Analysis and configuration manual 3: Check Point management architecture
Check Point SmartCenter Architecture
Mat 2011
Ariel Sirota

Agenda
- Check Point Architecture
- SmartCenter server role and responsibilities
- Management challenges
- SmartCenter architecture

Network Diagram
Corporate Network, VPN-1 SecuRemote, Branch Offices, Internet, Extranet Partners, Remote Users, VPN-1 SecureClient (PDA), VPN-1 SecureClient, Dial-up, Broadband, pliant VPN gateway, Authentication Server, Content Security Gateway, FireWall-1, VPN-1 Pro, SmartDefense, FloodGate-1, ClusterXL, VPN-1 Accelerator Card.
Management: SmartCenter, SmartDashboard, SmartView, SmartMap, SmartUpdate, SiteManager-1, Provider-1, Open Security Extension, LDAP Directory.
VPN-1/FireWall-1 SecureServer, Web Server Pool, Extranet Application Servers, ConnectControl, VPN-1/FireWall-1 SmallOffice, VPN-1 Net, FireWall-1, "Clientless VPN" (SSL browser or L2TP client), UserAuthority.

Management network diagram
- Gateways
- Management
- User interface

SmartCenter roles
- Products configuration database.
- CA.
- Log Server.
- Status and audit collection.
- Gateways configuration (Policy installation).
- Provisioning (Remote installation and license management).

Management products
- SmartCenter
- Provider-1
- Management High Availability
- CLM (Log Server)
- LSM (Large Scale Management)
- OSE (Router management)

Management challenges
- Easy management for all Check Point products.
- Support multiple products (integrated).
- Support multiple product versions.
- High availability and load sharing.
- Upgrade.
- Scalability.
- Enable parallel development for multiple products management.
- Add-On architecture.

The management components
- FWM
- CPMI
- PTA
- Logging
- AMON
- SmartUpdate Engine
- SmartDirectory Engine
- Install Manager

FWM
- A daemon serving all remote clients (SmartDashboard for example).
- Exposes its functionality to the clients by the CPMI SDK and additional fwm commands.
- Responsible for authenticating remote clients.
- Manages the objects database.

FWM diagram: FWM, CPMI Server, FireWall-1 Status collection, objects_5_0.C, fwauth.NDB, asm.C, Command Dispatcher, CPMI Client, Commands sub processes (Install policy, SmartUpdate, etc), CPLMD (Log Viewing Daemon), CPCA (CA Daemon), Authentication & Authorization, LDAP client.

CPMI (Check Point Management Interface)
A Check Point software module which provides 2 services:
- Embedded object-oriented database.
- Remote database client access.
FWM manages its database by using the CPMI embedded database services.

CPMI database features
- Schema-defined object store.
- Granular permissions.
- Queries.
- 1 concurrent transaction.
- Table / Object locking mechanism.
- Auditing.
- Database change notification services.
- Object linking infrastructure.
- Type checking and constraints validation.

CPMI Tables
- The database contains multiple tables.
- Each table holds objects (each object name must be unique in the table).
- Tables can be implemented in various ways (fwset files, NDB, Memory etc).
- Each table implements a minimal interface (Update, Delete, Query).
- Multiple tables can be implemented in the same file (objects_5_0.C for example).
- The database tables are defined in tables.C.

CPMI object types
- The database object types are defined by classes (like in C++; multiple inheritance is supported). Each class is defined by a set of fields.
- For each field you can define its valid values (constraints).
- scheme.C contains a list of the files that define the object types (classes).
- Most classes are defined in classes.C.

CPMI object types
A field can be one of the following:
- Scalar types (integer, float, string or user defined types).
- Reference (A pointer to another object).
- An object (called owned object).
- Container of fields (one of the above).
A validation function can be attached for each type.

CPMI class example (abridged):

    (gateway_ckp
        :validfunc (validate_gateway_ckp)
        :baseobj (
            : (gateway)
            : (object_ckp)
        )
        :fields (
            : (SmallOffice
                :type (boolean)
                :defvalue (false)
            )
            : (IPSec_orig_if_nat
                :type (boolean)
                :defvalue (true)
            )
            # Enable keeping and copying dont fragment flag on a packet in the VPN
            : (keep_DF_flag_SR
                :type (boolean)
            )
            : (keep_DF_flag
                :type (boolean)
            )
            : (copy_DF_flag_SR
                :type (boolean)
            )
        )
    )

CPMI Fields
- A set of predefined types is supported.
- User defined types can be added to CPMI.
- These types are defined in fields.C.
An example:

    (ssl_strength
        :type (string)
        :size (6)
        :validvalues (auth,export,strong)
        :validfunc (validate_str_values)
        :defvalue (auth)
    )

Policy installation
FWM: Install FW policy on A, B
    fwm load Standard.W A B
- Verify policy
- Code generation
- Conversion
- Compilation
- Copy policy files to each gateway state directory (so it can be fetched later by the gateway)

Policy installation
    fwm load Standard.W A B
- Connect as a PTA client to all gateways (A and B each run a CPD PTA Server).
- Copy policy files to the gateway side.
- Ask the gateways to commit the policy.
- Collect the installation status and report it.

Logging features
- Send logs to multiple log servers with an option for backup servers (configured centrally, per gateway).
- Cyclic logging, automatic log switch (by time or file size).
- Local logging.
- Log forwarding (scheduled).
- Log unification.
- Dynamic log formats.
- String dictionary.

Logging on the log server
Log Server: FWD, cpca, fwm, Local log file, Remote log clients.

Logging on the gateway
VPN-1 Pro gateway: Kernel drivers, FWD, Security Servers, Vpnd. Logs go to a cyclic log buffer and the local log file, are sent to the log server, and are sent to the backup server when needed.

Management log analysis
Management (Log Server): FWD, FWM, Local log file, CPLMD; client: SmartView Tracker.
- Connect and Authenticate
- Get objects through CPMI
- Request to view log file
- Spawn sub process
- Pass request
- Reply
- Reply
- Read logs

Management monitoring service
Management: FWM; gateways: CPD AMON Server; client: SmartView Monitor.
- Connect and Authenticate
- Get objects through CPMI
- Request status information
- Reply
FWM:
1. Find the status class.
2. Gather all OIDs.
3. Request the OID counters from the gateways.
4. Receive the counters from the gateways.
5. Create an object from the status class and fill it with the counters information.
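The slides describe CPMI's schema-driven object store: classes in classes.C with base classes and fields, user-defined field types in fields.C, and "type checking and constraints validation" on top. The following is an added example, not Check Point's code, of how such a schema can be parsed and enforced: it reads the parenthesised ':key (value)' set format shown in the gateway_ckp and ssl_strength fragments, resolves fields through multiple inheritance, follows a user-defined type down to its built-in type, and checks an object's values against the size, validvalues, defvalue and boolean constraints. The grammar is inferred from the two fragments on the slides; the gateway and object_ckp base classes, the ssl_auth field and the sample objects are constructed assumptions, and the validfunc hooks are parsed but not executed.

```python
"""Parser and constraint checker for the ':key (value)' set format used by
CPMI schema files (classes.C, fields.C) and object stores (objects_5_0.C).
Added example, not Check Point's code.  The grammar is inferred from the
fragments on the slides; base classes, ssl_auth and the objects are constructed."""
import re

# tokens: parentheses, ':key' member markers (bare ':' = anonymous member) and atoms.
_TOKEN = re.compile(r"\(|\)|:[A-Za-z0-9_]*|[^\s()]+")


class Node:
    """One '(head :key (...) ...)' element; a scalar is a node without members."""

    def __init__(self, head, members):
        self.head = head            # atom(s) after '(' or None
        self.members = members      # list of (key, Node); key '' is anonymous

    def get(self, key):
        return next((v for k, v in self.members if k == key), None)

    def scalar(self):
        return self.head if not self.members else None

    def anon(self):                 # anonymous members, e.g. list entries
        return [v for k, v in self.members if k == ""]


def tokenize(text):
    # '#' comments run to end of line and are dropped before tokenizing
    return _TOKEN.findall("\n".join(l.split("#", 1)[0] for l in text.splitlines()))


def _parse_node(tokens, pos):
    if tokens[pos] != "(":
        raise ValueError("expected '(' at token %d, got %r" % (pos, tokens[pos]))
    pos, parts = pos + 1, []
    while pos < len(tokens) and tokens[pos] not in "()" and not tokens[pos].startswith(":"):
        parts.append(tokens[pos])
        pos += 1
    members = []
    while pos < len(tokens) and tokens[pos] != ")":
        key = tokens[pos]
        if not key.startswith(":"):
            raise ValueError("expected ':key' at token %d, got %r" % (pos, key))
        value, pos = _parse_node(tokens, pos + 1)
        members.append((key[1:], value))
    if pos >= len(tokens):
        raise ValueError("unbalanced parentheses")
    return Node(" ".join(parts) or None, members), pos + 1


def parse(text):
    """Parse a whole file into {top-level head: Node}."""
    tokens, pos, out = tokenize(text), 0, {}
    while pos < len(tokens):
        node, pos = _parse_node(tokens, pos)
        out[node.head] = node
    return out


class Schema:
    def __init__(self, classes_text, fields_text):
        self.classes = parse(classes_text)   # classes.C
        self.types = parse(fields_text)      # fields.C (user-defined types)

    def fields(self, class_name):
        """All fields of a class, base classes first (multiple inheritance)."""
        cls = self.classes[class_name]
        out, base, flds = {}, cls.get("baseobj"), cls.get("fields")
        for b in (base.anon() if base else []):
            out.update(self.fields(b.scalar()))
        for f in (flds.anon() if flds else []):
            out[f.head] = f
        return out

    def constraints(self, field):
        """Resolve a field's type down to a built-in, inheriting the user type's constraints."""
        t = field.get("type")
        spec = {"type": t.scalar() if t else None}
        for k in ("size", "validvalues", "defvalue"):
            if field.get(k) is not None:
                spec[k] = field.get(k).scalar()
        while spec["type"] in self.types:
            ut = self.types[spec["type"]]
            for k in ("size", "validvalues", "defvalue"):
                if ut.get(k) is not None and k not in spec:
                    spec[k] = ut.get(k).scalar()
            spec["type"] = ut.get("type").scalar()
        return spec

    def validate(self, class_name, obj):
        """Return constraint violations for obj (dict field -> string value)."""
        errors, fields = [], self.fields(class_name)
        errors += ["%s: unknown field" % n for n in obj if n not in fields]
        for name, field in fields.items():
            spec = self.constraints(field)
            value = obj.get(name, spec.get("defvalue"))
            if value is None:                       # unset and no default
                continue
            if spec["type"] == "boolean" and value not in ("true", "false"):
                errors.append("%s: %r is not a boolean" % (name, value))
            elif spec["type"] == "string":
                if "size" in spec and len(value) > int(spec["size"]):
                    errors.append("%s: %r exceeds size %s" % (name, value, spec["size"]))
                allowed = [v.strip() for v in spec.get("validvalues", "").split(",")]
                if "validvalues" in spec and value not in allowed:
                    errors.append("%s: %r not in (%s)" % (name, value, spec["validvalues"]))
        return errors


# constructed schema: gateway_ckp and ssl_strength follow the slide fragments;
# the gateway/object_ckp base classes and the ssl_auth field are assumptions.
CLASSES_C = """
(gateway :fields ( : (ipaddr :type (string) :size (15)) ))
(object_ckp :fields ( : (color :type (string) :defvalue (black)) ))
(gateway_ckp
    :validfunc (validate_gateway_ckp)
    :baseobj ( : (gateway) : (object_ckp) )
    :fields (
        : (SmallOffice :type (boolean) :defvalue (false))
        : (IPSec_orig_if_nat :type (boolean) :defvalue (true))
        # Enable keeping and copying dont fragment flag on a packet in the VPN
        : (keep_DF_flag_SR :type (boolean))
        : (keep_DF_flag :type (boolean))
        : (copy_DF_flag_SR :type (boolean))
        : (ssl_auth :type (ssl_strength))
    )
)
"""
FIELDS_C = """
(ssl_strength :type (string) :size (6) :validvalues (auth,export,strong)
              :validfunc (validate_str_values) :defvalue (auth))
"""
SCHEMA = Schema(CLASSES_C, FIELDS_C)


def check(obj):
    return SCHEMA.validate("gateway_ckp", obj)


if __name__ == "__main__":
    print(check({"ipaddr": "10.0.0.1", "SmallOffice": "true", "ssl_auth": "strong"}))
    for e in check({"ipaddr": "10.0.0.1", "keep_DF_flag": "yes", "ssl_auth": "medium", "foo": "x"}):
        print(e)
```

Defaults are applied before checking, so an object that omits ssl_auth is validated against the type's defvalue (auth), while a field with no default (keep_DF_flag) is simply left unset; an unknown field name is reported because the class, not the object, decides which fields exist.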
