Provider-1/SiteManager-1
Administration Guide
Version NGX R65
March 7, 2007
© 2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,
distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or
omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point
Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement,
Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1,
FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless
Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management,
Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer,
SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro,
SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering,
TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web
Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router,
Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check
Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The
products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by
other U.S. Patents, foreign patents, or pending applications.
For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.
Table Of Contents
Preface
Who Should Use This Guide.............................................................................. 12
Summary of Contents....................................................................................... 13
Related Documentation .................................................................................... 14
More Information............................................................................................. 17
Feedback ........................................................................................................ 18
Chapter 1 Introduction
The Need for Provider-1/SiteManager-1 ............................................................. 20
Management Service Providers (MSP)........................................................... 21
Data Centers .............................................................................................. 23
Large Enterprises........................................................................................ 23
The Check Point Solution ................................................................................. 26
Basic Elements........................................................................................... 27
Point of Presence (POP) Network Environment............................................... 31
Managers and Containers............................................................................. 33
Log Managers............................................................................................. 36
High Availability ......................................................................................... 38
Security Policies in Provider-1 ..................................................................... 38
The Management Model ................................................................................... 40
Introduction to the Management Model......................................................... 40
Administrators............................................................................................ 40
Management Tools...................................................................................... 43
The Provider-1/SiteManager-1 Trust Model......................................................... 49
Introduction to the Trust Model.................................................................... 49
Secure Internal Communication (SIC) ........................................................... 49
Trust Between a CMA and its Customer Network............................................ 50
Trust Between a CLM and its Customer Network ............................................ 51
MDS Communication with CMAs .................................................................. 52
Trust Between MDS to MDS......................................................................... 52
Authenticating the Administrator.................................................................. 52
Authenticating via External Authentication Servers......................................... 53
Setting up External Authentication ............................................................... 55
Re-authenticating when using SmartConsole Clients....................................... 56
CPMI Protocol ............................................................................................ 58
Chapter 2 Planning the Provider-1 Environment
Asking yourself the right questions... ................................................................. 61
Consider the Following Scenario........................................................................ 63
Protecting the Provider-1/SiteManager-1 Network ............................................... 65
MDS Managers and Containers.......................................................................... 66
MDS Managers ........................................................................................... 66
MDS Containers.......................................................................................... 66
Choosing your deployment for MDS Managers and Containers ......................... 67
MDS Clock Synchronization ......................................................................... 68
Setting up the Provider-1/SiteManager-1 Environment......................................... 69
A Typical Scenario ...................................................................................... 69
A Standalone Provider-1/SiteManager-1 Network ........................................... 70
A Distributed Provider-1/SiteManager-1 Network............................................ 71
Provider-1/SiteManager-1 Network with Point of Presence (POP) Center........... 72
Hardware Requirements and Recommendations.................................................. 74
Provider-1/SiteManager-1 Order of Installation ................................................... 75
Licensing and Deployment................................................................................ 76
The Trial Period.......................................................................................... 76
Considerations............................................................................................ 76
Further Licensing Detail .............................................................................. 78
Miscellaneous Issues ....................................................................................... 82
IP Allocation & Routing ............................................................................... 82
Network Address Translation (NAT) .............................................................. 83
Enabling OPSEC......................................................................................... 84
Chapter 3 Provisioning the Provider-1 Environment
Overview ......................................................................................................... 88
The Provisioning Process .................................................................................. 89
Installation and Configuration ........................................................................... 90
Supported Platforms for the MDS................................................................. 90
Minimal Hardware Requirements and Disk Space .......................................... 90
Installing the MDS - Creating a Primary Manager ........................................... 91
Uninstall the MDS ...................................................................................... 93
