Architecture and Processes

In This Section:

Packages in Multi-Domain Server Installation

Multi-Domain Server installation consists of the following packages:

Package	Description
`CPCON62CMP-R76`	Check Point Connectra CM Compatibility Package
`CPEdgecmp-R76`	Check Point UTM-1 Edge Compatibility Package
`CPPIconnectra-R76`	Check Point Connectra Version or Blade update
`CPmds-R76`	Check Point Multi-Domain Server
`CPsuite-R76`	Check Point Security Gateway
`CPvsxngxcmp-R76`	Check Point Power VSX

On Linux and SecurePlatform, package names contain the suffix "-00". For example, the full name of CPsuite-75.20 package for these platforms is CPsuite-R76-00.

All of these packages have pre-defined dependencies between them. Under no circumstances should these packages be manually removed.

Important - Manually removing a package has negative implications on the Multi-Domain Server.

Multi-Domain Server File System

Multi-Domain Server Directories on /opt and /var File Systems

Multi-Domain Server Installation creates subdirectories under /opt and /var/opt directories.

Subdirectory	Description
`CPInstLog`	Contains installation and upgrade log files.
`CPsuite-R76`	Contains the installation of the `CPsuite-R76` package.
`CPshrd-R76`	Contains information from the `CPsuite-R76` package.
`CPshared`	Exists for compatibility with previous versions.
`CPEdgecmp`	Contains the installation of the `CPEdgecmp` package.
`CPngcmp-R76`	Contains the installation of the `CPngcmp-R76` package.
`CPmds-R76`	Contains the installation of the `CPmds-R76` package.

This is the list of subdirectories created under /opt:

Subdirectory	Description
`CPsuite-R76`	Contains configuration, state and log files for Check Point Security Gateway management.
`CPshrd-R76`	Contains the configuration of Check Point SVN Foundation, a well as the registry files.
`CPEdgecmp-R76`	Contains configuration files for the `CPEdgecmp` package.
`CPngcmp-R76`	Contains configuration files for the `CPngcmp-R76` package.
`CPmds-R76`	Contains configuration of the Multi-Domain Server, Multi-Domain Server-level logs and configuration/state/log files of Domain databases.

Structure of Domain Management Server Directory Trees

On Multi-Domain Servers, the Domain Management Server directories can be found under /var/opt/CPmds-R76/Domains directory. For each Domain Management Server residing on the server, there is a different directory under this path. Each Domain Management Server directory contains the following subdirectories:

Subdirectory	Description
`CPsuite-R76`	Contains the configuration, state and log files of this Domain, as well as links to the shared binaries and library files.
`CPshrd-R76`	Contains the configuration for the SVN Foundation for the Domain owning this Domain Management Server, as well as links to shared binaries and library files.
`CPEdgecmp`	Contains configuration files of the `CPEdgecmp` package for the Domain owning this Domain Management Server, as well as links to shared binaries and library files.
`CPngcmp-R76`	Contains configuration files of the `CPngcmp-R76` package for the Domain owning this Domain Management Server, as well as links to shared binaries and library files.

Check Point Registry

Information related to the installation and versioning issues of different components that is requested by different Check Point processes, is centrally stored in a registry file.

The registry is stored in $CPDIR/registry/HKLM_registry.data (where the value of CPDIR environment variable is different whether you are in the Multi-Domain Server environment or whether you are in different Domain Management Server environments. This means that there are different registry files for the Multi-Domain Server and for the Domain Management Servers.

Automatic Start of Multi-Domain Server Processes

The script for the automatic start of Multi-Domain Server processes upon boot can be found in /etc/init.d. The name of the file is firewall1. A link to this file appears in /etc/rc3.d directory under the name S95firewall1.

Processes

Environment Variables

Different Multi-Domain Server processes require standard environment variables to be defined. The variables have the following functionality, they:

Point to the installation directories of different components.
Contain management IP addresses.
Hold data important for correct initialization and operation of the processes.

Additionally, specific environment variables control certain parameters of different functions of Multi-Domain Server.

Multi-Domain Server installation contains shell scripts for C-Shell and for Bourne Shell, which define the necessary environment variables:

The C-Shell version is /opt/CPshrd-R76/tmp/.CPprofile.csh
The Bourne Shell version is /opt/CPshrd-R76/tmp/.CPprofile.sh

Sourcing these files (or in other words, using "source" command in C-Shell or "." command in Bourne Shell) will define the environment necessary for the Multi-Domain Server processes to run.

