Planning your Deployment

This section includes best practices and other suggestions to help make your Multi-Domain Security Management deployment work efficiently.

Multi-Site High Availability Deployment

Large enterprises use Multi-Domain Security Management in a multi-site, High Availability deployment, with many Multi-Domain Servers located at remote sites, often in different countries. Each Multi-Domain Server (a dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers; synonym: Multi-Domain Security Management Server; acronym: MDS) and each Multi-Domain Log Server (a dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment; it consists of Domain Log Servers that store and process logs from the Security Gateways managed by the corresponding Domain Management Servers; acronym: MDLS) continuously synchronizes with its remote peers.

The advantages of this type of deployment are:

Single Site Deployments

Small organizations with moderate traffic volumes can use a single-site deployment, with one Multi-Domain Server that manages a set of Domains.

Best Practice - For this type of deployment, use a backup solution that periodically saves the system databases and settings to another device.

This example shows a single-site Multi-Domain Server deployment with three Domains at remote locations. Each Domain has many Security Gateways to protect the internal networks and resources. This example has only one Multi-Domain Server and does not use High Availability.

Item   Description
1      London Domain and networks
2      New York (Headquarters) Domain and networks
3      Tokyo Domain and networks
4      SmartConsole clients (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), typically at a network control center
5      Multi-Domain Server
6      London Domain Management Server
7      New York Domain Management Server
8      Tokyo Domain Management Server
9      Internet

This illustration shows the configuration grid in the SmartConsole Multi Domain view for the example deployment:

Note - The system automatically creates the Global Domain when you install Multi-Domain Security Management.

Platform & Performance Issues

Make sure that your Multi-Domain Security Management system hardware is compliant with the system requirements for this release. If your Multi-Domain Server has more than one interface, make sure that the total traffic load complies with the performance load recommendations for that Multi-Domain Server.

Topology, IP Addresses and Routing

All Multi-Domain Servers must have at least one interface with a routable IP address. You must configure these Multi-Domain Servers to perform DNS queries, so that they can resolve IP addresses and host names.

Configure your network routing for IP communication between:

  • All Multi-Domain Servers, Domain Management Servers and Multi-Domain Log Servers

  • Different Domains, if necessary

  • Domain Management Servers, Domain Log Servers and Security Gateways in a Domain

  • A Domain Management Server and its Domain High Availability peers

  • SmartConsole and Multi-Domain Servers, Domain Management Servers and Domain Log Servers

Make sure that the IP addressing and routing configuration accounts for special cases, such as Multi-Domain Servers in different physical locations.
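The connectivity list above can be turned into a pre-flight check. The script below is an added example, not a Check Point tool: it derives every pair of components that must have IP reachability from a small inventory (host names, addresses and Domain names are constructed placeholders), then, when run on one component, reports which of its required peers do not answer a TCP connection. The probe port is an assumption; replace it with the management ports your deployment actually uses.

```python
"""Added example, not part of the Check Point documentation or product.

Derive required IP reachability pairs from the routing rules in the
Multi-Domain planning guide, then probe them from the local component.
All names, addresses and Domain assignments below are constructed.
"""
import socket
import sys
from itertools import combinations

# Constructed inventory: role -> list of (name, address, Domain or None)
INVENTORY = {
    "mds": [("mds-ny", "10.0.0.10", None), ("mds-ldn", "10.1.0.10", None)],
    "mdls": [("mdls-ny", "10.0.0.11", None)],
    "dms": [("dms-london", "10.0.0.21", "London"),
            ("dms-london-ha", "10.1.0.21", "London"),   # Domain HA peer
            ("dms-tokyo", "10.0.0.22", "Tokyo")],
    "dls": [("dls-london", "10.0.0.31", "London")],
    "gateway": [("gw-london-1", "192.0.2.1", "London"),
                ("gw-tokyo-1", "198.51.100.1", "Tokyo")],
    "smartconsole": [("noc-pc-1", "10.9.9.5", None)],
}

# Assumed probe port (placeholder); use the management ports of your deployment.
PROBE_PORT = 18190


def required_pairs(inventory, cross_domain=False):
    """Return sorted (name_a, name_b) pairs that need IP connectivity.

    cross_domain=True adds gateway-to-gateway pairs across Domains, which the
    guide lists as needed only "if necessary".
    """
    def names(*roles):
        return [n for r in roles for (n, _, _) in inventory.get(r, [])]

    def by_domain(*roles):
        groups = {}
        for r in roles:
            for (n, _, d) in inventory.get(r, []):
                if d is not None:
                    groups.setdefault(d, []).append(n)
        return groups

    pairs = set()
    # All Multi-Domain Servers, Domain Management Servers and Multi-Domain Log Servers
    for a, b in combinations(names("mds", "dms", "mdls"), 2):
        pairs.add(frozenset((a, b)))
    # Inside one Domain: DMS (including its HA peers), Domain Log Servers, gateways
    for members in by_domain("dms", "dls", "gateway").values():
        for a, b in combinations(members, 2):
            pairs.add(frozenset((a, b)))
    # Different Domains, only when the design needs it
    if cross_domain:
        for a, b in combinations(names("gateway"), 2):
            pairs.add(frozenset((a, b)))
    # SmartConsole to MDS, DMS and Domain Log Servers (not directly to gateways)
    for c in names("smartconsole"):
        for s in names("mds", "dms", "dls"):
            pairs.add(frozenset((c, s)))
    return sorted(tuple(sorted(p)) for p in pairs)


def tcp_probe(address, port, timeout=2.0):
    """True if a TCP connection to address:port succeeds within timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def unreachable_from(local_name, inventory, pairs, port=PROBE_PORT, probe=tcp_probe):
    """Run on one component: return the required peers it cannot reach.

    Routing is checked from one side only, so run this on every component.
    """
    addr = {n: a for items in inventory.values() for (n, a, _) in items}
    peers = sorted({b if a == local_name else a
                    for a, b in pairs if local_name in (a, b)})
    return [p for p in peers if not probe(addr[p], port)]


if __name__ == "__main__":
    me = sys.argv[1] if len(sys.argv) > 1 else "mds-ny"
    missing = unreachable_from(me, INVENTORY, required_pairs(INVENTORY))
    print(f"{me}: unreachable required peers: {missing or 'none'}")
```

Run it on each component with that component's inventory name as the argument; an empty result on every host means the routing requirements in the list above are satisfied for the probed port.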

Using More than one Interface on a Multi-Domain Server

If there is more than one interface on a Multi-Domain Server, you must configure at least one interface to be the leading interface. Multi-Domain Servers (Primary and Secondary) and Multi-Domain Log Servers use the leading interface to communicate with each other for database synchronization.

Make sure that all Multi-Domain Server interfaces are routable. Domain Management Servers must be able to communicate with their Domain Security Gateways. Domain Log Servers must be able to communicate with their Domain Security Gateways.

Changing the Leading Interface

You define the leading interface during the installation procedure, but you can change it later. If you add a new interface to a Multi-Domain Server after installation, define the Leading Interface manually.

Synchronizing Clocks

All Multi-Domain Server system clocks must be synchronized to within approximately one second of each other. Before you create a new Multi-Domain Server or Multi-Domain Log Server, you must synchronize its clock with the other system components.

Clock synchronization is important for these reasons:

Use these resources to synchronize component system clocks:

  • Manually, using the Portal or the operating system CLI

  • A third-party synchronization utility
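Whichever method you use, verify the result before adding a new Multi-Domain Server or Multi-Domain Log Server. The script below is an added example (not Check Point's own code): it sends a plain SNTP request (RFC 4330) to each peer's NTP service, computes the local clock offset from the four timestamps, and flags any peer outside the one-second tolerance stated above. It assumes the peers run an NTP service on UDP port 123; the host names are constructed placeholders.

```python
"""Added example, not part of the Check Point documentation or product.

Measure the local clock's offset from each peer via SNTP (RFC 4330) and
flag offsets beyond the one-second tolerance for Multi-Domain Servers.
"""
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
TOLERANCE_SECONDS = 1.0        # clocks must agree to approximately one second


def to_ntp(unix_seconds):
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (whole << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1_unix):
    """48-byte client packet: LI=0, VN=4, Mode=3; transmit timestamp = t1."""
    return bytes([0x23]) + bytes(39) + struct.pack("!Q", to_ntp(t1_unix))


def build_server_reply(t1_unix, t2_unix, t3_unix, stratum=2):
    """Constructed server packet (Mode=4) used for offline demonstration only."""
    return (bytes([0x24, stratum]) + bytes(22)
            + struct.pack("!QQQ", to_ntp(t1_unix), to_ntp(t2_unix), to_ntp(t3_unix)))


def parse_response(data):
    """Extract originate (t1), receive (t2) and transmit (t3) timestamps."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    mode = data[0] & 0x07
    if mode != 4:
        raise ValueError(f"unexpected NTP mode {mode}")
    stratum = data[1]
    if stratum == 0:
        raise ValueError("server is unsynchronized (stratum 0 / kiss-o'-death)")
    t1, t2, t3 = struct.unpack("!QQQ", data[24:48])
    return {"stratum": stratum, "t1": from_ntp(t1), "t2": from_ntp(t2), "t3": from_ntp(t3)}


def clock_offset(t1, t2, t3, t4):
    """RFC 4330 offset of the local clock relative to the server.

    t1/t4 are local send/receive times, t2/t3 server receive/transmit times.
    Positive means the local clock is behind the server.
    """
    return ((t2 - t1) + (t3 - t4)) / 2.0


def query_offset(host, port=123, timeout=2.0):
    """Send one SNTP request and return the offset in seconds."""
    t1 = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(t1), (host, port))
        data, _ = sock.recvfrom(64)
    t4 = time.time()
    r = parse_response(data)
    return clock_offset(t1, r["t2"], r["t3"], t4)


def evaluate_peers(peers, query=query_offset, tolerance=TOLERANCE_SECONDS):
    """Return {peer: (offset_seconds or None, within_tolerance)}."""
    results = {}
    for host in peers:
        try:
            off = query(host)
        except (OSError, ValueError):
            results[host] = (None, False)   # unreachable or unusable reply
            continue
        results[host] = (off, abs(off) <= tolerance)
    return results


if __name__ == "__main__":
    # Constructed placeholder peer names; pass real MDS/MDLS hosts as arguments.
    hosts = sys.argv[1:] or ["mds-ny.example.invalid", "mds-ldn.example.invalid"]
    for host, (off, ok) in evaluate_peers(hosts).items():
        status = "OK" if ok else "OUT OF TOLERANCE / NO REPLY"
        print(f"{host}: offset={off if off is None else f'{off:+.3f}s'} {status}")
```

Any peer reported out of tolerance must be corrected (manually, or by the synchronization utility) before the new server is created, because the offset is measured against each peer individually and every pair has to agree.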