Entering the MDS License ........................................................................... 93
Install the MDG and SmartConsole Clients .................................................... 95
Using the MDG for the First Time...................................................................... 97
To Launch the MDG.................................................................................... 97
Defining a Security Policy for the Provider-1 Gateway.......................................... 99
Enabling Connections Between Different Components of the System ............. 100
Configurations with More than One MDS.......................................................... 103
MDS Clock Synchronization ....................................................................... 103
Adding an MDS (Container, Manager, or both), or MLM ................................ 104
Editing or Deleting an MDS ....................................................................... 106
When the VPN-1 Power Gateway is Standalone................................................. 107
When a CMA Manages the VPN-1 Power Gateway ............................................. 108
Starting the Add Customer Wizard .............................................................. 109
OPSEC Application Connections...................................................................... 110
Connecting with an OPSEC Application Client to all Customers ..................... 110
Connecting with an OPSEC Application Client to a Single Customer............... 111
Chapter 4 High-Level Customer Management
Overview ....................................................................................................... 114
Creating Customers: A Sample Deployment ................................................. 116
Inputting Licenses using the MDG.............................................................. 124
Setup Considerations ..................................................................................... 127
IP Allocation for CMAs .............................................................................. 127
Assigning Groups ...................................................................................... 127
Management Plug-ins..................................................................................... 128
Introducing Management Plug-ins .............................................................. 128
Installing Plug-ins..................................................................................... 129
Activating Plug-ins.................................................................................... 129
Plug-in Status .......................................................................................... 130
High Availability Mode .............................................................................. 131
Plug-in Mismatches .................................................................................. 131
Configuration................................................................................................. 133
Configuring a New Customer ...................................................................... 133
Creating Administrator and Customer Groups............................................... 137
Changing Administrators............................................................................ 137
Modifying a Customer’s Configuration ......................................................... 139
Changing GUI Clients................................................................................ 139
Deleting a Customer.................................................................................. 140
Configuring a CMA.................................................................................... 140
Starting or Stopping a CMA........................................................................ 140
Checking CMA Status................................................................................ 140
Deleting a CMA ........................................................................................ 141
Chapter 5 Global Policy Management
Security Policies in Provider-1 ........................................................................ 144
Introduction to Security Policies in Provider-1 ............................................. 144
The Need for Global Policies...................................................................... 146
The Global Policy as a Template................................................................. 147
Global Policies and the Global Rule Base .................................................... 148
Global SmartDashboard.................................................................................. 150
Introduction to Global SmartDashboard....................................................... 150
Global Services......................................................................................... 151
Dynamic Objects and Dynamic Global Objects ............................................. 151
Applying Global Rules to Gateways by Function ........................................... 152
Synchronizing the Global Policy Database ................................................... 153
Creating a Global Policy through Global SmartDashboard................................... 154
Global SmartDefense...................................................................................... 156
Introduction to Global SmartDefense .......................................................... 156
SmartDefense in Global SmartDashboard .................................................... 156
SmartDefense Profiles............................................................................... 158
Subscribing a Customer to the Global SmartDefense Service......................... 158
Modifying SmartDefense from the SmartDashboard of a CMA........................ 159
Assigning Global Policy .................................................................................. 161
Introduction to Assigning Global Policy ....................................................... 161
Assigning Global Policy for the First Time.................................................... 161
Reassigning Global Policy.......................................................................... 162
Reassigning Global Policy to Multiple Customers Simultaneously................... 162
Reviewing the Status of Global Policy Assignments ...................................... 163
Considerations For Global Policy Assignment............................................... 164
Global Policy History File........................................................................... 166
Configuration ................................................................................................ 167
Assign/Install a Global Policy ..................................................................... 167
Reassigning/Installing a Global Policy on Customers..................................... 168
Reinstalling a Customer Policy onto the Customers’ Gateways ....................... 169
Remove a Global Policy from Multiple Customers......................................... 170
Remove a Global Policy from a Single Customer .......................................... 170
Viewing the Customer’s Global Policy History File ........................................ 170
Global Policies Tab ................................................................................... 170
Global Names Format................................................................................ 171
Chapter 6 Working in the Customer’s Network