Standard Check Point Environment Variables

Variable	Description
`FWDIR`	Location of Check Point Security Gateway binary/configuration/library files. In the Multi-Domain Server environment, this environment variable is equal to `MDSDIR` In Domain Management Server environment, it contains `/opt/CPmds-R76/Domains/<Domain Management Server Name>/CPsuite-R76/fw1`
`CPDIR`	Location of Check Point SVN Foundation binary/configuration/library files. It points to different directories in Multi-Domain Server and Domain Management Server environments.
`MDSDIR`	Location of the Multi-Domain Server installation. In Multi-Domain Security Management the path is `/opt/CPmds-R76`
`SUROOT`	Points to the location of SmartUpdate packages

Parameters/Thresholds for Different Multi-Domain Server functions

Logging Cache Size

By default, the Domain Management Server reserves 1MB memory for log caching on the Management. In very intensive logging systems it is possible to raise the cache size. This requires more memory, but boosts the performance. To change the cache size, set:

LOGDB_CACHE_SIZE variable to the desired size in Kilobytes. For example, to set the cache to 4MB enter:

setenv LOGDB_CACHE_SIZE 4096 (in C-Shell syntax)

Additional environment variables controlling such mechanism as statuses collection mechanism (like MSP_SPACING_REG_CMAS_FOR_STATUSES) or connection retries (like MSP_RETRY_INTERVAL) are described later in this chapter.

Multi-Domain Server Level Processes

Each Multi-Domain Server Level process has one instance on every Multi-Domain Server/Multi-Domain Log Server machine, when the Multi-Domain Server/Multi-Domain Log Server is running. The following processes run on the Multi-Domain Server level.

Process	Description
`cpd`	SVN Foundation infrastructure process.
`cpca`	The Certificate Authority manager process. This process doesn't run on a Multi-Domain Log Server or Multi-Domain Server.
`fwd`	Audit Log server process.
`fwm mds`	Multi-Domain Server main process.

For proper operation of the Multi-Domain Server all four processes must be running, unless dealing with configurations where cpca shouldn't be running.

Domain Management Server Level Processes

Each one of these processes has a different instance for each running Domain Management Server. The following processes run on the Domain Management Server level:

Process	Description
`cpd`	SVN Foundation infrastructure process.
`cpca`	The Certificate Authority manager process. This process doesn't run on log servers and Multi-Domain Servers.
`fwd`	Log server process.
`fwm`	Security Management Server main process.
`status_proxy`	Status collection of SmartLSM Security Gateways. This process runs only on Domain Management Servers that are activated for Large Scale Management.
`sms`	Manages communication (status collection, logs collection, policy update, configuration update) with UTM-1 Edge Security Gateways. This process runs only on Domain Management Servers that manage UTM-1 Edge devices.

For proper operation of the Domain Management Server, at least cpd, cpca, fwd and fwm must be running, unless dealing with configurations where cpca shouldn't be running. Other processes are required only for Domain Management Servers using specific functionality for which these processes are responsible.

Multi-Domain Server Configuration Databases

The Multi-Domain Server environment contains a number of configuration databases, as opposed to a single Security Management Server, that contains only one.

Each Multi-Domain Server contains:

One Global Database (located in /var/opt/CPmds-R76/conf directory)
One Multi-Domain Server Database (located in /var/opt/CPmds-R76/conf/mdsdb directory)
A number of Domain Management Server databases.

Each Domain Management Server database is located in /var/opt/CPmds-R76/Domains/<Domain Management Server Name>/CPsuite-R76/fw1/conf directory.

Global Policy Database

This database contains the definitions of global objects and global Security Policies. It can be viewed and edited using Global SmartDashboard client.

When the Assign Global Policy operation is invoked, the objects and policies defined in Global Policy database are copied to Domain Management Server databases, where they can be seen and used by SmartDashboard. These objects are editable only from Global SmartDashboard, Domain Management Server databases will contain read-only copies.

Multi-Domain Server Database

This database contains two kinds of objects:

Multi-Domain Server-level management objects – such as like administrators, Domains, Multi-Domain Servers and Domain Management Servers. These objects are defined either using the SmartDomain Manager or the Multi-Domain Server Command Line utilities.
Domain Management Server-level Check Point objects – in order to display all Domains' network objects in SmartDomain Manager, these are centrally collected in Multi-Domain Server Database. Each time the object is updated in SmartDashboard, the changes are automatically updated in Multi-Domain Server Database as well.

Domain Management Server Database

This database contains:

Definitions of objects and policies created and edited by SmartDashboard, when connecting to the Domain Management Server.
Global Objects (in read-only mode) copied by the Assign Global Policy operation.
SmartLSM Security Gateways definitions made by SmartProvisioning.

Different Domain Management Servers residing on the same Multi-Domain Server have different databases.

Connectivity Between Different Processes

Multi-Domain Server Connection to Domain Management Servers

The main Multi-Domain Server process (fwm mds) looks for Domain Management Servers which are up and can be reached, but with which it has no CPMI connections. This connection is used for collecting statuses on the Domain Management Server and its Security Gateways, and for receiving changes in objects that are applicable to the Multi-Domain Server/SmartDomain Manager system.

Normally, a special task wakes up every 120 seconds and searches for "Domain Management Server connection candidates". If the task has found connection candidates previously, then by default it wakes up after only 90 seconds. This shorter interval boosts Domain Management Servers connections upon Multi-Domain Server startup.

You can change the values of the default intervals:

To change the Domain Management Server connection candidates search interval, set the MSP_RETRY_INTERVAL variable to the desired number of seconds.
To change the status collection interval, set the MSP_RETRY_INIT_INTERVAL variable to the desired number of seconds.

