Configuring an IPv6 Address on a Multi-Domain Server

Starting in R82, it is possible to use IPv6 addresses for the internal Check Point communication:

  • Between a Multi-Domain Security Management Server, its Domain Management Servers, and their managed Security Gateways.

    This internal Check Point communication includes Secure Internal Communication (SIC), policy installation, and logging.

  • Between a Multi-Domain Log Server, its Domain Log Servers, and the managed Security Gateways.

    This internal Check Point communication includes Secure Internal Communication (SIC) and logging.

  • Between a Multi-Domain Security Management Server and a Multi-Domain Log Server.

    This internal Check Point communication includes Secure Internal Communication (SIC) and logging.

Part 1 - Configuring the Multi-Domain Server

  1. Enable IPv6 support in the Gaia OS on the Multi-Domain Server.

    See System Configuration.

  2. Reboot the Multi-Domain Server.

    See Shut Down.

  3. On the Leading Interface of the Multi-Domain Server, configure the required IPv6 address.

    See Physical Interfaces.

  4. Configure the applicable IPv6 static routes on the Multi-Domain Server.

    See IPv6 Static Routes.

  5. Add the same IPv6 address you configured on the Leading Interface to the Multi-Domain Server database with the API command "set-mds":

    1. In the Management API Reference:

      1. Open the chapter "Multi-Domain".

      2. Open the section "Multi-Domain Server (MDS)".

      See one of these Management API references:

      • The online Check Point Management API Reference.

      • The local Management API Reference (first, you must follow sk174606 to allow access to this local Management API reference):

        https://<IP Address or Gaia Management Interface>/api_docs/#introduction

    2. Run the API command "set-mds":

      (The syntax below is for the CLI command "mgmt_cli".)

      mgmt_cli --domain 'System Data' set-mds name <Name of Multi-Domain Server Object> ipv6-address "IPv6 Address Configured on Leading Interface>"

      Notes:

      • In the "name" parameter, you must enter the name of the Multi-Domain Server object as it appears in SmartConsole.

      • If you run command in the CLI on the Primary Multi-Domain Server, then in the "name" parameter you can specify the name of the Secondary Multi-Domain Server object.

  6. Restart the Check Point services on the Multi-Domain Server with these commands in the CLI (Gaia Clish or the Expert mode):

    1. Stop the Check Point services:

      mdsstop

    2. Start the Check Point services:

      mdsstart

  7. Make sure all the required processes are running on the Multi-Domain Server with this command in the CLI (Gaia Clish or the Expert mode):

    mdsstat

  8. Configure the required IPv6 address in the Domain Management Server / Domain Log Server with the applicable API command.

    You can update and existing object or create a new object.

    (The syntax below is for the CLI command "mgmt_cli".)

    • To update an existing Domain Management Server / Domain Log Server object and restart it:

      mgmt_cli set domain name "<Name of Domain Object>" servers.update.multi-domain-server "Name of Multi-Domain Server Object" servers.update.name "Name of Domain Management Server or Domain Log Server Object" servers.update.ipv6-address "<IPv6 Address of Domain Management Server or Domain Log Server Object>" servers.update.restart-domain-server true

    • To create a new Domain Management Server / Domain Log Server object with both an IPv4 and an IPv6 addresses:

      • To create a new Domain Management Server and start it:

        mgmt_cli add domain name "Name of Domain Object" servers.1.multi-domain-server "<Name of Multi-Domain Security Management Server Object>" servers.1.name "<Name of Domain Management Server Object>" servers.1.type "management server" servers.1.ipv4-address "<IPv4 Address of Domain Management Server Object>" servers.1.ipv6-address "<IPv6 Address of Domain Management Server Object>"

        Note - Digit "1" in the syntax "servers.1." means the first Domain Management Server on this Multi-Domain Security Management Server. If there are already configured Domain Management Servers, then enter the next subsequent number.

      • To create a new Domain Log Server and start it:

        mgmt_cli add domain name "Name of Domain Object" servers.1.multi-domain-server "<Name of Multi-Domain Log Server Object>" servers.1.name "<Name of Domain Log Server Object>" servers.1.type "log server" servers.1.ipv4-address "<IPv4 Address of Domain Log Server Object>" servers.1.ipv6-address "<IPv6 Address of Domain Log Server Object>"

        Note - Digit "1" in the syntax "servers.1." means the first Domain Log Server on this Multi-Domain Log Server. If there are already configured Domain Log Servers, then enter the next subsequent number.

  9. Make sure all the required processes are running on the Multi-Domain Server with this command in the CLI (Gaia Clish or the Expert mode):

    mdsstat

Part 2 - Configuring the Security Gateways and Cluster Members

  1. Enable IPv6 support in the Gaia OS on the applicable Security Gateways and each applicable Cluster Member.

    See System Configuration.

  2. Reboot the Security Gateways and each Cluster Member.

    See Shut Down.

  3. Configure IPv6 addresses on the applicable interfaces.

    See Network Interfaces.

  4. Configure the applicable IPv6 static routes.

    See IPv6 Static Routes.

Part 3 - Configuring the Security Gateways and Cluster objects in SmartConsole

Follow the R82 Security Management Administration Guide.

  1. Connect to the command line on the Multi-Domain Security Management Server.

  2. Log in to the Expert mode.

  3. Disable the current IPv6 configuration:

    mdsconfig -n disable_ipv6 <Name of Leading Interface>

  4. Restart the Check Point services on the Multi-Domain Server:

    1. Stop the Check Point services:

      mdsstop

    2. Start the Check Point services:

      mdsstart

  5. Make sure all the required processes are running on the Multi-Domain Server:

    mdsstat

  6. Configure the new IPv6 address on the Leading Interface.

    Follow steps 3-7 in Part 1 - Configuring the Multi-Domain Server.

  7. Change the IPv6 addresses assigned Domain Management Servers / Domain Log Servers with the API command "set domain":

    (The syntax below is for the CLI command "mgmt_cli".)

    mgmt_cli set domain name "<Name of Domain Object>" servers.update.multi-domain-server "<Name of Multi-Domain Server Object>" servers.update.name "<Name of Domain Management Server or Domain Log Server Object>" servers.update.ipv6-address "<IPv6 Address of Domain Management Server or Domain Log Server Object>" servers.update.restart-domain-server true

  8. Make sure all the required processes are running on the Multi-Domain Server:

    mdsstat