Managing Auto-Scale with One Multi-Domain Server
Automatic provisioning enables the management of Scale set gateways deployed in cloud environments by a Check Point Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS..
Multi-Domain Server in Public Cloud:
If the Multi-Domain Server is installed in the Public Cloud, refer to the relevant article:
-
sk154436 - MDS / MDSM (Multi-Domain Management) Deployment on Azure
-
sk174186 - Multi-Domain Management Deployment on Google Cloud Platform
Important Notes
-
The Security Multi-Domain Server login credentials must allow the script to access all the applicable Domain Management Servers.
-
One instance of the CME service is responsible for provision in all the Domain Management Servers.
-
For the
autoprov_cfg
commands to take effect, you must restart the CME service.Run this command in the Expert mode to restart the CME service:
service cme restart
Use Case 1 - Working with a Single Domain in the Multi-Domain Server
Rather than a Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server., a Single Domain Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. (in the Multi-Domain Server) does the provisioning.
For this use case, you must specify the Domain of the Domain Management Server, run:
|
|
Note - In the Multi-Domain Server, replace the |
Use Case 2 - Working with Multiple Domains in the Multi-Domain Server and Multiple-Cloud Accounts
For this use case, it is assumed that for each Domain Management Server, there is a different dedicated cloud account.
The presumption is that, based on the given cloud credentials, each of the accounts returns a mutually exclusive set of objects. Different sets of credentials must not return the same instance. For example, if the two different cloud accounts return the same CloudGuard Network Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. instance, the CME service tries to provision it two times - one time for each of the different cloud accounts.
For this use case, you must specify a Domain for each of the controllers used to connect to your cloud environments. (A controller contains configuration required to connect to a cloud environment, such as credentials, regions, or a subscription ID).
To specify a name for each controller, run:
|
|
Notes:
|
The configuration and policy of a CloudGuard Network Security Gateway is determined by:
-
A configuration template that you can create and edit with the
autoprov_cfg
CLI configuration tool. -
A tag on the instance or Virtual Machine with the configuration template name.
By default, any Security Gateway may be tagged with the name of any existing configuration template which is then provisioned with the parameters.
If particular templates must only be used by a specific Domain, you can run this command to enforce it:
|
|
Notes:
|
Use Case 3 - Working with Multiple Domains in the Multi-Domain Server and a Single Cloud Account
Sometimes the environment requires that all the cloud objects be managed by one cloud account, but the security management is divided across multiple Domains.
It is possible to configure multiple controllers with the same credentials, but specify a different Domain for each controller. As explained in the use case "Working with Multiple Domains in the Multi-Domain Server and Multiple Cloud Accounts", this causes multiple controllers to retrieve the same CloudGuard Network Security Gateway and to provision the same Security Gateway in multiple Domains.
The solution is to configure exclusive templates for each Domain Management Server. To avoid duplication of attributes shared by multiple configuration templates, it is possible to configure a prototype configuration template. Multiple exclusive configuration templates use this prototype configuration template.
These example commands specify a prototype configuration template with a Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., Security Gateway version, and a SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. Activation Key.
Example that shows how to configure a exclusive template for each Management Domain Server.
|
|
|
Notes:
|
After you configure a set of templates dedicated for each Domain Management Server, you can specify the templates for each controller as explained in the use case "Working with Multiple Domains in the Multi-Domain Server and Multiple Cloud Accounts". Each of the controllers, that share credentials, retrieves the same set of Security Gateways. But, the controllers skip the provisioning for the Security Gateways, of which the template tag does not match the configuration templates list enforced on the controller.
Global Policy on a Multi-Domain Server
This section applies if it necessary to use the Global Policy together with automatic provisioning.
When you deploy a new Security Gateway, it installs an internal restrictive access policy. This policy is intended to drop all traffic.
Any rules you configure in the Global Policy automatically conflict with the restrictive policy. As a result, the Global Policy installation fails.
It is possible to use a custom restrictive policy, which is manually excluded from the Global Policy Assignment -do these steps:
Step |
Description |
|
---|---|---|
1 |
Create a Global Policy in the Global Domain:
|
|
2 |
Create a new restrictive policy in each Domain:
|
|
3 |
Do not include the restrictive policy created in Step 2:
|
|
4 |
Set the newly created restrictive policy as the default restrictive policy:
|
|
Notes:
|
Autoprovision and Multi-Domain Log Server Configuration
This section applies if it necessary to add a Multi-Domain Log Server together with automatic provisioning.
|
Important - Before you can create a Domain Log Server Dedicated Check Point server that runs Check Point software to store and process logs., a Domain must have a minimum of one configured Domain Management Server. |
To add a Domain Log Server:
-
Stop the CME service.
service cme stop
-
Add a Domain Log Server.
-
Start the CME service:
service cme start
You can configure a template to forward the security logs from the Security Gateway to the applicable Domain Log Server:
|
By default, alerts are not sent to the Domain Log Server.
You can configure a template to forward the security logs from the Security Gateway to the applicable Domain Backup Log Server:
|
You can configure the template to forward the alerts also from the Security Gateway to the applicable Domain Log Server:
|
|
Notes:
|