Installing Multi-Domain Security Management

Multi-Domain Security Management is a centralized management solution for large-scale, distributed environments with many different network Domains. This best-of-breed solution is ideal for enterprises with many subsidiaries, branches, partners and networks. Multi-Domain Security Management is also an ideal solution for managed service providers, cloud computing providers, and data centers.

Centralized management gives administrators the flexibility to manage policies for many diverse entities. Security policies should be applicable to the requirements of different departments, business units, branches and partners, balanced with enterprise-wide requirements.

Related Topics

Basic Architecture

Setting Up Multi-Domain Security Management Networking

Installing Multi-Domain Server

Installing Gateways

Installing Multi-Domain Security Management GUI Clients

Post-Installation Configuration

Basic Architecture

Multi-Domain Security Management uses a tiered architecture to manage Domain network deployments.

  • The Security Gateway enforces the security policy to protect network resources.
  • A Domain is a network or group of networks belonging to a specified entity, such as a company, business unit, department, branch, or organization. For a cloud computing provider, one Domain can be defined for each customer.
  • A Domain Management Server is a virtual Security Management Server that manages security policies and Security Gateways for a specified Domain.
  • The Multi-Domain Server is a physical server that hosts the Domain Management Server databases and Multi-Domain Security Management system databases.
  • The SmartDomain Manager is a management client that administrators use to manage domain security and the Multi-Domain Security Management system.

The Multi-Domain Servers and SmartDomain Manager are typically located at central Network Operation Centers (NOCs). Security Gateways are typically located together with protected network resources, often in another city or country.

Figure: Basic Multi-Domain Security Management architecture (BasicCMA)

Item  Description
A     USA Development Domain
B     Headquarters Domain
C     UK Development Domain
1     Security Gateway
2     Network Operation Center
3     Multi-Domain Server
4A    USA Development Domain Management Server
4B    Headquarters Domain Management Server
4C    UK Development Domain Management Server

Setting Up Multi-Domain Security Management Networking

The Multi-Domain Server and Domain Security Gateway computers should be ready to connect to the network. The Multi-Domain Server must have at least one interface with a routable IP address. It also must be able to query a DNS server and resolve other network components.

Make sure that you configure routing to allow IP communication between:

  • Domain Management Server, Domain Log Server and their Domain Security Gateways.
  • All Multi-Domain Servers in the deployment.
  • The Domain Management Server and Log Servers for the same Domain.
  • The Domain Management Server and its High Availability Domain Management Server peer.
  • The SmartDomain Manager clients and Multi-Domain Servers.
  • The SmartDomain Manager clients and Log Servers.
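As an added example (not from the Check Point guide), the Python script below turns the reachability requirements above into a checklist that can be run before installation: it builds the list of host pairs that must be able to reach each other from a deployment inventory, resolves every host in DNS, and flags names that do not resolve or that resolve to loopback, link-local, unspecified or multicast addresses, none of which can serve as the routable management address the guide requires. All host names, addresses and the DNS table are constructed placeholders; the built-in table resolver lets the script run offline, and passing socket.gethostbyname instead performs live lookups.

```python
"""Reachability checklist for a Multi-Domain deployment (added example, not Check Point code)."""
import ipaddress
import socket
from itertools import combinations

# Constructed sample inventory; every host name is a hypothetical placeholder.
INVENTORY = {
    "multi_domain_servers": ["mds-primary.example.test", "mds-secondary.example.test"],
    "gui_clients": ["sdm-client.example.test"],
    "domains": {
        "usa-dev": {"dms": "dms-usa.example.test", "dms_ha_peer": "dms-usa-ha.example.test",
                    "log_servers": ["log-usa.example.test"], "gateways": ["gw-usa-1.example.test"]},
        "hq": {"dms": "dms-hq.example.test", "dms_ha_peer": None,
               "log_servers": [], "gateways": ["gw-hq-1.example.test", "gw-hq-2.example.test"]},
    },
}

# Constructed DNS table for the offline resolver: dms-hq is deliberately absent and
# gw-hq-1 deliberately resolves to loopback so that the checks have something to report.
SAMPLE_DNS = {
    "mds-primary.example.test": "10.0.0.10", "mds-secondary.example.test": "10.0.0.11",
    "sdm-client.example.test": "10.0.5.20", "dms-usa.example.test": "10.0.0.21",
    "dms-usa-ha.example.test": "10.0.0.22", "log-usa.example.test": "10.0.0.23",
    "gw-usa-1.example.test": "203.0.113.5", "gw-hq-1.example.test": "127.0.0.1",
    "gw-hq-2.example.test": "198.51.100.7",
}


def table_resolver(host):
    """Offline stand-in for socket.gethostbyname backed by SAMPLE_DNS."""
    if host in SAMPLE_DNS:
        return SAMPLE_DNS[host]
    raise socket.gaierror(f"no such host: {host}")


def required_pairs(inventory):
    """Sorted (a, b) host pairs that need IP reachability, one group per requirement above."""
    pairs = set()

    def add(a, b):
        if a and b and a != b:
            pairs.add(tuple(sorted((a, b))))

    mds, clients = inventory["multi_domain_servers"], inventory["gui_clients"]
    for a, b in combinations(mds, 2):          # all Multi-Domain Servers with each other
        add(a, b)
    for c in clients:                           # SmartDomain Manager clients <-> Multi-Domain Servers
        for m in mds:
            add(c, m)
    for dom in inventory["domains"].values():
        dms, logs = dom["dms"], dom["log_servers"]
        for manager in [dms] + logs:            # DMS and Domain Log Server <-> their gateways
            for gw in dom["gateways"]:
                add(manager, gw)
        for log in logs:                        # DMS <-> Log Servers of the same Domain
            add(dms, log)
        add(dms, dom["dms_ha_peer"])            # DMS <-> its High Availability peer
        for c in clients:                       # SmartDomain Manager clients <-> Log Servers
            for log in logs:
                add(c, log)
    return sorted(pairs)


def address_issue(addr):
    """None if addr can serve as a routable address, else why it cannot."""
    ip = ipaddress.ip_address(addr)
    for attr in ("is_loopback", "is_link_local", "is_unspecified", "is_multicast"):
        if getattr(ip, attr):
            return attr[3:].replace("_", "-")
    return None


def preflight(inventory, resolver=socket.gethostbyname):
    """Resolve every host that appears in a required pair and collect problems.
    Returns (pairs, problems); problems is a list of 'host: reason' strings."""
    pairs = required_pairs(inventory)
    problems = []
    for host in sorted({h for pair in pairs for h in pair}):
        try:
            addr = resolver(host)
        except OSError:                         # socket.gaierror is an OSError subclass
            problems.append(f"{host}: does not resolve in DNS")
            continue
        reason = address_issue(addr)
        if reason:
            problems.append(f"{host}: resolves to {addr} ({reason} address)")
    return pairs, problems


if __name__ == "__main__":
    # Use resolver=socket.gethostbyname (the default) for a live DNS check.
    pairs, problems = preflight(INVENTORY, resolver=table_resolver)
    print(f"{len(pairs)} host pairs must be mutually reachable")
    for a, b in pairs:
        print(f"  {a} <-> {b}")
    for p in problems:
        print("PROBLEM " + p)
```

The pair list is the input for the routing work: each pair is a route (and, where a firewall sits in between, a rule) that has to exist before the Multi-Domain Server, Domain Management Servers, Log Servers and gateways can establish SIC and push policy. Unresolvable names are reported before any address check because the guide requires the Multi-Domain Server to resolve every other component through DNS.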

Installing Multi-Domain Server

You can install a Multi-Domain Server on certain Smart-1 appliances, or on Open Servers running SecurePlatform or Gaia. For more about supported appliances and platforms, see the R76 Release Notes.

Smart-1 Appliances

Install a Multi-Domain Server on supported Smart-1 models. Make sure that you use the Smart-1 ISO file when you install the operating system.

To install Multi-Domain Server on an appliance:

  1. Install the SecurePlatform operating system on the appliance, as described for the UTM-1 and 2012 Models.
  2. While the appliance restarts, open the terminal emulation program.
  3. When prompted, press any key to enter the boot menu.
  4. Select Reset to factory defaults - Multi-Domain Server and press Enter.
  5. Type yes and press Enter.

    Multi-Domain Server is installed on the appliance and then the appliance resets.

To start the First Time Configuration Wizard:

  1. Connect a standard network cable to the appliance management interface and to your management network.

    The management interface is marked MGMT.

  2. Open Internet Explorer to the default management IP address, https://192.168.1.1:4434
  3. Log in to the system using the default login name/password: admin/admin.

Note - You can use the WebUI menu to configure the appliance settings. Navigate to https://<appliance_ip_address>:4434.

  4. Set the username and password for the administrator account.
  5. Click Save and Login.

    The First Time Configuration Wizard opens.

To configure Multi-Domain Server R76 on appliances:

  1. In the First Time Configuration Wizard, set the date and time and then click Next.
  2. Configure the settings for the management and other interfaces and then click Next.
  3. Configure the settings for the routing table and then click Next.
  4. Set the host name, domain name, and DNS servers and then click Next.
  5. Set the clients that can manage the appliance using a web or SSH connection and then click Next.
  6. Select Multi-Domain Server and then click Next.
  7. Select Primary Multi-Domain Server and then click Next.
  8. Define the Multi-Domain Server administrator that is a Multi-Domain Server Superuser and then click Apply.

    Click Next.

  9. Optional: Download SmartConsole and SmartDomain Manager and then click Next.

    The Summary window shows the settings for the appliance.

  10. Click Finish.

    Multi-Domain Server R76 is installed on the appliance.

To configure a secondary Multi-Domain Server R76 on appliances:

Do steps 1 - 10 with these changes:

  • Step 2 - Use a different IP address for the management interface on the secondary appliance. Make sure that the primary and secondary appliances are on the same subnet.
  • Step 7 - Select Secondary Multi-Domain Server.
  • Define the Secure Internal Communication (SIC) Activation Key that is used by the gateway object in SmartDashboard and then click Next.

    This key is necessary to configure the appliances in SmartDashboard.

To configure a Multi-Domain Server R76 log server on appliances:

Do steps 1 - 10 with these changes:

  • Step 6 - Select Multi-Domain Log Server.
  • Define the Secure Internal Communication (SIC) Activation Key that is used by the gateway object in SmartDashboard and then click Next.

    This key is necessary to configure the appliances in SmartDashboard.

Converting a Security Management Server to Multi-Domain Server

The Single2Multi Domain utility lets you easily convert a Security Management server on Smart-1 50 and 150 appliances to a Multi-Domain Server.

  • Security Management server is converted to a Domain Management Server with the same name and IP address.
  • Security Management administrators and GUI clients that are defined using cpconfig are converted to Multi-Domain Superuser administrators and Superuser GUI clients.
  • Security Management administrators defined in the SmartDashboard are converted to Domain Management administrators.
  • Security Management High Availability server is converted to a Security Management backup server to the Domain Management Server.

Preparing to Convert

Before you run the Single2Multi Domain utility, do these steps to prepare for the conversion.

  • Install SmartDomain Manager on a computer to configure the Multi-Domain Server.
  • Connect to the appliance using the console port or LOM.
  • Make sure that you have these details:
    • New routable IP address and netmask for the Multi-Domain Server. The new Domain Management Server uses the Security Management server IP address.
    • Name for the Multi-Domain Server that can be resolved with DNS.
    • File with the Multi-Domain Server license.

Converting the Security Management Server

Use the s2mwrapper command to convert the Smart-1 50 or 150 appliance to a Multi-Domain Server.

The utility lets you create a snapshot of the Security Management server during the conversion process. You can use this snapshot to revert to the Security Management server.

Note - Before you revert to the Security Management server, back up the Multi-Domain Server log file in the /opt/CPInstlog directory.

To convert the Security Management server:

  1. Log in to the Smart-1 50 or 150 appliance and enter Expert mode.
  2. Run s2mwrapper.
  3. Follow the on-screen instructions.
  4. Log out of the appliance.
  5. Log in to SmartDomain Manager with the cpconfig administrator username and password.

Open Servers

Install Multi-Domain Server on a dedicated Gaia or SecurePlatform open server.

Configure the Multi-Domain Server when you install the operating system on the open server. This procedure starts after you configure the date and time in the Gaia or SecurePlatform installation.

Use this procedure to install these Multi-Domain Server types:

  • Primary Multi-Domain Server - The first Multi-Domain Server that you install and log on to.
  • Secondary Multi-Domain Server
  • Standalone log servers - Domain Log Server or Multi-Domain Log Servers.

To install a Primary Multi-Domain Server on SecurePlatform:

  1. Use the Multi-Domain Security Management removable media or ISO file to install and configure SecurePlatform.
  2. In the Multi-Domain Security Management welcome screen, enter yes.
  3. Select Multi-Domain Server.
  4. Enter yes when prompted to install a Primary Multi-Domain Server.

    You must install the Primary Multi-Domain Server first.

    You can install a secondary Multi-Domain Server or a Multi-Domain Log Server later.

  5. When prompted, enter yes to confirm installation of a Primary Multi-Domain Server.

    You cannot change this installation setting later.

  6. At the Are you sure prompt, enter yes to continue.
  7. When prompted, press the space bar to scroll through the license agreement and then press y.
  8. If there is more than one interface on the Multi-Domain Server, enter the interface that connects Domain Management Servers to their managed networks and gateways. This is typically the management interface.

    You can only have one interface for this purpose.

  9. In Configuring Licenses, enter n to continue using the 15-day trial license.

    We recommend that you get and attach your licenses when configuring Multi-Domain Security Management with the SmartDomain Manager.

  10. In Configuring Groups, press Enter and then press y to assign the root user group by default. You can define groups later.
  11. Press Enter to start the Certificate Authority.
  12. Press y to save the certificate fingerprint to a file.
  13. Define at least one Multi-Domain Security Management administrator.

    You must define the first administrator as a Multi-Domain Security Management Superuser. You can add this administrator to a group.

    You can define more administrators, but we recommend that you use the SmartDomain Manager to do this later.

  14. Enter n when prompted to add this administrator to an administrators group. You can do this later.
  15. Define at least one GUI client (SmartDomain Manager) to manage this Multi-Domain Server.
  16. When prompted, press Enter.
  17. Restart the Multi-Domain Server.

To install a secondary Multi-Domain Server:

Do the steps in the above procedure with these exceptions:

  • In step 5, enter no when prompted to install a Primary Multi-Domain Server.
  • In step 6, do the action to confirm this choice.

To install a Multi-Domain Server log server:

Do the steps in the above procedure with these exceptions:

  • In step 4, select Multi-Domain Log Server.
  • In step 5, enter no when prompted to install a Primary Multi-Domain Server.
  • In step 6, do the action to confirm this choice.

Installing Gateways

Install the Network Operation Center (NOC) and Security Gateways of the domain using the R76 removable media.

Installing Multi-Domain Security Management GUI Clients

The SmartDomain Manager is automatically installed together with Check Point SmartConsole. If you have not yet installed SmartConsole, do so now.

To install the SmartConsole clients on Windows platforms:

  1. Insert the R76 distribution media or download the SmartConsole application from the Support Center.
  2. If you are using the installation media, go to the Linux\linux\windows folder.
  3. Run the SmartConsole executable.
  4. Continue with the instructions on the screen.

Post-Installation Configuration

Use the SmartDomain Manager to configure and manage the Multi-Domain Security Management deployment. Make sure to install SmartDomain Manager on a trusted GUI Client. You must be an administrator with appropriate privileges (Superuser, Global Manager, or Domain Manager) to run the SmartDomain Manager.

To start the SmartDomain Manager:

  1. Click Start > All Programs > Check Point SmartConsole R76 > SmartDomain Manager.
  2. Enter your credentials:
    • To use a password, enter the Multi-Domain Server host name or IP address. Then enter your administrator user name and password.
    • To use a certificate, enter the Multi-Domain Server host name or IP address. Then click Certificate and select the certificate.
    • To start without credentials, select Demo mode.
    • Optional: Enter a description of this session.
  3. Click Login.

    SmartDomain Manager connects to the Multi-Domain Server. When SmartDomain Manager opens, it shows the network objects and options that you have permission to work with.

  4. If necessary, confirm the connection using the fingerprint generated during installation.

    You see this only the first time that you log in from a client computer.

Enabling IPv6 on Gaia

IPv6 is automatically enabled if you configure IPv6 addresses in the First Time Configuration Wizard.

If you did not do this, enable IPv6 in one of the following ways:

To enable IPv6 using clish:

  1. Run:
    set ipv6-state on
  2. Run:
    save config
  3. Run:
    reboot

To enable IPv6 using the WebUI:

  1. In the WebUI navigation tree, select Advanced > System Configuration.
  2. For IPv6 Support, select On.

Enabling IPv6 on the Multi-Domain Server and Domain Management Servers

If your environment uses IPv6 addresses, you first must enable IPv6 support for the Multi-Domain Server and for any existing Domain Management Servers. It is not necessary to enable IPv6 support for Domain Management Servers that are created after IPv6 is enabled on the Multi-Domain Server, because this is done automatically.

Before enabling IPv6 support for the Multi-Domain Server:

  1. Enable IPv6 on Gaia and assign an IPv6 address to the management interface.
  2. Write down the Multi-Domain Server IPv6 address and the names and IPv6 address for all Domain Management Servers. This is necessary because the procedures disconnect the SmartDomain Manager.

To enable IPv6 support for the Multi-Domain Server:

  1. From the Multi-Domain Server command line, run mdsconfig.
  2. Select IPv6 Support for Domain Management Server.
  3. Press y when asked to change the IPv6 preferences for the Multi-Domain Server.

    Press y again to confirm.

  4. Enter the management interface name (typically eth0).
  5. Enter the Multi-Domain Server IPv6 address.
  6. Press y to start Check Point services.

    After a few moments, the mdsconfig menu shows.

To enable IPv6 support for all existing Domain Management Servers:

  1. From the mdsconfig menu, select IPv6 Support for Existing Domain Management Servers.
  2. Press y when asked to change the IPv6 preferences for Domain Management Servers.
  3. Press a to add support to an existing Domain Management Server.
  4. Press y to add Support to all Domain Management Servers at once.
  5. Press m to manually add IPv6 addresses.

    Or

    Press r to automatically assign IPv6 address from a specified range.

  6. Do the instructions on the screen to enter the IPv6 address or a range of IPv6 addresses when prompted.
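As an added planning aid (not part of the guide and not mdsconfig code), the Python below shows how an administrator can validate the IPv6 addresses before running mdsconfig, which matters because the procedure disconnects the SmartDomain Manager and the values have to be written down in advance: plan_ipv6_range hands out consecutive addresses from a range to a list of Domain Management Servers, as for the r option, and check_manual_assignments vets a hand-written mapping, as for the m option. Both verify that every address lies inside the Multi-Domain Server's management prefix, is not the Multi-Domain Server's own address and is not used twice. Consecutive allocation starting at the first address of the range is an assumption of this example, and all names, prefix lengths and addresses are constructed.

```python
"""IPv6 address planning for Domain Management Servers (added example, not Check Point code)."""
import ipaddress


def _management_network(mds_address, prefixlen):
    """The prefix the management interface lives in; every DMS address must be inside it."""
    return ipaddress.IPv6Interface(f"{mds_address}/{prefixlen}").network


def check_manual_assignments(mds_address, prefixlen, assignments):
    """Vet a {dms_name: ipv6_address} mapping entered by hand (the 'm' option).
    Returns a list of (dms_name, reason) findings; an empty list means the plan is clean."""
    net = _management_network(mds_address, prefixlen)
    mds_ip = ipaddress.IPv6Address(mds_address)
    findings = []
    seen = {}
    for name, text in assignments.items():
        try:
            ip = ipaddress.IPv6Address(text)
        except ValueError:
            findings.append((name, f"{text!r} is not a valid IPv6 address"))
            continue
        if ip == mds_ip:
            findings.append((name, "collides with the Multi-Domain Server address"))
        elif ip not in net:
            findings.append((name, f"{ip} is outside the management prefix {net}"))
        if ip in seen:
            findings.append((name, f"{ip} is already assigned to {seen[ip]}"))
        else:
            seen[ip] = name
    return findings


def plan_ipv6_range(mds_address, prefixlen, dms_names, range_start, range_end):
    """Assign consecutive addresses from the range to each DMS in order (the 'r' option).
    Assumption of this example: allocation starts at range_start and increments by one.
    Raises ValueError if the range is malformed, too small, or yields an unusable address."""
    start = ipaddress.IPv6Address(range_start)
    end = ipaddress.IPv6Address(range_end)
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    available = int(end) - int(start) + 1
    if available < len(dms_names):
        raise ValueError(f"range holds {available} addresses but {len(dms_names)} are needed")
    plan = {name: str(start + i) for i, name in enumerate(dms_names)}
    findings = check_manual_assignments(mds_address, prefixlen, plan)
    if findings:
        raise ValueError("; ".join(f"{n}: {r}" for n, r in findings))
    return plan


def worksheet(mds_address, plan):
    """Lines to write down before starting mdsconfig, which disconnects SmartDomain Manager."""
    lines = [f"{'Multi-Domain Server':<20} {mds_address}"]
    lines += [f"{name:<20} {addr}" for name, addr in plan.items()]
    return lines


if __name__ == "__main__":
    # Constructed values: documentation prefix 2001:db8::/32 and hypothetical DMS names.
    MDS = "2001:db8:10::1"
    plan = plan_ipv6_range(MDS, 64, ["dms-usa", "dms-hq", "dms-uk"],
                           "2001:db8:10::100", "2001:db8:10::1ff")
    print("\n".join(worksheet(MDS, plan)))
    bad = {"dms-usa": "2001:db8:10::1", "dms-hq": "2001:db8:20::5",
           "dms-uk": "2001:db8:10::7", "dms-x": "2001:db8:10::7"}
    for name, reason in check_manual_assignments(MDS, 64, bad):
        print(f"{name}: {reason}")
```

The worksheet output is the list the guide asks you to write down: the Multi-Domain Server address plus one line per Domain Management Server, ready to be typed at the mdsconfig prompts.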

To manually enable IPv6 support for specified Domain Management Servers:

  1. From the mdsconfig menu, select IPv6 Support for Existing Domain Management Servers.
  2. At the prompt, press y to change the IPv6 preferences for Domain Management Servers.
  3. Press a to add support to an existing Domain Management Server.
  4. Press n when asked to enable IPv6 support for all Domain Management Servers at once.

    Press y to confirm.

  5. At the prompt, enter the Domain Management Server name.

    The available Domain Management Servers are listed above the prompt. You can copy and paste the name.

  6. Enter the IPv6 address.

Demo Mode

You can open the SmartDomain Manager in Demo mode. This mode does not require authentication or a connection to the Multi-Domain Server. Use the Demo mode to experiment with different objects, views, modes and features before you create a production system. The Demo mode includes several pre-configured sample Domains, Domain Management Servers, Security Gateways and policies.

Operations performed in Demo mode are stored in a local database. You can continue a Demo session from the point at which you left off in a previous session.

Adding Licenses using the SmartDomain Manager

You can add a license to a Multi-Domain Server or Multi-Domain Log Server using the SmartDomain Manager.

  1. In the SmartDomain Manager, open the General View > Multi-Domain Server Contents page.
  2. Double-click a Multi-Domain Server or Multi-Domain Log Server. The Multi-Domain Server Configuration window opens.
  3. Open the License tab.
  4. Install licenses using Fetch or Add:

    Fetch License File

    1. Click Fetch From File.
    2. In the Open window, browse to and double-click the desired license file.

    Add License Information Manually

    1. Click Add.
    2. In the email message that you received from Check Point, select the entire license string (starting with cplic putlic... and ending with the last SKU/Feature) and copy it to the clipboard.
    3. In the Add License window, click Paste License to paste the license details you have saved on the clipboard into the Add License window.
    4. Click Calculate to display your Validation Code. Compare this value with the validation code that you received in your email. If validation fails, contact the Check Point licensing center, providing them with both the validation code contained in the email and the one displayed in this window.

Uninstalling Multi-Domain Security Management

To uninstall a Multi-Domain Server:

  1. Back up the databases if you want to reinstall the Multi-Domain Server on this or another computer.
  2. Reformat the hard disk or re-install a Multi-Domain Server from the removable media.

To uninstall the SmartDomain Manager and SmartConsole applications:

  • Use Add/Remove Programs to uninstall the clients.

Where To From Here?

Check Point documentation provides additional information and is available on the R76 home page on the Check Point Support Center. It is also available on the Check Point DVD.

 
Top of Page ©2013 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print