Installing Multi-Domain Security Management

In This Section: Basic Architecture Setting Up Multi-Domain Security Management Networking Installing Multi-Domain Server Installing Gateways Installing Multi-Domain Security Management GUI Clients Post-Installation Configuration

Multi-Domain Security Management is a centralized management solution for large-scale, distributed environments with many different network Domains. This best-of-breed solution is ideal for enterprises with many subsidiaries, branches, partners and networks. Multi-Domain Security Management is also an ideal solution for managed service providers (MSPs), cloud computing providers, and data centers.

Centralized management gives administrators the flexibility to manage polices for many diverse entities. Security policies should be applicable to the requirements of different departments, business units, branches and partners, balanced with enterprise-wide requirements.

Basic Architecture

Multi-Domain Security Management uses a tiered architecture to manage Domain network deployments.

• The Security Gateway enforces the security policy to protect network resources.
• A Domain is a network or group of networks belonging to a specified entity, such as a company, business unit, department, branch, or organization. For a cloud service provider, you can define one Domain for each customer.
• A Domain Management Server is a virtual Security Management Server that manages security policies and Security Gateways for a specified Domain.
• The Multi-Domain Server is a physical server that is the host for Domain data and system databases.
• SmartConsole is the GUI client that you use to manage Domain security and other Multi-Domain Security Management features.

The Multi-Domain Servers and SmartDomain Manager are typically located at central Network Operation Centers (NOCs). Security Gateways are typically located together with protected network resources, often in another city or country.

Item	Description
A	USA Development Domain
B	Headquarters Domain
C	UK Development Domain
1	Security Gateway
2	Network Operation Center
3	Multi-Domain Server
4A	USA Development Domain Management Server
4B	Headquarters Domain Management Server
4C	UK Development Domain Management Server

Setting Up Multi-Domain Security Management Networking

The Multi-Domain Server and Domain Security Gateway computers should be ready to connect to the network. The Multi-Domain Server must have at least one interface with a routable IP address. It also must be able to query a DNS server and resolve other network components.

Make sure that you configure routing to allow IP communication between:

• Domain Management Server, Domain Log Server and their Domain Security Gateways.
• All Multi-Domain Servers in the deployment.
• The Domain Management Server and Log Servers for the same Domain.
• The Domain Management Server and its High Availability Domain Management Server peer.
• The SmartDomain Manager clients and Multi-Domain Servers.
• The SmartDomain Manager clients and Log Servers.

Installing Multi-Domain Server

Installing Multi-Domain Server on Smart-1 Appliances

Install a Multi-Domain Server on supported Smart-1 models.

To install Multi-Domain Server on an appliance:

1. Install the Gaia operating system on the appliance using Upgrades(CPUSE). Alternatively, follow the procedure for UTM-1 and 2012 Models.
2. While the appliance restarts, open the terminal emulation program.
3. When prompted, press any key to enter the boot menu.
4. Select Reset to factory defaults - Multi-Domain Server and press Enter.
5. Type yes and press Enter.

   Multi-Domain Server is installed on the appliance and then the appliance resets.

To start the First Time Configuration Wizard:

1. Connect a standard network cable to the appliance management interface and to your management network.

   The management interface is marked MGMT.

2. Open Internet Explorer to the default management IP address, https://192.168.1.1:4434
3. Log in to the system using the default login name/password: admin/admin.

   Note - You can use the Portal menu to configure the appliance settings. Navigate to https://<appliance_ip_address>:4434.

4. Set the username and password for the administrator account.
5. Click Save and Login.

   The First Time Configuration Wizard opens.

To configure Multi-Domain Server on appliances:

1. This step applies to R77.10 and higher. For other Gaia releases, configure these options in the Gaia Portal, in the Image Management page and the (Upgrades (CPUSE)) page.

   In the Deployment Options page, select Continue with Gaia configuration. Other options are:

   Clean install

   • Install a version from the Check Point Cloud.
   • Install from a USB device.

   Recovery

   • Automatic version recovery from the Check Point Cloud.
   • Import an existing snapshot.

   Click Next.

2. In the Authentication Details page, change the default administrator password.

   Click Next.

3. In the Management Connection page, set an IPv4 and an IPv6 address for the management interface, or set one IP address (IPv4 or IPv6).

   You can change the Management IP address. Gaia automatically creates a secondary interface to keep connectivity when the management interface is not available. After you complete the First Time Configuration Wizard, you can remove this interface in the Interface Management > Network Interfaces page.