Overview ....................................................................................................... 174
Customer Management Add-on (CMA)......................................................... 174
Administrators.......................................................................................... 175
SmartConsole Client Applications............................................................... 175
Installing and Configuring VPN-1 Power Gateways ............................................ 177
Managing Customer Policies ........................................................................... 178
VPN-1 UTM Edge/Embedded Appliances .................................................... 178
Creating Customer Policies ........................................................................ 178
Revision Control ....................................................................................... 178
Working with CMAs and CLMs in the MDG ....................................................... 179
Chapter 7 Logging in Provider-1
Logging Customer Activity .............................................................................. 182
Exporting Logs............................................................................................... 186
Log Export to Text..................................................................................... 186
Manual Log Export to Oracle Database........................................................ 186
Automatic Log Export to Oracle Database.................................................... 187
Log Forwarding......................................................................................... 188
Cross Domain Logging............................................................................... 188
Logging Configuration .................................................................................... 189
Setting Up Logging ................................................................................... 189
Working with CLMs ................................................................................... 190
Setting up Customer Module to Send Logs to the CLM ................................. 191
Synchronizing the CLM Database with the CMA Database............................. 192
Configuring an MDS to Enable Log Export ................................................... 192
Configuring Log Export Profiles .................................................................. 192
Choosing Log Export Fields........................................................................ 193
Log Export Troubleshooting........................................................................ 194
Using Eventia Reporter.............................................................................. 195
Chapter 8 VPN in Provider-1
Overview ....................................................................................................... 198
Access Control at the Network Boundary ..................................................... 199
Authentication Between Gateways .............................................................. 199
How VPN Works........................................................................................ 200
VPN-1 Connectivity in Provider-1 .................................................................... 203
VPN-1 Connections for a Customer Network ................................................ 203
Global VPN Communities................................................................................ 207
Gateway Global Names.............................................................................. 207
VPN Domains in Global VPN ...................................................................... 208
Access Control at the Network Boundary ..................................................... 209
Access Control and Global VPN Communities .............................................. 209
Joining a Gateway to a Global VPN Community ............................................ 210
Configuring Global VPN Communities .............................................................. 212
Chapter 9 Monitoring in Provider-1
Overview ....................................................................................................... 216
Monitoring Components in the Provider-1 System ............................................. 217
Exporting the List Pane’s Information to an External File .............................. 218
Working with the List Pane ........................................................................ 218
Checking the Status of Components in the System............................................ 219
Viewing Status Details............................................................................... 221
Locating Components with Problems........................................................... 221
Monitoring Issues for Different Components and Features.................................. 223
MDS........................................................................................................ 223
Global Policies ......................................................................................... 225
Customer Policies ..................................................................................... 226
Module Policies ........................................................................................ 226
High Availability ....................................................................................... 227
Global VPN Communities........................................................................... 228
Administrators.......................................................................................... 229
GUI Clients .............................................................................................. 230
Using SmartConsole to Monitor Provider-1 Components..................................... 232
Log Tracking in Provider-1......................................................................... 232
Tracking Logs with SmartView Tracker ........................................................ 232
Real-Time Network Monitoring with SmartView Monitor ................................ 233
Eventia Reporter Reports ........................................................................... 235
Chapter 10 High Availability
Overview ....................................................................................................... 238
CMA High Availability..................................................................................... 239
Active Versus Standby ............................................................................... 241
Setting up a Mirror CMA............................................................................ 242
CMA Backup using SmartCenter Server....................................................... 242
MDS High Availability .................................................................................... 245
MDS Mirror Site........................................................................................ 245
MDS Managers ......................................................................................... 246
Setting up a New MDS and Initiating Synchronization .................................. 247
MDS: Active or Standby............................................................................. 247
The MDS Manager’s Databases .................................................................. 248
The MDS Container’s Databases................................................................. 249
How Synchronization Works ....................................................................... 249
