Deploying a Domain Dedicated Log Server

Introduction

In a Multi-Domain Security Management environment, the Security Gateways send logs to the Domain Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. and dedicated Domain Log Servers.

The Multi-Domain ServerClosed Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. unifies logs, and they can be stored on the Multi-Domain Server or on a dedicated Multi-Domain Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS..

Starting in R81, Multi-Domain Server supports a dedicated Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs. (installed on a separate computer) for a Domain.

You can configure a Domain Dedicated Log Server to receive logs only from a specified Domain, and no other Domains can access these logs.

This allows you to locate the dedicated Log Server in a separate network from the Multi-Domain Security Management environment to comply with special regulatory requirements.

Logs reported to the Domain Dedicated Log Server can be viewed from any SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. that has permissions for this Domain.

The Domain Dedicated Log Server communicates directly only with the associated Domain Server. No other Domain can access its log data.

Note - Connecting with SmartConsole to the Domain Dedicated Log Server to see Security PoliciesClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. is not supported.

Procedure for an R81.20 Multi-Domain Environment

  1. Install an R81.20 Multi-Domain Server.

    See the R81.20 Installation and Upgrade Guide > Chapter "Installing a Multi-Domain Server".

  2. Install a regular dedicated R81.20 Log Server.

    See the R81.20 Installation and Upgrade Guide > Chapter "Installing a Dedicated Log Server or SmartEvent Server".

  3. Connect with SmartConsole to the specific Domain.

    See the R81.20 Multi-Domain Security Management Administration Guide.

  4. Add a regular Log Server object for the dedicated R81.20 Log Server you installed in Step 2.

Limitations:

  • When a Domainadministrator connects to SmartView on the Multi-Domain Server level or Global SmartEvent ServerClosed Dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database., the login window shows a picker with the options MDS, Global, and allowed Domains. The Domainadministrator must select "Global" or a specific allowed Domain, according to the assigned permissions.

  • An administrator who is connected to a Domain Dedicated Log Server in the assigned Domain cannot see the Domain's data in Views, Reports, and Correlated Events that are based on events from the Global SmartEvent Server.

Requirement post upgrade to R81.20:

For any environment, which uses SmartEvent Server or a Domain Dedicated Log Server, this is a required step to complete post upgrade to R81.20 from any source version:

After you upgrade the SmartEvent Server or Domain Dedicated Log Server, run this command in the Expert mode on each Multi-Domain Security Management Server:

$MDS_FWDIR/scripts/cpm.sh -tm -op reset -d all -sd

Procedure for an R77.x Multi-Domain Environment

  1. Upgrade all servers from R77.x to R80.20 (or R80.30 or R80.40).

    This applies to all Multi-Domain Servers, Multi-Domain Log Servers, Domain Dedicated Log Servers, and SmartEvent Servers.

    1. Follow the instructions in the R80.40 Installation and Upgrade Guide.

      Important - Stop after the CPUSEClosed Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. Verifier shows the upgrade / installation is allowed.

      • For Multi-Domain Servers:

        See the chapter "Upgrade of Multi-Domain Servers and Multi-Domain Log Servers" > select the applicable section to upgrade "from R80.10 and lower" > select the applicable section to upgrade "with CPUSE".

      • For Log Servers:

        See the chapter "Upgrade of Security Management Servers and Log Servers" > section "Upgrading a Dedicated Log Server from R80.10 and lower" > select the applicable section to upgrade "with CPUSE".

      • For SmartEvent Servers:

        See the chapter "Upgrade of Security Management Servers and Log Servers" > section "Upgrading a Dedicated SmartEvent Server from R80.10 and lower" > select the applicable section to upgrade "with CPUSE".

    2. Fix all the errors, except the one specified for Log Servers on a Domain Management Server:

      Log Servers on the Domain Management Server level are not yet supported in R80.x

    3. On each Multi-Domain Security Management Server, modify the Pre-Upgrade Verifier to treat the upgrade errors as warnings:

      1. Connect to the command line on the Multi-Domain Server.

      2. Log in to the Expert mode.

      3. Enter these commands as they appear below (after each command, press the Enter key):

        cp -v $CPDIR/tmp/.CPprofile.sh{,_BKP}

        cat >> $CPDIR/tmp/.CPprofile.sh << EOF

        > export PUV_ERRORS_AS_WARNINGS=1

        > EOF

    4. Restart the CPUSE daemon:

      DAClient stop ; DAClient start

    5. Follow the instructions in the R80.40 Installation and Upgrade Guide to upgrade all the servers "with CPUSE".

  2. Upgrade all Multi-Domain Servers to R81.20.

    See the R81.20 Installation and Upgrade Guide > chapter "Upgrade of Multi-Domain Servers and Multi-Domain Log Servers" > select the applicable section to upgrade "from R80.20 and higher" > select the applicable section to upgrade "with CPUSE".

