Domain Management
This chapter includes procedures for creating and configuring Multi-Domain Security Management objects.
Creating a Domain - Wizard
This wizard contains several windows that let you configure Domain settings. You can use a simplified procedure or customize the procedure by selecting additional settings groups.
If you choose the option, you can configure any of the other settings at a later time.
To run the Add Domain wizard:
- In the , click in the Selection bar.
- Select the view.
- In the pane, right-click .
- Select from the menu. The wizard opens.
- In the window, select one of these options:
- Select this option and define these basic Domain settings:
- - Enter a unique Domain name.
- - Select one or more GUI clients that are authorized to manage this Domain.
- - Define the first Domain Management Server included in this Domain. If you use the method, these default values are assigned automatically:
- : Deactivated
- Select this option to configure any of these additional settings groups:
- - Enter contact and other user-defined information.
- - Assign all Global Objects or assign only those Global Objects used in the currently assigned Global Policy. You can also subscribe to Domain level IPS services.
- - Select one or more administrators authorized to manage the Domain.
- - Activate version and blade updates for the Domain.
- Select settings groups to include in the wizard, or clear settings groups to remove from the wizard.
- Automatically use these wizard settings when creating a new Domain. You can also configure this property on the tab in the window.
Configuring General Properties
In the window, enter a unique Domain name. You can optionally enable Check Point QoS.
|
Note - If you want to enable Check Point QoS, you must use . This option is not available if you use the mode.
|
Domain Properties
You can enter information in Domain Properties fields. These fields typically contain contact information or other descriptive data about the Domain. Superusers can define the fields that show in the Administrator Properties window.
Assigning a Global Policy
You can include all Global Objects when assigning the Global Policy or assign only those global objects required by the Global Policy. This includes objects directly or indirectly referenced by rules, such as network objects contained in groups. Reference objects are also copied to the Domain Management Server databases. Administrators can see them individually or as members of a group.
Although you can change global settings later, we recommend that you do so carefully. Consider the following scenario:
A Domain assigns a Global Policy including all Global Objects, so every Global Object is copied to the Domain Management Server database. If the Global Policy is later re-assigned with only those objects required by the Global Policy, extraneous objects not used by the Global Policy are removed from that database. If any removed object is required by Domain security rules or objects, the assignment operation terminates with an error message that lists the missing objects.
This window only shows in the wizard option. If you are using the option, you can define these properties later.
To assign a Global Policy:
- Select one of these configuration settings:
- - Assigns all global objects to this Domain.
- - Assigns only those Global Objects required by the Domain Global Policy.
- Select one or more of these options:
- - Adds the global IPS profiles to the Domain IPS profiles list. IPS profiles defined for individual Domains are not affected.
- - If activated, saves a snapshot of settings before assigning a Global Policy. This allows you to go back to an earlier state.
Assigning Administrators
Superusers are automatically assigned to all Domains with full read/write privileges. You cannot remove or assign them, nor can you change their permission profiles.
You assign global manager and domain manager administrator accounts to specified Domains. You assign a permissions profile to administrators while assigning them to the new Domain. These administrators can manage the Domain according to their administrator type and permissions profile.
You can only assign administrators to new domains if you use the wizard option. If you use the wizard option, only superusers are assigned to the new Domain. You can add more administrators later.
To assign a permissions profile to a new Domain:
- Select one or more administrators.
- Click to move the selected administrators from the list to the list.
- In the window, select a permissions profile.
You can create a new permissions profile or see an existing permissions profile from this window.
You can also do these actions in the window:
- To select all administrator accounts in a group, click .
- To remove administrators from the list, select them and then click .
- To add a new administrator account, click. The window opens.
Assign GUI Clients
In this window you can assign GUI client computers authorized to manage the specified Domain. GUI Clients are computers running the SmartConsole and SmartDomain Manager clients. GUI clients shown in the Assigned list can get access to the specified Domain.
To assign a GUI client to a Domain, select it in the Not Assigned list and then click Add.
Click New GUI Client to define new GUI client. The Add GUI Client window opens.
Version and Blade Updates
The window lets administrators add new features and Software Blades without doing a full management upgrade. These updates are typically delivered as hotfixes or minor releases. Install version and blade updates on each Multi-Domain Server, then activate them for the applicable Domains with the SmartDomain Manager.
Only updates that are installed on the Multi-Domain Servers but not yet activated for the Domain show in this window.
To install and activate version and blade updates:
- Install the update on your Multi-Domain Servers.
- Run mdsstop and then run mdsstart to restart the Multi-Domain Servers. When restarting multiple Multi-Domain Servers, do so at the same time to prevent plug-in-mismatch errors.
- Activate the updates on your Domains:
- In the SmartDomain Manager, select Version & Blade Updates on the Selection Bar.
- Select one or more Domains.
- Right-click the selected Domains and then select .
- Activate and configure new features or blades using SmartDashboard for each Domain Management Server.
This window is only included in the wizard option.
Activating or Deactivating Updates for a Domain
- Updates installed on Multi-Domain Servers, but not yet activated, are shown in the Not Activated list.
- To activate an update, select it and click Add. The update moves to the Activated list.
- To deactivate an update, select it and click Remove. The update moves to the Not Activated list.
Creating Domain Management Servers
You can define one or two Domain Management Servers (the second one is for High Availability) as part of the Create Domain wizard procedure. This window option is available only when using the wizard option. If you use the method, you can define the Domain Management Server at a later time.
Select one of these options:
- - Define Domain Management Servers now. Select an option to define one or two Domain Management Servers.
- - Define your Domain Management Servers later.
|
Note - If you create two Domain Management Servers at this time, they will start automatically. You can only have two Domain Management Servers for a Domain if there is more than one Multi-Domain Server.
|
Creating a Domain - CLI
Description
Use the mdscmd adddomain command to create a Domain, locally or remotely. If run remotely, add login details. You can also create the first Domain Management Server with this command.
Syntax
mdscmd adddomain <DomainName> <-n Name | -i IPv4 | -a IPv6> [-t target <ServerName>][-m <ServerName> -u user -p password]
Argument
|
Description
|
DomainName
|
Name of the Domain to which the Domain Management Server is assigned. The name cannot include spaces or special characters (except for the underscore character).
|
-n name
|
Domain Management Server name.
|
-i IPv4
|
Domain Management Server IPv4 address.
If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
|
-a IPv6
|
Domain Management Server IPv6 address.
If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
|
-t target ServerName
|
Optional: Name of the Multi-Domain Server that the Domain Management Server is assigned to. This argument is necessary only if you assign the Domain Management Server to a remote Multi-Domain Server.
|
-m ServerName
|
Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server.
The remote Multi-Domain Server must be defined as a GUI client.
|
-u user and -p password
|
Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not expose the password during remote login: a password passed with -p is visible to other local users in the process list while the command runs, and is written to the shell history unless you prevent it.
|
You must use at least one of these arguments to identify the Domain Management Server:
-n Name
-i IPv4
-a IPv6
When you create a new object, you can use one or more of these arguments to manually define the name or IP address.
You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no addresses in the ranges are free, the command fails.
The -t, -m, -u and -p arguments are necessary only when you assign the Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).
|
Note - The old form of this command (mdscmd addcustomer ) is still supported in this release.
|
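The argument rules in the table above are easy to get wrong when the command is scripted, and the -p value ends up in places a password should not be. The following is an added example, not Check Point code: it validates the Domain and Domain Management Server names against the naming rule stated on this page, parses the -i/-a addresses, adds the remote-server arguments only when all of them are supplied, and runs the command without a shell. It assumes the syntax shown on this page and that mdscmd is on PATH on the Multi-Domain Server; the names, host and password in the usage call are made up.

```python
"""Build and run `mdscmd adddomain` with the argument rules stated above.

Added example, not Check Point code. It assumes the syntax shown on this
page and that mdscmd is on PATH on the Multi-Domain Server; the names and
addresses used in the usage call are made up.
"""
import ipaddress
import re
import subprocess

# Domain and Domain Management Server names: no spaces or special
# characters except the underscore (the rule stated on this page).
_NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def validate_name(name: str) -> str:
    """Return name unchanged if it satisfies the naming rule, else raise."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"invalid name {name!r}: letters, digits and '_' only")
    return name


def validate_addr(addr: str, version: int) -> str:
    """Return addr normalised if it parses as an IPv4 (4) or IPv6 (6) address."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    if ip.version != version:
        raise ValueError(f"{addr} is not an IPv{version} address")
    return str(ip)


def build_adddomain_argv(domain, name=None, ipv4=None, ipv6=None,
                         target_mds=None, remote_mds=None,
                         user=None, password=None):
    """Return the argv list for `mdscmd adddomain`.

    At least one of name/ipv4/ipv6 must identify the new Domain Management
    Server; an address you omit is taken from the server's address pool.
    The -t/-m/-u/-p arguments are added only for a remote Multi-Domain
    Server and are required together in that case.
    """
    if not (name or ipv4 or ipv6):
        raise ValueError("identify the Domain Management Server with -n, -i or -a")
    argv = ["mdscmd", "adddomain", validate_name(domain)]
    if name:
        argv += ["-n", validate_name(name)]
    if ipv4:
        argv += ["-i", validate_addr(ipv4, 4)]
    if ipv6:
        argv += ["-a", validate_addr(ipv6, 6)]
    remote = (target_mds, remote_mds, user, password)
    if any(remote):
        if not all(remote):
            raise ValueError("a remote Multi-Domain Server needs -t, -m, -u and -p together")
        argv += ["-t", "target", validate_name(target_mds),
                 "-m", remote_mds, "-u", user, "-p", password]
    return argv


def redact(argv):
    """Copy of argv with the value after -p masked, safe to log or print."""
    out = list(argv)
    if "-p" in out:
        out[out.index("-p") + 1] = "********"
    return out


def run_mdscmd(argv, dry_run=True):
    """Run argv without a shell (no quoting surprises). Returns the exit code.

    Caveat: a password given with -p is visible to other local users in the
    process list while mdscmd runs; prefer running locally on the target
    Multi-Domain Server, where -m/-u/-p are not needed.
    """
    if dry_run:
        print("would run:", " ".join(redact(argv)))
        return 0
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed values for illustration only.
    cmd = build_adddomain_argv("corp_a", name="corp_a_dms", ipv4="192.0.2.10",
                               target_mds="mds2", remote_mds="mds2.example.net",
                               user="superadmin", password="example-only")
    run_mdscmd(cmd)  # dry run: prints the command with the password masked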
Configuring Domain Selection Groups
To create a Domain selection group:
- In any SmartDomain Manager View, select Manage > Selection Groups > Domain Groups.
- Click Add to add a group. The Domain selection Groups window opens.
- In the Add Group window, enter a group name.
- Select Domains from the Not in Group list and click Add. The Domains in this group now show in the In Group list.
Configuring Existing Domains
This section includes procedures for changing existing Domain definitions.
To configure an existing Domain:
- Double click the Domain in any General view. The Domain Configuration window opens.
- Click a tab to define settings for that category.
Defining General Properties
In the General tab you can change the Domain name and enable the QoS feature.
To configure general properties:
- Click the tab.
- If necessary, enter a new Domain name.
- Select the QoS option to enable Check Point QoS, or clear it to disable QoS.
Defining Domain Properties
You can enter information in Domain Properties fields. These fields typically contain contact information or other descriptive data about the Domain. Superusers can define the fields that show in the Administrator Properties window.
Assign Global Policy Tab
You can include all Global Objects when assigning the Global Policy or assign only those global objects required by the Global Policy. This includes objects directly or indirectly referenced by rules, such as network objects contained in groups. Reference objects are also copied to the Domain Management Server databases. Administrators can see them individually or as members of a group.
Although you can change global settings later, we recommend that you do so carefully. Consider the following scenario:
A Domain assigns a Global Policy including all Global Objects, so every Global Object is copied to the Domain Management Server database. If the Global Policy is later re-assigned with only those objects required by the Global Policy, extraneous objects not used by the Global Policy are removed from that database. If any removed object is required by Domain security rules or objects, the assignment operation terminates with an error message that lists the missing objects.
Note: Administrators with Customized Permissions cannot use the Domain Manager or Global Manager to assign Global Policies.
To assign a Global Policy, define these configuration settings:
- - Assigns all Global Objects to this Domain.
- - Assigns only those Global Objects required by the Domain Global Policy.
- - Adds the global IPS profiles to the Domain IPS profiles list. IPS profiles defined for individual Domains are not affected.
- - If activated, saves a snapshot of settings before assigning a Global Policy. This allows you to go back to an earlier state.
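The two Global Object options above (and the same options in the Create Domain wizard earlier on this page) differ in what gets copied to the Domain Management Server database, and the scenario described in both places is what happens when a Domain already depends on an object that a narrower re-assignment would drop. The following is an added example, not Check Point code, that works the scenario through: it computes the objects a Global Policy references directly or indirectly (group members, recursively), compares the two assignment modes, and reports which removed objects are still required by Domain rules or Domain objects. The object database, Global Policy and Domain rules are constructed; real rule fields and object types are richer than the src/dst used here.

```python
"""Which Global Objects a Global Policy assignment copies, and what breaks when
the assignment is changed from "all Global Objects" to "required objects only".

Added example, not Check Point code. The object database, Global Policy and
Domain rules below are constructed to reproduce the scenario described above;
real object types and rule fields are richer than the src/dst used here.
"""

# Constructed Global Objects: name -> member names for groups, None otherwise.
GLOBAL_OBJECTS = {
    "g_dmz_servers": ["g_web1", "g_web2"],
    "g_web1": None,
    "g_web2": None,
    "g_partner_net": None,
    "g_admins": ["g_admin_host"],
    "g_admin_host": None,
    "g_legacy_host": None,  # referenced by no global rule
}

# Constructed Global Policy: each rule lists the objects it references directly.
GLOBAL_RULES = [
    {"src": ["g_admins"], "dst": ["g_dmz_servers"]},
    {"src": ["g_partner_net"], "dst": ["g_web1"]},
]

# Constructed Domain-level objects and rules. d_legacy_group is a Domain group
# that contains a Global Object, so the Domain depends on g_legacy_host
# only indirectly.
DOMAIN_OBJECTS = {
    "d_legacy_group": ["g_legacy_host", "d_local_host"],
    "d_local_host": None,
}
DOMAIN_RULES = [
    {"src": ["d_local_host"], "dst": ["d_legacy_group"]},
]


def referenced_objects(rules, objects):
    """Objects referenced by rules directly or indirectly (group members, recursively)."""
    needed = set()
    stack = [name for rule in rules for field in ("src", "dst") for name in rule[field]]
    while stack:
        name = stack.pop()
        if name in needed:
            continue
        needed.add(name)
        stack.extend(objects.get(name) or [])  # group members, if any
    return needed


def objects_copied_by_assignment(rules, objects, all_global_objects):
    """Global Objects copied to the Domain Management Server database."""
    if all_global_objects:
        return set(objects)
    return referenced_objects(rules, objects) & set(objects)


def plan_reassignment(current, new, domain_rules, domain_objects, global_objects):
    """Return (removed, missing).

    removed: Global Objects dropped from the Domain database by the re-assignment.
    missing: the subset still required by Domain rules or objects; a non-empty
    set is the case in which the assignment terminates with an error.
    """
    removed = current - new
    # Domain rules are resolved against Domain objects and Global Objects together.
    domain_needs = referenced_objects(domain_rules, {**global_objects, **domain_objects})
    return removed, removed & domain_needs


def assignment_error(missing):
    """Error text for the failed assignment, or None if it would succeed."""
    if not missing:
        return None
    return "assignment failed, missing objects: " + ", ".join(sorted(missing))


if __name__ == "__main__":
    full = objects_copied_by_assignment(GLOBAL_RULES, GLOBAL_OBJECTS, True)
    required = objects_copied_by_assignment(GLOBAL_RULES, GLOBAL_OBJECTS, False)
    removed, missing = plan_reassignment(full, required, DOMAIN_RULES,
                                         DOMAIN_OBJECTS, GLOBAL_OBJECTS)
    print("would remove:", sorted(removed))
    print(assignment_error(missing))
```

Run before switching an existing Domain from "all Global Objects" to "required objects only", this kind of check turns the error described above into a list you can act on first: either move the Domain's own dependencies off the soon-to-be-removed Global Objects, or keep the full assignment. The snapshot option listed above remains the safety net if the check is skipped.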
Assigning Administrators
In this window, you assign administrators to, or remove administrators from Domains. Administrators assigned to a Domain can manage that Domain according to their permissions. Superusers are automatically assigned to new Domains with full read/write permissions. You cannot remove them or change their permissions.
Assigning Administrators to a Domain
You can assign and remove administrators to a Domain using one of these procedures:
Using the Domain tab:
- Select the administrators tab.
- Do one or more of these tasks:
- Select one or more administrators and then click to move selected administrators from the list to the list. When you add an administrator to the list, the window opens.
- Select one or more administrators and then click to remove selected administrators from the list.
- Click to define a new administrator. The window opens.
- Click to change an administrator's permissions. The window opens.
- Click to assign or remove members of a specified group.
Using the Administrators pane to assign multiple administrators to a domain:
- Select in the SmartDomain Manager Selection bar.
- Click the icon so that the pane shows.
- In the pane, right-click a domain and then select .
- In the window, do one or more of these tasks:
- Select one or more administrators and then click to move selected administrators from the list to the list. When you add an administrator to the list, the window opens.
- Select one or more administrators and then click to remove selected administrators from the list.
- Click to define a new administrator. The window opens.
- Click to change an administrator's permissions. The window opens.
- Click to assign or remove members of a specified group.
Assigning Permission Profiles
A permissions profile is a predefined set of SmartConsole administrative permissions that you assign to administrators and Domains. This feature lets you manage complex, granular permissions for many administrators with one definition. Permission profiles do not apply to SmartDomain Manager activities.
When you assign an administrator account to a domain, you must assign a permissions profile. You can assign a predefined permissions profile or you can create a unique, Domain-specific permissions profile for the administrator.
Administrators with applicable permissions can create and manage permissions profiles. By default, only superusers can create or configure permissions profiles. You can change the global properties to let global and Domain managers create and configure permission profiles for their assigned Domains.
Multi-Domain Security Management includes default permissions profiles:
- - Administrators cannot use SmartConsole applications to see or configure settings.
- - Administrators can use SmartConsole only to see information. They cannot configure settings.
- - Administrators can use SmartConsole applications to see and configure all settings.
- - Administrators can use SmartConsole applications to see and configure all settings with the exception of DLP.
You can assign one of the default permissions profiles to any administrator and domain.
To assign a permissions profile:
- Select a profile from the list.
- In the window, select a permissions profile from the list.
You can also do these actions here:
- Click > to create a new permissions profile.
- Click > to create a unique permissions profile for the selected administrator and Domain. This option only shows for superusers and the permissions profile name is assigned automatically.
- Click > to see the selected permissions profile definition.
Defining GUI Clients
To create a new GUI client:
- Select a view.
- Right-click the Multi-Domain Security Management root and select from the Options menu.
- Select the of the GUI client from the drop-down list. Choose one of the following:
- - Generic GUI client type that lets any client computer connect to Domain Management Servers. You can only have one GUI client of the type in the deployment. The name must be . This option is useful for system testing but is less secure.
- - Identify the GUI client by resolving the specified Name.
- - Identify the GUI client by a specified IPv4 or IPv6 Address.
- - Identify the GUI client by a specified IPv4 and/or IPv6 Address Range. Any computer with an IP address within this specified range can connect to Domain Management Servers.
- - Identify the GUI client by a specified Domain. Any client located in the specified Domain can connect to the Domain Management Servers
- Enter a for the new GUI client. If you selected the , the name is assigned automatically and you cannot change it. The name cannot include spaces or special characters (except for the underscore character).
- Enter the applicable information according to the GUI client type:
- - Enter an IPv4 and/or IPv6 address, or click to resolve the address from the DNS.
- - Define the first and the last IP addresses in the range. You define a range for IPv4 or IPv6 addresses.
- - Enter the applicable Domain.
- Select the client option to let this GUI client access the Multi-Domain Servers in your environment. This option is cleared by default, which defines the client as a Domain-level GUI client.
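The GUI client types above are the access-control decision the Domain Management Server makes when a SmartConsole or SmartDomain Manager connection arrives. The following is an added example, not Check Point code, that implements that decision as a standalone function: an entry admits a client by resolved name, by a single IPv4/IPv6 address, by an address range, by the DNS domain of the connecting host, or unconditionally for the generic type, and the Multi-Domain flag from the last step restricts which entries may reach the Multi-Domain Servers themselves. The DNS and reverse-DNS data are constructed lookup tables standing in for real resolution, and the size threshold in the review helper is an assumption of this example, not a product rule.

```python
"""GUI client authorization as described in this section.

Added example, not Check Point code. Entry types follow this page (generic
"any", name, address, range, domain); DNS data is a constructed table.
"""
import ipaddress
from dataclasses import dataclass

# Constructed forward resolution standing in for DNS lookups of a Name entry.
DNS = {
    "admin-ws.corp.example": ["192.0.2.25", "2001:db8::25"],
}
# Constructed reverse resolution used by the Domain entry type.
RDNS = {
    "198.51.100.7": "noc1.ops.example",
    "192.0.2.25": "admin-ws.corp.example",
}


@dataclass(frozen=True)
class GuiClient:
    name: str
    kind: str                   # "any" | "name" | "address" | "range" | "domain"
    value: str = ""             # address, "first-last", host name or domain suffix
    multi_domain: bool = False  # True: may also manage the Multi-Domain Servers


def _in_range(ip, spec):
    """True if ip lies in the inclusive range 'first-last' of the same IP version."""
    first, last = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
    if not (first.version == last.version == ip.version):
        return False  # comparing v4 with v6 would raise, so decide explicitly
    return first <= ip <= last


def matches(client: GuiClient, ip: str) -> bool:
    """Does this GUI client entry admit a connection from ip?"""
    addr = ipaddress.ip_address(ip)
    if client.kind == "any":
        return True
    if client.kind == "address":
        return addr == ipaddress.ip_address(client.value)
    if client.kind == "range":
        return _in_range(addr, client.value)
    if client.kind == "name":
        return any(addr == ipaddress.ip_address(a) for a in DNS.get(client.value, []))
    if client.kind == "domain":
        host = RDNS.get(ip, "")
        return host == client.value or host.endswith("." + client.value)
    raise ValueError(f"unknown GUI client type {client.kind!r}")


def authorize(assigned, ip, need_multi_domain=False):
    """Name of the first assigned entry that admits ip, or None (deny)."""
    for client in assigned:
        if need_multi_domain and not client.multi_domain:
            continue
        if matches(client, ip):
            return client.name
    return None


def weak_entries(assigned, max_range=256):
    """Entries worth a second look: the generic 'any' client (this page calls it
    less secure) and ranges wider than max_range addresses (threshold assumed)."""
    flagged = []
    for client in assigned:
        if client.kind == "any":
            flagged.append(client.name)
        elif client.kind == "range":
            first, last = (ipaddress.ip_address(s.strip()) for s in client.value.split("-"))
            if int(last) - int(first) + 1 > max_range:
                flagged.append(client.name)
    return flagged


# Constructed assignment for a Domain: order is the evaluation order.
ASSIGNED = [
    GuiClient("noc_hosts", "domain", "ops.example"),
    GuiClient("admin_ws", "name", "admin-ws.corp.example", multi_domain=True),
    GuiClient("jump_range", "range", "10.0.0.10-10.0.0.20"),
]

if __name__ == "__main__":
    for ip in ("10.0.0.15", "10.0.0.21", "2001:db8::25", "198.51.100.7"):
        print(ip, "->", authorize(ASSIGNED, ip))
    print("multi-domain from NOC:", authorize(ASSIGNED, "198.51.100.7", need_multi_domain=True))
    print("review:", weak_entries(ASSIGNED + [GuiClient("any_client", "any")]))
```

The check is deliberately address-based for the range and address types and name-based for the domain type; a domain entry is only as trustworthy as the reverse DNS it relies on, which is the practical reason to prefer explicit addresses or small ranges for anything allowed to reach the Multi-Domain Servers.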
Version and Blade Updates
The window lets administrators add new features and Software Blades without doing a full management upgrade. These updates are typically delivered as hotfixes or minor releases. Install version and blade updates on each Multi-Domain Server, then activate them for the applicable Domains with the SmartDomain Manager.
Only updates that are installed on the Multi-Domain Servers but not yet activated for the Domain show in this window.
To install and activate version and blade updates:
- Install the update on your Multi-Domain Servers.
- Run mdsstop and then run mdsstart to restart the Multi-Domain Servers. When restarting multiple Multi-Domain Servers, do so at the same time to prevent plug-in-mismatch errors.
- Activate the updates on your Domains:
- In the SmartDomain Manager, select Version & Blade Updates on the Selection Bar.
- Select one or more Domains.
- Right-click the selected Domains and then select .
Activate and configure new features or blades using SmartDashboard for each Domain Management Server.
Activating or Deactivating Updates for a Domain
- Updates installed on Multi-Domain Servers, but not yet activated, are shown in the Not Activated list.
- To activate an update, select it and click Add. The update moves to the Activated list.
- To deactivate an update, select it and click Remove. The update moves to the Not Activated list.
Deleting a Domain
When you delete a Domain, all Domain Management Servers assigned to this Domain are also deleted.
To delete a domain using the SmartDomain Manager:
- In the tab, click.
- Right-click the applicable and select .
To delete a domain using the Multi-Domain Server CLI:
Description
Use this command to delete an existing Domain. When deleting a Domain, you also delete the Domain Management Servers.
Usage
mdscmd deletedomain <DomainName> [-m <ServerName> -u <user> -p <password>]
Argument
|
Description
|
DomainName
|
Name of the Domain
|
-m ServerName
|
Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server.
The remote Multi-Domain Server must be defined as a GUI client.
|
-u user and -p password
|
Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.
|
|
Note - The old version of this command (mdscmd deletecustomer) is still supported.
|
Creating a Domain Management Server - Wizard
This release supports both IPv4 and IPv6 addresses. You must always enter an IPv4 address.
Domain Management Servers share one Multi-Domain Server physical interface by using their own routable virtual IP addresses. The Multi-Domain Server physical IP addresses must also be routable and not hidden by virtual IP addresses.
You can configure the Multi-Domain Server to use a range of virtual addresses for automatic assignment to Domain Management Servers. When you create a Domain Management Server, the Multi-Domain Server assigns an IP address from this range. Alternatively, you can manually assign a virtual IP address for a new Domain Management Server. You must make sure that your routing tables include these assigned IP addresses.
You can retrieve an IP address using the button. If you have already defined resolvable domain names (by using the DNS or by editing the /etc/hosts file) for your Domain Management Servers, click Resolve by Name to get the IP address.
To configure a new Domain Management Server using the wizard:
- In the window, select a Multi-Domain Server from the list.
- Enter a unique name for the Domain Management Server or accept the automatically assigned name.
The name cannot include spaces or special characters (except for the underscore character).
- Click to assign IPv4 and IPv6 addresses from the predefined pool of available addresses.
You can also manually enter IP addresses.
- Click and select one of these options:
Add License Information Manually
- Click .
- In the email message that you received from Check Point, select the entire license string (starting with cplic putlic... and ending with the last SKU/Feature) and copy it to the clipboard.
- In the Add License window, click to paste the license details from the clipboard into the Add License window.
- Click to display your Validation Code. Compare this value with the validation code that you received in your email. If validation fails, contact the Check Point licensing center, providing them with both the validation code contained in the email and the one displayed in this window.
Import a License File
- Click .
- In the Open window, browse to and double-click the desired license file.
Get from the License Repository
- Click . This option is only available if you have valid, unattached licenses in the repository.
- In the window, select a Domain Management Server license. The license automatically attaches to the Domain Management Server and the window closes.
If you selected the two Domain Management Server option, do these steps again for the second Domain Management Server.
Creating a Domain Management Server - CLI
Description
Use the mdscmd addmanagement command to create a Domain Management Server in an existing Domain, locally or remotely. If run remotely, add login details.
Syntax
mdscmd addmanagement <DomainName> <-n Name | -i IPv4 | -a IPv6> [-t target <ServerName>][-m <ServerName> -u user -p password]
Argument
|
Description
|
DomainName
|
Name of the Domain to which the Domain Management Server is assigned. The name cannot include spaces or special characters (except for the underscore character).
|
-n name
|
Domain Management Server name.
|
-i IPv4
|
Domain Management Server IPv4 address.
If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses.
|
-a IPv6
|
Domain Management Server IPv6 address.
If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses.
|
-t target ServerName
|
Optional: Name of the Multi-Domain Server that the Domain Management Server is assigned to. This argument is necessary only if you assign the Domain Management Server to a remote Multi-Domain Server.
|
-m ServerName
|
Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server.
The remote Multi-Domain Server must be defined as a GUI client.
|
-u user and -p password
|
Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.
|
You must use at least one of these arguments to identify the Domain Management Server:
-n Name
-i IPv4
-a IPv6
When you create a new object, you can use one or more of these arguments to manually define the name or IP address.
You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no addresses in the ranges are free, the command fails.
The -t, -m, -u and -p arguments are necessary only when you assign the Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).
|
Note - The old form of this command (mdscmd addcma) is still supported in this release.
|
Changing a Domain Management Server
Use this procedure to change an existing Domain Management Server.
To change a Domain Management Server:
- Double-click a Domain Management Server.
- In the window, select a Multi-Domain Server from the list.
- Click to assign an IPv6 address from the predefined pool of available addresses.
You can also resolve addresses by name or manually enter IP addresses. IPv6 addresses are optional.
- Click and select one of these options:
Add License Information Manually
- Click .
- In the email message that you received from Check Point, select the entire license string (starting with cplic putlic... and ending with the last SKU/Feature) and copy it to the clipboard.
- In the Add License window, click to paste the license details from the clipboard into the Add License window.
- Click to display your Validation Code. Compare this value with the validation code that you received in your email. If validation fails, contact the Check Point licensing center, providing them with both the validation code contained in the email and the one displayed in this window.
Import a License File
- Click .
- In the Open window, browse to and double-click the desired license file.
Get from the License Repository
- Click . This option is only available if you have valid, unattached licenses in the repository.
- In the window, select a Domain Management Server license. The license automatically attaches to the Domain Management Server and the window closes.
Deleting a Domain Management Server
To delete a Domain Management Server using the SmartDomain Manager:
- In the tab, click.
- Right-click the applicable and select .
To delete a Domain Management Server using the Multi-Domain Server CLI:
Description
Use this command to delete an existing Domain Management Server.
Syntax
mdscmd deletemanagement <DomainName> <-n Name | -i IPv4 | -a IPv6> [-m <ServerName> -u user -p password]
Argument
|
Description
|
DomainName
|
Domain that contains the Domain Management Server
|
-n Name
|
Domain Management Server name
|
-i IPv4
|
Domain Management Server IPv4 address
|
-a IPv6
|
Domain Management Server IPv6 address
|
-m ServerName
|
Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server.
The remote Multi-Domain Server must be defined as a GUI client.
|
-u user and -p password
|
Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login.
|
You must use at least one of these arguments to identify the Domain Management Server to delete:
-n Name
-i IPv4
-a IPv6
The -m, -u and -p arguments are necessary only when the Domain Management Server is on a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).
|
Note - The old version of this command (mdscmd deletecma ) is still supported.
|