Deploying a Domain Dedicated Log Server

Introduction

In a Multi-Domain Security Management environment, the Security Gateways send logs to the Domain Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. and dedicated Domain Log Servers.

The Multi-Domain ServerClosed Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. unifies logs, and they can be stored on the Multi-Domain Server or on a dedicated Multi-Domain Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS..

Starting in R81, Multi-Domain Server supports a dedicated Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs. (installed on a separate computer) for a Domain.

You can configure a Domain Dedicated Log Server to receive logs only from a specified Domain, and no other Domains can access these logs.

This allows you to locate the dedicated Log Server in a separate network from the Multi-Domain Security Management environment to comply with special regulatory requirements.

Logs reported to the Domain Dedicated Log Server can be viewed from any SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. that has permissions for this Domain.

The Domain Dedicated Log Server communicates directly only with the associated Domain Server. No other Domain can access its log data.

Note - Connecting with SmartConsole to the Domain Dedicated Log Server to see Security PoliciesClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. is not supported.

Procedure for an R81.10 Multi-Domain Environment

  1. Install an R81.10 Multi-Domain Server.

    See the R81.10 Installation and Upgrade Guide > Chapter "Installing a Multi-Domain Server".

  2. Install a regular dedicated R81.10 Log Server.

    See the R81.10 Installation and Upgrade Guide > Chapter "Installing a Dedicated Log Server or SmartEvent Server".

  3. Connect with SmartConsole to the specific Domain.

    See the R81.10 Multi-Domain Security Management Administration Guide.

  4. Add a regular Log Server object for the dedicated R81.10 Log Server you installed in Step 2.

Limitations:

  • When a Domain administrator connects to SmartView on the Multi-Domain Server level or Global SmartEvent ServerClosed Dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database., the login window shows a picker with the options MDS, Global, and allowed Domains. The Domain administrator must select "Global" or a specific allowed Domain, according to the assigned permissions.

  • An administrator who is connected to a Domain Dedicated Log Server in the assigned Domain cannot see the Domain's data in Views, Reports, and Correlated Events that are based on events from the Global SmartEvent Server.

Requirement post upgrade to R81.10:

For any environment, which uses SmartEvent Server or a Domain Dedicated Log Server, this is a required step to complete post upgrade to R81.10 from any source version:

After you upgrade the SmartEvent Server or Domain Dedicated Log Server, run this command in the Expert mode on each Multi-Domain Security Management Server:

$MDS_FWDIR/scripts/cpm.sh -tm -op reset -d all -sd

Procedure for an R77.x Multi-Domain Environment