sample chapter1
7/29/2019 Sample Chapter1
Chapter 3
MDS INSTALLATION AND CONFIGURATION
The MDS consists of multiple CMAs installed on a single machine. Each CMA
controls any number of VPN-1/FireWall-1 remote Enforcement Modules at a single customer site.
Check Point Provider-1 NG with Application Intelligence includes MDS
Manager and MDS Container components to support a growing customer base.
The MDS Manager is the core component and is required for the first 200
customer CMAs. Additional MDS machines can be added, and up to 500
separate CMAs can be managed by each MDS in the Provider-1 NG
configuration.
Objectives
1 List the minimum system requirements for installing the MDS.
2 Demonstrate how to install an MDS Manager on a Sun Solaris
SPARC-based or RedHat Linux system.
3 Demonstrate how to configure an MDS Manager as the Primary MDS.
Key Terms
mds_setup
mdsconfig
mdsenv
mdsstart
mdsstop

CHOOSING THE TYPE OF MDS
The Multi Domain Server (MDS) contains separate file structures for each
CMA. Customer-specific information is kept separated in independent CMA
databases to offer greater security and data integrity. Each CMA's rules, objects,
and users reside in the CMA database and are not shared. The following
directories remain private and separated by CMA:
- conf
- database
- state
The MDS shares the VPN-1/FireWall-1 management functions. In this way, the
CMA data is separated, but shares the same soft-linked Management Server
functions such as binary executables and INSPECT files.
Every Provider-1 configuration must include an MDS Manager. The GUI
connects to the MDS Manager to access the CMAs. Additional MDS machines
can be added to the configuration as needed. There are two different types of
Multi Domain Servers:
- MDS Container
- MDS Manager
The MDS Container can maintain up to 500 separate CMAs and perform
Security Policy management functions. The MDS Manager can perform tasks
such as file synchronization for backup capabilities and acts as the Certificate
Authority for the Provider-1 system at the NOC. The scalable architecture of
Provider-1 allows MSPs to accommodate a growing customer base. In every
scenario, both an MDS Manager and MDS Container are necessary. These two
components can be on the same machine.

Multi Domain Server - Manager
The MDS Manager is the central point of entry for the CMAs. The MDG can
only access the MDS Manager. The Manager is a Certificate Authority for the
Provider-1 NG configuration and, if multiple MDS Managers exist, establishes
High Availability between them. High Availability (HA) is possible even if the
additional Manager machine is located at a remote location.
No CMAs are loaded on the MDS Manager. Only the MDS Container can
maintain the CMAs. If the MDS Manager is installed as the only MDS in the
configuration, both the Manager and Container functions can be installed and
run on one machine.

Multi Domain Server - Container
The less-expensive MDS Container maintains the customer CMAs. Capable of
maintaining up to 500 CMAs, the Container machine is an alternative for
Administrators who want to increase their Provider-1 capabilities without
dramatically increasing cost. The Container machine cannot function as a
Certificate Authority for Provider-1 components or establish High Availability
for CMAs. The Container machine can be used as an additional MDS to
increase customer capacity and for backup capabilities.

Multi Domain Server as Multi Domain Log Module
The MDS can also be licensed to function as a Multi Domain Log Module
(MLM). The MLM separates the logs of each CMA into different databases.
The MLM is configured with a CLM for each Customer CMA. Unlike the
CMAs loaded on an MDS, CLMs configured on the MLM do not require a
separate license. No more than 200 CLMs can be loaded on one MDS MLM.

Licensing the Multi Domain Server
The MDS can be licensed in a number of different ways, depending on the
MSP's Provider-1 configuration. The MDS can be licensed as either a Manager,
a Container, or both.
Provider-1 NG licenses are additive. If an Administrator has a
50 CMA license and adds a 25 CMA license, that
Administrator would be licensed to manage up to 75 CMAs.
Feature String       Description
CPPR-MDS-M-NG        MDS Manager component without Container
CPPR-MDS-C10-NG      MDS Container component for hosting up to 10 CMAs
CPPR-MDS-C25-NG      MDS Container component for hosting up to 25 CMAs
CPPR-MDS-C50-NG      MDS Container component for hosting up to 50 CMAs
CPPR-MDS-C100-NG     MDS Container component for hosting up to 100 CMAs
CPPR-MDS-C200-NG     MDS Container component for hosting up to 200 CMAs
CPPR-MDS-MC10-NG     Combined MDS Manager and Container for hosting up to 10 CMAs
CPPR-MDS-MC25-NG     Combined MDS Manager and Container for hosting up to 25 CMAs
CPPR-MDS-MC50-NG     Combined MDS Manager and Container for hosting up to 50 CMAs
CPPR-MDS-MC100-NG    Combined MDS Manager and Container for hosting up to 100 CMAs
CPPR-MDS-MC200-NG    Combined MDS Manager and Container for hosting up to 200 CMAs

PROVIDER-1 NG WITH APPLICATION INTELLIGENCE MDS MINIMUM REQUIREMENTS
The table below lists the minimum hardware and operating system
requirements for installing the specified MDS components.
The Linux kernel required to install the MDS on RedHat is
available from the Check Point download center at:
www.checkpoint.com/support/downloads
Platform:           Sun Ultra SPARC-based systems
                    Intel-based systems
Operating Systems:  Solaris 2.8 32 bit, 2.8 64 bit
                    Solaris 2.9 64 bit
                    RedHat Linux 7.2
                    RedHat Linux 7.3
                    SecurePlatform NG with Application Intelligence (R55)
Required Patches:   Solaris 2.8 32 bit - patch number 109147-18
                    Solaris 2.8 64 bit - patch number 109147-18
                    Solaris 2.8 - 109326-07
                    Solaris 2.8 - 109147-18
                    Solaris 2.9 - 112902-07
                    OS Patch level of at least 6
                    RedHat Linux 7.2 (Kernel 2.4.9-31)
                    RedHat Linux 7.3 (Kernel 2.4.18-5)
Edition:            VpnStrong (3DES)
Disk Space:         Basic MDS installation (mostly under /opt): 150 MB
                    Disk space for each CMA (under /var/opt): 10 MB per CMA
                    60 MB swap
Memory:             MDS functionality: 100 MB
                    Memory allocated per CMA: 10-20 MB
Network Interface:  All interfaces supported by the operating system

LAB 1: INSTALLING AND CONFIGURING THE PRIMARY MDS STATION
Scenario: You have just been hired to deploy Provider-1 NG at an MSP that
wants to offer security services to its customers. You must now deploy a
Primary MDS at your new company's NOC.
Objectives: In this lab, you will install the MDS as a Manager and Container.
You will then configure the station to function as the Primary MDS in your
NOC environment.
Topics: The following topics are covered in this lab:
- MDS installation on a Linux or a Solaris system
- MDS configuration
- Configuring a Provider Superuser
- Configuring a GUI client

VERIFY MDS MACHINE CONFIGURATION
1 Verify that gzip and gunzip are installed on the Sun Solaris or Linux machine
before attempting to install the MDS.
2 Verify that your machine meets the minimum requirement for MDS installation,
including patch level.
A specific kernel must be running on the Linux machine before
you can install the Provider-1 MDS. If the system does not boot
up on this kernel, the MDS installation will fail.
3 Insert the Provider-1 NG CD into the CD-ROM drive.
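
Steps 1 and 2 above, scripted against the chapter's minimum-requirements table (an added example, not part of the original chapter or any Check Point tool). It assumes a POSIX shell, takes the planned number of CMAs as its argument, and treats a later Solaris patch revision as satisfying the listed one; the function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-install check for a host that will run the MDS.
# Thresholds come from the chapter's minimum-requirements table; the
# function names are illustrative and not part of any Check Point tool.

BASE_DISK_MB=150      # basic MDS installation, mostly under /opt
PER_CMA_DISK_MB=10    # per CMA, under /var/opt
BASE_MEM_MB=100       # MDS functionality
PER_CMA_MEM_MB=20     # upper end of the 10-20 MB per-CMA range
VIPS_PER_IF=250       # CMA virtual IPs one leading interface can host
MAX_CMAS=500          # CMAs one MDS Container can maintain

# Disk needed under /var/opt for $1 CMAs, in MB.
cma_disk_mb() { echo $(( $1 * PER_CMA_DISK_MB )); }

# Worst-case memory for the MDS plus $1 CMAs, in MB.
mds_mem_mb() { echo $(( BASE_MEM_MB + $1 * PER_CMA_MEM_MB )); }

# Leading interfaces needed for $1 CMA virtual IPs (ceiling of N/250).
leading_ifs() { echo $(( ($1 + VIPS_PER_IF - 1) / VIPS_PER_IF )); }

# True only for the kernels the table lists for RedHat Linux 7.2 and 7.3.
kernel_supported() {
    case "$1" in
        2.4.9-31|2.4.18-5) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `showrev -p` output on stdin. True if patch $1 (e.g. 109147-18) is
# installed at that revision or later (accepting later ones is an assumption).
patch_installed() {
    awk -v want="$1" '
        BEGIN { split(want, w, "-"); rc = 1 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == w[1] && p[2] + 0 >= w[2] + 0) rc = 0
        }
        END { exit rc }'
}

# Free space on the filesystem holding path $1, in MB (0 if it is missing).
free_mb() {
    df -k "$1" 2>/dev/null |
        awk 'NF >= 3 { kb = $(NF - 2) } END { print int(kb / 1024) }'
}

# Check this host for $1 planned CMAs. Prints findings, returns failure count.
preflight() {
    cmas=$1
    fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    [ "$cmas" -le "$MAX_CMAS" ] || fail "$cmas CMAs is more than $MAX_CMAS per MDS"
    for tool in gzip gunzip tar; do
        command -v "$tool" >/dev/null 2>&1 || fail "$tool is not installed"
    done
    case "$(uname -s)" in
        Linux)
            kernel_supported "$(uname -r)" ||
                fail "kernel $(uname -r) is not one the table lists" ;;
        SunOS)  # Solaris 2.8 and 2.9 report release 5.8 and 5.9
            case "$(uname -r)" in
                5.8) need="109147-18 109326-07" ;;
                5.9) need="112902-07" ;;
                *)   need=""; fail "Solaris release $(uname -r) is not listed" ;;
            esac
            for p in $need; do
                showrev -p | patch_installed "$p" || fail "patch $p not found"
            done ;;
    esac
    opt=$(free_mb /opt)
    var=$(free_mb /var/opt)
    [ "$opt" -ge "$BASE_DISK_MB" ] || fail "/opt: $opt MB free, need $BASE_DISK_MB"
    [ "$var" -ge "$(cma_disk_mb "$cmas")" ] ||
        fail "/var/opt: $var MB free, need $(cma_disk_mb "$cmas")"
    echo "Plan for $(mds_mem_mb "$cmas") MB of memory and" \
         "$(leading_ifs "$cmas") leading interface(s)"
    return "$fails"
}

# Run the checks only when a CMA count is given, e.g.: sh mds_preflight.sh 50
if [ $# -eq 1 ]; then preflight "$1"; fi
```

The exit status is the number of failed checks, so a zero status means the host passed every check in the script.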

TRANSFER PROVIDER-1 NG FILES TO SOLARIS MACHINE
Begin from a Terminal or Console window on the machine that will function as
your configuration's Primary MDS.
1 Enter the root password for your machine.
2 Create a temporary directory for the MDS, for example:
/Provider_NG
The temporary directory from which the installation is
performed is not automatically erased upon installation of the
Provider-1 NG MDS. It can be used later for a reinstallation.
3 Using the cd command, navigate to the MDS file on the Provider-1 CD.
4 Select the package appropriate for the system on which you
wish to install.
5 Copy the .tgz file to /Provider_NG.
6 Change directory to /Provider_NG.
7 Decompress the *.tgz file and untar it.
Solaris example:
gzip -d Provider-1_R55_MDS_pr22_solaris.tgz
tar -xvf Provider-1_R55_MDS_pr22_solaris.tar
Linux example:
gzip -d mds_release_ng_r54_linux_pr4.tgz
tar -xvf mds_release_ng_r54_linux_pr4.tar

PERFORM MDS INSTALLATION
Install and configure the MDS software on the machine functioning as the
Primary MDS in your MSP configuration.
The steps in this lab pertain to both Sun Solaris and Linux
environments. Although you may notice slight variations in the
language, all differences are cosmetic, unless otherwise stated
in the lab.
1 From the Provider_NG directory, locate the mds_setup program.
2 Run the following script:
./mds_setup
The system displays the following output:
******************************************************
Welcome to the Check Point setup center for
Provider-1/SiteManager-1. This utility will guide you
through the installation or upgrade process.
Version: NG with Application Intelligence (R55)
******************************************************
Checking for installed components. This may take a few
seconds. Please wait...
No previous Provider-1 installation was detected on
this machine.
*** Do you want to proceed with fresh installation
[yes/no]?

3 Type y, and press Enter. Various Check Point modules are installed and the
system displays the following output:

Which type of installation would you like to install?
(1) Provider-1 MDS Manager station.
(2) Provider-1 MDS Container station.
(3) Provider-1 MDS Manager + Container station.
(4) Provider-1 MLM station.
Enter your selection [1,2,3,4,?,q]

4 Type 3, to select the Provider-1 MDS Manager + Container station option, and
press Enter. The system displays the following output:

Are you installing the Primary MDS Manager [y,n,?,q]

5 Type y, and press Enter. The system displays the following output:

Do you want the MDS station to start automatically with
each reboot of the machine i.e. from rc3.d boot level
[y,n,?,q]

6 Type y, to start the MDS automatically after reboot, and press Enter. The system
displays the following output:

## Executing checkinstall script.
The selected base directory must exist
before installation is attempted.
Do you want this directory created now [y,n,?,q]

This step does not appear in a Linux distribution. The system
creates the directory automatically, without interaction from the
user.

7 Type y, and press Enter. The directory is created and the system displays the
following output:

Installation of was successful.
copying system files to MDSDIR
Please read the following license agreement.
Hit ENTER to continue...

8 Press Enter. The system displays the License Agreement:

This End-user License Agreement (the "Agreement") is an
agreement between you (both the individual installing
the Product and any legal entity on whose behalf such
individual is acting) (hereinafter "You" or "Your")
and Check Point Software Technologies Ltd. (hereinafter
"Check Point"). TAKING ANY STEP TO SET-UP OR
INSTALL THE PRODUCT CONSTITUTES YOUR ASSENT TO AND
ACCEPTANCE OF THIS END USER LICENSE AGREEMENT. WRITTEN
APPROVAL IS NOT A PREREQUISITE TO THE VALIDITY OR
ENFORCEABILITY OF THIS AGREEMENT AND NO SOLICITATION OF
ANY SUCH WRITTEN APPROVAL BY OR ON BEHALF OF YOU SHALL
BE CONSTRUED AS AN INFERENCE TO THE CONTRARY. IF YOU
HAVE ORDERED THIS PRODUCT AND SUCH ORDER IS CONSIDERED
AN OFFER BY YOU, CHECK POINT'S ACCEPTANCE OF YOUR
OFFER IS EXPRESSLY CONDITIONAL ON YOUR ASSENT TO THE
TERMS OF THIS AGREEMENT, TO THE EXCLUSION OF ALL OTHER
TERMS. IF THESE TERMS ARE CONSIDERED AN OFFER BY CHECK
POINT, YOUR ACCEPTANCE IS EXPRESSLY LIMITED TO THE
TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH ALL
THE TERMS OF THIS AGREEMENT, YOU MUST RETURN THIS PRODUCT
WITH THE ORIGINAL PACKAGE AND THE PROOF OF PAYMENT
TO THE PLACE YOU OBTAINED IT FOR A FULL REFUND.

9 Read the License Agreement, pressing the Space Bar to page down. The system
displays the following output:

Do you accept all the terms of this license agreement (y/n) ?

10 Type y, and press Enter. The system displays the following output:

Welcome to MDS Configuration Program
========================================
This program will guide you through several steps where
you will define your MDS configuration. At any later
time, you can reconfigure these parameters by running
mdsconfig
Configuring Leading VIP Interfaces...
=====================================
The Leading VIP Interfaces are real interfaces
connected to an external network. These interfaces are
used when setting CMA virtual IP addresses. Each
leading interface can host up to 250 virtual IP
addresses (250 CMAs). The following real interfaces are
defined on this machine:
hme0

Typically, the leading interface on a Solaris machine is hme0.
On an Intel-based machine, the leading interface is usually
eth0.
If only one interface is active, the system will automatically
configure it as the leading interface. If more than one interface
is active, the system will ask you to specify which is the leading
interface.

11 The system displays the following output:

External interface has been added.
Configuring Licenses...
=======================
The following licenses are installed on this host:
Host Expiration Features
Eval 4Feb2004 CPMP-PNP-1-NG
Do you want to add licenses (y/n) [n] ?

Check Point provides a full-featured 15-day evaluation license
with the software. For real-world deployments, the system must
be licensed before the end of the 15-day evaluation period.

12 Type n, and press Enter. The system displays the following output:

Configuring Random Pool...
==========================
You are now asked to perform a short random keystroke
session. The random data collected in this session will
be used in various cryptographic operations.
Please enter random text containing at least six
different characters. You will see the * symbol after
keystrokes that are too fast or too similar to preceding
keystrokes. These keystrokes will be ignored.
Please keep typing until you hear the beep and the bar
is full.
[ ]

13 Type a string of random keys. Stop when you hear a beep and the bar displayed
on the screen is full.
Try not to type the same letter twice. Type slowly when
configuring the random key! Typing too fast and ignoring the
beep could cause the machine to freeze, requiring you to reboot
and restart the installation.

14 Once the random string has been completed, the system displays the following
output:

Thank you.
Configuring Groups...
=====================
MDS access and execution permissions
-------------------------------------------
Usually, a MDS module is given group permission
for access and execution. You may now name such a group
or instruct the installation procedure to give no group
permissions to the MDS module. In the latter case, only
the Super-User will be able to access and execute the
MDS module.
Please specify group name [ for no group permissions]:

15 Press Enter, and the system displays the following output:

No group permissions will be granted. Is this ok
(y/n) [y] ?

16 Press Enter, and the system displays the following output:

Setting Group Permissions...
Configuring Certificate Authority...
====================================
The Provider-1/SiteManager-1 system uses an internal
Certificate Authority to provide Secured Internal
Communication (SIC) Certificates for the components in
this system.
Note that your components won't be able to communicate
with each other until the CA is initialized and they
have their SIC certificate.
Press Enter to initialize the Certificate
Authority...

17 Press Enter, and the system displays the following output:

Internal Certificate Authority created successfully
Certificate was created successfully
Setting FQDN to: 10.1.1.1
Executing "$CPDIR/bin/cp_conf ca fqdn 10.1.1.1" in
order to set FQDN
Trying to contact Certificate Authority. It might take
a while...
10.1.1.1 was successfully set to the Internal CA
Executing "$CPDIR/bin/cp_conf ca fqdn 10.1.1.1" in
order to set FQDN - Done
Certificate Authority initialization ended successfully
Configuring Certificates Fingerprint...
========================================
The following text is the fingerprint of this MDS
machine:
MILK HUFF SANE IRA MAT DOLT MUD BUSS NUDE TRAY ILL AWK
Do you want to save it to a file? (y/n) [n] ?

18 Type n, and press Enter. The system displays the following output:

Configuring Administrators...
=============================
Do you want to add administrators (y/n) [y] ?

19 Type y, and press Enter. The system displays the following output:

Enter the administrator name:

20 Type the name of the administrator (admin), and press Enter. The system displays
the following output:

Enter the password for the administrator:

21 Enter the password of the Provider-1 NG administrator (abc123), and press Enter.
The system displays the following output:

Verify Password:

22 Confirm the password, and press Enter. The system displays the following output:

Please choose the administrator type you wish to
define:
1) Provider Superuser
2) Customer Superuser
3) Customer Manager
4) Regular administrator (None)
5) Don't add administrator now.
Enter your choice (1-5):

23 Type 1 to give the administrator Provider Superuser rights, and press Enter. The
system displays the following output:

Updating administrator admin to the database...
This operation requires the Multi Domain Server to be
running.
Please wait...
Starting MDS server...
...
admin updated successfully.
Do you want to add administrators (y/n) [n] ?

24 Type n, and press Enter. The system displays the following output:

Configuring GUI clients...
==========================
Do you want to add Provider-1 GUI clients (y/n) [y] ?

25 Type y, and press Enter. The system displays the following output:

Please choose the Provider-1 GUI client type you wish
to define:
1) MDS GUI clients by IP.
2) MDS GUI clients by name.
3) AnyHost GUI client.
4) Don't add GUI clients now.
Enter your choice (1-4):

26 Type 1, and press Enter. The system displays the following output:

Enter the GUI client IP:

27 Type the IP address of the MDG, and press Enter. The system displays the
following output:

Enter the GUI client host name:

28 Type MDG for the hostname of the GUI client, and press Enter. The system
displays the following output:

Updating GUI client MDG to the database...
MDG updated successfully.
Do you want to add Provider-1 GUI clients (y/n) [n] ?

29 Type n, and press Enter. The system displays the following output:

Stopping MDS only
CPD stopped
MDS stopped
Do you want to start MDS now [yes/no]?

30 Type y, and press Enter. The system displays the following output:

Adding Virtual IPs
MDS: Starting MDS Server
[1] 1908
[2] 1909
[3] 1910
MDS Server Started
******************************************************
The installation of Provider-1/SiteManager-1 NG with
Application Intelligence (R55) has completed
successfully.
Please logout from this shell, and login again to
activate the enviromnent settings of the new version.
******************************************************
A log file was created:
/opt/CPInstLog/mds_setup.log01_20_13_02

31 Type the following command, and press Enter:
eject CDROM
32 Remove the CD from the CD-ROM drive.
33 Type the following command, and press Enter:
init 6
End of lab.

CMA MANAGEMENT
Each Customer Management Add-on is loaded on the MDS and functions as a
Check Point Management Server. Each CMA manages a single customer's
network and requires a dedicated CMA license. CMAs can be licensed as a
single server or as a mirror server for HA configurations.

Licensing the Customer Management Add-ons
The CMAs can be licensed in a number of different ways, depending on the
MSP's Provider-1 configuration.
Feature String       Description
CPPR-CMA-1-NG        First Customer CMA that manages one module
CPPR-CMA-2-NG        First Customer CMA that manages up to two modules
CPPR-CMA-4-NG        First Customer CMA that manages up to four modules
CPPR-CMA-U-NG        First Customer CMA that manages an unlimited number of modules
CPPR-CMA-1-HA-NG     Mirror CMA that manages one module
CPPR-CMA-2-HA-NG     Mirror CMA that manages up to two modules
CPPR-CMA-4-HA-NG     Mirror CMA that manages up to four modules
CPPR-CMA-U-HA-NG     Mirror CMA that manages an unlimited number of modules

MDS AND CMA COMMAND LINE OPTIONS
This section provides basic command line options for administering the MDS
and CMAs. All command line options must be performed in the C shell and in
the directory specified in the description.

mdsconfig Utility
The mdsconfig utility executes automatically during the initial installation of
any MDS. This utility is used to set up the MDS parameters and assign basic
configuration details, such as GUI Clients, Administrator rights, etc. If
reconfiguration is necessary, the mdsconfig utility can be run from the MDS
environment.

MDS Commands

mdsenv
The mdsenv command sets the environment variable for the MDS. Once the
MDS environment is set, all MDS specific commands can be executed.

mdsstart [-m]
The mdsstart command starts the MDS and all CMAs loaded on the MDS. If
the command is run with the -m qualifier, the MDS is started but the CMAs are
not.

mdsstop [-m]
The mdsstop command stops the MDS and all CMAs loaded on the MDS. If
the command is run with the -m qualifier, the MDS is stopped but the CMAs are
not.

mdscmd
The mdscmd is a CPMI client that allows an Administrator to add or remove a
customer or to use the mirror option to back up MDS information. This utility
walks the administrator through the addition or removal of customers from the
MDS and all mdscmd commands are logged and synchronized with other MDS
machines.

mdsstat
The mdsstat command utility displays detailed information on the process
status of both the MDS and CMAs.

cplic printlic
The cplic printlic command displays all MDS licenses.

cplic putlic
The cplic putlic command allows Administrators to add licenses to the MDS.

fw mds ver
The fw mds ver command displays the version information of the MDS DLL.

MSP_RETRY_INTERVAL [Number of seconds]
The MSP_RETRY_INTERVAL command changes the MDS setting that
regulates how often it looks to see if a GUI client is connected to a CMA.

MSP_RETRY_INIT_INTERVAL [Number of seconds]
The MSP_RETRY_INIT_INTERVAL command changes the MDS setting
that regulates how often it requests that the CMAs send status information to
the MDS.

MSP_SPACING_REG_CMAS_FOR_STATUSES
The MSP_SPACING_REG_CMAS_FOR_STATUSES command
initiates the MDS to contact the CMAs with a request to start collecting status
information. If there is no MDG connection to the MDS, it will not initiate a
status collection request to the CMAs. The above command forces the request
to each CMA in one-second intervals.

Customer Management Add-on Commands

mdsenv [CMA name]
The mdsenv command sets the environment variable for the specified CMA.
Once the CMA environment is set, all CMA specific commands can be
executed. This command must be repeated, referencing the appropriate CMA,
if the user intends to execute commands for a different CMA. All CMA specific
commands can only take place once the correct environment variable has
been set.

fw ver
The fw ver command displays the VPN-1/FireWall-1 version information for
the CMA for which the environment is set.

cplic printlic
The cplic printlic command displays all licenses assigned to the CMA for
which the environment is set.

cplic putlic
The cplic putlic command adds licenses to the CMA for which the
environment is set.

REVIEW
Summary
The MDS consists of multiple CMAs installed on a single machine.
Each CMA controls any number of VPN-1/FireWall-1 remote Enforcement
Modules at a single Customer site.
Check Point Provider-1 NG with Application Intelligence includes Primary
MDS and additional MDS components to support a growing customer base.
The Primary MDS is the core component of a Provider-1 NG with
Application Intelligence system.
An additional MDS is required for any system with more than 500
Customers, and can manage up to 500 additional Customers.

Review Questions
1 What are the main differences between MDS Manager and MDS
Container machines?
2 How many MDS Manager machines are required for each Provider-1
configuration?

Review Questions and Answers
1 What are the main differences between MDS Manager and MDS Container
machines?
- The MDG can only connect to the MDS Manager machine.
- The MDS Manager machine acts as the Certificate Authority for the
Provider-1 configuration.
- The MDS Container machine maintains all CMA data.
2 How many MDS Manager machines are required for each Provider-1
configuration?
One MDS Manager machine is necessary for standard operations, two for
MDS-level High Availability functions.