Checkpoint Security lectures - PowerPoint PPT Presentation

Provided by: cpug
Slides: 24

Transcript and Presenter's Notes

1
Moving to Provider-1
  • When and How

2
Agenda
  • What is Provider-1 (just a reminder)
  • Why is it better than SMC?
  • Reasons to migrate
  • How to migrate
  • Preparations
  • Process flow
  • Check List

3
What is Provider-1 NGX?
4
Check Point says
  • Benefits of Provider-1 NGX
  • Centralized Management
  • Security Product Scalability
  • Multi-Level High Availability (MDS-HA and CMA-HA)
  • Global security and Global VPN communities

5
What people say
  • Check Point PS consultant
  • Global (corporate) policy, objects, services
  • More diversity for administrators privileges
  • Separate DBs for CMAs
  • Consolidate SmartCenters; save power, money, HW,
    space
  • Multi-user access to the MDS level
  • Each CMA has its own processes, which goes better
    with multiple cores/CPUs

6
What people say, cont. (1)
  • Yet another Check Point PS consultant
  • There are some deployments where P-1 has to be
    used due to size, but mostly due to the
    organization's needs
  • Global objects and global rules, but still having
    separate CMAs based on either country, division,
    function, role, etc...
  • Also multi-user: if you have 100 FWs per SMC, you
    can only have 1 RW admin. If you need 5
    concurrent edits, you need 5 CMAs.
  • Ease of backup / restore. Logical separation of
    policies, logs, etc...

7
What people say, cont. (2)
  • CPUG gurus
  • Consolidates hardware - you only have one
    management server to look after, not many
  • Patching easier - just apply one patch to the
    management server, not to many servers
  • User management - particularly with large
    environments, trying to manage users on a whole
    lot of different management stations would be a
    complete nightmare.
  • Easy importing of other management stations.
  • There's also an economic angle to it. A CMA-U is
    cheaper than a full SmartCenter license, so
    there's a point when an organization has >5
    SmartCenters where Provider-1 becomes a cheaper
    option.

8
What people say, cont. (3)
  • CPUG again
  • I found the following useful when moving to
    Provider-1 in a large environment: Centralized
    policy, administrator, object, and version
    management is a huge win
  • Consolidation of hardware (moving from 20
    SmartCenter Servers to 3 P1 MDS)
  • Licensing and Logging are easier to
    manage. Services between different business
    entities are easier to share (VPNs between
    different regions) but are still logically
    separate.

9
What people say, cont. (4)
  • Check Point Forums on https://forums.checkpoint.com/
  • More than 200 views,
  • but no reply

10
Organizational reasons MSP/ISP
  • Independent groups of FWs for customers
  • Delegating major administrative functions to
    customer
  • Parallel administration of policies and objects
  • Need to maintain the Security system in whole
  • Saving some HW and space

11
Organizational reasons Large Enterprise
  • Different groups of FWs, multiple geographical
    locations, multiple purposes
  • Delegating major administrative functions to
    local admin teams
  • Diversification of administration procedures and
    access rights
  • Global definition for vital policy elements and
    objects
  • Unified company Security policies
  • Saving some HW and space

12
Technical reasons
  • Consolidation of several management servers on a
    few machines
  • Easy maintenance
  • Better backups
  • Nice performance
  • Multiuser access, flexible admin rights
  • And not named before
  • VSX..

13
VSX on Provider-1
  • VSX migration from SmartCenter to Provider-1 is
    hardly doable
  • Consider using Provider-1 from the start if you
    want to implement VSX

14
Migrations on Provider-1 environment
  • So, how do we do it after all?

15
Tips and tools
  • Doable across versions and operating systems
  • Manually or by using tools
  • Can and should be simulated in the lab before
    touching production systems
  • What to use?
  • cma_migrate
  • migrate_assist
  • migrate_global_policies
  • And some manual work, anyway

16
Before you start
  • Prepare your licenses
  • the hardest part
  • Plan IP address for MDS and CMAs
  • Plan initial administrators for OS and MDG
  • The options are to keep SMC IP or use another
  • Install Provider-1 MDS

17
Materials from Smart Center
  • $FWDIR/conf -> conf
  • $FWDIR/database -> database
  • $FWDIR/logs -> logs (optional)
  • $CPDIR/conf -> conf.cpdir
  • $CPDIR/database -> database.cpdir
  • Zip them and prepare to transfer to the P1 machine

18
Creating a new customer
  • Create a new customer, name it as you wish
  • Get through the wizard, assign
  • GUI clients
  • Administrators
  • Plug-ins (R65 and up)
  • Then

19
Creating a CMA
  • DO NOT start it!
  • Choose to migrate
  • Put the collected files into some folder on P1
    and unzip
  • Type the path of that folder into the dialog window
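The collection step on slide 17 and the "not the right files?" failure on slide 20 are easy to script. The following POSIX shell script is an added example, not part of the CPUG deck or of any Check Point tool: it copies the five trees the slide names (renaming the $CPDIR ones to conf.cpdir and database.cpdir so they do not collide with the $FWDIR ones), writes a SHA-256 manifest, tars the result, and provides a matching verify step to run on the Provider-1 machine before pointing the CMA creation dialog at the unpacked folder. The function and variable names are this example's own; it assumes $FWDIR and $CPDIR are set as on a real SmartCenter and that tar plus sha256sum (or shasum) are available.

```shell
#!/bin/sh
# Added example (not from the CPUG deck or from Check Point): package the
# SmartCenter material listed on slide 17 and verify it after transfer.
# Assumptions: <fwdir>/<cpdir> are a SmartCenter's $FWDIR/$CPDIR; tar and
# sha256sum or shasum exist on both machines. Function names are ours.

# Pick a SHA-256 tool (GNU coreutils or BSD/macOS); "$@" passes "-c" through.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# collect_smc_materials <fwdir> <cpdir> <outdir> [yes|no]
# Copies the trees with the slide's target names, records a manifest of
# every file and tars the staging directory. Prints the archive path.
# Logs are only included when the fourth argument is "yes" (slide: optional).
collect_smc_materials() {
    fwdir=$1; cpdir=$2; outdir=$3; with_logs=${4:-no}
    stage="$outdir/smc_export"
    rm -rf "$stage" && mkdir -p "$stage" || return 1
    cp -pR "$fwdir/conf"     "$stage/conf"           || return 1
    cp -pR "$fwdir/database" "$stage/database"       || return 1
    cp -pR "$cpdir/conf"     "$stage/conf.cpdir"     || return 1
    cp -pR "$cpdir/database" "$stage/database.cpdir" || return 1
    if [ "$with_logs" = yes ]; then
        cp -pR "$fwdir/logs" "$stage/logs" || return 1
    fi
    # Manifest: lets the P1 side prove it received the right, unmodified files.
    ( cd "$stage" && find . -type f ! -name MANIFEST.sha256 | LC_ALL=C sort \
        | while IFS= read -r f; do sha256 "$f"; done > MANIFEST.sha256 ) || return 1
    ( cd "$outdir" && tar -cf smc_export.tar smc_export ) || return 1
    echo "$outdir/smc_export.tar"
}

# verify_smc_export <archive> <dest>
# Unpacks the archive on the P1 side and checks every manifest entry.
# Returns 1 if any file is missing or altered; prints the folder to give
# to the "migrate" dialog on success.
verify_smc_export() {
    archive=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    dest=$2
    mkdir -p "$dest" || return 1
    ( cd "$dest" && tar -xf "$archive" ) || return 1
    ( cd "$dest/smc_export" && sha256 -c MANIFEST.sha256 >/dev/null ) || return 1
    echo "$dest/smc_export"
}

# Usage on the SmartCenter:  collect_smc_materials "$FWDIR" "$CPDIR" /var/tmp yes
# Usage on the P1 machine:   verify_smc_export /var/tmp/smc_export.tar /var/tmp/import
```

Run the collect function on the SmartCenter, copy smc_export.tar to the MDS, and run the verify function there; only when it succeeds is the printed folder safe to enter in the CMA migration dialog. A failed verification means the archive is incomplete or was altered in transit, which is cheaper to find here than as a failed migration or a corrupt CMA database.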

20
Potential issues
  • Migration fails
  • DB corruption
  • MDS related issues
  • Out of space
  • MDS is too slow
  • Not the right files?
  • Some good reasons to simulate before going onto
    production
  • You always can delete CMA and customer and start
    over

21
Potential issues, cont.
  • Implied FW rules do not cover the new MGMT IP
  • To resolve this, create a dummy MGMT object with
    the new IP, add it to the masters list before
    migration and push policy
  • Third-party devices block the new MGMT IP
  • Change policies on them before migration
  • CMA cannot start
  • Most probably a licensing issue
  • If not, debug the failing process

22
Checklist after migration
  • SIC with managed objects
  • Log server definition on Enforcement points
  • Policy installation works
  • Logs
  • Licenses to check twice (especially central
    ones)

23
Questions?
  • Thank you guys