Setting up Synchronization ........................................................................ 252
Configuration................................................................................................. 255
Adding another MDS................................................................................. 255
Creating a Mirror of an Existing MDS .......................................................... 256
Initializing Synchronization between MDSs.................................................. 257
Subsequent Synchronization for MDSs........................................................ 257
Selecting a Different MDS to be the Active MDS.......................................... 258
Automatic Synchronization for Global Policies Databases.............................. 258
Add a Secondary CMA............................................................................... 258
Automatic CMA Synchronization................................................................. 259
Synchronize ClusterXL Modules.................................................................. 259
Chapter 11 Architecture and Processes
Packages in MDS Installation.......................................................................... 262
Packages in Common MDS Installation ....................................................... 262
Packages in MDS Upgrade......................................................................... 263
Eventia Reporter Add-on............................................................................ 263
MDS File System ........................................................................................... 264
MDS Directories on /opt and /var File Systems ............................................. 264
Structure of CMA Directory Trees ............................................................... 265
Check Point Registry................................................................................. 266
Automatic Start of MDS Processes, Files in /etc/rc3.d, /etc/init.d................... 266
Processes...................................................................................................... 267
Environment Variables............................................................................... 267
MDS Level Processes ................................................................................ 269
CMA Level Processes ................................................................................ 270
MDS Configuration Databases......................................................................... 271
Global Policy Database.............................................................................. 271
MDS Database.......................................................................................... 271
CMA Database.......................................................................................... 272
Connectivity Between Different Processes ........................................................ 273
MDS Connection to CMAs.......................................................................... 273
Status Collection ...................................................................................... 274
Collection of Changes in Objects ................................................................ 274
Connection Between MDSs ........................................................................ 275
Large Scale Management Processes............................................................ 275
VPN-1 UTM Edge Processes ...................................................................... 275
Reporting Server Processes........................................................................ 275
Issues Relating to Different Platforms.............................................................. 276
High Availability Scenarios ........................................................................ 276
Migration Between Platforms ..................................................................... 277
Chapter 12 Commands and Utilities
Index.......................................................................................................... 321
Preface
In This Chapter
Who Should Use This Guide page 12
Summary of Contents page 13
Related Documentation page 14
More Information page 17
Feedback page 18
Who Should Use This Guide
This guide is intended for administrators responsible for maintaining network
security within an enterprise, including policy management and user support.
This guide assumes a basic understanding of
• System administration.
• The underlying operating system.
• Internet protocols (IP, TCP, UDP etc.).
Summary of Contents
This guide describes the installation, configuration and management of
Provider-1/SiteManager-1. It contains the following chapters:
Chapter 1, “Introduction”: covers the need for Provider-1, and the different elements and deployments of the Provider-1 system.
Chapter 2, “Planning the Provider-1 Environment”: covers pre-installation considerations.
Chapter 3, “Provisioning the Provider-1 Environment”: covers installation of the Provider-1 system.
Chapter 4, “High-Level Customer Management”: covers the initial configuration.
Chapter 5, “Global Policy Management”: covers setting up Global Policies for Customers.
Chapter 6, “Working in the Customer’s Network”: covers administration on the Customer level.
Chapter 7, “Logging in Provider-1”: covers logging and tracking.
Chapter 8, “VPN in Provider-1”: covers setting up Virtual Private Networks.
Chapter 9, “Monitoring in Provider-1”: covers monitoring the status of the Provider-1 system.
Chapter 10, “High Availability”: covers the different types of High Availability available for Provider-1.
Chapter 11, “Architecture and Processes”: covers the file and directory structure of the Provider-1 system.
Chapter 12, “Commands and Utilities”: covers useful command line utilities.
Related Documentation
The NGX R65 release includes the following documentation.
TABLE P-1 VPN-1 Power documentation suite
Internet Security Product Suite Getting Started Guide: Contains an overview of NGX R65 and step-by-step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, minimum hardware and software requirements, etc.
Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
SmartCenter Administration Guide: Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, and at all user endpoints.
Firewall and SmartDefense Administration Guide: Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications, and the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; and secure VoIP traffic.
Virtual Private Networks Administration Guide: Describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
Eventia Reporter Administration Guide: Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.
SecurePlatform™/SecurePlatform Pro Administration Guide: Explains how to install and configure SecurePlatform. This guide also explains how to manage your SecurePlatform machine and covers Dynamic Routing (Unicast and Multicast) protocols.
Provider-1/SiteManager-1 Administration Guide: Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.
TABLE P-2 Integrity Server documentation
Integrity Advanced Server Installation Guide: Explains how to install, configure, and maintain the Integrity Advanced Server.
Integrity Advanced Server Administrator Console Reference: Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system.
Integrity Advanced Server Administrator Guide: Explains how to manage administrators and endpoint security with Integrity Advanced Server.
Integrity Advanced Server Gateway Integration Guide: Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.