Architecture and Processes
Packages in Multi-Domain Server Installation
Multi-Domain Server installation consists of the following packages:
Package | Description
CPCON62CMP-R76 | Check Point Connectra CM Compatibility Package
CPEdgecmp-R76 | Check Point UTM-1 Edge Compatibility Package
CPPIconnectra-R76 | Check Point Connectra Version or Blade update
CPmds-R76 | Check Point Multi-Domain Server
CPsuite-R76 | Check Point Security Gateway
CPvsxngxcmp-R76 | Check Point Power VSX
On Linux and SecurePlatform, package names carry the suffix "-00". For example, the full name of the CPsuite-R76 package on these platforms is CPsuite-R76-00.
All of these packages have pre-defined dependencies between them. Under no circumstances should these packages be removed manually.
Important - Manually removing a package has negative implications for the Multi-Domain Server.
Multi-Domain Server File System
Multi-Domain Server Directories on /opt and /var File Systems
Multi-Domain Server installation creates subdirectories under the /opt and /var/opt directories.
This is the list of subdirectories created under /opt (installed binaries, libraries and installation logs):
Subdirectory | Description
CPInstLog | Contains installation and upgrade log files.
CPsuite-R76 | Contains the installation of the CPsuite-R76 package.
CPshrd-R76 | Contains the installation of the CPshrd-R76 (SVN Foundation) package.
CPshared | Exists for compatibility with previous versions.
CPEdgecmp | Contains the installation of the CPEdgecmp package.
CPngcmp-R76 | Contains the installation of the CPngcmp-R76 package.
CPmds-R76 | Contains the installation of the CPmds-R76 package.
This is the list of subdirectories created under /var/opt (configuration, state and log files):
Subdirectory | Description
CPsuite-R76 | Contains configuration, state and log files for Check Point Security Gateway management.
CPshrd-R76 | Contains the configuration of Check Point SVN Foundation, as well as the registry files.
CPEdgecmp-R76 | Contains configuration files for the CPEdgecmp package.
CPngcmp-R76 | Contains configuration files for the CPngcmp-R76 package.
CPmds-R76 | Contains the configuration of the Multi-Domain Server, Multi-Domain Server-level logs, and the configuration, state and log files of the Domain databases.
Structure of Domain Management Server Directory Trees
On Multi-Domain Servers, the Domain Management Server directories are found under the /var/opt/CPmds-R76/Domains directory. Each Domain Management Server residing on the server has its own directory under this path, which contains the following subdirectories:
Subdirectory | Description
CPsuite-R76 | Contains the configuration, state and log files of this Domain, as well as links to the shared binaries and library files.
CPshrd-R76 | Contains the SVN Foundation configuration for the Domain owning this Domain Management Server, as well as links to shared binaries and library files.
CPEdgecmp | Contains configuration files of the CPEdgecmp package for the Domain owning this Domain Management Server, as well as links to shared binaries and library files.
CPngcmp-R76 | Contains configuration files of the CPngcmp-R76 package for the Domain owning this Domain Management Server, as well as links to shared binaries and library files.
Check Point Registry
Information about the installation and versions of the different components, which various Check Point processes query, is stored centrally in a registry file.
The registry is stored in $CPDIR/registry/HKLM_registry.data. The value of the CPDIR environment variable differs between the Multi-Domain Server environment and each Domain Management Server environment, so there is a separate registry file for the Multi-Domain Server and for each Domain Management Server.
Automatic Start of Multi-Domain Server Processes
The script that starts the Multi-Domain Server processes automatically at boot is /etc/init.d/firewall1. A link to this file appears in the /etc/rc3.d directory under the name S95firewall1.
Processes
Environment Variables
Multi-Domain Server processes require a set of standard environment variables. These variables:
- Point to the installation directories of the different components.
- Contain management IP addresses.
- Hold data needed for correct initialization and operation of the processes.
Additionally, specific environment variables control parameters of particular Multi-Domain Server functions.
The Multi-Domain Server installation contains shell scripts for C-Shell and for Bourne Shell that define the necessary environment variables:
- The C-Shell version is /opt/CPshrd-R76/tmp/.CPprofile.csh
- The Bourne Shell version is /opt/CPshrd-R76/tmp/.CPprofile.sh
Sourcing one of these files (with the "source" command in C-Shell or the "." command in Bourne Shell) defines the environment that the Multi-Domain Server processes need in order to run.
Standard Check Point Environment Variables
Variable | Description
FWDIR | Location of Check Point Security Gateway binary/configuration/library files.
- In the Multi-Domain Server environment, this variable is equal to MDSDIR.
- In a Domain Management Server environment, it contains /opt/CPmds-R76/Domains/<Domain Management Server Name>/CPsuite-R76/fw1
CPDIR | Location of Check Point SVN Foundation binary/configuration/library files. It points to different directories in the Multi-Domain Server and Domain Management Server environments.
MDSDIR | Location of the Multi-Domain Server installation. In Multi-Domain Security Management the path is /opt/CPmds-R76
SUROOT | Points to the location of SmartUpdate packages.
Parameters/Thresholds for Different Multi-Domain Server functions
Logging Cache Size
By default, the Domain Management Server reserves 1 MB of memory for log caching on the management server. On systems with very intensive logging you can raise the cache size; this uses more memory but improves performance. To change the cache size, set the LOGDB_CACHE_SIZE variable to the desired size in kilobytes. For example, to set the cache to 4 MB enter:
setenv LOGDB_CACHE_SIZE 4096 (in C-Shell syntax)
Additional environment variables that control mechanisms such as status collection (for example MSP_SPACING_REG_CMAS_FOR_STATUSES) or connection retries (for example MSP_RETRY_INTERVAL) are described later in this chapter.
Multi-Domain Server Level Processes
Each Multi-Domain Server level process has one instance on every Multi-Domain Server or Multi-Domain Log Server machine while that server is running. The following processes run at the Multi-Domain Server level:
Process | Description
cpd | SVN Foundation infrastructure process.
cpca | The Certificate Authority manager process. This process does not run on a Multi-Domain Log Server.
fwd | Audit Log server process.
fwm mds | Multi-Domain Server main process.
For proper operation of the Multi-Domain Server all four processes must be running, except in configurations (such as a Multi-Domain Log Server) where cpca should not be running.
Domain Management Server Level Processes
Each of these processes has a separate instance for each running Domain Management Server. The following processes run at the Domain Management Server level:
Process | Description
cpd | SVN Foundation infrastructure process.
cpca | The Certificate Authority manager process. This process does not run on log servers (Domain Log Servers).
fwd | Log server process.
fwm | Security Management Server main process.
status_proxy | Status collection for SmartLSM Security Gateways. This process runs only on Domain Management Servers that are activated for Large Scale Management.
sms | Manages communication (status collection, log collection, policy update, configuration update) with UTM-1 Edge Security Gateways. This process runs only on Domain Management Servers that manage UTM-1 Edge devices.
For proper operation of a Domain Management Server, at least cpd, cpca, fwd and fwm must be running, except in configurations where cpca should not be running. The other processes are required only by Domain Management Servers that use the specific functionality these processes provide.
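The two process tables above define what must be running at each level. The following POSIX shell script is an added example, not part of the Check Point documentation or product: it reads a process listing in the format of `ps -eo args` (one command line per line) and reports which of the required Multi-Domain Server level processes are absent for a given role. The role names mds and mlm, the function names and the embedded listing are this example's own assumptions; the listing is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not Check Point code): check that the processes the text lists
# as mandatory appear in a process listing. The listing format assumed is that
# of `ps -eo args`: one command line per line, optionally with a path prefix.

# Required processes per role. "mds" is a Multi-Domain Server, "mlm" a
# Multi-Domain Log Server, on which cpca is not expected to run. The entry
# "fwm mds" is matched as a whole so that a Domain Management Server's plain
# "fwm" does not satisfy it.
required_for_role() {
    case "$1" in
        mds) printf '%s\n' cpd cpca fwd "fwm mds" ;;
        mlm) printf '%s\n' cpd fwd "fwm mds" ;;
        *)   printf 'unknown role: %s\n' "$1" >&2; return 2 ;;
    esac
}

# missing_processes LISTING REQUIRED
# Prints, one per line, every entry of REQUIRED (newline separated) that does
# not occur as a command in LISTING. A line matches when it starts with the
# entry, optionally preceded by a directory path, followed by a space or end of
# line; this keeps "fwd" from matching a command such as "fwd_helper".
missing_processes() {
    listing="$1"
    required="$2"
    printf '%s\n' "$required" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        pattern='^([^ ]*/)?'"$name"'( |$)'
        if ! printf '%s\n' "$listing" | grep -Eq "$pattern"; then
            printf '%s\n' "$name"
        fi
    done
}

# check_role ROLE LISTING
# Returns 0 when all processes required for ROLE are present and 1 otherwise,
# printing the missing names (2 for an unknown role).
check_role() {
    required=$(required_for_role "$1") || return 2
    missing=$(missing_processes "$2" "$required")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed sample listing (not captured from a real server): a Multi-Domain
# Server on which cpca is not running, while a Domain Management Server's fwm is.
SAMPLE_PS_ARGS='/opt/CPshrd-R76/bin/cpd
/opt/CPsuite-R76/fw1/bin/fwd
fwm mds
/opt/CPsuite-R76/fw1/bin/fwm
/usr/sbin/sshd -D'

if check_role mds "$SAMPLE_PS_ARGS"; then
    echo "all Multi-Domain Server level processes are running"
else
    echo "the Multi-Domain Server level processes listed above are missing" >&2
fi
```

On a live server, run check_role mds "$(ps -eo args)" (or mlm on a Multi-Domain Log Server). Because every Domain Management Server runs its own cpd, cpca, fwd and fwm instances and a plain process listing does not show which Domain an instance belongs to, this check is only meaningful at the Multi-Domain Server level; per-Domain process status is what the Check Point mdsstat command reports.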
Multi-Domain Server Configuration Databases
The Multi-Domain Server environment contains a number of configuration databases, whereas a single Security Management Server contains only one.
Each Multi-Domain Server contains:
- One Global Database (located in the /var/opt/CPmds-R76/conf directory)
- One Multi-Domain Server Database (located in the /var/opt/CPmds-R76/conf/mdsdb directory)
- A number of Domain Management Server databases. Each Domain Management Server database is located in the /var/opt/CPmds-R76/Domains/<Domain Management Server Name>/CPsuite-R76/fw1/conf directory.
Global Policy Database
This database contains the definitions of global objects and global Security Policies. It can be viewed and edited using Global SmartDashboard client.
When the Assign Global Policy operation is invoked, the objects and policies defined in the Global Policy database are copied to the Domain Management Server databases, where SmartDashboard can display and use them. These objects are editable only from Global SmartDashboard; the Domain Management Server databases hold read-only copies.
Multi-Domain Server Database
This database contains two kinds of objects:
- Multi-Domain Server-level management objects, such as administrators, Domains, Multi-Domain Servers and Domain Management Servers. These objects are defined either with the SmartDomain Manager or with the Multi-Domain Server command line utilities.
- Domain Management Server-level Check Point objects. So that the SmartDomain Manager can display the network objects of all Domains, these are collected centrally in the Multi-Domain Server Database. Each time such an object is updated in SmartDashboard, the change is automatically applied to the Multi-Domain Server Database as well.
Domain Management Server Database
This database contains:
- Definitions of objects and policies created and edited by SmartDashboard, when connecting to the Domain Management Server.
- Global Objects (in read-only mode) copied by the Assign Global Policy operation.
- SmartLSM Security Gateways definitions made by SmartProvisioning.
Different Domain Management Servers residing on the same Multi-Domain Server have different databases.
Connectivity Between Different Processes
Multi-Domain Server Connection to Domain Management Servers
The main Multi-Domain Server process (fwm mds) looks for Domain Management Servers that are up and reachable but with which it has no CPMI connection. This connection is used to collect statuses from the Domain Management Server and its Security Gateways, and to receive changes to objects that are relevant to the Multi-Domain Server/SmartDomain Manager system.
Normally, a dedicated task wakes up every 120 seconds and searches for "Domain Management Server connection candidates". If the task found connection candidates in its previous run, it wakes up after only 90 seconds by default. The shorter interval speeds up the Domain Management Server connections during Multi-Domain Server startup.
You can change the default intervals:
- To change the connection candidates search interval (120 seconds by default), set the MSP_RETRY_INTERVAL variable to the desired number of seconds.
- To change the shorter interval used after candidates have been found (90 seconds by default), set the MSP_RETRY_INIT_INTERVAL variable to the desired number of seconds.
Note - Lowering these values (especially MSP_RETRY_INIT_INTERVAL) makes the Multi-Domain Server connect to the Domain Management Servers faster during startup, but may overload the Multi-Domain Server if a value is set too low.
By default this task reconnects the Multi-Domain Server to no more than five Domain Management Servers per iteration. A system with 50 Domain Management Servers therefore needs 10 iterations (of 90 seconds each, by default), so connecting to all of them can take up to 15 minutes.
To change the maximum number of Domain Management Servers to which the Multi-Domain Server connects per cycle, set the MSP_RETRY_INIT_INTERVAL variable to the desired value. Note that this is the same variable name given above for the retry interval; check the documentation for your version for the variable that sets this limit before relying on it.
Note - Raising this value makes the Multi-Domain Server connect to all Domain Management Servers faster during startup, but may overload the Multi-Domain Server if it is set too high.
Status Collection
Status collection begins when a SmartDomain Manager connects to a Multi-Domain Server. The Multi-Domain Server sends all Domain Management Servers a request to start collecting statuses. The Multi-Domain Server contacts the Domain Management Servers one by one, spacing these requests by one second, thus preventing the Multi-Domain Server load from peaking when multiple statuses arrive. You can change this default spacing and set the required spacing in milliseconds, with the environment variable MSP_SPACING_REG_CMAS_FOR_STATUSES .
Changing the Status Collection Cycle
The default status collection cycle takes 300 seconds, i.e. each system entity is monitored once every 5 minutes. This value can be changed per Multi-Domain Server in the SmartDomain Manager as follows:
- In the General View, display the Multi-Domain Server Contents Mode. Double-click a Multi-Domain Server. The Configure Multi-Domain Server - General window opens.
- Under Status Checking Interval, specify the desired number of seconds in the Set to field (this value is saved in the $MDSDIR/tmp/status_interval.dat file).
Once the Status Checking Interval is set in the SmartDomain Manager, it is effective immediately, with no need to restart the Multi-Domain Server. The higher you raise this value, the longer it takes to detect a change in a Security Gateway status.
Collection of Changes in Objects
Check Point objects defined in Domain Management Server databases are copied to the Multi-Domain Server database and presented in the Network Objects view of the SmartDomain Manager. Every time one of these objects is updated by a SmartDashboard connected to the Active Domain Management Server, the change is immediately propagated to the Multi-Domain Server database of the Multi-Domain Server hosting that Active Domain Management Server. From there it is distributed to the other Multi-Domain Servers participating in the High Availability environment.
Connection Between Multi-Domain Servers
Whenever Multi-Domain Servers and Multi-Domain Log Servers are connected in a High Availability deployment, they keep a constant network connection open between them. This connection is used to distribute:
- The status of Domain Management Servers and Security Gateways between the Multi-Domain Servers.
- The status of administrators connected to Multi-Domain Servers.
- Latest updates of the objects propagated from Domain Management Servers.
Large Scale Management Processes
The Status Proxy process runs for each Domain Management Server that is enabled for Large Scale Management, and is constantly connected to the Domain Management Server to which it belongs. This process, amongst other functions, updates the Domain Management Server configuration database with such details as the last known IP address of the Dynamic IP address SmartLSM Security Gateway, as well as, the Security Gateway status.
UTM-1 Edge Processes
The SMS process runs for each Domain Management Server that manages UTM-1 Edge devices, and is constantly connected to the Domain Management Server to which it belongs. UTM-1 Edge devices can be created either using SmartDashboard or using SmartProvisioning (where they are defined as UTM-1 Edge SmartLSM Security Gateways).
Reporting Server Processes
When the SmartReporter Blade for Multi-Domain Security Management is used, the SmartReporter server maintains a connection to the Multi-Domain Server. Whenever reports are generated, another component called SmartReporter Generator opens a connection to the Multi-Domain Server as well.
Issues Relating to Different Platforms
The Multi-Domain Server supports the following platforms:
- Check Point SecurePlatform
- RedHat Enterprise Linux
- Solaris
High Availability Scenarios
When creating High Availability environments with:
- a number of Multi-Domain Servers
- a number of Multi-Domain Log Servers
the Multi-Domain Servers connected to a single environment can run on different platforms (for example, one Multi-Domain Server can be installed on Solaris and another on RedHat Enterprise Linux or SecurePlatform).
Migration Between Platforms
Use the existing Multi-Domain Security Management migration tools to move configuration databases (such as the Global Policies database or the Domain Management Server databases) between different Multi-Domain Security Management platforms:
Action | Use Script/Command | Comment
Migrate the Global Policies Database | migrate_global_policies script | Run this script without parameters to see its usage. The files required before running the script are listed in its usage text; copy them manually to the destination Multi-Domain Server.
Export a Domain Management Server, Security Management or Global Policy database from one computer to another | migrate export script | This script exports the complete database files into one .tgz file on the source machine, which can then be imported to a different Multi-Domain Server.
Migrate the Domain Management Server into the destination environment | Use any one of: the Import Domain Management Server command in the SmartDomain Manager; the cma_migrate script; the mdscmd migratemanagement utility |