Note - Changing these values (especially MSP_RETRY_INIT_INTERVAL) makes the Multi-Domain Server-Domain Management Server connections faster during Multi-Domain Server startup, but may overload the connection if the value is set too low.

By default this task attempts to reconnect the Multi-Domain Server to no more than five Domain Management Servers per iteration. So, a system with 50 Domain Management Servers requires 10 iteration (of 90 seconds each, by default), so connecting to all the Domain Management Servers could take up to 15 minutes.

To change the maximum number of Domain Management Servers to which the Multi-Domain Server can connect per cycle, set the MSP_RETRY_INIT_INTERVAL variable to the desired value.

Note - Raising this value makes the Multi-Domain Server connect to all Domain Management Servers faster during startup, but may overload if it is set too low.

Status Collection

Status collection begins when a SmartDomain Manager connects to a Multi-Domain Server. The Multi-Domain Server sends all Domain Management Servers a request to start collecting statuses. The Multi-Domain Server contacts the Domain Management Servers one by one, spacing these requests by one second, thus preventing the Multi-Domain Server load from peaking when multiple statuses arrive. You can change this default spacing and set the required spacing in milliseconds, with the environment variable MSP_SPACING_REG_CMAS_FOR_STATUSES.

Changing the Status Collection Cycle

The default status collection cycle takes 300 seconds, i.e. each system entity is monitored once every 5 minutes. This value can be changed per Multi-Domain Server in the SmartDomain Manager as follows:

In the General View, display the Multi-Domain Server Contents Mode. Choose and double click a Multi-Domain Server. The Configure Multi-Domain Server - General window opens.
Under Status Checking Interval, specify the desired number of seconds in the Set to field (this value is saved in the $MDSDIR/tmp/status_interval.dat file).

Once the Status Checking Interval is set in the SmartDomain Manager, it is effective immediately, with no need to restart the Multi-Domain Server. The higher you raise this value, the longer it takes to detect a change in a Security Gateway status.

Collection of Changes in Objects

Check Point objects defined in Domain Management Server databases are copied to the Multi-Domain Server database and presented in the Network Objects view of the SmartDomain Manager. Every time one of these objects is updated by SmartDashboard that is connected to the Domain Active Domain Management Server, this change is immediately propagated to the Multi-Domain Server database of the Multi-Domain Server hosting the Active Domain Management Server. From there it is distributed to the other Multi-Domain Servers participating in the High Availability environment.

Connection Between Multi-Domain Servers

Whenever Multi-Domain Servers and Multi-Domain Log Servers are connected in a High Availability deployment, they keep a constant network connection open between them. This connection is used to distribute:

The status of Domain Management Servers and Security Gateways between the Multi-Domain Servers.
The status of administrators connected to Multi-Domain Servers.
Latest updates of the objects propagated from Domain Management Servers.

Large Scale Management Processes

The Status Proxy process runs for each Domain Management Server that is enabled for Large Scale Management, and is constantly connected to the Domain Management Server to which it belongs. This process, amongst other functions, updates the Domain Management Server configuration database with such details as the last known IP address of the Dynamic IP address SmartLSM Security Gateway, as well as, the Security Gateway status.

UTM-1 Edge Processes

The SMS process runs for each Domain Management Server that manages UTM-1 Edge devices, and is constantly connected to the Domain Management Server to which it belongs. UTM-1 Edge devices can be created either using SmartDashboard or using SmartProvisioning (where they are defined as UTM-1 Edge SmartLSM Security Gateways).

Reporting Server Processes

When the SmartReporter Blade for Multi-Domain Security Management is used, the SmartReporter server maintains a connection to the Multi-Domain Server. Whenever reports are generated, another component called SmartReporter Generator opens a connection to the Multi-Domain Server as well.

Issues Relating to Different Platforms

The Multi-Domain Server supports the following platforms:

Check Point SecurePlatform
RedHat Enterprise Linux
Solaris

High Availability Scenarios

When creating High Availability environments with:

a number of Multi-Domain Servers
a number of Multi-Domain Log Servers

Multi-Domain Servers connected to a single environment can run on different platforms (for example, one Multi-Domain Server can be installed on Solaris and another on RedHat Enterprise Linux or SecurePlatform.

Migration Between Platforms

Use the existing Multi-Domain Security Management migration tools to move configuration databases (such as the Global Policies databases or the Domain Management Server databases) between different Multi-Domain Security Management platforms:

Action

Use Script/Command

Comment

Migrate the Global Policies Database

migrate_global_policies script

Run this script without any parameters to see its usage. The files required before executing this script are specified in the script's usage. The specified files should be copied manually to the destination Multi-Domain Server.

Export a Domain Management Server, Security Management, or Global Policy database from one computer to another.

migrate export script

This script exports the comprehensive database files into one .tgz file on the source machine that can be imported to a different Multi-Domain Server.

Migrate the Domain Management Server into the destination environment.

Use any one of:

Import Domain Management Server command from the SmartDomain Manager
cma_migrate script
mdscmd migratemanagement utility

Top of Page

Download Complete PDF

Send Feedback