4. Optional: In the Connection to User Center page, configure an external interface to connect to the Check Point User Center. Use this connection to download a license and activate it. Alternatively, use the trial license. To connect to the User Center, you must also configure DNS and (if applicable) a Proxy Server, in the Device Information page of the Wizard.
5. In the Device Information page, set the Host Name for the appliance.

   Optional:

   • Set the domain name, and IPv4 or IPv6 addresses for the DNS servers.
   • To connect to the User Center, set the IP Address and Port for a Proxy Server. Do this if you want to activate the appliance by downloading a license from the User Center.

   Click Next.

6. In the Date and Time Settings page, set the date and time manually, or enter the hostname, IPv4 address or IPv6 address of the NTP server.

   Click Next.

7. This step does not apply to R77.20 and higher or Smart-1 205/210/225/3050/3150:
   In the Appliance Type page, select Smart-1 appliance.

   Click Next.

8. In the Products page, select Multi-Domain Server and Primary.

   For R77.10 and higher: Automatically download Blade Contracts and other important data. Check Point highly recommends that you select Automatic Downloads.

9. In the Security Management Administrator page, define the name and password of a Superuser administrator that can connect to the Multi-Domain Server using SmartConsole clients.

   Click Next.

10. In the Multi-Domain Server GUI Clients page, define IP addresses from which SmartConsole clients can log in to the Multi-Domain Server.
    • If you select This machine or Network, define an IPv4 or an IPv6 address.
    • You can also select a range of IPv4 addresses.

    Click Next.

11. In the Appliance Activation page, get a license automatically from the User Center and activate it, or use the 15 day trial license.

    Click Next.

12. In the Summary page, review your choices

    Optional: Improve product experience by Sending Data to Check Point.

    Click Finish.

13. To start the configuration, click Yes.

    A progress bar tracks the configuration of each task.

14. Click OK.

    The Multi-Domain Server is installed on the appliance.

15. If necessary, download SmartConsole from the Gaia Portal.
    1. Open a connection from a browser to the Portal: https://<management_ip_address>
    1. In the Overview page, click Download Now!

To configure a secondary Multi-Domain Server on appliances:

Use the same procedure as for the primary Multi-Domain Server with these changes:

• Use a different IP address for the management interface on the secondary appliance.
• Select Secondary Multi-Domain Server.
• Define the Secure Internal Communication (SIC) Activation Key that is used by the gateway object in SmartDashboard and then click Next.

  This key is necessary to configure the appliances in SmartDashboard.

To configure a Multi-Domain Server log server on appliances:

Do steps 1 - 10 with these changes:

• Step 6 - Select Multi-Domain Log Server.

Define the Secure Internal Communication (SIC) Activation Key that is used by the gateway object in SmartDashboard and then click Next.

This key is necessary to configure the appliances in SmartDashboard.

Open Servers

Install Multi-Domain Server on a dedicated open server.

Use this procedure to install these Multi-Domain Server types:

• Primary Multi-Domain Server - The first Multi-Domain Server that you install and log on to.
• Secondary Multi-Domain Server
• Standalone log servers - Domain Log Server or Multi-Domain Log Servers.

This procedure explains how to install:

• Gaia on an open server.
• Multi-Domain Server on Gaia

To install Gaia on an open server:

1. Start the computer using CPUSE.
2. When the first screen shows, select Install Gaia on the system and press Enter.
3. You must press Enter in 60 seconds, or the computer will try to start from the hard drive. The timer countdown stops once you press Enter. There is no time limit for the subsequent steps.
4. Press OK to continue with the installation.
5. Select a keyboard language. English US is the default.
6. Make sure the disk space allocation is appropriate for the environment.
7. Enter and confirm the password for the admin account.
8. Select the management interface (default = eth0).
9. Configure the management IP address, net mask and default gateway.

   You can define a DHCP server on this interface.

10. Select OK to format your hard drive and start the installation.
11. Press reboot to complete the installation.

To install a Multi-Domain Server on Gaia:

1. Using your Web browser, connect to the Portal:

   https://<Gaia management IP address>

2. In the Gaia Portal window, log in using the administrator name and password that you defined during the installation procedure.

   The Portal shows the First Time Configuration Wizard.

3. Click Next.
4. Select Continue with configuration of Gaia R77
5. Set the IPv4 address for the management interface.

   If you change the management IP address, the new IP address is assigned to the interface. The old IP address is added as an alias and is used to maintain connectivity.

