day at a certain time). Use
local time for the scheduled event.
On Save and Scheduled can be selected simultaneously, or none of the options can be selected.
Add a Secondary Domain Management Server
Add a Domain Management Server through the SmartDomain Manager. A Domain must have at least one
Domain Management Server before a secondary Domain Management Server can be added to it. The
secondary Domain Management Server must be created on a different Multi-Domain Server. Ensure that
the primary Domain Management Server SmartDashboard is closed.
To add a secondary Domain Management Server:
1. In the SmartDomain Manager Domain View, select a Domain, then select Add Domain Management
Server or Domain Log Server from the Manage menu, or right-click the Domain and select Add
Domain Management Server or Add Domain Log Server.
2. You are required to complete the fields shown. Enter a name for the Domain Management Server which
does not contain any spaces. Select a Multi-Domain Server to host this Domain Management Server.
3. Enter the license information.
Mirroring Domain Management Servers with mdscmd
Use the mdscmd mirrormanagement command to mirror all Domain Management Servers on one Multi-Domain
Server to another Multi-Domain Server. In the current version, the new mirror Domain Management
Servers will be created even for Domains that already have two or more Domain Management Servers.
If you want to limit mirror Domain Management Server creation to Domains that have only one Domain
Management Server (or any other number of Domain Management Servers), use the new -c flag. The full
command syntax is:
mdscmd mirrormanagement -s <source_server> -t <target_server> [-c <max_total_number>] [-m <Security Management Server> -u <user> -p <password>]
where <max_total_number> is the maximum resulting total number of Domain Management Servers
per Domain.
For example, to mirror Domain Management Servers only for Domains that have only one Domain
Management Server, run:
mdscmd mirrormanagement -s FirstServer -t SecondServer -c 2
Automatic Domain Management Server Synchronization
When you create a secondary Domain Management Server it automatically synchronizes with the active
Domain Management Server database. To keep these two Domain Management Servers regularly
synchronized, we recommend that you configure automatic synchronization using SmartDashboard. You
can select the synchronization method from the Policy > Management High Availability menu. For
detailed instructions on synchronizing management stations, see ("High Availability" on page 92).
Synchronize ClusterXL Gateways
The gateway synchronization feature provides the mechanism for synchronizing the states of two Security
Gateways. High Availability for Security Gateways is described in the R75.20 ClusterXL Administration
Guide (http://supportcontent.checkpoint.com/documentation_download?ID=12265). High Availability for
encrypted connections is described in the R75.20 Virtual Private Networks Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12285).
Failure Recovery
Multi-Domain Security Management includes capabilities that enable recovery in many cases of a failed
Multi-Domain Server in a High Availability deployment. Specifically, in the case of a failed Multi-Domain
Server, you can promote a secondary Domain Management Server to become a primary Domain
Management Server.
Note - Domain Management Server promotion in other cases is not supported.
Recovery with a Functioning Multi-Domain Server
Do this procedure to recover using a remaining, functioning Multi-Domain Server.
Connecting to a Remaining Multi-Domain Server
To connect to a remaining Multi-Domain Server:
1. Make sure that all remaining Multi-Domain Servers and Multi-Domain Log Servers are running.
2. Connect to a remaining Multi-Domain Server using the SmartDomain Manager.
3. If there is no remaining Multi-Domain Server that is active, make one active. In the High Availability -
Multi-Domain Server Contents view of the SmartDomain Manager for a Multi-Domain Server, Change
Over that Multi-Domain Server from Standby to Active.
4. On each remaining Multi-Domain Server and on each remaining Multi-Domain Log Server, run these lines:
mdsenv
cp $MDSDIR/conf/mdsdb/Domains.C $MDSDIR/conf/mdsdb/Domains.C.prepromote
5. In the General - Multi-Domain Server Contents view of the SmartDomain Manager, delete the failed
Multi-Domain Server.
If the failed Multi-Domain Server was the primary Multi-Domain Server, the SmartDomain Manager will
by default not allow you to delete the Multi-Domain Server. In this case, first run the following command
on a remaining Multi-Domain Server:
enable_mds_deletion <name>
where <name> is the name of the failed primary Multi-Domain Server. Then delete the failed Multi-
Domain Server in the SmartDomain Manager.
Note - Deleting the Multi-Domain Server causes all of its Domain Management Servers, many network
objects, and Global Policy assignments to disappear from the SmartDomain Manager as well. Objects that
are still relevant will be automatically restored after the next step.
6. On each remaining Multi-Domain Server and on each remaining Multi-Domain Log Server, run the
following commands:
mdsstop
mv $MDSDIR/conf/mdsdb/cp-deleted.C $MDSDIR/conf/mdsdb/cp-deleted.C.prepromote
cp $MDSDIR/conf/mdsdb/Domains.C $MDSDIR/conf/mdsdb/Domains.C.afterpromote
cp $MDSDIR/conf/mdsdb/Domains.C.prepromote $MDSDIR/conf/mdsdb/Domains.C
mdsstart
Relevant network objects and Global Policy assignments are automatically restored in the SmartDomain
Manager.
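The Domains.C handling in steps 4 and 6 above, wrapped in two shell functions that refuse to run a step twice. This is an added example and is not part of the Check Point guide or product: the function names are this example's own, it assumes only that the directory passed to it has the conf/mdsdb layout that mdsenv exposes through $MDSDIR, and it leaves mdsstop and mdsstart to the operator, as the procedure does. The guards matter because re-running step 4 after the failed server has been deleted would overwrite the pre-deletion snapshot that step 6 restores from.

```shell
# Added example, not from the Check Point guide. Assumes the directory
# given as $1 contains conf/mdsdb/Domains.C, as $MDSDIR does after mdsenv.
MDSDB_REL="conf/mdsdb"

# Step 4: snapshot Domains.C before the failed Multi-Domain Server is
# deleted. Refuses to overwrite an existing snapshot, because running this
# again after the deletion would replace the pre-deletion state that the
# restore depends on.
snapshot_domains_db() {
    mdsdb="$1/$MDSDB_REL"
    if [ ! -f "$mdsdb/Domains.C" ]; then
        echo "snapshot: $mdsdb/Domains.C not found" >&2
        return 1
    fi
    if [ -e "$mdsdb/Domains.C.prepromote" ]; then
        echo "snapshot: $mdsdb/Domains.C.prepromote already exists, not overwriting" >&2
        return 2
    fi
    cp "$mdsdb/Domains.C" "$mdsdb/Domains.C.prepromote"
}

# Step 6: set cp-deleted.C aside, keep the post-deletion Domains.C as
# .afterpromote, and put the snapshot back. Run only while the server is
# stopped (mdsstop). Refuses to run twice, which would copy the already
# restored file over .afterpromote and lose the post-deletion record.
restore_domains_db() {
    mdsdb="$1/$MDSDB_REL"
    if [ ! -f "$mdsdb/Domains.C.prepromote" ]; then
        echo "restore: no snapshot at $mdsdb/Domains.C.prepromote" >&2
        return 1
    fi
    if [ -e "$mdsdb/Domains.C.afterpromote" ]; then
        echo "restore: $mdsdb/Domains.C.afterpromote already exists, restore already done?" >&2
        return 2
    fi
    # The guide moves cp-deleted.C unconditionally; tolerating its absence
    # is an assumption of this example so an interrupted run can continue.
    if [ -e "$mdsdb/cp-deleted.C" ]; then
        mv "$mdsdb/cp-deleted.C" "$mdsdb/cp-deleted.C.prepromote"
    fi
    cp "$mdsdb/Domains.C" "$mdsdb/Domains.C.afterpromote"
    cp "$mdsdb/Domains.C.prepromote" "$mdsdb/Domains.C"
}

# Typical use on a remaining server, after mdsenv:
#   snapshot_domains_db "$MDSDIR"                      # step 4
#   mdsstop && restore_domains_db "$MDSDIR" && mdsstart  # step 6
```

Both functions report on stderr and return a non-zero status when they refuse to act, so they can be chained with && ahead of mdsstart without starting the server on a half-done restore.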
Resetting Domain Management Servers
To reset Domain Management Servers:
For each Domain whose primary Domain Management Server was on the failed Multi-Domain Server,
perform the following:
1. Choose a Domain Management Server to be made primary. If the Domain Management Server is
standby, first make it active by opening SmartDashboard for it. SmartDashboard prompts you to change
the Domain Management Server status to Active. Close SmartDashboard.
2. Change the active Domain Management Server from secondary to primary by setting the Multi-Domain
Server environment to the specified Domain Management Server. To do so:
a) Run mdsenv <Domain Management Server name>.
b) Run promote_util.
3. In SmartDashboard for the promoted Domain Management Server, locate (with Where Used) and
remove all uses of the failed Domain Management Server, and the failed Domain Management Server
itself. Save the policy.
4. Synchronize the Domain Management Servers manually, if necessary, and re-assign Global Policies
and install policies on all gateways.
5. If the promoted Domain Management Server is using an HA Domain Management Server license,
replace it with a regular Domain Management Server license.
Restoring the High Availability Deployment
To restore your High Availability deployment:
1. Install a new secondary Multi-Domain Server.
Important - The newly promoted secondary Multi-Domain Server must NOT use the same name as the failed
Multi-Domain Server.
2. Mirror Domain Management Servers onto the new Multi-Domain Server as required.
Recovery from Failure of the Only Multi-Domain Server
If your deployment had only one Multi-Domain Server, and it has failed, your deployment is no longer
manageable from the SmartDomain Manager. Therefore, you need to completely recreate the Multi-Domain
Security Management deployment.
Recreating the Multi-Domain Security Management Deployment
To recreate the Multi-Domain Security Management Deployment:
For each Domain whose primary Domain Management Server was on the failed Multi-Domain Server,
perform the following:
1. Choose a Domain Management Server to be made primary. If the Domain Management Server is
standby, first make it active by opening SmartDashboard for it. SmartDashboard prompts you to change
the Domain Management Server status to Active. Close SmartDashboard.
2. Change the active Domain Management Server from secondary to primary by setting the Multi-Domain
Server environment to the specified Domain Management Server. To do so:
a) Run mdsenv <Domain Management Server name>.
b) Run promote_util.
3. Install a new Primary Multi-Domain Server, and additional Multi-Domain Servers according to your
deployment's needs.
4. Migrate the Multi-Domain Security Management environment from the old deployment to the new one.
For detailed instructions, refer to the Gradual Upgrade section in the Installation and
Upgrade guide (http://supportcontent.checkpoint.com/documentation_download?ID=11648). For the
migration process, use the primary Domain Management Server as the source for each Domain.
As part of the migration process, in SmartDashboard for the new Domain Management Server, make
sure to locate (with Where Used) and to remove all uses of the old deployment's Domain Management
Servers (except the primary Domain Management Server used for migration), and these Domain
Management Server objects themselves. Save the policy.
The Gradual Upgrade process includes migrating Global Policies. Afterwards, remember to re-assign
Global Policies and install policies on all gateways.
5. Mirror new secondary Domain Management Servers according to your needs.
Chapter 8
Logging in Multi-Domain Security
Management
In This Chapter
Logging Domain Activity 108
Exporting Logs 109
Logging Configuration 111
Logging Domain Activity
Logs are generated for the different events that occur and are stored for future reference. Multi-Domain Security
Management logs are generated by Domain network gateways, Domain Management Servers and the
Multi-Domain Server. The Security Policy installed on each Security Gateway controls which events
generate log entries. For more information about configuring logs see the R75.20 Security Management
Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=12277).
Logs can be stored locally on Security Gateways. The recommended deployment for large organizations is to
use dedicated log servers. In this scenario, the gateway sends logs to a log server that collects and stores
them. In Multi-Domain Security Management deployments the Domain Management Server operates as the
default log server.
It is recommended that you deploy dedicated Log servers under either of the following circumstances:
If your deployment has heavy logging traffic.
If the Multi-Domain Server or the Domain Management Server has heavy network traffic.
By default, each domain has its own log server, called a Domain Log Server. You can host a Domain Log
Server on any Multi-Domain Server machine, as long as that Multi-Domain Server does not contain another
Domain Management Server or Domain Log Server belonging to the same Domain.
You can also define a log server that saves log files for multiple Domains. This is known as a Multi-Domain
Log Server. You can define one or more Multi-Domain Servers as dedicated Multi-Domain Log Servers that
do not host any Domain Management Servers. This is a cost-effective solution for deployments with heavy
log traffic.
Logging can be deployed for a single Domain by:
Enabling local logging on the Domain network gateway. Refer to the R75.20 Security Management
Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=12277) to find
out when to use local logging.
Logging data to the Domain Management Server (the default setting).
Logging to a Log server set up on a dedicated machine for the Domain.
Logging to a Domain Log Server.
It is possible to have a combined logging setup, with the following two components:
Domain Log Servers extracting information from the Multi-Domain Security Management environment,
A Log server in the Domain network receiving records.
In this case, logs are then maintained both in the Multi-Domain Security Management environment and in
the Domain network environment.
The table below shows the similarities and differences between Domain Management Servers and Domain
Log Servers:
                      Domain Management Server          Domain Log Server                  Multi-Domain Log Server
Function              Manages the Security Policy,      Collects logs from selected        Collects logs from selected
                      the User and Object Database      gateways                           gateways (Check Point and
                      for the Domain                                                       OPSEC gateways)
Installed on...       Multi-Domain Server               Multi-Domain Log Server            A dedicated machine
Location              Multi-Domain Security Management  Multi-Domain Security Management   Domain Site
Max. No. per Domain   2                                 Unlimited                          Unlimited
Launches Application  SmartDashboard                    SmartDashboard (Read Only)         SmartDashboard (Read Only)
                      SmartUpdate                       SmartView Tracker                  SmartView Tracker
                      SmartView Tracker                 SmartView Monitor                  SmartView Monitor
                      SmartView Monitor
                      SmartProvisioning
Note - Multi-Domain Security Management supports SmartReporter Reports. A SmartReporter server is
installed on a different machine and then configured in the Multi-Domain Security Management environment.
Exporting Logs
There are several ways and formats in which a log file can be exported:
Format            Environment                                 Export to...              Event
simple text file  Domain or Multi-Domain Security Management  file                      any time
database          Domain or Multi-Domain Security Management  external Oracle database  manual one-time event
database          Multi-Domain Security Management            external Oracle database  daily event
Log Export to Text
Export logs to a text file at any given time using SmartView Tracker. For more information, see the
SmartView Tracker chapter of the R75.20 Security Management Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12277).
Manual Log Export to Oracle Database
Export logs manually to an external Oracle Database at any given time.
Automatic Log Export to Oracle Database
You can export Check Point and OPSEC logs to Oracle commercial relational databases. To do this, you
must configure the Multi-Domain Server to support log exports (see Configuring a Multi-Domain Server to
Enable Log Export (on page 112)). Logs can automatically be exported once a day at a scheduled time.
Log exports can only be done on log files that are not currently open and Active. The automatic log export
will not take place in the following cases:
The Multi-Domain Server, Domain Management Server or Domain Log Server is down at the scheduled
log export time.
The latest log file has not been closed and all previous logs were already exported.
Log Files
For each Domain Log Server, an Active log file, the fw.log file, is created. Logged data is stored to this file
for a scheduled period or until it reaches a certain size limit, after which the fw.log file is saved with a new
extension, say fw.log.109, and a new file is opened (this process is also known as log "switching"). Once
a log file is closed, it is possible to export the file, automatically or manually.
Export Profiles
Automatic log exports are performed according to a Log Export Profile. This profile defines log export
parameters, such as the schedule and the log fields to be exported. Each Domain Management Server and
Domain Log Server can be assigned a Log Export Profile. The same log profile can be applied to a number
of Domain Management Servers and Domain Log Servers that share the same logging needs.
Log exports are performed on log files that are not currently open. The file must be inactive and not yet
exported.
Choosing Fields to Export
As part of the Log Export Profile, a Multi-Domain Security Management Superuser designates a list of
log fields to export. You can set Default fields to automatically be included in each new Log Export Profile,
or modify the fields selection as needed. If you need to define a new profile that is similar to an existing
Profile, you can duplicate an existing profile and modify its properties as needed.
Log Forwarding
It is possible to use SmartView Tracker to forward a log file from one Multi-Domain Log Server to another
computer. For more information, see the SmartView Tracker documentation in the R75.20 Security
Management Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12277).
Cross Domain Logging
By default, each Security Gateway managed by a Domain Management Server can send its logs either to
the Domain Management Server (primary or secondary) or to a Log server (a physical machine or a Domain
Log Server hosted on a Multi-Domain Log Server). When using Log servers or Domain Log Servers, the
Security Gateways can send logs only to Log servers defined in the same management Domain (i.e.,
belonging to the same Domain).
If required, a manual workaround can allow cross-Domain logging. The workaround is
recommended in very limited cases, as it has scalability restrictions, and its setup requires manual
intervention in the SIC (Secure Internal Communications) authentication process.
The procedure for setting this up is detailed in SecureKnowledge; see SK12882.
Logging Configuration
The following section outlines the configuration issues that are involved with logging in Multi-Domain
Security Management.
Setting Up Logging
1. To create a Multi-Domain Log Server, follow the same procedure that is done for creating a
SmartDomain Manager. See Provisioning Multi-Domain Security Management (on page 24).
2. Using the SmartDomain Manager, create one or more Domain Log Servers per Domain. Each must be
on a different Multi-Domain Server.
Remember to enable communication between the Multi-Domain Security Management network and the
Domain gateways. Add appropriate rules permitting the Domain Log Servers to communicate from the
Multi-Domain Security Management network with the Domain gateways, and install the policy on the
relevant gateways.
3. Set up each relevant gateway to send its logs to the new Domain Log Server.
4. Synchronize the new Domain Log Server database with the Domain Management Server database
using the "install-database" operation. This must be done so that logs are properly processed. See
Synchronizing the Domain Log Server Database with the Domain Management Server Database (on
page 112).
5. Configure the Multi-Domain Server for the log exporting procedure. See Configuring a Multi-Domain
Server to Enable Log Export (on page 112).
6. If you want to enable automatic log exporting, create a Log Export Profile and assign it to the Domain
Log Servers and Domain Management Servers. See Configuring Log Export Profiles (on page 112), and
Choosing Log Export Fields (on page 113).
If you experience any difficulty, consult the Troubleshooting section. See Log Export Troubleshooting (on
page 113).
Working with Domain Log Servers
Add a Domain Log Server
Domain Log Servers can be added through the SmartDomain Manager. Note the following:
A Domain must have at least one Domain Management Server before a Domain Log Server can be
added to it.
Each Domain Log Server created for the same Domain must be deployed on a different Multi-Domain
Server.
A Domain Log Server and Domain Management Server cannot be installed on the same Multi-Domain
Server.
To add the new Domain Log Server:
1. In the SmartDomain Manager Domain View, select a Domain, then select Add Domain Log Server
from the Manage menu, or right-click the Domain and select Add Domain Log Server.
2. You are required to enter values for the displayed fields.
Enter a name for the Domain Log Server.
Select a Multi-Domain Server to host this Domain Log Server.
3. Assign a virtual IP address to the Domain Log Server. Configuration details for creating Virtual IPs and
installing licensing are similar to those of the Domain Management Server (see "Deployment Planning"
on page 20).
4. Next, fill in the license information, if required.
Starting or Stopping a Domain Log Server
To start or stop a Domain Log Server from the SmartDomain Manager General View:
1. Select the Domain Log Server.
2. Do one of the following:
Choose Manage > Start Domain Management/Start Domain Log Server or Stop Domain
Management/Stop Domain Log Server as appropriate, or
Select Start or Stop from the toolbar.
The run status of the Domain Log Server will change accordingly, and the change will be reflected in the
Status column.
An alternative way to start or stop a Domain Log Server is from the Multi-Domain Server command line, by
using the mdsstart_customer and mdsstop_customer commands.
Deleting a Domain Log Server
Before deleting a Domain Log Server, make sure to stop it. Then select it in the SmartDomain Manager and
delete the Domain Log Server from the options menu.
Setting up Domain Gateway to Send Logs to the Domain
Log Server
Logs are not automatically forwarded to a new Domain Log Server. You must manually set up each relevant
gateway to send its logs to the new Domain Log Server.
To set up Domain gateways to send logs to the Domain Log Server:
1. Launch SmartDashboard for the Domain Management Server and double-click the gateway object to
display its Check Point Gateway window.
2. Display the Additional Logging page (under Logs and Masters) and check Forward log files to
Security Management Server. The Security Management Servers drop-down list is enabled.
3. Select the new Domain Log Server from the Security Management Server drop-down list and click OK.
Synchronizing the Domain Log Server Database with the
Domain Management Server Database
To process logs properly, the Domain Log Server database should be synchronized with the Domain
Management Server database.
To synchronize the Domain Log Server Database with the Domain Management Server Database:
1. In SmartDashboard, select Policy > Install Database. The Install Database window is displayed.
2. Under Install Database on, check the Domain Log Server you have created and click OK. The Install
Users Database status window is displayed. From this window you can follow the progress of the
installation.
Configuring a Multi-Domain Server to Enable Log Export
To configure a Multi-Domain Server to Enable Log Export:
1. Stop the Multi-Domain Server processes.
2. Install and configure the Oracle Client.
3. Define the environment variable ORACLE_HOME according to the installation.
4. Add $ORACLE_HOME/lib to the $LD_LIBRARY_PATH.
5. Add $ORACLE_HOME/bin to the $PATH.
6. Restart the Multi-Domain Server processes.
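A pre-flight check for steps 2 to 5 above, added here as an example and not taken from the Check Point guide or product. It verifies that ORACLE_HOME holds the lib and bin directories and that each is listed as an exact entry in LD_LIBRARY_PATH and PATH, so a missing or mistyped entry is reported before the first export fails with "Failed to load dll" (see Log Export Troubleshooting). The function names, and the choice to take the three values as arguments instead of reading the environment, are this example's own.

```shell
# Added example, not from the Check Point guide. Function names and the
# argument-passing style are assumptions of this example.

# True when the colon-separated list $1 contains $2 as a whole entry.
# Wrapping both sides in colons makes the match exact, so /opt/oracle/lib
# is not accepted just because /x/opt/oracle/lib happens to be listed.
path_contains() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_log_export_env ORACLE_HOME LD_LIBRARY_PATH PATH
# Verifies the directories steps 3 to 5 refer to and that each is on the
# right search path. Returns 0 when everything is in place; otherwise
# reports each gap on stderr and returns the number of gaps, so a caller
# can refuse to run mdsstart (step 6) until the count is zero.
check_log_export_env() {
    oracle_home="$1"
    ld_path="$2"
    bin_path="$3"
    missing=0
    if [ -z "$oracle_home" ] || [ ! -d "$oracle_home" ]; then
        # Nothing below can be checked meaningfully without a valid home.
        echo "ORACLE_HOME is unset or not a directory: '$oracle_home'" >&2
        return 1
    fi
    for sub in lib bin; do
        if [ ! -d "$oracle_home/$sub" ]; then
            echo "missing directory: $oracle_home/$sub" >&2
            missing=$((missing + 1))
        fi
    done
    if ! path_contains "$ld_path" "$oracle_home/lib"; then
        echo "LD_LIBRARY_PATH lacks $oracle_home/lib (expect 'Failed to load dll' on export)" >&2
        missing=$((missing + 1))
    fi
    if ! path_contains "$bin_path" "$oracle_home/bin"; then
        echo "PATH lacks $oracle_home/bin" >&2
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Typical use on the Multi-Domain Server, between steps 1 and 6:
#   check_log_export_env "$ORACLE_HOME" "$LD_LIBRARY_PATH" "$PATH" \
#       || echo "fix the items reported above before restarting"
```

Checking for an exact path entry rather than a substring is the point of path_contains: a neighbouring directory with a similar name would otherwise pass the check and the Oracle client library would still not be found at export time.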
Configuring Log Export Profiles
The first time you perform a Log Export, a log field table is created in the external database. The table is
structured according to the log fields settings defined in the Log Export Profile. The table's naming
convention is <Domain Management Server Name>_<Domain Name>_CPLogs. For example, for
DMS1 of Domain1, the table will be named DMS1_Domain1_CPLogs.
To configure Log Export profiles:
1. Select Manage > Log Export > Profiles... from the menu.
2. To view the Domain Management Servers and Domain Log Servers assigned a selected profile, click
Show Assigned. To remove a specific Domain Management Server or Domain Log Server, click
Remove.
3. In the General tab, specify basic export parameters, such as the Oracle server receiving the logs, the
name and password of the administrator managing that Oracle server, the schedule etc.
4. In the Log Fields tab, select the fields to be exported. Some fields are checked by default. Change
these settings as needed.
If you modify this list (for example, changing a field's length), once the data is exported, the list details
will become incompatible with the target table and future Log Exports will fail. To avoid this, rename the
current table.
Next time you perform a Log Export, the process will create a new table using the original table's name.
5. In the Assign tab, specify which Domain Management Servers and Domain Log Servers are assigned
this profile.
6. To find the profile assigned to a specific Domain Management Server or Domain Log Server, click Find
in the Log Export Profiles window. The window will either display the Log Export Profile's name, or
indicate that no profile has been assigned.
Choosing Log Export Fields
Use the Log Export Fields window to determine which log fields are exported. You can add, edit and delete
fields as needed. Default fields can be selected in this window, to be automatically included in each new
Log Export Profile.
Be aware that changing or removing log export fields affects all profiles using these fields.
To choose Log Export fields:
1. Select Manage > Log Export > Fields... from the menu.
2. Use the Add, Edit and Delete buttons to create a list of fields according to the logging data you want to
export.
The Name of the field is as it appears in the Log File. The Exported Name is the name you give to the
field you want to appear in the exported Oracle table. The Exported Name should follow Oracle naming
restrictions.
Enter a Type, and Length. Check Export by default to have a field selected by default for all new Log
Export Profiles.
3. These select fields to automatically include in each new Log Export Profile, check Export by default in
the Add Log Export Field window (or double-click an existing field). You can later modify this selection
as needed.
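The naming rules that Configuring Log Export Profiles (the <Domain Management Server Name>_<Domain Name>_CPLogs table) and the Exported Name step above both depend on, checked locally before the first export creates the table. This is an added example and is not part of the Check Point guide or product: the function names and the constructed field list are this example's own, and it applies the rules for unquoted Oracle identifiers (a letter first; letters, digits, _, $ and # only; at most 30 characters, the limit in Oracle releases contemporary with this guide, while 12.2 and later allow 128), which is what "Oracle naming restrictions" refers to.

```shell
# Added example, not from the Check Point guide. Function names and the
# sample field list are assumptions of this example.

# Unquoted Oracle identifier rules: letter first, then letters, digits,
# _, $ and #, at most 30 characters in releases of this guide's era.
ORACLE_IDENT_MAX=30

# Returns 0 when $1 is a valid unquoted Oracle identifier; otherwise
# explains on stderr and returns 1.
oracle_identifier_ok() {
    name="$1"
    if [ "${#name}" -gt "$ORACLE_IDENT_MAX" ]; then
        echo "'$name': longer than $ORACLE_IDENT_MAX characters" >&2
        return 1
    fi
    if ! printf '%s' "$name" | grep -Eq '^[A-Za-z][A-Za-z0-9_$#]*$'; then
        echo "'$name': must start with a letter and use only letters, digits, _, \$ and #" >&2
        return 1
    fi
}

# Builds <Domain Management Server Name>_<Domain Name>_CPLogs, the table
# name described above, and prints it only if Oracle will accept it.
log_export_table_name() {
    table="${1}_${2}_CPLogs"
    oracle_identifier_ok "$table" || return 1
    printf '%s\n' "$table"
}

# Reads "log field:Exported Name" lines on stdin (a constructed format for
# this example; the real list lives in the Log Export Fields window),
# prints each Exported Name Oracle would reject, and returns how many
# there were. Zero means the profile's field names are safe.
check_export_field_names() {
    bad=0
    while IFS=: read -r log_field exported; do
        [ -n "$log_field" ] || continue
        if ! oracle_identifier_ok "$exported" 2>/dev/null; then
            printf 'reject: %s -> "%s"\n' "$log_field" "$exported"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: the last two Exported Names would make the export
# fail with "Failed to create table in database".
SAMPLE_FIELDS='orig:ORIG
src:SRC_IP
user:1USER
rule:RULE NAME'

# Example run:
#   log_export_table_name DMS1 Domain1                      # prints DMS1_Domain1_CPLogs
#   printf '%s\n' "$SAMPLE_FIELDS" | check_export_field_names   # lists 1USER and RULE NAME
```

Running the table-name check is worth doing once per Domain Management Server and Domain Log Server that will be assigned the profile, since a long server or Domain name can push the combined name past the identifier limit even when each part looks harmless.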
Log Export Troubleshooting
Log Export troubleshooting suggestions are shown below:
Error Message                           What to do
No connection with Domain Management    Verify the following:
Server.                                 - The Domain Management Server is running properly.
                                        - The Domain Management Server has a valid license.
Configuration file not found.           Update the Log Export Profile using the SmartDomain Manager.
No data to export.                      Run two commands:
                                        mdsenv <domain_management_server_name>
                                        fw lslogs -e
Failed to load dll.                     The external database's client is not configured properly.
                                        Proceed as follows:
                                        1. Stop the Multi-Domain Server.
                                        2. Prepare your system for the Log Export process (see
                                           Configuring a Multi-Domain Server to Enable Log Export
                                           (on page 112)).
                                        3. Start the Multi-Domain Server.
Failed to connect to the external       Verify the following:
database.                               - The external database is accessible and running properly.
                                        - The external database's client is configured correctly.
                                        - The administrator name and password specified in the Log
                                          Export Profile can indeed be used to log in to the database.
                                        - The Oracle Client and the SmartDomain Manager use the
                                          same Oracle server name.
Failed to create table in database.     Verify the following:
                                        - The administrator has been assigned the appropriate
                                          permissions.
                                        - The exported log field names conform to the external
                                          database's naming conventions.
Failed to read Check Point logs.        Verify the following:
                                        - The Domain Management Server is running properly.
                                        - The Domain Management Server has a valid license.
Failed to write to external database.   Verify that the external database's table structure (e.g. the
                                        log field names and the columns' width) conforms to its
                                        definition in the Log Fields tab of the Log Export Profile
                                        window. If the two are incompatible, rename the table.
Using SmartReporter
SmartReporter can now produce both Log Based reports and Express reports for gateways managed by
Domain Management Servers. Use SmartReporter to create selected reports for specified Domains and
gateways. Reports can be scheduled at any time, and can be sent by email or uploaded to an FTP site.
SmartReporter needs to be properly configured to work with Multi-Domain Security Management, see the
"Getting Started" chapter of the R75.20 SmartReporter Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12277) for further details.
Chapter 9
Monitoring
In This Chapter
Overview 115
Monitoring Components in the Multi-Domain Security Management System 116
Verifying Component Status 117
Monitoring Issues for Different Components and Features 119
Using SmartConsole 123
Overview
The SmartDomain Manager supports monitoring and maintenance activities. It has a variety of
SmartDomain Manager views that can be used by administrators to confirm that the system is running
smoothly and that management activities are being successfully performed.
By default, management activities receive system confirmation within five minutes. Once confirmation has
been received, Administrators can use status indicators to determine if management activities were
performed successfully. The following status checks can be executed:
Components                   Status Check
Gateways                     Are they responding?
Domain Management Servers,   Are they started or stopped?
Domain Log Servers
High Availability            Which Multi-Domain Server or Domain Management Server is Active?
                             Which Multi-Domain Server or Domain Management Server is Standby?
Global Policies              Which Global Policies are available?
                             When were the Global Policies assigned?
                             Was the Global Policy Assign operation a success?
Local Policies               Which Policy is installed on the gateway?
Global VPN Communities       What Global VPN Communities are available?
                             Are the peer Policies updated?
Administrators               Which Administrators are currently logged on?
GUI Clients                  Which GUI Clients are in use?
If a status check reveals that management activities were not successful, you can use the SmartDomain
Manager views such as the Critical Notification window to yield further information for troubleshooting
purposes.
It is also possible to use the SmartView Console clients (such as SmartView Tracker and SmartView
Monitor) for monitoring, tracking and troubleshooting purposes.
Monitoring Components in the Multi-Domain Security Management System
The SmartDomain Manager General View provides a Domain Contents mode which lets you see at a
glance all the components of the system, including Domains, Domain Management Servers and their
network gateways.
The Domain Contents mode is divided into 2 sections or panes. The far right pane gives a statistical
breakdown, or summary of the components in the system depending on what you have selected in the left
pane.
For example, if you select the Multi-Domain Security Management root, a summary of Multi-Domain
Security Management root Domain-related statistics is displayed: the number of Domains, Domain
Management Servers, gateways, Administrators and GUI Clients in the system. As another example, if you
select a Domain in the left pane, Domain Properties are displayed, including: user-defined free field
information (e.g. Contact Person), entered in the Properties tab of the Domain Configuration window.
The left pane provides a view of all the Domains in the system, their Domain Management Servers and
gateways. Information displayed in this pane includes:
The Multi-Domain Server which contains the Domain Management Server and Domain Log Server.
The IP addresses of all the components in the system
Whether the component is Active or Standby (for High Availability).
Whether the component has been enabled for global use, in this case the global name is displayed.
Exporting the List Pane's Information to an External File
You can save List Pane information to an external file (such as an Excel sheet) for future examination by
selecting Manage > Export to File.
Working with the List Pane
You can change the way that the Network Objects mode List Pane looks in order to focus on specific
components or networks in the system.
Filtering
To focus on a specific group of objects that share a certain common denominator (such as their IP address
range, Domain name or the Multi-Domain Server they are installed on), filter any of the List pane's columns
by right-clicking the column heading and selecting Column Filter... from the displayed menu. Additionally:
To view existing filters, select View > Filter Details.
To clear all filters, select View > Clear All.
Showing and Hiding Selected List Pane Columns
You can set the List pane to display only the columns you are interested in and hide all others. To hide a
specific column, right-click its header and choose Hide Column from the menu. To hide or show more than
one column at a time, select View > Show/Hide Columns.
Verifying Component Status
Verify that all system components (Security Gateways, UTM-1 Edge appliances, Domain Log Servers,
Domain Management Servers, Multi-Domain Servers) are in the Started status. Use the SmartDomain
Manager General > Network Objects view to examine how system components are operating.
The Network Objects mode shows general and status information for all components in the system. This
information is displayed in the upper part of the window, or the List pane.
In the Network Objects mode List Pane you can right-click or double-click on a component and execute a
command. For example, you can start, stop, configure or update a selected component. Additionally you can
launch any of the SmartView Console clients and take advantage of their facilities. For example, if a Domain
gateway is behaving sluggishly, launch SmartView Monitor and/or SmartView Tracker from the said gateway
to check what activities are taking place at the gateway so as to determine the root of the sluggishness.
Status symbols in the List pane include:
Status | Applies to... | Description
(status icon) | All objects | Displayed from the time the SmartDomain Manager starts running until the time the first status is received. This takes no more than 30 seconds.
(status icon) | Multi-Domain Server/Domain Management Server/Domain Log Server | The object has been started.
(status icon) | Multi-Domain Server/Domain Management Server/Domain Log Server | The object has been stopped.
(status icon) | Multi-Domain Server | The object has been disconnected.
(status icon) | Gateway | An application is installed on this gateway and is responding to status update requests from the Security Management Server.
(status icon) | Gateway | At least one of the applications installed on this gateway is not running properly.
(status icon) | Gateway | There is either no application installed on this gateway, or the application is installed, but cannot be reached.
(status icon) | Gateway | A status has been received from the server, but the system does not recognize it.
N/A | Clusters | Cluster objects report the status N/A (Not Available). However, the status of each member of the cluster is displayed.
Viewing Status Details
To get more details about a network component, select it and choose Get Status Details... from the Manage menu. The Status Details window provides hardware, policy and/or run status details according to the selected object. Status details include:
Object | Status Details Available
Multi-Domain Server | Version; Operating System; CPU; Memory; Disk
Gateway | Policy name and installation time; Interface table; Encryption and description; Virtual and real memory; CPU; Disk
Application | Run status; Policy name
Locating Components with Problems
The Critical Notifications Pane, which is the lower pane in the Network Objects mode, focuses on components which need critical attention. If a component stops or disconnects, this is displayed in the Critical Notifications pane.
The following types of statuses appear in the Critical Notifications Pane:
Status | Applies to... | Description
(status icon) | Multi-Domain Server/Domain Management Server/Domain Log Server | The object has been stopped.
(status icon) | Multi-Domain Server | The object has been disconnected.
(status icon) | Gateway | At least one of the applications installed on this gateway is not running properly.
(status icon) | Gateway | There is either no application installed on this gateway, or the application is installed, but cannot be reached.
For each object, the name, status and time of status update is displayed.
Monitoring Issues for Different
Components and Features
In this section you will find specific information about different Multi-Domain Security Management elements
and the status issues that are raised for each one individually.
Multi-Domain Server
Multi-Domain Servers are managed using their own special view, SmartDomain Manager General View -
Multi-Domain Server Contents mode, for administrator convenience. Only Multi-Domain Security
Management Superuser administrator can use the Multi-Domain Server Contents mode. Other
administrators can use the General > Network Objects view.
For a granular view of Multi-Domain Server activity, the Multi-Domain Security Management Superuser administrator can launch SmartView Tracker in Audit mode. In SmartView Tracker you can see:
the management activity logs generated by the administrator
the time the log was generated
the GUI Client source
the administrator performing the actions, and changes to network objects.
The Multi-Domain Security Management Superuser administrator can also start, stop, add or delete a
Multi-Domain Server.
Global Policies
Domain network systems operate according to the behavior specified in their Security and Global Policy
rules. To see how Global Policies have been applied to Domains in the Multi-Domain Security Management
system, use the Global Policies View - Security Policies mode. This mode displays:
the Global Policies in the system,
the Domains and Domain Management Servers that are assigned to these policies,
the time when the assignment took place,
the last time that the global policy was modified,
the status of the assignment operation (whether or not it was successful).
Domain Policies
Checking a Domain Management Server Policy
A Domain Management Server policy may or may not contain global rules, depending on whether a global
policy was assigned to the Domain. Use the Global Policies View - Security Policies mode to check:
if a Domain Management Server has been assigned a global policy,
which Global Policy was assigned,
the time of the assignment,
the time that the Global Policy was last changed,
whether the assignment operation was successful.
You can also use the SmartDomain Manager General View - Network Objects mode to see which Domain
policy is assigned to a Domain Management Server.
Gateway Policies
Checking a Gateway's Current Policy
To see which policy is installed on a specific gateway, you can use the General View - Network Objects
mode. For each gateway the following information is displayed:
the Policy Name,
the Gateway Local Installation Time,
the local date and time when the policy was installed.
If there are problems with the gateway, they will be displayed in the Critical Notifications Pane, which
focuses on components that need attention.
High Availability
Multi-Domain Security Management implements High Availability on the following levels:
The gateway level.
The Domain Management Server level - multiple Domain Management Servers are supported, as well
as an optional backup Security Management Server.
The Multi-Domain Server level.
Domain Management Server and Multi-Domain Server High Availability are managed through the
SmartDomain Manager High Availability View. The administrator can do all management activities relating
to Multi-Domain Server High Availability through this view, and examine the status of these actions.
In the High Availability - Multi-Domain Server Contents mode, the following information is displayed:
Multi-Domain Servers Active/Standby (login) status,
Sync Status. This status displays synchronization statuses for Multi-Domain Servers and Domain
Management Servers. Synchronization can take time to update the status. These are the status
indicators:
Unknown, no information has been received about this Domain Management Server
synchronization status.
Never synced, this Domain Management Server has never been synchronized with the other
Domain Management Server.
Synchronized, this Domain Management Server is synchronized with the other Domain
Management Server.
Lagging, the data of this Domain Management Server is less updated than the data of the other
Domain Management Server.
Advanced, the data of this Domain Management Server is more updated than the data of the other
Domain Management Server.
Collision, the data of this Domain Management Server conflicts with the data of the other Domain
Management Server.
Global VPN Communities
The Global Policies - VPN Communities mode is dedicated to Global VPN Communities. This view shows
which Global VPN Communities exist in the system.
After the Global VPN Communities are defined in the Global SmartDashboard, the Global Policies View -
VPN Communities mode displays the configuration update status for each community, and the Domains
and gateways that participate in the community.
GUI Clients
To see which GUI Clients have been assigned for use, and to which Multi-Domain Servers or Domain
environments they are connected, use the GUI Clients View. In this view information is displayed by default
in a Domain per GUI Client hierarchy, in other words where you can see the GUI Clients and the Domains
assigned to each. You can manage these entities by right-clicking on the GUI Client and selecting to assign
Domains to it. This view can be toggled so that the hierarchy is reversed, in other words where you can see
GUI Clients per Domain. Similarly, by right-clicking on a Domain you can select to assign GUI Clients to it.
Using SmartConsole
Log Tracking
The Multi-Domain Security Management system uses either Domain Management Servers or Domain Log
Servers to gather information about Domain gateways' activities. Domain Management Servers and Domain
Log Servers can gather detailed log information from Security Gateways, UTM-1 Edge appliances, and
many OPSEC-certified security applications. This information can then be accessed using the
SmartConsole Clients.
Tracking Logs using SmartView Tracker
All administrator activity using SmartConsole Client applications, such as SmartDashboard, is logged in
audit logs. These logs can be monitored using SmartView Tracker, which can dramatically reduce the time
needed to troubleshoot configuration errors.
The graphical SmartView Tracker uses the logging data on the server to provide real-time visual tracking,
monitoring, and accounting information for all connections including VPN remote user sessions.
Administrators can perform searches or filter log records to quickly locate and track events of interest. To
use SmartView Tracker, in the SmartDomain Manager, select a Domain Management Server, then right
click and choose Launch Application > SmartView Tracker.
If there is an attack or other suspicious network activity, administrators can use SmartView Tracker to
temporarily or permanently terminate connections from specific IP addresses. For more information about
using SmartView Tracker, see the R75.20 Security Management Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12277).
Real-Time Network Monitoring with SmartView Monitor
SmartView Monitor is an easy-to-use monitoring tool that allows you to inspect network traffic and
connectivity. In addition, it provides real-time information about the performance and security state of both
gateway and VPN operations.
Monitoring the Status of a Domain Management Server
To use SmartView Monitor, select a Domain Management Server from any view, then right click and choose
Launch Application > SmartView Monitor.
If your network experiences problems such as sluggishness, loss of data or security related problems, it is
important to immediately identify these phenomena. SmartView Monitor provides a real-time monitoring tool
designed to help administrators find the cause of these problems, when and why they occur, and how to fix
them. Use SmartView Monitor to examine traffic, requested services, and network load in the Domain
network. For more information, see the R75.20 SmartView Monitor Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12282).
Check Point System Counters
SmartView Tracker uses Check Point System Counters to collect information about the status, activities,
hardware and software usage of different Check Point products in real time. System Counters are used to
plot graphs and to view reports of current or archived data collected by Counter Logs.
Traffic Flow and Virtual Link Monitoring
Traffic flow can be monitored per service or network object. SmartView Monitor also enables monitoring
based on a variety of parameters, for example the QoS Policy rules installed on an interface, etc.
Compliance to a Service Level Agreement (SLA) can be monitored, and alerts can be generated. Traffic can
be monitored between two Check Point Security Gateways or two QoS gateways for real time analysis of
bandwidth and latency.
Blocking Suspicious Connections
Suspicious Activity rules are security rules that enable the administrator to instantly block suspicious
connections not restricted by the currently enforced Security Policy.
Using Thresholds
SmartView Monitor can be used to configure predefined actions that are triggered when certain changes in
status occur. For instance, a rule can be defined to send an email to a certain address if the load on a
gateway's CPU surpasses a threshold that you set.
By default the engine responsible for triggering the events is disabled for Domain Management Servers, but
it can be enabled per Domain Management Server by running the following commands from the root shell of
the Multi-Domain Server machine:
1. Change to the Domain Management Server environment with the command: mdsenv <Domain Management Server Name>
2. Run: cpstat_monitor &
After running this command, thresholds are monitored until the Domain Management Server is stopped.
To permanently enable this functionality for a specific Domain Management Server, you must modify the
value of the registry key that sets whether the cpstat_monitor process auto-starts whenever the Domain
Management Server is started. You can do so by running the following command from the Domain
Management Server environment:
cpprod_util CPPROD_SetValue Multi-Domain Security Management RunCpstatMonitor 1 1 1
Note - To revert to the registry's original setting, enter the following on the Multi-Domain Server in the Domain Management Server environment:
cpprod_util CPPROD_SetValue Multi-Domain Security Management RunCpstatMonitor 1 0 1
SmartReporter Reports
The SmartReporter delivers a user-friendly solution for auditing traffic and generating detailed or
summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for events logged by
Domain Management Server-managed gateways that are running SmartView Monitor. SmartReporter
produces reports for these gateways.
See the R75.20 SmartReporter Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12281) to understand how to generate
SmartReporter Reports.
Chapter 10
Architecture and Processes
In This Chapter
Packages in Multi-Domain Server Installation 127
Multi-Domain Server File System 128
Processes 129
Multi-Domain Server Configuration Databases 131
Connectivity Between Different Processes 132
Issues Relating to Different Platforms 134
Packages in Multi-Domain Server Installation
Multi-Domain Server installation consists of the following packages:
Package | Description
CPCON62CMP-R75.20 | Check Point Connectra CM Compatibility Package
CPEdgecmp-R75.20 | Check Point UTM-1 Edge Compatibility Package
CPPIconnectra-R75.20 | Check Point Connectra Version or Blade update
CPmds-R75.20 | Check Point Multi-Domain Server
CPsuite-R75.20 | Check Point Security Gateway
CPvsxngxcmp-R75.20 | Check Point Power VSX
On Linux and SecurePlatform, package names contain the suffix "-00". For example, the full name of the CPsuite-R75.20 package for these platforms is CPsuite-R75.20-00.
All of these packages have pre-defined dependencies between them. Under no circumstances should these
packages be manually removed.
Important - Manually removing a package has negative implications on the Multi-Domain Server.
Multi-Domain Server File System
Multi-Domain Server Directories on /opt and /var File Systems
Multi-Domain Server Installation creates subdirectories under the /opt and /var/opt directories.
Subdirectory | Description
CPInstLog | Contains installation and upgrade log files.
CPsuite-R75.20 | Contains the installation of the CPsuite-R75.20 package.
CPshrd-R75.20 | Contains information from the CPsuite-R75.20 package.
CPshared | Exists for compatibility with previous versions.
CPEdgecmp | Contains the installation of the CPEdgecmp package.
CPngcmp-R75.20 | Contains the installation of the CPngcmp-R75.20 package.
CPmds-R75.20 | Contains the installation of the CPmds-R75.20 package.
This is the list of subdirectories created under /opt:
Subdirectory | Description
CPsuite-R75.20 | Contains configuration, state and log files for Check Point Security Gateway management.
CPshrd-R75.20 | Contains the configuration of Check Point SVN Foundation, as well as the registry files.
CPEdgecmp-R75.20 | Contains configuration files for the CPEdgecmp package.
CPngcmp-R75.20 | Contains configuration files for the CPngcmp-R75.20 package.
CPmds-R75.20 | Contains configuration of the Multi-Domain Server, Multi-Domain Server-level logs and configuration/state/log files of Domain databases.
Structure of Domain Management Server Directory Trees
On Multi-Domain Servers, the Domain Management Server directories can be found under
/var/opt/CPmds-R75.20/Domains directory. For each Domain Management Server residing on the
server, there is a different directory under this path. Each Domain Management Server directory contains
the following subdirectories:
Subdirectory | Description
CPsuite-R75.20 | Contains the configuration, state and log files of this Domain, as well as links to the shared binaries and library files.
CPshrd-R75.20 | Contains the configuration for the SVN Foundation for the Domain owning this Domain Management Server, as well as links to shared binaries and library files.
CPEdgecmp | Contains configuration files of the CPEdgecmp package for the Domain owning this Domain Management Server, as well as links to shared binaries and library files.
CPngcmp-R75.20 | Contains configuration files of the CPngcmp-R75.20 package for the Domain owning this Domain Management Server, as well as links to shared binaries and library files.
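As an added example (not part of this guide and not one of Check Point's own tools), the following POSIX shell helpers walk the Domain Management Server directory tree described above and report any expected subdirectory that is missing, a quick sanity check before a backup or migration. The Domains root defaults to the path given in this section; the DMS names, the "dms_a"/"dms_b" entries and the tree that make_sample_tree builds under a temporary directory are constructed for illustration and are not a real installation.

```shell
#!/bin/sh
# Added example, not Check Point code: walk the Domain Management Server
# directory tree described in this section and report incomplete entries.
# DOMAINS_ROOT_DEFAULT is the path given in the text; the tree built by
# make_sample_tree is constructed and is not a real installation.

DOMAINS_ROOT_DEFAULT="/var/opt/CPmds-R75.20/Domains"

# Subdirectories every Domain Management Server directory should contain.
DMS_SUBDIRS="CPsuite-R75.20 CPshrd-R75.20 CPEdgecmp CPngcmp-R75.20"

# dms_dir <domains_root> <dms_name>: the Domain Management Server directory.
dms_dir() {
    printf '%s/%s' "$1" "$2"
}

# dms_conf_dir <domains_root> <dms_name>: where this Domain Management
# Server's configuration database lives ($FWDIR/conf in its environment).
dms_conf_dir() {
    printf '%s/CPsuite-R75.20/fw1/conf' "$(dms_dir "$1" "$2")"
}

# dms_missing_subdirs <domains_root> <dms_name>: prints the expected
# subdirectories that are absent, space separated (empty when complete).
dms_missing_subdirs() {
    base=$(dms_dir "$1" "$2")
    missing=""
    for sub in $DMS_SUBDIRS; do
        [ -d "$base/$sub" ] || missing="$missing $sub"
    done
    printf '%s' "${missing# }"
}

# list_dms <domains_root>: names of all Domain Management Server directories,
# one per line, in sorted order.
list_dms() {
    for path in "$1"/*/; do
        [ -d "$path" ] || continue
        basename "$path"
    done
}

# audit_domains <domains_root>: one line per Domain Management Server with
# "ok" or the missing subdirectories; returns 1 if any entry is incomplete.
audit_domains() {
    bad=0
    for name in $(list_dms "$1"); do
        absent=$(dms_missing_subdirs "$1" "$name")
        if [ -n "$absent" ]; then
            echo "$name: missing $absent"
            bad=1
        else
            echo "$name: ok"
        fi
    done
    return $bad
}

# make_sample_tree: builds a constructed tree in a temporary directory and
# prints its Domains root. dms_b is deliberately left without CPngcmp-R75.20.
make_sample_tree() {
    root=$(mktemp -d)
    for sub in $DMS_SUBDIRS; do
        mkdir -p "$root/Domains/dms_a/$sub"
    done
    mkdir -p "$root/Domains/dms_a/CPsuite-R75.20/fw1/conf"
    mkdir -p "$root/Domains/dms_b/CPsuite-R75.20" \
             "$root/Domains/dms_b/CPshrd-R75.20" \
             "$root/Domains/dms_b/CPEdgecmp"
    printf '%s/Domains' "$root"
}

# Stand-alone run: audit the real root if it exists, else the sample tree.
if [ -d "$DOMAINS_ROOT_DEFAULT" ]; then
    audit_domains "$DOMAINS_ROOT_DEFAULT" || true
else
    SAMPLE_ROOT=$(make_sample_tree)
    audit_domains "$SAMPLE_ROOT" || true
    rm -rf "$(dirname "$SAMPLE_ROOT")"
fi
```

On a server, run it as the root user in the Multi-Domain Server environment; a non-zero exit from audit_domains is the signal to investigate before running a migrate export against that Domain Management Server.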
Check Point Registry
Information related to the installation and versioning issues of different components that is requested by
different Check Point processes, is centrally stored in a registry file.
The registry is stored in $CPDIR/registry/HKLM_registry.data (the value of the CPDIR environment variable differs according to whether you are in the Multi-Domain Server environment or in one of the Domain Management Server environments). This means that there are different registry files for the Multi-Domain Server and for the Domain Management Servers.
Automatic Start of Multi-Domain Server Processes, Files in /etc/rc3.d, /etc/init.d
The script for the automatic start of Multi-Domain Server processes upon boot can be found in
/etc/init.d. The name of the file is firewall1. A link to this file appears in /etc/rc3.d directory
under the name S95firewall1.
Processes
Environment Variables
Different Multi-Domain Server processes require standard environment variables to be defined. The
variables have the following functionality, they:
Point to the installation directories of different components.
Contain management IP addresses.
Hold data important for correct initialization and operation of the processes.
Additionally, specific environment variables control certain parameters of different functions of Multi-Domain
Server.
Multi-Domain Server installation contains shell scripts for C-Shell and for Bourne Shell, which define the
necessary environment variables:
The C-Shell version is /opt/CPshrd-R75.20/tmp/.CPprofile.csh
The Bourne Shell version is /opt/CPshrd-R75.20/tmp/.CPprofile.sh
Sourcing these files (or in other words, using "source" command in C-Shell or "." command in Bourne
Shell) will define the environment necessary for the Multi-Domain Server processes to run.
Standard Check Point Environment Variables
Variable | Description
FWDIR | Location of Check Point Security Gateway binary/configuration/library files. In the Multi-Domain Server environment, this environment variable is equal to MDSDIR. In the Domain Management Server environment, it contains /opt/CPmds-R75.20/Domains/<Domain Management Server Name>/CPsuite-R75.20/fw1
CPDIR | Location of Check Point SVN Foundation binary/configuration/library files. It points to different directories in the Multi-Domain Server and Domain Management Server environments.
MDSDIR | Location of the Multi-Domain Server installation. In Multi-Domain Security Management the path is /opt/CPmds-R75.20
SUROOT | Points to the location of SmartUpdate packages
Parameters/Thresholds for Different Multi-Domain Server functions
Logging Cache Size
By default, the Domain Management Server reserves 1MB memory for log caching on the Management. In
very intensive logging systems it is possible to raise the cache size. This requires more memory, but boosts
the performance. To change the cache size, set the LOGDB_CACHE_SIZE variable to the desired size in Kilobytes. For example, to set the cache to 4MB enter:
setenv LOGDB_CACHE_SIZE 4096 (in C-Shell syntax)
Additional environment variables that control mechanisms such as status collection (for example MSP_SPACING_REG_CMAS_FOR_STATUSES) or connection retries (for example MSP_RETRY_INTERVAL) are described later in this chapter.
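Added example, not Check Point code: Bourne-shell helpers that verify the standard variables from the table above are set and point at existing directories, report whether the current shell is in the Multi-Domain Server or a Domain Management Server environment (using the FWDIR/MDSDIR relationship the table describes), and set LOGDB_CACHE_SIZE in Bourne-shell syntax as the counterpart of the C-Shell setenv line. The functions only inspect the shell's own variables; they do not source .CPprofile.sh or run mdsenv for you, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Check Point code: Bourne-shell helpers around the
# standard environment variables described in this section. They inspect
# the shell's current variables only; source .CPprofile.sh (or use mdsenv
# to enter a Domain Management Server environment) beforehand.

# The variables every Multi-Domain Server process expects to find.
STANDARD_VARS="FWDIR CPDIR MDSDIR"

# check_cp_env: print one line per standard variable that is unset or does
# not point to an existing directory; return 1 if any problem was found.
check_cp_env() {
    problems=0
    for var in $STANDARD_VARS; do
        eval "value=\${$var:-}"
        if [ -z "$value" ]; then
            echo "$var is not set (source .CPprofile.sh first)"
            problems=$((problems + 1))
        elif [ ! -d "$value" ]; then
            echo "$var=$value is not a directory"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# current_env: print "mds" when FWDIR equals MDSDIR (Multi-Domain Server
# environment), "dms" when FWDIR lies below MDSDIR/Domains (a Domain
# Management Server environment), and "unknown" otherwise.
current_env() {
    if [ -z "${MDSDIR:-}" ] || [ -z "${FWDIR:-}" ]; then
        echo unknown
    elif [ "$FWDIR" = "$MDSDIR" ]; then
        echo mds
    else
        case $FWDIR in
            "$MDSDIR"/Domains/*) echo dms ;;
            *) echo unknown ;;
        esac
    fi
}

# set_logdb_cache_mb <megabytes>: Bourne-shell counterpart of the C-Shell
# line "setenv LOGDB_CACHE_SIZE 4096". The variable is in kilobytes, so the
# argument is converted; anything that is not a positive integer is rejected.
set_logdb_cache_mb() {
    case ${1:-} in
        ''|*[!0-9]*)
            echo "usage: set_logdb_cache_mb <whole megabytes>" >&2
            return 2 ;;
    esac
    if [ "$1" -eq 0 ]; then
        echo "cache size must be greater than zero" >&2
        return 2
    fi
    LOGDB_CACHE_SIZE=$(($1 * 1024))
    export LOGDB_CACHE_SIZE
    echo "LOGDB_CACHE_SIZE=$LOGDB_CACHE_SIZE"
}

# Stand-alone run: report on the shell this script is executed in.
check_cp_env || true
echo "environment: $(current_env)"
```

Because the variable is exported from the calling shell, set_logdb_cache_mb only affects Domain Management Server processes started from that shell afterwards, which matches how the C-Shell setenv line above behaves.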
Multi-Domain Server Level Processes
Each Multi-Domain Server Level process has one instance on every Multi-Domain Server/Multi-Domain Log
Server machine, when the Multi-Domain Server/Multi-Domain Log Server is running. The following
processes run on the Multi-Domain Server level.
Process | Description
cpd | SVN Foundation infrastructure process.
cpca | The Certificate Authority manager process. This process doesn't run on a Multi-Domain Log Server or Multi-Domain Server.
fwd | Audit Log server process.
fwm Multi-Domain Server | Multi-Domain Server main process.
For proper operation of the Multi-Domain Server all four processes must be running, unless dealing with
configurations where cpca shouldn't be running.
Domain Management Server Level Processes
Each one of these processes has a different instance for each running Domain Management Server. The
following processes run on the Domain Management Server level:
Process | Description
cpd | SVN Foundation infrastructure process.
cpca | The Certificate Authority manager process. This process doesn't run on log servers and Multi-Domain Servers.
fwd | Log server process.
fwm | Security Management Server main process.
status_proxy | Status collection of SmartLSM Security Gateways. This process runs only on Domain Management Servers that are activated for Large Scale Management.
sms | Manages communication (status collection, logs collection, policy update, configuration update) with UTM-1 Edge gateways. This process runs only on Domain Management Servers that manage UTM-1 Edge devices.
For proper operation of the Domain Management Server, at least cpd, cpca, fwd and fwm must be
running, unless dealing with configurations where cpca shouldn't be running. Other processes are required
only for Domain Management Servers using specific functionality for which these processes are responsible.
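Added example (not Check Point code) that turns the two process tables above into a check: given a process listing such as the output of ps -eo comm on the server, it reports which mandatory processes are absent, and extends the required set for a Domain Management Server by the optional processes its features need (status_proxy for Large Scale Management, sms for UTM-1 Edge). The listing embedded in the block is a constructed sample, and the feature names "lsm" and "edge" and the "nocpca" switch (for the configurations in which cpca should not run) are this example's own conventions.

```shell
#!/bin/sh
# Added example, not Check Point code: check a process listing against the
# mandatory process sets described in this chapter.
# The listing is one process name per line, as "ps -eo comm" would print on
# the server; SAMPLE_PS below is a constructed sample, not real output.

# Mandatory on every running Multi-Domain Server / Multi-Domain Log Server.
MDS_REQUIRED="cpd cpca fwd fwm"

# dms_required "<features>": prints the mandatory set for a Domain Management
# Server, extended by the processes its enabled features need. Feature names
# are this example's own convention: "lsm" = Large Scale Management
# (status_proxy), "edge" = manages UTM-1 Edge devices (sms).
dms_required() {
    req="cpd cpca fwd fwm"
    for feature in $1; do
        case $feature in
            lsm)  req="$req status_proxy" ;;
            edge) req="$req sms" ;;
            *)    echo "unknown feature: $feature" >&2; return 2 ;;
        esac
    done
    printf '%s' "$req"
}

# missing_processes "<required>" "<listing>" [nocpca]: prints the required
# names absent from the listing, space separated (empty when all are present).
# Pass "nocpca" for configurations in which cpca is not expected to run.
missing_processes() {
    required=$1
    listing=$2
    skip_cpca=${3:-}
    missing=""
    for name in $required; do
        if [ "$skip_cpca" = nocpca ] && [ "$name" = cpca ]; then
            continue
        fi
        # -x matches the whole line, so "fw" or "fwd" never matches "fwm"
        if ! printf '%s\n' "$listing" | grep -qx "$name"; then
            missing="$missing $name"
        fi
    done
    printf '%s' "${missing# }"
}

# check_level "<mds|dms>" "<listing>" "<required>" [nocpca]: human-readable
# verdict; returns 1 when something mandatory is missing.
check_level() {
    absent=$(missing_processes "$3" "$2" "${4:-}")
    if [ -n "$absent" ]; then
        echo "$1: missing mandatory processes: $absent"
        return 1
    fi
    echo "$1: all mandatory processes present"
}

# Constructed sample listing (not captured from a real server): a Domain
# Management Server environment with Large Scale Management enabled.
SAMPLE_PS="cpd
cpca
fwd
fwm
status_proxy"

# Stand-alone usage. On the server you would pass a live listing instead, e.g.
#   check_level dms "$(ps -eo comm)" "$(dms_required lsm)"
check_level dms "$SAMPLE_PS" "$(dms_required "lsm edge")" || true
```

Because every Domain Management Server runs its own instances of these processes, run the check once per Domain Management Server environment (after mdsenv) rather than once per machine; otherwise a listing from another environment masks a stopped instance.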
Multi-Domain Server Configuration Databases
The Multi-Domain Server environment contains a number of configuration databases, as opposed to a
single Security Management Server, that contains only one.
Each Multi-Domain Server contains:
One Global Database (located in /var/opt/CPmds-R75.20/conf directory)
One Multi-Domain Server Database (located in /var/opt/CPmds-R75.20/conf/mdsdb directory)
A number of Domain Management Server databases.
Each Domain Management Server database is located in the /var/opt/CPmds-R75.20/Domains/<Domain Management Server Name>/CPsuite-R75.20/fw1/conf directory.
Global Policy Database
This database contains the definitions of global objects and global Security Policies. It can be viewed and
edited using Global SmartDashboard client.
When the Assign Global Policy operation is invoked, the objects and policies defined in Global Policy
database are copied to Domain Management Server databases, where they can be seen and used by
SmartDashboard. These objects are editable only from Global SmartDashboard, Domain Management
Server databases will contain read-only copies.
Multi-Domain Server Database
This database contains two kinds of objects:
Multi-Domain Server-level management objects – such as administrators, Domains, Multi-Domain Servers and Domain Management Servers. These objects are defined either using the SmartDomain Manager or the Multi-Domain Server Command Line utilities.
Domain Management Server-level Check Point objects – in order to display all Domains' network objects in SmartDomain Manager, these are centrally collected in the Multi-Domain Server Database. Each time the object is updated in SmartDashboard, the changes are automatically updated in the Multi-Domain Server Database as well.
Domain Management Server Database
This database contains:
Definitions of objects and policies created and edited by SmartDashboard, when connecting to the
Domain Management Server.
Global Objects (in read-only mode) copied by the Assign Global Policy operation.
SmartLSM Security Gateways definitions made by SmartProvisioning.
Different Domain Management Servers residing on the same Multi-Domain Server have different databases.
Connectivity Between Different Processes
Multi-Domain Server Connection to Domain Management Servers
The main Multi-Domain Server process (fwm Multi-Domain Server) looks for Domain Management
Servers which are up and can be reached, but with which it has no CPMI connections. This connection is
used for collecting statuses on the Domain Management Server and its gateways, and for receiving changes
in objects that are relevant to the Multi-Domain Server/SmartDomain Manager system.
Normally, a special task wakes up every 120 seconds and searches for "Domain Management Server connection candidates". If the task has found connection candidates previously, then by default it wakes up after only 90 seconds. This shorter interval boosts Domain Management Server connections upon Multi-Domain Server startup.
You can change the values of the default intervals:
To change the Domain Management Server connection candidates search interval, set the
MSP_RETRY_INTERVAL variable to the desired number of seconds.
To change the status collection interval, set the MSP_RETRY_INIT_INTERVAL variable to the desired
number of seconds.
Note - Changing these values (especially MSP_RETRY_INIT_INTERVAL) makes the Multi-Domain Server-Domain Management Server connections faster during Multi-Domain Server startup, but may overload the connection if the value is set too low.
By default this task attempts to reconnect the Multi-Domain Server to no more than five Domain Management Servers per iteration. So, a system with 50 Domain Management Servers requires 10 iterations (of 90 seconds each, by default), so connecting to all the Domain Management Servers could take up to 15 minutes.
To change the maximum number of Domain Management Servers to which the Multi-Domain Server can connect per cycle, set the MSP_RETRY_INIT_INTERVAL variable to the desired value.
Note - Raising this value makes the Multi-Domain Server connect to all Domain Management Servers faster during startup, but may overload if it is set too low.
Status Collection
Status collection begins when a SmartDomain Manager connects to a Multi-Domain Server. The Multi-Domain Server sends all Domain Management Servers a request to start collecting statuses. The Multi-Domain Server contacts the Domain Management Servers one by one, spacing these requests by one second, thus preventing the Multi-Domain Server load from peaking when multiple statuses arrive. You can change this default spacing and set the required spacing in milliseconds, with the environment variable MSP_SPACING_REG_CMAS_FOR_STATUSES.
Changing the Status Collection Cycle
The default status collection cycle takes 300 seconds, i.e. each system entity is monitored once every 5
minutes. This value can be changed per Multi-Domain Server in the SmartDomain Manager as follows:
1. In the General View, display the Multi-Domain Server Contents Mode. Choose and double click a
Multi-Domain Server. The Configure Multi-Domain Server - General window opens.
2. Under Status Checking Interval, specify the desired number of seconds in the Set to field (this value is
saved in the $MDSDIR/tmp/status_interval.dat file).
Once the Status Checking Interval is set in the SmartDomain Manager, it is effective immediately, with no
need to restart the Multi-Domain Server. The higher you raise this value, the longer it takes to detect a
change in a gateway's status.
Collection of Changes in Objects
Check Point objects defined in Domain Management Server databases are copied to the Multi-Domain
Server database and presented in the Network Objects view of the SmartDomain Manager. Every time one
of these objects is updated by a SmartDashboard that is connected to the Active Domain Management Server, this change is immediately propagated to the Multi-Domain Server database of the
Multi-Domain Server hosting the Active Domain Management Server. From there it is distributed to the other
Multi-Domain Servers participating in the High Availability environment.
Connection Between Multi-Domain Servers
Whenever Multi-Domain Servers and Multi-Domain Log Servers are connected in a High Availability
deployment, they keep a constant network connection open between them. This connection is used to
distribute:
The status of Domain Management Servers and gateways between the Multi-Domain Servers.
The status of administrators connected to Multi-Domain Servers.
Latest updates of the objects propagated from Domain Management Servers.
Large Scale Management Processes
The Status Proxy process runs for each Domain Management Server that is enabled for Large Scale
Management, and is constantly connected to the Domain Management Server to which it belongs. This
process, amongst other functions, updates the Domain Management Server configuration database with
such details as the last known IP address of the Dynamic IP address SmartLSM Security Gateway, as well as the gateway status.
UTM-1 Edge Processes
The SMS process runs for each Domain Management Server that manages UTM-1 Edge devices, and is
constantly connected to the Domain Management Server to which it belongs. UTM-1 Edge devices can be
created either using SmartDashboard or using SmartProvisioning (where they are defined as UTM-1 Edge
SmartLSM Security Gateways).
Reporting Server Processes
When the SmartReporter Blade for Multi-Domain Security Management is used, the SmartReporter server
maintains a connection to the Multi-Domain Server. Whenever reports are generated, another component
called SmartReporter Generator opens a connection to the Multi-Domain Server as well.
Issues Relating to Different Platforms
The Multi-Domain Server supports the following platforms:
Check Point SecurePlatform
RedHat Enterprise Linux
Solaris
High Availability Scenarios
When creating High Availability environments with:
a number of Multi-Domain Servers
a number of Multi-Domain Log Servers
Multi-Domain Servers connected to a single environment can run on different platforms (for example, one Multi-Domain Server can be installed on Solaris and another on RedHat Enterprise Linux or SecurePlatform).
Migration Between Platforms
Use the existing Multi-Domain Security Management migration tools to move configuration databases (such
as the Global Policies databases or the Domain Management Server databases) between different Multi-
Domain Security Management platforms:
Action: Migrate the Global Policies Database
Use Script/Command: migrate_global_policies script
Comment: Run this script without any parameters in order to see its usage. The files required before
executing this script are specified in the script's usage. The specified files should be copied manually
to the destination Multi-Domain Server.

Action: Export a Domain Management Server, Security Management, or Global Policy database from one
machine to another.
Use Script/Command: migrate export script
Comment: This script exports the comprehensive database files into one .tgz file on the source machine
that can be imported to a different Multi-Domain Server machine.

Action: Migrate the Domain Management Server into the destination environment.
Use Script/Command: Use any one of: the Import Domain Management Server command from the SmartDomain
Manager; the cma_migrate script; the mdscmd migratemanagement utility.
Chapter 11
Commands and Utilities
In This Chapter
Cross-Domain Management Server Search 135
P1Shell 137
Command Line Reference 141
Cross-Domain Management Server Search
Overview
The Cross-Domain Management Server Search feature enables searching across multiple Domain
Management Server databases for defined network objects (including groups, dynamic objects and Global
objects) and for rules (including Global and implied rules) that contain or affect a specified object.
Cross-Domain Management Server Search is a powerful tool for analyzing the functioning of network
components in the context of a Multi-Domain Security Management environment. The search function is
similar to SmartDashboard's Where Used.
Searching
You can access Cross-Domain Management Server search from the General - Domain Contents or from
the General - Network Objects view of the SmartDomain Manager.
To open the Cross-Domain Management Server search window, select Cross-Domain Management
Server Search from the Manage menu, or click the Cross-Domain Management Server Search icon.
Select a query, what you want to search for, and the Domain or Domains to search in. The following queries
are available:
Specified Object query:
Find network objects by exact name - finds objects defined in the Domain Management Server
database, where the object's name exactly matches the query entry.
Find network objects by partial name - finds objects defined in the Domain Management Server
database, where the object's name contains the query entry.
Find network objects by IP address - finds objects defined in the Domain Management Server
database, where the object's IP address matches the query entry.
Results for object queries include object and Domain information.
Find Policy rules that use a global object - the query entry is a global object name. The query finds
rules in the Domain Management Server policies, where the global object is part of the rule definition.
This includes cases where the global object is not explicit in the rule definition, but is included in some
object (such as a group or cluster) that appears in the rule.
Results include Domain, policy and rule information, and the specific rule column where the global
object appears. The first Results column, Object Name, indicates the relevant object as defined in the
rule. This object may be one that includes, but is not identical to, the query entry.
Find Policy rules that use a global object explicitly - this query is the same as the previous query,
except that the results are limited to rules where the global object is explicit. Rules where the global
object is merely included in some object (such as a group or cluster) that appears in the rule are
excluded.
Results include Domain, policy and rule information, and the specific rule column where the global
object appears. Two additional Results columns are:
Last in Cell? - indicates whether the object is the sole object in its rule column, so that removing it
would cause the cell content to become Any.
Is Removable? - indicates whether the object can be deleted, that is, whether it is not a non-deletable object.
Find network objects that use a global object explicitly - the query entry is the name of a global
object. The query finds network objects (such as groups or clusters), defined in the Domain
Management Server database, that contain the global object explicitly.
Results include object and Domain information.
The Object Name Results column indicates the relevant object as defined in the rule. This object may
be one that includes, but is not identical to, the query entry.
Is Removable? - Shows if you can delete the object.
Copying Search Results
You can copy search results to use them in other applications.
To copy search results to the clipboard, right-click in the Results pane and select Copy. The copied results
are in Comma Separated Values (CSV) text format.
Performing a Search in CLI
You can do a cross-Domain Management Server search using the CLI. The search results will be sent to
standard output in Comma Separated Values (CSV) format.
The command syntax is:
mdscmd runcrossdomainquery <find_in> <query_type> <entry_type> <entry>
where <find_in> is one of the following parameters:
Parameter        Description
-f <filename>    Searches in Domains listed in file <filename>.
-list <list>     Searches in Domains in <list>. <list> should be Domain names separated by
                 commas (e.g. domain1, domain2).
-all             Searches in all Domains.
<query_type> refers to one of the following parameters:
Parameter            SmartDomain Manager version of the query
query_network_obj    One of the Specified Object queries (according to <entry_type>)
query_rulebase       Find Policy rules that use a global object
whereused_rules      Find Policy rules that use a global object explicitly
whereused_objs       Find network objects that use a global object explicitly
<entry_type> refers to one of the following parameters:
Parameter    Description
-n           Specifies that <entry> is the full object name. Available for all values of
             <query_type>.
-c           Specifies that <entry> is a partial object name. Available only for
             query_network_obj.
-i           Specifies that <entry> is an IP address. Available only for query_network_obj.
<entry> refers to the query entry.
Example
To search Domain Management Servers for all Domains for objects containing 'my_gw' in their names
(a partial-name search, so the entry type is -c):
mdscmd runcrossdomainquery -all query_network_obj -c my_gw
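The wrapper below is an added example, not part of this guide or of mdscmd itself. It checks the
<query_type>/<entry_type> combinations documented above (-c and -i are valid only with
query_network_obj) before composing the runcrossdomainquery command line, and builds the
comma-separated -list scope from Domain names. The xdq_* function names are this example's own; when
mdscmd is not on the PATH, the wrapper prints the command it would have run instead of executing it.

```shell
#!/bin/sh
# Added example (not Check Point code): argument validation and command
# composition for "mdscmd runcrossdomainquery". Function names xdq_* are
# this example's own.

# Return 0 when <entry_type> is permitted for <query_type>, per the guide:
#   -n      valid for every query type
#   -c, -i  valid only for query_network_obj
xdq_validate() {
  query_type=$1; entry_type=$2
  case "$query_type" in
    query_network_obj|query_rulebase|whereused_rules|whereused_objs) ;;
    *) echo "unknown query type: $query_type" >&2; return 1 ;;
  esac
  case "$entry_type" in
    -n) return 0 ;;
    -c|-i)
      if [ "$query_type" = query_network_obj ]; then return 0; fi
      echo "$entry_type is only valid with query_network_obj" >&2
      return 1 ;;
    *) echo "unknown entry type: $entry_type" >&2; return 1 ;;
  esac
}

# Build the "-list d1,d2,..." scope argument from Domain names.
xdq_scope_list() {
  list=""
  for d in "$@"; do
    list="${list:+$list,}$d"
  done
  printf '%s %s\n' -list "$list"
}

# Print the full command line: <scope> <query_type> <entry_type> <entry>.
# <scope> is "-all", "-f <file>" or the output of xdq_scope_list.
xdq_build() {
  scope=$1; query_type=$2; entry_type=$3; entry=$4
  xdq_validate "$query_type" "$entry_type" || return 1
  printf 'mdscmd runcrossdomainquery %s %s %s %s\n' \
    "$scope" "$query_type" "$entry_type" "$entry"
}

# Execute the query when mdscmd is available; otherwise show the dry run.
# The CSV result goes to standard output, as documented.
xdq_run() {
  cmd=$(xdq_build "$@") || return 1
  if command -v mdscmd >/dev/null 2>&1; then
    $cmd
  else
    printf '[dry-run] %s\n' "$cmd"
  fi
}

# Usage: partial-name search over two Domains, and the -all search from the guide.
xdq_run "$(xdq_scope_list domain1 domain2)" query_network_obj -c my_gw
xdq_run -all query_network_obj -c my_gw
```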
P1Shell
Overview
P1Shell is a command line shell that allows administrators to run Multi-Domain Security Management CLI
commands on the Multi-Domain Server, in both Multi-Domain Server and Domain Management Server
environments, without root permissions. P1Shell authorizes users who are recognized by the Multi-Domain
Server as Multi-Domain Security Management Superusers or Domain Superusers. Lower level Multi-Domain
Security Management administrators must use the SmartDomain Manager (unless they have root
permissions).
P1Shell can be defined as the default login shell for Multi-Domain Security Management users, or it can be
manually started in the CLI.
Because Multi-Domain Security Management authentication is provided by the Multi-Domain Server, Multi-
Domain Server processes must be running for an administrator to be authorized for P1Shell. However,
starting Multi-Domain Server processes should not be available to non-Multi-Domain Security Management
administrators, so a password is required for mdsstart. The Start-Multi-Domain Server password can be set
in mdsconfig, and should be given to Multi-Domain Security Management administrators.
P1Shell maintains a connection with the Multi-Domain Server. P1Shell may be disconnected from the Multi-
Domain Server by a SmartDomain Manager user (from the Connected Administrators view of the
SmartDomain Manager), but as soon as P1Shell processes a command, P1Shell reconnects to the Multi-
Domain Server. The P1Shell user is notified neither of the disconnection nor of the reconnection. The
SmartDomain Manager Connected Administrators view displays the reconnected P1Shell user only when
the view is refreshed.
Note - P1Shell settings and commands are defined in configuration
files that should not be changed. Any change to P1Shell configuration
files will block P1Shell. If that happens, restore the files to their original
versions to enable access to P1Shell.
Starting P1Shell
To work in P1Shell, it must first be enabled. To enable P1Shell, run:
mdsconfig
and select P1Shell.
To start P1Shell, if it is not your default login shell, run:
p1shell
If the Multi-Domain Server is not running, you will be prompted for the Start-Multi-Domain Server password
to authorize starting the Multi-Domain Server. Then, you will be prompted to enter your Multi-Domain
Security Management user name and password to authorize you for P1Shell.
File Constraints for P1Shell Commands
For security reasons, commands that run in P1Shell can read files only from within a defined input directory.
Commands can write only to a defined output directory.
Note - The mds_backup command is an exception to this rule. The output of the backup is created at
the path /var/opt/<Multi-Domain Server>_backups/<timestamp>, where <timestamp> is the time that the
backup started.
Upon starting, P1Shell defines both input and output directories as the user's home directory. They can be
changed for the work session, only within the home directory. Change the directories with the following
commands:
set_inputdir <path>
set_outputdir <path>
where <path> is an existing directory, defined relative to the user's home directory.
To view existing input and output directories, enter:
display_io_dirs
Filenames appearing in commands cannot be paths (/ will be considered an illegal character) and must be
located in the defined input or output directory.
Note - For security reasons, the output directory cannot be soft linked.
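As an added illustration (not Check Point code, and not how P1Shell is implemented), the following
POSIX shell functions model the file constraints just described so the confinement logic can be read and
tested outside the product: a filename may not contain "/", an input or output directory is given relative
to the home directory and must still be inside it after symbolic links are resolved, and the output
directory may not be reached through a soft link. The p1_* function names and the demo directory layout
are this example's own.

```shell
#!/bin/sh
# Added example (not Check Point code): stand-alone model of the P1Shell
# file rules. Function names p1_* are this example's own.

# A command filename must be a bare name: "/" is an illegal character.
p1_check_filename() {
  case "$1" in
    ''|*/*) return 1 ;;
    *)      return 0 ;;
  esac
}

# <home> <rel>: succeed only if <rel> is a relative path to an existing
# directory whose physical location is inside <home>. Resolving with
# "pwd -P" is what defeats "../" and a symlink pointing outside the home.
p1_check_dir() {
  case "$2" in /*) return 1 ;; esac
  home_phys=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  dir_phys=$(cd "$1/$2" 2>/dev/null && pwd -P) || return 1
  case "$dir_phys" in
    "$home_phys"|"$home_phys"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# The output directory must additionally not be soft linked: compare the
# logical path with the physical one; they differ if any component is a link.
p1_check_outputdir() {
  home_phys=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  p1_check_dir "$home_phys" "$2" || return 1
  logical=$(cd "$home_phys/$2" && pwd -L)
  physical=$(cd "$home_phys/$2" && pwd -P)
  [ "$logical" = "$physical" ]
}

# Build a throwaway home directory to exercise the checks (constructed layout):
#   home/work                 real directory
#   home/linked -> home/work  symlink that stays inside the home
#   home/escape -> elsewhere  symlink that leaves the home
p1_demo_setup() {
  base=$(mktemp -d) || return 1
  mkdir -p "$base/home/work" "$base/elsewhere"
  ln -s "$base/home/work" "$base/home/linked"
  ln -s "$base/elsewhere" "$base/home/escape"
  printf '%s\n' "$base"
}

# Run both checks against each candidate directory and print one verdict per line.
p1_demo() {
  base=$(p1_demo_setup) || return 1
  for cand in work linked escape ../elsewhere; do
    if p1_check_dir "$base/home" "$cand"; then in=inside; else in=REJECTED; fi
    if p1_check_outputdir "$base/home" "$cand"; then out=ok; else out=REJECTED; fi
    printf '%-14s input-dir: %-9s output-dir: %s\n' "$cand" "$in" "$out"
  done
  rm -rf "$base"
}

p1_demo
```

Only "work" passes as an output directory: "linked" is a valid input directory (its target is inside
the home) but fails the soft-link rule, while "escape" and "../elsewhere" fail both checks because
they resolve outside the home.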
Multi-Domain Security Management Shell Commands
P1Shell includes both general Multi-Domain Security Management commands and its own Native
P1Shell commands. For more information, see Native P1Shell Commands (on page 140).
To view a list of available Multi-Domain Security Management commands, enter help or ? . When the
logged-in user is a Domain Superuser, commands that are available only to Multi-Domain Security
Management Superusers, not to Domain Superusers, will not appear in the list.
General Multi-Domain Security Management Commands
Available commands are listed below. For further command details see the R75.20 Command Line Interface
Reference Guide (http://supportcontent.checkpoint.com/documentation_download?ID=12264).
Commands indicated as Limited are available only to Multi-Domain Security Management Superusers, not
to Domain Superusers. All other listed commands are available to both Multi-Domain Security Management
Superusers and to Domain Superusers.
Any command options listed as Not Supported are not currently supported in P1Shell. Where the available
command options are given as All, it should be understood as: all command options are available, except
for those listed as Not Supported.
cpca_dbutil
  Available command options: print; convert; d2u; get_crl_mode
cpd_admin
  Available command options: for Multi-Domain Security Management Superuser: All; for Domain
  Superuser: debug on; list; ver
cpinfo
  Available command options: All
cplic
  Available command options: All, with these commands specific to Multi-Domain Security
  Management: cplic print shows all Domain Management Server and Multi-Domain Server licenses;
  cplic print -D shows only Domain Management Server licenses.
CPperfmon
  Available command options: hw; mdsconfig; procmem; monitor; off; summary
cppkg
  Available command options: add; setroot; del; print; getroot; get
cpprod_util (Limited)
  Available command options: All
cprinstall
  Available command options: get; verify; install; transfer; uninstall; boot; cprestart; cpstart;
  cpstop; show; snapshot; revert; delete
cprlic
  Available command options: All
cpstat
  Available command options: All
cpstat_monitor
  Available command options: All
cpvinfo
  Available command options: All
cpwd_admin
  Available command options: list
dbedit
  Available command options: All
dbver
  Available command options: -help; -s; -c; -u; -w; -m; -p
enable_mds_deletion (Limited)
fw
  Not Supported: fetch; log; fetchlogs; monitor; mergefiles
  Available command options: for Multi-Domain Security Management Superuser: All; for Domain
  Superuser: logswitch; stat; tab; debug fwd; debug fwm
fwm
  Not Supported: dbimport; logexport
  Available command options: for Multi-Domain Security Management Superuser: All; for Domain
  Superuser: load; dbload; ver; unload; logexport; mds recalc_lics; mds fwmconnect;
  mds rebuild_global_communities_status
LSMcli
  Not Supported: cpinstall; snapshot; delete; revert
  Available command options: All
mds_backup (Limited)
  Available command options: All
mds_user_expdate
  Available command options: All
mdscmd (Limited)
  Not Supported: migratemanagement
  Available command options: All
mdsconfig (Limited)
  Available command options: All
mdsenv
  Available command options: All
mdsquerydb
  Available command options: All
mdsstart (Limited)
  Available command options: All
mdsstart_customer
  Available command options: All
mdsstat
  Available command options: All
mdsstop (Limited)
  Available command options: All
mdsstop_customer
  Available command options: All
promote_util
  Available command options: All
sam_alert
  Available command options: All
Native P1Shell Commands
Besides enabling Multi-Domain Security Management commands, P1Shell implements the following shell
commands:
Command                            Description
help [<command>]                   Displays the command's help text, or (without arguments) lists
                                   available commands.
Idle [<minutes>]                   Sets idle time before automatic logout to <minutes>, or (without
                                   arguments) displays current idle time (default is 10 minutes).
exit                               Exits P1Shell.
? [<command>]                      Same as help.
set_outputdir <path>               Sets the output directory to be <path>, where <path> is relative
                                   to the user's home directory.
set_inputdir <path>                Sets the input directory to be <path>, where <path> is relative
                                   to the user's home directory.
display_io_dirs                    Displays the input and output directories.
copy_logfiles <process_name> [-l]  Copies the process's debug log files according to the environment
                                   context (Domain Management Server/Multi-Domain Server) to the
                                   output directory. <process_name> is one of: fwm, fwd, cpd, cpca.
                                   If -l is used, only the most recent log file is copied.
run <batch_file>                   Runs a batch of Multi-Domain Server commands in sequence. The
                                   batch file must be in the defined input directory.
scroll [on | off]                  Sets output scrolling on or off, or displays the current scroll
                                   setting. Scrolling is similar to the 'more' command.
Audit Logging
P1Shell logs audits in two different ways.
P1Shell saves all audits to a text file:
$MDS_SYSTEM/p1shell/log/p1shell_cmd_audit.log
In addition, P1Shell sends audits to the Multi-Domain Server to be logged. These audits can be viewed in
SmartView Tracker. If the Multi-Domain Server is not running at the time of the audited event, and the Multi-
Domain Server later starts during the same P1Shell session, the audit is then sent to the Multi-Domain
Server. If the Multi-Domain Server is down from the time of the event until the end of the P1Shell session,
the Multi-Domain Server does not receive the audit.
Command Line Reference
cma_migrate
Description This command imports an existing Security Management Server or Domain Management
Server into a Multi-Domain Server so that it will become one of its Domain Management Servers. If the
imported Security Management or Domain Management Server is of a version earlier than the Multi-Domain
Server to which it is being imported, then the Upgrade process is performed as part of the import.
It is recommended that you run cma_migrate to import Domain Management Server or Security
Management server database files created using the export_database tool.
Bear in mind that the source and target platforms may be different. The platform of the source management
to be imported can be Solaris, Linux, Windows, SecurePlatform or IPSO.
Usage cma_migrate <source management directory path> <target Domain Management Server FWDIR directory>
Syntax
Argument                                        Description
source management directory path                The root of the original source database directory; the
                                                FWDIR directory, or a copy of it.
target Domain Management Server FWDIR directory The directory of the Domain Management Server that you
                                                are migrating to. The target Domain Management Server
                                                cannot ever have been started before running
                                                cma_migrate. There is no need to stop the Multi-Domain
                                                Server before running cma_migrate.
CPperfmon - Solaris only
CPperfmon is a performance monitoring utility. Call it with specific arguments to initiate or interrupt various
performance monitoring processes.
CPperfmon hw - Solaris only
In this mode the performance monitoring tool collects hardware configuration information and either displays
it to the user or stores it to the repository. There are three possible parameter configurations for the
execution of the "hw" mode. Without any arguments, the command displays hardware information to the
user (to screen).
Usage CPperfmon hw
CPperfmon hw store
CPperfmon hw store=/new_path/new_sub_path
Syntax
Argument                        Description
store                           Stores the collected hardware information in the default repository
                                ($MDSDIR/log/pmrepository). The generated file name contains a
                                timestamp, and its extension is .hardware. For instance, the file
                                0207111112.hardware was generated at 07/11/2002 (DD/MM/YYYY) at
                                11:11 (local time). Using this convention the user can "record" the
                                changes in the hardware configuration by executing the "CPperfmon hw
                                store" command after every change.
store=/new_path/new_sub_path    If the intended repository directory is different from the default
                                one, add the argument "store=/new_path/new_sub_path". The default
                                repository base path is $MDSDIR/log, under which the performance
                                monitor creates the "pmrepository" subdirectory where it stores all
                                of the data files.
Further Info. To list system swap configuration, run:
/usr/sbin/swap -l
To view swap status, run:
/usr/sbin/swap -s
Output
System Configuration: Sun Microsystems sun4u Sun Ultra 5/10 UPA/PCI
(UltraSPARC-IIi 360MHz)
System clock frequency: 90 MHz
Memory size: 256 Megabytes
========================= CPUs =========================
Run Ecache CPU CPU
Brd CPU Gateway MHz MB Impl. Mask
--- --- ------- ----- ------ ------ ----
0 0 0 360 0.2 12 9.1
========================= IO Cards =========================
Bus# Freq
Brd Type MHz Slot Name Model
--- ---- ---- ---- --------------------------------
0 PCI-1 33 1 ebus
0 PCI-1 33 1 network-SUNW,hme
0 PCI-1 33 2 SUNW,m64B ATY,GT-C
0 PCI-1 33 3 ide-pci1095,646
No failures found in System
===========================
swapfile dev swaplo blocks free
/dev/dsk/c0t0d0s1 136,9 16 1049312 740912
total: 204864k bytes allocated + 14664k reserved = 219528k used, 483560k
available
CPperfmon procmem - Solaris only
Description Use the performance monitoring tool in this mode to schedule Multi-Domain Server
processes memory monitoring. This mode consists of periodic sampling of the address space maps of all
running Multi-Domain Server and Domain Management Server processes. The user must provide the sampling
frequency (number of samples per day). When scheduling the sampling process, CPperfmon creates
crontab entries with equal gaps between them; for example, if the requested frequency is twice a day, two
executions are scheduled, one at 24:00 and one at 12:00. The address space map sampling process (when
initiated by cron) iterates through all of the defined Domain Management Servers and collects information.
Usage CPperfmon procmem <frequency>
CPperfmon procmem <frequency> store= /new_path/new_sub_path
CPperfmon procmem off
Syntax
Argument      Description
frequency     For continuous monitoring, specify how often to store data (number of samples per
              day).
store         Store to the repository. If the intended repository directory is different from the
              default one, add the argument "store=/new_path/new_sub_path". The default repository
              base path is $MDSDIR/log, under which the performance monitor creates the
              "pmrepository" subdirectory where it stores all of the data files.
off           De-schedules all of the scheduled periodic tasks.
Example CPperfmon procmem 4 store=/tmp/mdsmon
Schedule Multi-Domain Server processes memory monitoring to run 4 times a day and store the results in
/tmp/mdsmon/pmrepository.
CPperfmon monitor - Solaris only
Description Use the performance monitoring tool in this mode to schedule Multi-Domain Server
processes memory monitoring. This mode consists of periodic sampling of system virtual memory statistics,
system paging activity, active process statistics and connected client statistics. Parameters which
change frequently are sampled every 30 seconds, while other parameters are sampled every 30 minutes.
Usage CPperfmon monitor <duration>
CPperfmon monitor <duration> store=/new_path/new_sub_path
CPperfmon monitor off
Syntax
Argument      Description
duration      Duration of monitoring.
monitor off   De-schedules all of the scheduled monitoring processes. Removes crontab entries for
              low frequency processes, terminates high frequency monitoring processes.
store         Store to the repository. If the intended repository directory is different from the
              default one, add the argument "store=/new_path/new_sub_path". The default repository
              base path is $MDSDIR/log, under which the performance monitor creates the
              "pmrepository" subdirectory where it stores all of the data files.
Example CPperfmon monitor 3
Schedule system performance monitoring to run for 3 hours and use the default repository directory.
CPperfmon mdsconfig - Solaris only
Description Collects statistics and information about the user's Multi-Domain Server and Domain
Management Server databases. The information is either displayed to screen or stored in the repository.
The user can record the changes in various configuration databases by occasionally executing the
"CPperfmon mdsconfig store" command.
Usage CPperfmon mdsconfig
CPperfmon mdsconfig store
CPperfmon mdsconfig store=/new_path/new_sub_path
Syntax
Argument                        Description
store                           Path of the CPperfmon repository. The default repository base path is
                                $MDSDIR/log, under which the performance monitor creates the
                                "pmrepository" subdirectory where it stores all of the data files.
store=/new_path/new_sub_path    Stores the collected databases information in the specified repository
                                (creates a pmrepository subdirectory if necessary). The generated file
                                name contains a timestamp, and has extension .mdsconf. For example,
                                the file 0207111112.mdsconf was generated at 07/11/2002 (DD/MM/YYYY)
                                at 11:11 (local time).
Additional Information:
Collected parameters are:
Size of Domain Management Server objects_5_0.C file.
Size of Domain Management Server rulebases_5_0.fws file.
Number of network objects in Domain Management Server objects_5_0.C file.
Number of gateways with firewall installed among the defined network objects.
Number of rule bases and number of rules in every rule base.
Output:
**********************************************
Domain: b52-1
Network Objects: 8
Gateways With Firewall Installed: 2
Objects Database Size: 337296
Rules Database Size: 11369
No. of Rules Rulebase Name
-----------------------------------------
3 Exceptional
2 Standard
-----------------------------------------
5 2
**********************************************
CPperfmon summary - Solaris only
Description This mode collects data from the "mdsconfig" mode. It displays it to screen if no argument
is provided. Otherwise it stores data to the repository, with a short summary of hardware configuration, and
a time stamp both in local time and in UTC. Record the changes in various configuration databases by
executing CPperfmon mdsconfig store command every once in a while.
Usage CPperfmon summary
CPperfmon summary store
CPperfmon summary store=/new_path/new_sub_path
Syntax
Argument                        Description
store                           Path to the repository. The default repository base path is
                                $MDSDIR/log, under which the performance monitor creates the
                                "pmrepository" subdirectory where it stores all of the data files.
store=/new_path/new_sub_path    Stores the collected databases information in the specified repository
                                (creates the pmrepository subdirectory when necessary). The generated
                                file name contains a timestamp and has extension .mdsconf.
Output Following is a sample output:
Date: Thu Jul 11 15:12:31 IDT 2002
GMT Date: Thu Jul 11 12:12:31 GMT 2002
Sun Microsystems sun4u Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi
360MHz 256 Megabytes
/dev/dsk/c0t0d0s1 136,9 16 1049312 741040
Domain Management   Rulebase   Objects   Network   Gateways   Rules   Rulebases
Server Name         Size       Size      Objects
b52-1               11369      337296    8         2          5       2
b52-2               20         317520    5         0          0       0
CPperfmon off - Solaris only
Description Use this utility to de-schedule all of the currently scheduled monitoring processes. It is
equivalent to calling CPperfmon monitor off and CPperfmon procmem off together.
CPperfPack
Description This utility packages the performance monitor repository into a single compressed file
so that it can be sent to Check Point technical personnel.
Usage CPperfPack [store=<your store>] [target=<your target>]
Syntax
Argument    Description
store       Path to the repository. The default repository base path is $MDSDIR/log.
target      CPperfPack compresses the performance monitor repository and saves it as a .tar.gz file
            in the target directory ($MDSDIR/tmp unless specified otherwise). Example: the file
            CPperfMon0207111718.tar.gz was generated at 07/11/2002 (DD/MM/YYYY) at 17:18 (local
            time). If the performance monitor repository does not reside in the default path
            ($MDSDIR/log), the user must provide the base path of the repository (the path
            containing the pmrepository directory).
Example CPperfPack
Without arguments, the repository is read from the default base path (store=$MDSDIR/log) and the
compressed file is saved in $MDSDIR/tmp.
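The CPperfmon hw store, CPperfmon mdsconfig store and CPperfPack sections above all name their output
files with a ten-digit YYMMDDHHMM stamp (CPperfMon0207111718.tar.gz was generated on 11 July 2002 at
17:18). The following added example, which is not part of this guide or of CPperfmon, decodes such
stamps and lists a repository directory in chronological order with each file's kind. It assumes the
two-digit year means 20YY; the pm_* function names and the sample file names are this example's own.

```shell
#!/bin/sh
# Added example (not Check Point code): decode CPperfmon/CPperfPack file name
# stamps and list a pmrepository directory oldest-first. Assumes years 20YY.

# Decode a 10-digit YYMMDDHHMM stamp into "YYYY-MM-DD HH:MM"; reject anything else.
pm_decode_stamp() {
  s=$1
  case "$s" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) return 1 ;;
  esac
  yy=${s%????????}; rest=${s#??}       # YY, then MMDDHHMM
  mo=${rest%??????}; rest=${rest#??}   # MM, then DDHHMM
  dd=${rest%????};   rest=${rest#??}   # DD, then HHMM
  hh=${rest%??};     mi=${rest#??}     # HH, MM
  printf '20%s-%s-%s %s:%s\n' "$yy" "$mo" "$dd" "$hh" "$mi"
}

# Classify a file by the naming conventions in the guide and print
# "<decoded time>\t<kind>\t<name>"; unrecognised names return 1.
pm_describe_file() {
  name=${1##*/}
  case "$name" in
    *.hardware)        stamp=${name%.hardware}; kind="hardware (CPperfmon hw store)" ;;
    *.mdsconf)         stamp=${name%.mdsconf};  kind="mdsconf (CPperfmon mdsconfig/summary store)" ;;
    CPperfMon*.tar.gz) stamp=${name#CPperfMon}; stamp=${stamp%.tar.gz}; kind="archive (CPperfPack)" ;;
    *) return 1 ;;
  esac
  when=$(pm_decode_stamp "$stamp") || return 1
  printf '%s\t%s\t%s\n' "$when" "$kind" "$name"
}

# List the recognised files of a repository directory, oldest first.
pm_list_repository() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    pm_describe_file "$f" || continue
  done | sort
}

# Demo on a constructed repository; the file names below are constructed
# samples following the guide's convention, not files from a real system.
pm_demo() {
  dir=$(mktemp -d) || return 1
  for n in CPperfMon0207111718.tar.gz 0207111112.mdsconf 0207111112.hardware notes.txt; do
    : > "$dir/$n"
  done
  pm_list_repository "$dir"
  rm -rf "$dir"
}

pm_demo
```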
cpmiquerybin
Description cpmiquerybin utility is the binary core of the Database Query Tool.
(For the Database Query Tool, see mdsquerydb (on page 160).)
This command-line CPMI client connects to the specified database, executes a query and displays results
as either a collection of FW-1 Sets or tab-delimited list of requested fields from each retrieved object. The
target database of the query tool depends on the environment settings of the shell being used by the user.
Whenever the user desires to access one of Multi-Domain Server databases, he/she should execute the
mdsenv command, in order to define the environment variables necessary for database connection. In
order to connect to a database of a certain Domain Management Server, the user should execute mdsenv
command providing Domain Management Server name or IP address as a first parameter. (See also
mdsenv (on page 159).)
Note - A MISSING_ATTR string is displayed when the user specifies
an attribute name that does not exist in one of the objects in query
result. The MISSING_ATTR string indicates that that attribute is
missing.
Exit Code
0 when query succeeds, 1 if query fails, or query syntax is bad.
Usage cpmiquerybin <query_result_type> <database> <table> <query> [-a
<attributes_list>]
Syntax
Argument             Description
query_result_type    Requested format of the query result. Possible values:
                     attr - display the values of the fields specified (with the -a parameter) for
                     each retrieved object
                     object - display FW-1 sets containing the data of each retrieved object.
database             Name of the database to connect to, in quotes. For instance, "mdsdb" or "".
table                Table to retrieve the data from, for instance, network_objects
query                Empty query ("") or a query specifying the objects range for retrieval, for
                     instance name='a*'.
-a attributes_list   If query_result_type was specified as "attr", this field should contain a
                     comma-delimited list of object fields to display. The object name can be
                     accessed using a special "virtual" field called "__name__". Example:
                     __name__,ipaddr
Example Print all network objects in the default database
cpmiquerybin object "" network_objects ""
Print hosted_by_mds and ipaddr attributes of all network objects in database "mdsdb"
mdsenv
cpmiquerybin attr "mdsdb" network_objects "" -a hosted_by_mds,ipaddr
dbedit
Description This utility can be used in Multi-Domain Security Management configuration and is further
described in the R75.20 Security Management Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12277). It is used in conjunction with
the mdsenv command. Particular commands for accessing the Multi-Domain Server and Domain
Management Server environment are included here.
Usage dbedit -mds
dbedit -s <Multi-Domain Server_IP> -d mdsdb -u <P1_Admin> -p <password>
dbedit -s <Domain Management Server_IP> -u <Domain Management Server_Admin> -p <password>
Syntax
Argument                        Description
-mds                            Access without user name and password. Use this option only for
                                Domain Management Server or Multi-Domain Server configuration on the
                                same machine as the one on which the command line is executed.
-s <Multi-Domain Server_IP>     Specifies the IP of the Multi-Domain Server you want to connect to.
-u <P1_Admin> -p <password>     -u <P1_Admin> and -p <password> are used as a pair and must specify a
                                valid Multi-Domain Security Management administrator and password for
                                proper remote login. In addition, the computer on which the command
                                is executed must be a valid Multi-Domain Server GUI Client. Beware
                                not to expose your administrator password during remote login.
-d mdsdb                        Edit the MDSDB database.
Examples:
To edit the database that resides on the Multi-Domain Server Global database, use the
following commands:
mdsenv
dbedit -mds
To edit the database that resides on the Multi-Domain Server MDSDB database, use the
following commands:
mdsenv
dbedit -mds -d mdsdb
To edit the Domain Management Server database, use the following commands:
mdsenv <Domain Management Server name>
dbedit 10.10.10.10 -mds
where 10.10.10.10 is the Domain Management Server IP.
To use dbedit on a remote Multi-Domain Server/Domain Management Server the computer that you are
running the dbedit on must be defined as an authorized GUI Client of the Multi-Domain Server/Domain
Management Server. The user must be a Multi-Domain Security Management administrator and provide a
user name and password:
dbedit -s 10.10.10.10 -u CANDACE -p ****
where 10.10.10.10 is the Multi-Domain Server or Domain Management Server IP, and **** is a password.
To edit the remote Multi-Domain Server MDSDB database:
dbedit -s 10.10.9.1 -d mdsdb -u ROGER -p ****
where 10.10.9.1 is the Multi-Domain Server IP, ROGER is an administrator and **** is a password.
To edit the remote Domain Management Server database:
dbedit -s 10.10.19.1 -u SAMANTHA -p ****
where 10.10.19.1 is the Domain Management Server IP, SAMANTHA is an administrator and **** is a
password.
mcd bin | scripts | conf
Description This command provides a quick directory change to $FWDIR/<param>.
Example mdsenv MyDServer1
mcd conf
Brings you to: /opt/CPmds-R75.20/Domains/MyDServer1/CPsuite-R75.20/fw1/conf.
mds_backup
The mds_backup command backs up binaries and data from your Multi-Domain Server to the working
directory. This command requires Superuser privileges.
mds_backup executes the gtar command on product root directories containing data and binaries, and
backs up all files except those specified in the mds_exclude.dat file ($MDSDIR/conf). The collected
information is stored in a single .tgz file, saved in the current working directory, whose name consists
of the backup date and time. For example: 13Sep2002-141437.mdsbk.tgz
To perform a backup:
1. Execute mds_backup from any location outside the product directory tree to be backed up. This
becomes the working directory.
2. Upon completion of the backup process, copy the backup .tgz file, together with the mds_restore,
gtar and gzip command files, to your external backup location.
Usage mds_backup [-g -L {all|best} -b {-d <target dir name>} -v -l -h]
mds_backup [-g -b {-d <target dir name>} -v -h]
Syntax
Argument Description
-g: Executes without prompting to disconnect GUI clients.
-b: Batch mode - executes without asking anything (-g is implied).
-d: Specifies a directory in which to store the backup file. When not specified, the backup file is stored in the current directory. You cannot store the backup file in any location inside the product root directory tree.
-v: Verbose mode - lists all files to be backed up, but does not perform the backup operation.
-l: Excludes logs from the backup.
-L: Locks databases on the computer being backed up so that SmartDashboard cannot connect in Read/Write mode. You must use one of these argument options: all - if a lock attempt fails on a database (global or local), the backup stops; best - if a lock attempt fails on a database, the command continues to back up the database, but does not lock it. Note: The lock databases option has no effect on SmartDomain Manager clients because they can only connect in Read/Write mode.
-h: Help - displays help text.
Comments When using the -g or -b options, make sure that no GUI clients or SmartReporter servers
are connected. Otherwise, the backup file may contain inconsistencies due to database changes made
during the backup process.
It is important not to run mds_backup from any of the directories that will be backed up. For example, when backing up a Multi-Domain Server, do not run mds_backup from /opt/CPmds-R70, since that is a circular reference (backing up the directory that you need to write into).
Active log files are not backed up, in order to avoid read-during-write inconsistencies. It is recommended to
perform a log switch prior to the backup procedure.
Further Info. The Multi-Domain Server configuration can be backed up without backing up the log files.
Such a backup will usually be significantly smaller in size than a full backup with logs. To back up without
log files, add the following line to the file $MDSDIR/conf/mds_exclude.dat:
log/*
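The following wrapper is an added example, not a script from the Check Point guide. It enforces the rules above before calling mds_backup: the working directory and the -d target must lie outside the product tree, the backup runs in batch mode with a best-effort database lock, and the .tgz is copied to an external location together with the restore tooling. It assumes $MDSDIR points at the product root (the guide uses $MDSDIR/conf) and that mds_backup leaves mds_restore, gtar and gzip next to the .tgz in the target directory; the log switch and GUI client disconnect are left to the caller.

```shell
#!/bin/bash
# Added example, not part of the Check Point guide: a wrapper around mds_backup
# that refuses to run from inside the product tree (the "circular reference"
# the guide warns about) and packages the result for off-box storage.
# Assumptions: MDSDIR is the product root; mds_backup drops mds_restore, gtar
# and gzip next to the .tgz in the -d target directory.
set -u

# Resolve a directory to an absolute physical path; fail if it does not exist.
abs_dir() {
  (cd "$1" 2>/dev/null && pwd -P)
}

# Return 0 when directory $1 is outside the product root $2, 1 otherwise.
# The root itself and anything beneath it count as inside; a sibling such as
# /opt/CPmds-R75.20-old is outside. A non-existent directory is rejected too.
outside_product_tree() {
  local dir root
  dir=$(abs_dir "$1") || return 1
  root=$(abs_dir "$2") || return 1
  case "$dir" in
    "$root"|"$root"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Compose the mds_backup arguments from the guide's syntax: batch mode
# (-b, implies -g), best-effort database lock (-L best), -d for the target
# directory, and -l when logs are to be excluded.
backup_args() {
  local target=$1 skip_logs=${2:-no}
  local args="-b -L best -d $target"
  if [ "$skip_logs" = yes ]; then
    args="$args -l"
  fi
  printf '%s\n' "$args"
}

# Run the backup from working directory $1, write the .tgz into $2 and copy
# the archive plus mds_restore, gtar and gzip to the external location $3.
# Disconnect GUI clients and perform a log switch before calling this.
run_mds_backup() {
  local workdir=$1 target=$2 dest=$3 root=${MDSDIR:-/opt/CPmds-R75.20} d
  for d in "$workdir" "$target"; do
    if ! outside_product_tree "$d" "$root"; then
      echo "refusing to back up: $d is inside the product tree $root" >&2
      return 2
    fi
  done
  cd "$workdir" || return 1
  # Word splitting of the argument string is intended here.
  mds_backup $(backup_args "$target" "${SKIP_LOGS:-no}") || return 1
  mkdir -p "$dest" || return 1
  cp "$target"/*.mdsbk.tgz "$target"/mds_restore "$target"/gtar "$target"/gzip "$dest"/
}
```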
mds_restore
Description Restores a Multi-Domain Server that was previously backed up with mds_backup. For correct operation, the backup should be restored onto a clean Multi-Domain Server installation.
Usage ./mds_restore <backup file>
Note - The mds_restore command must use the script that was created in the directory in which the backup file was created.
mds_user_expdate
Description - Changes multiple administrator expiration dates in one operation. You can do this for administrators on all Domain Management Servers or for users on one or more specified Domain Management Servers.
Usage - mds_user_expdate
Important
Disconnect all GUI clients before running the mds_user_expdate command. If you do not do this, the SmartDomain Manager will overwrite any changes made by the command.
You can only use the mds_user_expdate command on an Active Multi-Domain Server in a High Availability deployment. You must synchronize your servers and install policies on your gateways after using this command.
We recommend that you back up your Multi-Domain Servers before using the mds_user_expdate command.
mdscmd
Description This command is used to execute different commands on the Multi-Domain Server system.
It connects to a Multi-Domain Server as a CPMI client and causes it to execute one of the specified
commands described below. Connection parameters [-m Multi-Domain Server -u user -p
password] are required in order to log into a remote Multi-Domain Server. If these arguments are omitted,
mdscmd connects to the local machine. As the command is a CPMI client, it has an audit log.
Usage mdscmd <sub command and sub command parameters> [-m Multi-Domain Server -u user -p password]
mdscmd help
Syntax
Argument Description
-m Multi-Domain Server: For remote login; specifies the name or IP address of the Multi-Domain Server you want to connect to.
-u user and -p password: Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
help: Prints the usage of an mdscmd command and a list of examples.
mdscmd adddomain
Description This command is used to create a Domain, locally or remotely. If run remotely, add login
details. A first Domain Management Server can be created at the same time using this command.
Usage mdscmd adddomain <DomainName> [-n <Domain Management Server>_name] [-i IP] [-t target_mds] [-m Multi-Domain Server -u user -p password]
Syntax
Argument Description
DomainName: Specifies the name of the Domain to add.
-n <Domain Management Server>_name: A first Domain Management Server is created when the Domain is created, using the name you provide (<Domain Management Server>_name).
-m Multi-Domain Server: Specifies the name or IP of the Multi-Domain Server you want to connect to.
-u user and -p password: Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
-i IP: Specifies the virtual IP address (VIP) assigned to the Domain Management Server. If -n <Domain Management Server>_name is used but no IP address is specified, yet a VIP range has been defined for the Multi-Domain Server, the next available VIP is assigned to the Domain Management Server. If you use -i IP without -n <Domain Management Server>_name, a name is automatically generated with the format: <Domain name>_First_DomainManagementServer.
-t target_mds: Specifies the Multi-Domain Server to which the Domain Management Server is added. If not specified, mdscmd attempts to add the Domain Management Server to the Multi-Domain Server to which it is connected.
Example Add a new Domain named BestDomain without a Domain Management Server:
mdscmd adddomain BestDomain
Add a new Domain named BestDomain with a Domain Management Server named BestDomainDMS, using the Virtual IP address 4.4.4.4:
mdscmd adddomain BestDomain -n BestDomainDMS -i 4.4.4.4
Note - The old form of this command (mdscmd addcustomer) is still supported.
mdscmd addmanagement
Description A Domain must already be created in order to use this command.
Usage mdscmd addmanagement <DomainName> <-i IP> [-n <Domain Management Server>_name] [-t target_mds] [-m Multi-Domain Server -u user -p password]
Syntax
Argument Description
DomainName: Specifies the name of the Domain to which the Domain Management Server is added.
-n <Domain Management Server>_name: Creates a Domain Management Server with this name. If you do not specify -n <Domain Management Server>_name, <Domain Management Server>_name is generated automatically in the format: <Domain name>_First_DMS.
-i IP: Specifies the virtual IP address (VIP) used by the Domain Management Server. If -n <Domain Management Server>_name is used but no IP address is specified, yet a VIP range has been defined for the Multi-Domain Server, the next available VIP is assigned to the Domain Management Server. If you use -i IP without -n <Domain Management Server>_name, a name is automatically generated with the format: <Domain name>_First_DMS.
-t target_mds: Defines the Multi-Domain Server to which the Domain Management Server is added. If you do not specify this parameter, mdscmd attempts to add the Domain Management Server to the Multi-Domain Server to which it is connected.
-m Multi-Domain Server: Specifies the name or IP of the Multi-Domain Server you want to connect to.
-u user and -p password: Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
Example Add a new Domain Management Server to the Domain BestDomain using the Virtual IP address 4.4.4.4:
mdscmd addmanagement BestDomain -i 4.4.4.4
Add a new Domain Management Server named BestDomain to the Domain BestDomain using the Virtual IP address 4.4.4.4:
mdscmd addmanagement BestDomain -i 4.4.4.4 -n BestDomain
Add a new Domain Management Server to the Domain BestDomain on host AnotherMds using the Virtual IP address 4.4.4.4:
mdscmd addmanagement BestDomain -i 4.4.4.4 -t AnotherMds
Note - The old form of this command (mdscmd addcma) is still supported.
mdscmd addlogserver
Description Use the addlogserver sub-command to add a Domain Log Server to an existing Domain.
addlogserver adds either the first or any subsequent Domain Log Server of the Domain. To add a Domain
Log Server to a Domain, it must already have at least one Domain Management Server.
Usage mdscmd addlogserver <DomainName> [-i IP] [-t target_mds] [-m Multi-Domain Server -u user -p password]
Syntax
Argument Description
DomainName: Specifies the name of the Domain to which the Domain Log Server is added.
-i IP: Specifies the Virtual IP address (VIP) to be used by the Domain Log Server.
-t target_mds: Defines the Multi-Domain Server to which the Domain Log Server is added. If you do not specify this parameter, mdscmd attempts to add the Domain Log Server to the Multi-Domain Server to which it is connected.
-m Multi-Domain Server: Specifies the name or IP of the Multi-Domain Server you want to connect to.
-u user and -p password: Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
Note - The old version of this command (mdscmd addclm) is still supported.
mdscmd assignadmin
Description Assigns an administrator to a Domain using the specified permissions profile.
Syntax mdscmd assignadmin <administrator name> <administrator profile> <domain name>
Parameters
Parameter Description
administrator name: Administrator name.
administrator profile: Administrator permissions profile.
domain name: Name of the Domain to which the administrator is assigned.
Example mdscmd assignadmin Reuven Default_Profile NewYorkBranch
mdscmd assignguiclient
Description Assigns a GUI client to the specified Domain.
Syntax mdscmd assignguiclient <domain name> <gui client>
Parameters
Parameter Description
domain name: Domain name.
gui client: Name of a Multi-Domain Security Management GUI client used by the specified Domain.
Example mdscmd assignguiclient NewYorkBranch Telco_Admins
mdscmd deletedomain
Description Use this command to delete an existing Domain. When deleting a Domain, you also delete its Domain Management Servers.
Usage mdscmd deletedomain <DomainName> -m Multi-Domain Server -u user name -p password
Syntax
Argument Description
DomainName: Specifies the name of the Domain to be deleted.
-m Multi-Domain Server: Specifies the name or IP of the Multi-Domain Server you want to connect to.
-u user and -p password: Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
Example Delete the Domain BestDomain:
mdscmd deletedomain BestDomain
Note - The old version of this command (mdscmd deletecustomer) is still supported.
mdscmd deletemanagement
Description Use this command to delete an existing Domain Management Server.
Usage mdscmd deletemanagement <DomainName> <-n <Domain Management Server>_name | -i IP> [-m Multi-Domain Server -u user -p password]
Syntax
Argument Description
DomainName: Specifies the name of the Domain whose Domain Management Server is deleted.
-n <Domain Management Server>_name: Specifies the name of the Domain Management Server to be deleted.
-i IP: Specifies the Virtual IP address (VIP) used by the Domain Management Server.
-m Multi-Domain Server: Specifies the name or IP of the Multi-Domain Server you want to connect to.
-u user and -p password: Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
Comments One or the other of the following parameters must be specified:
-i IP - specify this parameter to delete the Domain Management Server by its Virtual IP address.
-n <Domain Management Server>_name - specify this parameter to delete the Domain Management Server by its name (set in <Domain Management Server>_name).
Example Delete a Domain Management Server from the Domain BestDomain by stating its virtual IP address (4.4.4.4):
mdscmd deletemanagement BestDomain -i 4.4.4.4
Delete a Domain Management Server from the Domain BestDomain, using the Domain Management Server name BestDomain, and connecting to the remote Multi-Domain Server AnotherMds (using user name MyUser and password MyPassword):
mdscmd deletemanagement BestDomain -n BestDomain -m AnotherMds -u MyUser -p MyPassword
Note - The old version of this command (mdscmd deletecma) is still supported.
mdscmd deletelogserver
Description Use this command to delete an existing Domain Log Server.
Usage mdscmd deletelogserver <DomainName> <-i IP> [-m Multi-Domain Server -u user -p password]
Syntax
Argument Description
DomainName: Specifies the name of the Domain whose Domain Log Server is deleted.
-i IP: Specifies the Virtual IP address (VIP) used by the Domain Log Server to be deleted.
-m Multi-Domain Server: Specifies the name or IP of the Multi-Domain Server you want to connect to.
-u user and -p password: Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
Note - The old version of this command (mdscmd deleteclm) is still supported.
mdscmd enableglobaluse
Description Use this command to connect a Domain gateway to a Global VPN Community. Executing this command with a Domain name and a gateway name creates a global gateway object and a VPN Domain object for the specified Domain gateway in the Global database.
[-g global name] is used to determine the global gateway object name. If [-g global name] is omitted, the global name will be gGW1_of_CUST1 for the gateway GW1 and Domain CUST1. The VPN domain object will receive the same name as the global gateway object with a '_Domain' extension.
Usage mdscmd enableglobaluse <DomainName> <gatewayName> [-g globalName] [-m Multi-Domain Server -u user -p password]
Syntax
Argument Description
DomainName: Specifies the name of the Domain to which the Domain Management Server belongs.
gatewayName: Specifies the name of the gateway.
-g global name: Determines the global gateway object name. If [-g global name] is omitted, the global name will be gGW1_of_CUST1 for the gateway GW1 and Domain CUST1.
-m Multi-Domain Server: Specifies the name or IP of the Multi-Domain Server you want to connect to.
-u user and -p password: Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
Comments mdscmd enableglobaluse is equivalent to enabling global use of a gateway from SmartDomain Manager.
mdscmd disableglobaluse
Description Use this command to remove a Domain global gateway object and VPN Domain object from
the global database.
Usage mdscmd disableglobaluse <DomainName> <gatewayName> [-m Multi-Domain Server -u user -p password]
Syntax
Argument Description
DomainName: Specifies the name of the Domain to which the Domain Management Server belongs.
gatewayName: Specifies the name of the gateway.
-m Multi-Domain Server: Specifies the name or IP of the Multi-Domain Server you want to connect to.
-u user and -p password: Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
Comments mdscmd disableglobaluse is equivalent to disabling the global use of a gateway from SmartDomain Manager.
mdscmd removeadmin
Description Remove an administrator from the specified domain.
Syntax mdscmd removeadmin <administrator name> <domain name>
Parameters
Parameter Description
administrator name: Administrator name.
domain name: Domain name.
Example mdscmd removeadmin George Washington NewYorkBranch
mdscmd removeguiclient
Description Remove a GUI client from the specified domain
Syntax mdscmd removeguiclient <domain name> <gui client>
Parameters
Parameter Description
domain name: Domain name.
gui client: Name of a Multi-Domain Security Management GUI client used by the specified Domain.
Example mdscmd removeguiclient NewYorkBranch Telco_Admins
mdscmd startmanagement
Description Use this command to start an existing Domain Management Server.
Usage mdscmd startmanagement <DomainName> <-n <Domain Management Server>_name | -i IP> -m Multi-Domain Server -u user name -p password
Syntax
Argument Description
DomainName: Specifies the name of the Domain to which the Domain Management Server belongs.
-n <Domain Management Server>_name: Specifies the name of the Domain Management Server to be started.
-i IP: Specifies the Domain Management Server Virtual IP address.
-m Multi-Domain Server: Specifies the name or IP of the Multi-Domain Server you want to connect to.
-u user and -p password: Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
Comments One or the other of the following parameters must be specified:
-i IP - specify this parameter to start the Domain Management Server by its Virtual IP address.
-n <Domain Management Server>_name - specify this parameter to start the Domain Management Server by its name (<Domain Management Server>_name).
Example Start the Domain Management Server BestDomain, which is defined for the Domain BestDomain:
mdscmd startmanagement BestDomain -n BestDomain
Note - The old version of this command (mdscmd startcma) is still supported.
mdscmd stopmanagement
Description Use this command to stop a running Domain Management Server.
Usage mdscmd stopmanagement <DomainName> <-n <Domain Management Server>_name | -i IP> -m Multi-Domain Server -u user name -p password
Syntax
Argument Description
DomainName: Specifies the name of the Domain to which the Domain Management Server belongs.
-n <Domain Management Server>_name: Specifies the name of the Domain Management Server to be stopped.
-i IP: Specifies the Domain Management Server Virtual IP address.
-m Multi-Domain Server: Specifies the name or IP of the Multi-Domain Server you want to connect to.
-u user and -p password: Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
Comments One or the other of the following parameters must be specified:
-i IP - specify this parameter to stop the Domain Management Server using its Virtual IP address.
-n <Domain Management Server>_name - specify this parameter to stop the Domain Management Server using its name (<Domain Management Server>_name).
Example Stop the Domain Management Server BestDomain, which is defined for the Domain BestDomain:
mdscmd stopmanagement BestDomain -n BestDomain
Note - The old version of this command (mdscmd stopcma) is still supported.
mdscmd migratemanagement
Description Use this command to migrate/import an existing source database (from a Security
Management Server or Domain Management Server) into another Domain Management Server.
You can use mdscmd migratemanagement to import files created using the export_database tool.
Usage mdscmd migratemanagement <DomainName> <-l <Domain Management Server>_path> <-n <Domain Management Server>_name>
Syntax
Argument Description
DomainName: Specifies the name of the Domain to which the new Domain Management Server belongs.
-n <Domain Management Server>_name: Specifies the name of the new Domain Management Server into which the source database information is migrated.
-l <Domain Management Server>_path: Specifies the path containing the conf directory migrated into the new Domain Management Server.
Example Migrate a source database from an NGX R65 version Domain Management Server, named MyFirstDMS, into the Domain Management Server BestDomain, defined for the Domain BestDomain:
mdscmd migratemanagement BestDomain -l /opt/CPmds-R65/Domains/MyFirstDMS/CPfw1-R65 -n BestDomain
See also cma_migrate (on page 141).
Note - The old version of this command (mdscmd mirrrorcma) is still supported.
mdscmd mirrormanagement
Description Use this command to mirror the Domain Management Server configuration from one Multi-Domain Server to another Multi-Domain Server. This command is used to create Domain Management Server High Availability. It parses all Domains and checks which Domains have a single Domain Management Server defined. If such a Domain has its Domain Management Server on the source Multi-Domain Server, a secondary Domain Management Server is created on the target Multi-Domain Server.
Usage mdscmd mirrormanagement -s source_mds -t target_mds [-m Multi-Domain Server -u user -p password]
Syntax
Argument Description
-s source_mds: Specifies the name of the Multi-Domain Server the mirroring is performed from.
-t target_mds: Specifies the name of the Multi-Domain Server the mirroring is targeted toward.
-u user and -p password: Used as a pair, they must specify a valid Superuser administrator and password for remote login. In addition, the computer on which the command is executed must be a valid Multi-Domain Server GUI Client. Beware not to expose your administrator password during remote login.
Example Mirror the configuration from the Multi-Domain Server FirstServer to the Multi-Domain Server SecondServer:
mdscmd mirrormanagement -s FirstServer -t SecondServer
Note - The old version of this command (mdscmd mirrorcma) is still supported.
mdsenv
Description This command prepares the shell environment variables for running Multi-Domain Server level command lines or specific Domain Management Server command lines. Without an argument, the command sets the shell for Multi-Domain Server level commands (mdsstart, mdsstop, etc.).
Usage mdsenv [Domain Management Server name]
Syntax
Argument Description
Domain Management Server name: With a Domain Management Server name, the command prepares the shell for the Domain Management Server command line (fw load, etc.).
mdsquerydb
Description The mdsquerydb command runs the Database Query Tool. The purpose of the Database Query Tool is to allow advanced users to create UNIX shell scripts which can easily access information stored inside the Check Point Security Management Server databases. These include the Global Database (usually accessed from the Global SmartDashboard), the Multi-Domain Server Database (usually accessed from the SmartDomain Manager) and the Domain Management Server databases (usually accessed from SmartDashboard).
Just as the mdscmd tool allows users to write UNIX shell scripts that add, remove or alter specified Multi-
Domain Security Management database objects, the Database Query Tool allows users to access the
information related to these database objects. The command is used with specific arguments to perform
various queries on Security Management Server databases.
Usage mdsquerydb key_name [-f output_file_name]
Syntax
Argument Description
key_name: Query key, which must be defined in the pre-defined queries configuration file.
-f output_file_name: Writes the query results to the file with the specified name, instead of to the standard output.
Example
To retrieve the list of all defined keys:
mdsquerydb
To send the list of Domains in the Multi-Domain Server database to the standard output:
mdsenv
mdsquerydb Domains
To retrieve the list of network objects in the Global database and place the list in /tmp/gateways.txt:
mdsenv
mdsquerydb NetworkObjects -f /tmp/gateways.txt
To retrieve the list of gateway objects of the Domain Management Server called DServer1:
mdsenv DServer1
mdsquerydb Gateways -f /tmp/gateways.txt
Comments The purpose of the Database Query Tool is to provide advanced users of Multi-Domain
Security Management with means of querying different Security Management Server databases from UNIX
shell scripts. Some Database queries are pre-defined in the configuration file. The configuration file
(queries.conf) can be found in $MDSDIR/conf. The file should not be edited by the end-users in any
case.
mdsstart
Description This command starts the Multi-Domain Server and all Domain Management Servers. You
can reduce the time it takes to start and stop the Multi-Domain Server if you have many Domain
Management Servers. To do so, set the variable NUM_EXEC_SIMUL to the number of Domain Management
Servers to be launched or stopped simultaneously. When this variable is not defined, the system attempts to
start or stop up to 10 Domain Management Servers simultaneously.
Usage mdsstart [-m|-s]
Syntax
Argument Description
-m: Starts only the Multi-Domain Server and not the Domain Management Servers.
-s: Starts the Domain Management Servers sequentially: waits for each Domain Management Server to come up before starting the next.
mdsstat
Description This utility gives detailed information on the status of the Multi-Domain Server and Domain Management Server processes: the up/down status of each process.
Usage mdsstat [-h] [-m] [<Domain Management Server name>]
Syntax
Argument Description
-h: Displays the help message.
-m: Tests the status of the Multi-Domain Server only.
Domain Management Server name: The name of the Domain Management Server whose status is tested.
Further Info. Status Legend:
up: The process is up.
down: The process is down.
pnd: The process is pending initialization.
init: The process is initializing.
N/A: The process's PID is not yet available.
N/R: The process is not relevant for this Multi-Domain Server.
mdsstop
Description This command stops the Multi-Domain Server and all the Domain Management Servers.
You can reduce the time it takes to start and stop the Multi-Domain Server if you have many Domain
Management Servers. To do so, set the variable NUM_EXEC_SIMUL to the number of Domain Management
Servers to be launched or stopped simultaneously. When this variable is not defined, the system attempts to
start or stop up to 10 Domain Management Servers simultaneously.
Usage mdsstop [-m]
Syntax
Argument Description
-m: Stops the Multi-Domain Server without stopping the Domain Management Servers.
merge_plug-in_tables
Description The merge_plug-in_tables utility is included in the export_database utility. It
searches for all Domain Management Server or Version and Blade Updates and merges the plug-in tables
with the Domain Management Server or Security Management tables.
On Linux, the merge_plug-in_tables tool runs automatically when you run the export_database tool and its output becomes part of the Domain Management Server database .tgz file.
If you have a Security Management Server running on FreeBSD, IPSO 6.x, or Windows, use merge_plug-in_tables to consolidate plug-in data before migrating.
Before using the merge_plug-in_tables utility, you must:
1. Copy the export tool .tgz file for your operating system to the source Domain Management Server or Security Management machine. The export tool files can be found on your installation DVD.
2. Extract the export tool .tgz file to some path on the source machine. A directory called export_tools is extracted.
3. Run the merge_plug-in_tables command from the export_tools directory.
Usage merge_plug-in_tables <-p conf_dir> [-s] [-h]
where <-p conf_dir> is the path of the $FWDIR directory of the Domain Management Server/Security Management Server, -s runs the utility in silent mode (the default is interactive mode), and -h displays usage.
Example To merge the plug-in tables of a Domain Management Server, DServer1, run:
mdsenv DServer1
merge_plug-in_tables -p "$FWDIR"
migrate_global_policies
Description This utility transfers (and upgrades, if necessary) the global policies database from one
Multi-Domain Server to the global policies database of another Multi-Domain Server.
migrate_global_policies replaces all existing Global Policies and Global Objects. Each of the existing
Global Policies is saved with a *.pre_migrate extension.
If you only migrate the global policies (without the Domain Management Servers) to a new Multi-Domain
Server, you should disable any gateways that are enabled for global use.
You can migrate global policies from the following Multi-Domain Security Management versions:
R71.30 and later minor releases, R75.x
You can use migrate_global_policies to import files created using the export_database tool.
Usage migrate_global_policies <path>
Syntax
Argument Description
path: Specifies the fully qualified path to the directory where the global policies files, originally exported from the source Multi-Domain Server ($MDSDIR/conf), are located.
Example migrate_global_policies /tmp/exported_global_db.22Jul2007-124547.tgz
Assigning the First Global Policy • 63 CPperfmon monitor - Solaris only • 145
Audit Logging • 142 CPperfmon off - Solaris only • 147
Authentication Between Gateways • 86 CPperfmon procmem - Solaris only • 144
Automatic Domain Management Server CPperfmon summary - Solaris only • 146
Synchronization • 104 CPperfPack • 147
Automatic Gateway Policy Installation • 64 Creating a Backup Security Management
Automatic Log Export to Oracle Database • 110 Server • 101
Automatic Start of Multi-Domain Server Creating a Global Policy through Global
Processes, Files in /etc/rc3.d, /etc/init.d • 129 SmartDashboard • 58
Creating a Mirror of an Existing Multi-Domain Full Synchronization Between Multi-Domain
Server • 102 Servers • 96
Creating a New Group • 43
Creating a New IPS Profile • 60 G
Creating a Primary Multi-Domain Server • 28 Gateway Global Names • 87
Creating or Changing an Administrator Account Gateway Licenses • 36
• 39 Gateway Policies • 121
Cross Domain Logging • 110 General Multi-Domain Security Management
Cross-Domain Management Server Search • Commands • 139
136 Global IPS • 59
D Global Names Format • 71
Global Object Transfer Method • 67
dbedit • 148 Global or Neighbor VPN Gateway • 88
Defining a New Domain • 72 Global Policies • 17, 120
Defining Administrator Groups • 42 Global Policies and the Global Rule Base • 55
Defining Administrator Properties • 42 Global Policies Database Synchronization • 96
Defining Domain Properties • 80 Global Policy Database • 131
Defining General Properties • 80 Global Policy History File • 68
Defining GUI Clients • 83 Global Policy Management • 54
Defining your First Domain Management Global Services • 56
Servers • 78 Global SmartDashboard • 56
Deleting a Domain Log Server • 112 Global VPN Communities • 87, 122
Deleting a Multi-Domain Server • 31 Glossary • 9
Deleting an Administrator • 42 GUI Clients • 123
Deployment Planning • 20
Domain Log Server • 16 H
Domain Management • 72 High Availability • 16, 20, 92, 121
Domain Management Server and SmartDomain High Availability Scenarios • 134
Manager • 32 How Synchronization Works • 95
Domain Management Server Backup Using a
Security Management Server • 99 I
Domain Management Server Database • 132
ICA Database for Multi-Domain Servers • 95
Domain Management Server Database
Important Information • 3
Synchronization • 96
Introduction • 66
Domain Management Server Databases • 95
Introduction to Global IPS • 59
Domain Management Server High Availability •
Introduction to Global SmartDashboard • 56
98
Introduction to the Management Model • 17
Domain Management Server Level Processes •
Introduction to the Trust Model • 25
131
IP Allocation & Routing • 22
Domain Management Server Licenses • 36
IPS in Global SmartDashboard • 60
Domain Management Servers • 14
IPS Profiles • 60
Domain Policies • 121
Issues Relating to Different Platforms • 134
Domain Properties • 74
Dynamic Objects and Dynamic Global Objects • J
57
Joining a Gateway to a Global VPN Community
E • 89
Editing an IPS Profile • 61 K
Enabling a Domain Gateway to Join a Global
VPN Community • 90 Key Features • 11
Enabling OPSEC • 22 L
Entering Administrator Properties • 42
Environment Variables • 129 Large Scale Management Processes • 133
Example • 138 Launching the SmartDomain Manager • 31
Export Profiles • 110 License Types • 35
Exporting Logs • 109 License Violations • 37
Exporting the List Pane's Information to an Licensing • 35
External File • 116 Licensing Overview • 35
Locating Components with Problems • 119
F Log Export to Text • 109
Failure Recovery • 105 Log Export Troubleshooting • 113
File Constraints for P1Shell Commands • 139 Log Files • 110
Filtering • 117 Log Forwarding • 110
First Multi-Domain Server Synchronization • 103 Log In Warning • 45
Footnote • 98 Log Server Licenses • 36
Page 164
Log Servers • 15 Multi-Domain Security Management
Log Tracking • 123 Components Installed at the NOC • 20
Logging & Tracking • 21 Multi-Domain Security Management Overview •
Logging Cache Size • 130 9
Logging Configuration • 111 Multi-Domain Security Management Shell
Logging Domain Activity • 108 Commands • 139
Logging in Multi-Domain Security Management Multi-Domain Security Management System
• 108 Database • 94
Multi-Domain Server • 120
M Multi-Domain Server Clock Synchronization • 94
Making Connections Between Different Multi-Domain Server Communication with
Components of the System • 34 Domain Management Servers • 26
Management Tools • 18 Multi-Domain Server Configuration Databases •
Managing Administrator Account Expiration • 44 131
Managing Global IPS Sensors • 63 Multi-Domain Server Connection to Domain
Managing IPS from a Domain Management Management Servers • 132
Server • 62 Multi-Domain Server Database • 131
Managing IPS Profiles • 60 Multi-Domain Server Database Synchronization
Managing Licenses • 36 • 95
Managing Licenses Using SmartUpdate • 37 Multi-Domain Server Directories on /opt and
Managing Permission Profiles • 51 /var File Systems • 128
Manual Log Export to Oracle Database • 110 Multi-Domain Server File System • 128
mcd bin | scripts | conf • 150 Multi-Domain Server High Availability • 92
mds_backup • 150 Multi-Domain Server ICA Database
mds_restore • 151 Synchronization • 96
mds_user_expdate • 151 Multi-Domain Server Level Processes • 130
mdscmd • 151 Multi-Domain Server Licenses • 36
mdscmd addadmin • 154 Multi-Domain Server Status • 93
mdscmd adddomain • 152 Multi-Domain Server Synchronization • 21
mdscmd addlogserver • 154 Multiple Interfaces on a Multi-Domain Server •
mdscmd addmanagement • 153 22
mdscmd assignguiclient • 155 Multiple Multi-Domain Server Deployments • 28,
mdscmd deletedomain • 155 92
mdscmd deletelogserver • 156 N
mdscmd deletemanagement • 155
mdscmd disableglobaluse • 157 Native P1Shell Commands • 141
mdscmd enableglobaluse • 156
mdscmd migratemanagement • 159 O
mdscmd miirrormanagement • 160 Overview • 86, 92, 115, 136, 138
mdscmd removeadmin • 157
mdscmd removeguiclient • 158 P
mdscmd startmanagement • 158
P1Shell • 138
mdscmd stopmanagement • 159
Packages in Multi-Domain Server Installation •
mdsenv • 160
127
mdsquerydb • 161
Parameters/Thresholds for Different Multi-
mdsstart • 161
Domain Server functions • 130
mdsstat • 162
Performing a Search in CLI • 137
mdsstop • 162
Permission Profiles and Domains • 48
merge_plug-in_tables • 162
Platform & Performance Issues • 22
Merging Identical Permissions Profiles • 52
Processes • 129
migrate_global_policies • 163
Protecting Multi-Domain Security Management
Migration Between Platforms • 134
Networks • 21
Mirroring Domain Management Servers with
Protecting the Multi-Domain Security
mdscmd • 104
Management Environment • 32
Monitoring • 115
Provisioning Multi-Domain Security
Monitoring Components in the Multi-Domain
Management • 24
Security Management System • 116
Provisioning Process Overview • 24
Monitoring Issues for Different Components and
Features • 119 R
Monitoring the Status of a Domain Management
Server • 125 Real-Time Network Monitoring with SmartView
Multi-Domain Log Server • 16 Monitor • 124
Multi-Domain Log Server Configuration - Re-assigning Global Policies • 64
Additional Step • 30 Re-assigning Global Policies to Multiple
Domains • 65
Page 165
Re-assigning Global Policy to one Domain • 64 Synchronizing the Domain Log Server
Reassigning/Installing a Global Policy on Database with the Domain Management
Domains • 69 Server Database • 112
Re-authenticating when using SmartConsole Synchronizing the Global Policy Database • 58
Clients • 27
Recovery from Failure of the Only Multi-Domain T
Server • 106 The Global Policy as a Template • 55
Recovery with a Functioning Multi-Domain The Management Model • 17
Server • 105 The Multi-Domain Security Management Trust
Recreating the Multi-Domain Security Model • 25
Management Deployment • 106 The Multi-Domain Server • 13
Reinstalling a Domain Policy on Domain The Multi-Domain Server Databases • 94
Gateways • 69 The Need for Global Policies • 54
Remove a Global Policy from a Single Domain • The SmartDomain Manager • 18, 19
70 The Trial Period • 35
Remove a Global Policy from Multiple Domains To assign to many Domains at one time • 90
• 70 To assign to one Domain at a time • 90
Removing Global IPS from a Domain To Change the Active Multi-Domain Server •
Management Server • 62 103
Reporting Server Processes • 134 To Reassign/Install a Global Policy for a
Resetting Domain Management Servers • 106 Specific Domain who already has been
Restarting Multi-Domain Server Assigned a Global Policy • 69
Synchronization • 103 To Reassign/Install a Global Policy for Multiple
Restoring the High Availability Deployment • Domains • 69
106 To See the Latest Changes to Permissions
Routing Issues in a Distributed Environment • Profiles • 51
21 To Synchronize a Group of Multi-Domain
Running the Wizard • 72 Servers • 103
S To Synchronize a Single Multi-Domain Server
with Another Multi-Domain Server • 103
Searching • 136 Tracking Logs using SmartView Tracker • 123
Secure Internal Communication (SIC) • 25 Traffic Flow and Virtual Link Monitoring • 125
Security Gateways Protecting a Multi-Domain Trust Between a Domain Log Server and its
Server • 33 Domain Network • 25
Security Policies • 17, 54 Trust Between a Domain Management Server
Seeing Administrators Using a Permissions and its Domain Network • 25
Profile • 51 Trust Between Multi-Domain Server to Multi-
Selecting a Different Multi-Domain Server to be Domain Server • 26
the Active Multi-Domain Server • 103
Selecting an Administrator Type • 39 U
Setting Policy Management Options • 70 Using External Authentication Servers • 26
Setting up Domain Gateway to Send Logs to Using Multiple Multi-Domain Servers • 20
the Domain Log Server • 112 Using SmartConsole • 123
Setting Up Logging • 111 Using SmartDomain Manager • 31
Setting Up Your Network Topology • 24 Using SmartDomain Manager to Synchronize
Showing and Hiding Selected List Pane Multi-Domain Servers • 97
Columns • 117 Using SmartReporter • 114
Showing Connected Administrators • 52 Using the Expired Accounts Window • 45
SmartConsole Client Applications • 19 Using Thresholds • 125
SmartReporter Reports • 126 UTM-1 Edge Processes • 133
Standalone Gateway/Security Management • 32
Standard Check Point Environment Variables • V
130
Verifying Component Status • 117
Starting or Stopping a Domain Log Server • 111
Version & Blade Updates • 84
Starting P1Shell • 138
Version and Blade Updates • 77
Status Collection • 133
Viewing Status Details • 118
Step 1 - In the SmartDomain Manager • 90
Viewing the Domain Global Policy History File •
Step 2 - In Global SmartDashboard • 90
70
Step 3 - In the SmartDomain Manager • 90
Viewing the Status of Global Policy
Structure of Domain Management Server
Assignments • 67
Directory Trees • 128
Virtual IP Limitations and Multiple Interfaces on
Subscribing Domains to IPS Service • 61
a Multi-Domain Server • 22
Synchronize ClusterXL Gateways • 104
VPN Connectivity • 86
Synchronizing Clocks • 28
VPN Domains in Global VPN • 88
VPN in Multi-Domain Security Management • 86
Page 166
VSX Licenses • 36
W
When You Change a Global Policy • 66
Working with Domain Log Servers • 111
Working with Expiration Warnings • 45
Working with Permission Profiles • 47
Working with the List Pane • 116
Page 167