Protecting the Multi-Domain Security Management Deployment

It is a security best practice to deploy a Check Point Security Gateway that protects the Multi-Domain Servers, the Multi-Domain Log Server and the other components. You can manage this Security Gateway with a Domain Management Server, or with a Security Management Server that is not part of a Multi-Domain Security Management environment.

This simple use case shows a small High Availability deployment with a Security Gateway protecting each Multi-Domain Server. One of the Domain Management Servers manages these Security Gateways.

Diagram legend:

Item  Description
1     Active Domain Management Servers
2     Standby Domain Management Servers
3     Primary Multi-Domain Server with Active and Standby Domain Management Servers
4     Security Gateways
5     Internet
6     Secondary Multi-Domain Server with Active and Standby Domain Management Servers

Security Gateway Managed by a Domain Management Server

You can create a Domain and Domain Management Server to manage the Policies for Security Gateways that protect Multi-Domain Servers in your environment.

Workflow for this scenario:

  1. Run SmartConsole and log in to the Multi-Domain Server.

  2. Create a new Domain and Domain Management Server.

  3. Connect to the new Domain SmartConsole and create a Security Gateway object.

  4. Enable the Firewall and other Software Blades on this Security Gateway.

  5. Create and install a Security Policy for the Security Gateway.

Defining an Access Control Policy for Multi-Domain Server Components

The Access Control Policy must contain rules that allow communication between the different Multi-Domain Security Management components. You can define these rules in global configurations or in local Domain Policies.

Use this table as a guideline to allow connections between specified components:

Activity
  Source -> Destination

Allow connections between SmartConsole and the Multi-Domain Server
  SmartConsole -> Multi-Domain Server
  Multi-Domain Server -> SmartConsole

Allow connections between Multi-Domain Servers
  Multi-Domain Servers -> Multi-Domain Servers

Allow connections between Domain Management Servers and Security Gateways
  Domain Management Server -> Security Gateway
  Security Gateway -> Domain Management Server

Allow Domain Management Server status data and certificate exchange between Domain Management Server High Availability peers
  Domain Management Server peer -> Domain Management Server peer

Allow Domain Management Server synchronization between peers
  Domain Management Server peer -> Domain Management Server peer

See the R81 Security Management Administration Guide to learn how to create a Security Policy.

Using External Authentication Servers

Multi-Domain Security Management supports these external authentication solutions:

  • RADIUS

  • TACACS

  • RSA SecurID Authentication Manager

When an administrator logs in, an authentication request goes to the external authentication server, which sends a reply to the Multi-Domain Server. For TACACS and RADIUS, the Multi-Domain Server acts as a proxy between the Domain Management Server and the external authentication server. For this to work correctly, you must configure each Multi-Domain Server as a client on the authentication server.

Note - If the Multi-Domain Server is DOWN, the Domain Management Server cannot authenticate administrators.

Configuring External Authentication

To configure External Authentication:

  1. Connect to the Multi-Domain Server with SmartConsole.

  2. In the Domains view, select the Global Domain, and then click Connect.

  3. Connect to the Global Domain with SmartConsole, and then create a host object for the authentication server.

  4. Define the Multi-Domain Security Management administrators in the authentication server.

  5. In SmartConsole, select Administrators.

  6. Select an existing administrator or click New.

  7. In the General tab, select the applicable Authentication Scheme.

  8. If the selected authentication server is RADIUS or TACACS, select the server that you configured in the Global Domain SmartConsole.

  9. If the authentication server is SecurID:

    1. Close SmartConsole.

    2. Generate the file sdconf.rec on the Authentication Manager, and configure the user to use Tokencode only.

    3. Copy sdconf.rec to /var/ace/ on each Multi-Domain Server.

    4. Open /etc/services in a text editor and add the following lines:

      securid 5500/udp

      securidprop 5510/tcp

    5. Reboot the Multi-Domain Server.
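The SecurID prerequisites from steps 3 and 4 (sdconf.rec in /var/ace/ and the two /etc/services entries) are easy to get half-done on one Multi-Domain Server and not the other, so the following added example (not from the Check Point guide) adds the service entries idempotently and checks both prerequisites on a given services file and ACE directory. The file paths are passed as parameters so it can be run against a copy first; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide.
# add_securid_services SERVICES_FILE
#   Appends the two SecurID entries from step 4 unless they are already present,
#   so running it on every Multi-Domain Server repeatedly is safe.
add_securid_services() {
    services_file="$1"
    for entry in "securid 5500/udp" "securidprop 5510/tcp"; do
        name="${entry%% *}"   # service name, e.g. securid
        port="${entry#* }"    # port/proto, e.g. 5500/udp
        # Idempotency: skip an entry that is already defined with this port.
        if grep -Eq "^${name}[[:space:]]+${port}" "$services_file"; then
            continue
        fi
        printf '%s\t\t%s\n' "$name" "$port" >> "$services_file"
    done
}

# check_securid_prereqs SERVICES_FILE ACE_DIR
#   Returns 0 only when sdconf.rec (step 3) and both service entries (step 4)
#   are in place; prints what is missing otherwise.
check_securid_prereqs() {
    services_file="$1"
    ace_dir="$2"
    status=0
    if [ ! -f "$ace_dir/sdconf.rec" ]; then
        echo "missing: $ace_dir/sdconf.rec (copy it from the Authentication Manager)"
        status=1
    fi
    if ! grep -Eq '^securid[[:space:]]+5500/udp' "$services_file"; then
        echo "missing: 'securid 5500/udp' in $services_file"
        status=1
    fi
    if ! grep -Eq '^securidprop[[:space:]]+5510/tcp' "$services_file"; then
        echo "missing: 'securidprop 5510/tcp' in $services_file"
        status=1
    fi
    return "$status"
}

# Production usage on a Multi-Domain Server (run as an administrative user):
#   add_securid_services /etc/services
#   check_securid_prereqs /etc/services /var/ace && echo "ready to reboot (step 5)"
```

Run the check on each Multi-Domain Server before the reboot in step 5, because a missing sdconf.rec on any one of them leaves that server unable to authenticate SecurID administrators.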

Note - The <authentication_server> parameter is required for TACACS and RADIUS.