6. Click Next.
7. Set the host name for the server.

   Optional:

   • Set the domain name, and IPv4 addresses for the DNS servers.

     You can use the Gaia Portal to configure IPv6 DNS servers.

   • If necessary, configure a Proxy Server
8. Set the date and time (manually, or enter the hostname or IP address of an NTP server).
9. Click Next.
10. For Installation Type, select Multi-Domain Server.
11. Click Next.
12. Select the type of server:
    • Primary
    • Secondary
    • Multi-Domain log server
13. Select the leading interfaces.

    Leading interfaces are physical interfaces that connect to the external network. These interfaces are for Domain Management server virtual IP addresses. Each leading VIP interface can have up to 250 virtual IP addresses (250 Domain management servers)

14. Define the hosts or IP addresses GUI Clients that can log in to the Multi-Domain Server.
15. Click Next.
16. Set the Name and Password for the Multi-Domain Server administrator account.
17. Click Next.
18. Click Finish.
19. Click Yes when prompted to start the configuration process.
20. After the configuration process completes successfully, click OK.

Installing Gateways

Install the Network Operation Center (NOC) and Security Gateways of the domain using the R77 removable media.

Installing Multi-Domain Security Management GUI Clients

The SmartDomain Manager is automatically installed together with Check Point SmartConsole. If you have not yet installed SmartConsole, do so now.

To install the SmartConsole clients on Windows platforms:

1. Insert the R77 distribution media or download the SmartConsole application from the Support Center.
2. If you are using the installation media, go to the Linux\linux\windows folder.
3. Run the SmartConsole executable.
4. Continue with the instructions on the screen.

Post-Installation Configuration

Use the SmartDomain Manager to configure and manage the Multi-Domain Security Management deployment. Make sure to install SmartDomain Manager on a trusted GUI Client. You must be an administrator with appropriate privileges (Superuser, Global Manager, or Domain Manager) to run the SmartDomain Manager.

To start the SmartDomain Manager:

1. Click Start > All Programs > Check Point SmartConsole R77 > SmartDomain Manager.
2. Enter your credentials:
   • To use a password, enter the Multi-Domain Server host name or IP address. Then enter your administrator user name and password.
   • To use a certificate, enter the Multi-Domain Server host name or IP address. Then click Certificate and select the certificate.
   • To start without credentials, select Demo mode.
   • Optional: Enter a description of this session.
3. Click Login.

   SmartDomain Manager connects to the Multi-Domain Server. When SmartDomain Manager opens, it shows the network objects and options that you have permission to work with.

4. If necessary, confirm the connection using the fingerprint generated during installation.

   You see this only the first time that you log in from a client computer.

Demo Mode

You can open the SmartDomain Manager in Demo mode. This mode does not require authentication or a connection to the Multi-Domain Server. Use the Demo mode to experiment with different objects, views, modes and features before you create a production system. The Demo mode includes several pre-configured sample Domains, Domain Management Servers, Security Gateways and policies.

Operations performed in Demo mode are stored in a local database. You can continue a Demo session from the point at which you left off in a previous session.

Adding Licenses using the SmartDomain Manager

You can add a license to a Multi-Domain Server or Multi-Domain Log Server using the SmartDomain Manager.

1. In the SmartDomain Manager, open the General View > Multi-Domain Server Contents page.
2. Double-click a Multi-Domain Server or Multi-Domain Log Server. The Multi-Domain Server Configuration window opens.
3. Open the License tab.
4. Install licenses using Fetch or Add:

   Fetch License File

   1. Click Fetch From File.
   2. In the Open window, browse to and double-click the desired license file.

      Add License Information Manually

   3. Click Add.
   4. In the email message that you received from Check Point, select the entire license string (starting with cplic putlic... and ending with the last SKU/Feature) and copy it to the clipboard.
   5. In the Add License window, click Paste License to paste the license details you have saved on the clipboard into the Add License window.
   6. Click Calculate to display your Validation Code. Compare this value with the validation code that you received in your email. If validation fails, contact the Check Point licensing center, providing them with both the validation code contained in the email and the one displayed in this window.

Uninstalling Multi-Domain Security Management

To uninstall a Multi-Domain Server:

1. Back up the databases.
2. Reformat the hard disk.

To uninstall the SmartDomain Manager and SmartConsole applications, use Add/Remove Programs.

Where To From Here?

Check Point documentation provides additional information and is available on the R77 home page on the Check Point Support Center. It is also available on the Check Point DVD.