  3. On each Multi-Domain Security Management Server, run this script in the Expert mode:

    $MDS_FWDIR/scripts/configureCrlDp.sh

  4. Reboot each Multi-Domain Security Management Server:

    reboot

  5. Upgrade all Log Servers and SmartEvent Servers to R81.20.

    See the R81.20 Installation and Upgrade Guide > chapter "Upgrade of Security Management Servers and Log Servers" > section "Upgrading a Security Management Servers or Log Server from R80.20 and higher" > section "Upgrading a Security Management Server or Log Server from R80.20 and higher with CPUSE".

    Note - To install an R81.20 Log Server or an R81.20 SmartEvent Server, see the chapter "Installing a Dedicated Log Server or SmartEvent Server".

  6. On each Multi-Domain Security Management Server, run this script in the Expert mode:

    $MDS_FWDIR/scripts/cpm.sh -tm -op reset -d all -sd

  7. Reboot all the Domain Dedicated Log Servers and the SmartEvent Servers:

    reboot

  1. Upgrade all servers from R77.x to R80.20 (or R80.30 or R80.40).

    This applies to all Multi-Domain Servers, Multi-Domain Log Servers, Domain Dedicated Log Servers, and SmartEvent Servers.

    1. Run the Pre-Upgrade Verifier, as detailed in the R80.40 Installation and Upgrade Guide.

      • For Multi-Domain Servers:

        See the chapter "Upgrade of Multi-Domain Servers and Multi-Domain Log Servers" > select the applicable section to upgrade "from R80.10 and lower" > select the applicable section to upgrade "with Advanced Upgrade".

      • For Log Servers:

        See the chapter "Upgrade of Security Management Servers and Log Servers" > section "Upgrading a Dedicated Log Server from R80.10 and lower" > select the applicable section to upgrade "with Advanced Upgrade".

      • For SmartEvent Servers:

        See the chapter "Upgrade of Security Management Servers and Log Servers" > section "Upgrading a Dedicated SmartEvent Server from R80.10 and lower" > select the applicable section to upgrade "with Advanced Upgrade".

    2. Fix all the errors, except the one specified for Log Servers on a Domain Management Server:

      Log Servers on Domain Management Server level are not yet supported in R80.x

    3. In your active shell window, run this command in the Expert mode:

      export PUV_ERRORS_AS_WARNINGS=1

    4. Follow the instructions in the R80.40 Installation and Upgrade Guide to upgrade all the servers "with Advanced Upgrade".

  2. Upgrade all Multi-Domain Servers to R81.20.

    See the R81.20 Installation and Upgrade Guide > chapter "Upgrade of Multi-Domain Servers and Multi-Domain Log Servers" > select the applicable section to upgrade "from R80.10 and lower" > select the applicable section to upgrade "with Advanced Upgrade".

  3. On each Multi-Domain Security Management Server, run this script in the Expert mode:

    $MDS_FWDIR/scripts/configureCrlDp.sh

  4. Reboot each Multi-Domain Security Management Server:

    reboot

  5. Upgrade all Log Servers and SmartEvent Servers to R81.20.

    See the R81.20 Installation and Upgrade Guide > chapter "Upgrade of Security Management Servers and Log Servers" > section "Upgrading a Security Management Servers or Log Server from R80.20 and higher" > section "Upgrading a Security Management Server or Log Server from R80.20 and higher with Advanced Upgrade".

    Note - To install an R81.20 Log Server or an R81.20 SmartEvent Server, see the chapter "Installing a Dedicated Log Server or SmartEvent Server".

  6. On each Multi-Domain Security Management Server, run this script in the Expert mode:

    $MDS_FWDIR/scripts/cpm.sh -tm -op reset -d all –sd

  7. Reboot all the Domain Dedicated Log Servers and SmartEvent Servers:

    reboot