Provider-1-售前技术培训

SETrainingInProvider-1AgendaBackgroundandProductArchitectureProvider-1UpgradeScalabilityandPerformanceIntroductiontoPlug-insinProvider-1Plug-insDemonstrationProvider-1EnhancementPackProvider-1ArchitectureProvider-1TrainingDayMichaelSemenov,ProjectManagerLeonidBelkind,TeamLeaderTamimNassar,TrainerInthispresentation…ComponentsarchitectureofCheckPointsoftwaresolutionsConfigurationDatabasesinProvider-1FileSystemStructureofProvider-1Provider-1Processes/DataFlowManagementHigh-AvailabilityComponentsarchitectureofCheckPointsoftwaresolutionsInthissectionLow-levelInfrastructuresApplicationInfrastructuresApplicationComponentsManagementApplicationInfrastructuresManagementApplicationsProvider-1ComponentsofCheckPointManagementSolutionsOperatingsystemtransparencySecureInternalCommunicationsApplicationLogicServerPackagingandDeploymentLow-levelInfrastructuresComponentsofCheckPointManagementSolutionsOperatingsystemtransparencySecureInternalCommunicationsApplicationLogicServerPackagingandDeploymentApplicationInfrastructuresCertificatesAuthorityReal-TimeMonitoringI/SLoggingI/SAuthenticationI/SComponentsofCheckPointManagementSolutionsOperatingsystemtransparencySecureInternalCommunicationsApplicationLogic“Container”PackagingandDeploymentApplicationComponentsCertificatesAuthorityReal-TimeMonitoringI/SLoggingI/SAuthenticationI/SLogProxyandServerReal-TimeMonitoringAgentsConfigurationDatabaseBusinessLogicServerPolicyTransferComponentsofCheckPointManagementSolutionsOperatingsystemtransparencySecureInternalCommunicationsApplicationLogic“Container”PackagingandDeploymentManagementApplicationInfrastructuresCertificatesAuthorityReal-TimeMonitoringI/SLoggingI/SAuthenticationI/SGUIInfrastructureWebUIInfrastructureLogProxyandServerReal-TimeMonitoringAgentsConfigurationDatabaseBusinessLogicServerPolicyTransferComponentsofCheckPointManagementSolutionsOperatingsystemtransparencySecureInternalCommunicationsApplicationLogic“Container”PackagingandDeploymentManagementApplications(SmartCenter)CertificatesAuthorityReal-TimeMonitoringI/SLoggingI/SAuthenticationI/SLogProxyandServerReal-TimeMonitoringAgentsConfigurationDatabaseBusinessLogicServerSmartViewTrackerSmartViewMonitorSmartUpdateSmartLSMSmartDashboardGUIInfrastructureWebUIInfrastructureSmartPortalSecurePlatformUIPolicyTransferComponentsofCheckPointManagementSolutionsOperatingsystemtransparencySecureInternalCommunicationsApplicationLogic“Container”PackagingandDeploymentProvider-1CertificatesAuthorityReal-TimeMonitoringI/SLoggingI/SAuthenticationI/SLogProxyandServerReal-TimeMonitoringAgentsConfigurationDatabaseBusinessLogicServerSmartViewTrackerSmartViewMonitorSmartUpdateSmartLSMSmartDashboardGUIInfrastructureWebUIInfrastructureSmartPortalSecurePlatformUIPolicyTransferVirtualizationProvider-1(MDG)Multi-DomainServicesGlobal-LevelServicesHigh-EndUtilitiesConfigurationDatabasesinProvider-1InthissectionMDS-LevelDatabasesCMA-LevelDatabasesCPMIDatabase–conceptsandstructureDatabaseAccessToolsQueryUtilityDBEditGUIDBEditWhatisstoredwhereMDSAMDSBCMA1CMA2CMA3CMA4CMA1_HACMA5CMA3_HACMA6MDSDBGlobalDBMDSDBGlobalDBWhatisstoredwhereMDSAMDSBCMA1CMA2CMA3CMA4CMA1_HACMA5CMA3_HACMA6MDSDBGlobalDBMDSDBGlobalDBMDS,MLMmachinesCMAs/CLMsProvider-1CustomersProvider-1Administrators,AdministratorPermissionsProvider-1GUIClients“Collected”fromtheCMAs(todisplayintheMDG)GatewaysApplicationsinstalledongatewaysWhatisstoredwhereMDSAMDSBCMA1CMA2CMA3CMA4CMA1_HACMA5CMA3_HACMA6MDSDBGlobalDBMDSDBGlobalDBGlobalObjectsGlobalSecurityPoliciesGlobalSmartDefense/WebIntelligenceConfigurationObjects“EnabledforGlobalUse”(GlobalVPN)GlobalVPNCommunitiesWhatisstoredwhereMDSAMDSBCMA1CMA2CMA3CMA4CMA1_HACMA5CMA3_HACMA6MDSDBGlobalDBMDSDBGlobalDBNetworkobjects(includingglobalsafterAssignG.P.)Services/Protocols(includingglobalsafterAssignG.P.)SecurityPolicies/Rules(includingglobalsafterAssignG.P.)NatPolicies/RulesCMASmartDefense/WebIntelligenceSettingsCMAVPNCommunities(andglobalsafterAssignG.P.)CPMIDatabaseCPMIisanenginebehindourconfigurationmanagementdatabasesItconsistsofaserver(usuallyexecutedinsideanFWMprocess)handlingthedatabasefunctions,andclientsconnectingtoitviaaspecialprotocol(alsocalledCPMI)Scheme,Class,ObjectCPMIDatabaseSchemeDescribesallkindsofentitiesstoredinthedatabase,suchas:Gateway,Host,Network,GroupUser,UsersGroup,AdministratorService,Protocol,Services/ProtocolsGroupSecurityPolicy,SecurityRuleForeachentity,specifiesitsstructure,defaultvaluesforpropertiesandrelationswithotherentitiesCPMIClassDefinitionofasingleentityinsidetheCPMIDatabaseSchemeCPMIObjectData,structuredaccordingtothedatabasescheme,storedintheconfigurationdatabaseDatabaseAccessToolsGUIDBEditGraphicalTool(CPMIClient)showingthecontentsoftheconfigurationdatabaseandallowingtomodifyobjectsvisuallyDBEditCommand-linetool(CPMIClient)thatallowsmakingmodificationstotheobjectsstoredinthedatabase.CanbescriptedtomakecomplexchangesQueryToolCommand-linetool(CPMIClient)connectingtothedatabase,sendingaqueryspecifyingobjectpropertiesandretrievingalistofobjectsGUIDBEditAvailablewitheveryinstallationofSmartConsoleResidesintheSmartConsoledirectory: ?:\ProgramFiles\CheckPoint\SmartConsole\<VERSION>\PROGRAM\GuiDBedit.exeVersionsensitive(i.e.youneedtouseGUIDBEditofaspecificversionyouareconnectingto)GUIDBEditDBEditAvailablewitheveryinstallationofSmartCenter/MDSRequires administrator credentialsto accessthe databaseQueryTool-MDSQueryDBDeliveredwithProvider-1MDSContainssetofpre-definedqueriesforCMAandMDSdatabasesQueryTool-cpmiquerybinDeliveredwithProvider-1MDSAllowsfree-formatqueryingofCPMIdatabases(first-levelfieldsquery/listonly)FileSystemStructureofProvider-1InthissectionGeneralDataLocations/opt/varMDSandCMAsdataLocationsofDatabasesLocationsofadditional“named”resourcesLogsCAcertificatesProvider-1Installation–DataLocations/optInstallationofallofthe“fixed”files(binaries,libraries,…)DifferentdirectoriesfordifferentinstallationpackagesUnixSoft-Linkstovariabledatainstalledin/varProvider-1Installation–DataLocations/optCPEdgecmp-<VER>-VPN-1EdgeCompatibilityPackageCPmds-<VER>-Provider-1Multi-DomainServerCPngcmp-<VER>-VPN-1NGCompatibilityPackageCPR55WCmp-<VER>-VPN-1R55WCompatibilityPackageCPshared–“SVNInfrastructure”(mainlysoftlinks)CPshrd-<VER>-“SVNInfrastructure”CPsuite-<VER>-MainVPN-1PackageCPvsxngxcmp-<VER>-VPN-1VSXCompatibilityPackageCPInstLog–InstallationLogsProvider-1Installation–DataLocations/var/optCPmds-<VER>CPmds-<VER>/conf–Provider-1GlobalDBCPmds-<VER>/conf/mdsdb–Provider-1MDSDBCPmds-<VER>/log–MDS-levelAuditLogs,processdebuglogsCPmds-<VER>/customers–Customers(CMAs)DataCPshrd-<VER>

CPshrd-<VER>/conf–MDS-levellicenses,CAcertificateCPshrd-<VER>/registry–MDS-levelRegistry(settings)CPshrd-<VER>/log–CPShared-levelprocessdebuglogsCPsuite-<VER>Provider-1Installation–Customers(CMAs)DataLocations/var/opt/CPmds-<VER>/customers/<CMA_Name>CPEdgecmp-<VER>CPngcmp-<VER>CPR55WCmp-<VER>CPshrd-<VER>CPshrd-<VER>/registry–CMA-levelRegistry(settings)CPshrd-<VER>/conf–CMA-levellicenses,CAcertificateCPsuite-<VER>CPsuite-<VER>/fw1/conf/–CMADatabase($FWDIR/conf)CPsuite-<VER>/fw1/log/–CMALogsCPvsxngxcmp-<VER>CPMIDatabase–FilesStructureOutline$FWDIR/confCPMIDatabaseSchemeFilesCPMIDatabaseTablesVirtualNICData(Provider-1)Auto-generatedfilesLinkstoshareddata(Provider-1)DataFilesforDifferentApplications(SVM,…)$CPDIR/confCACertificateLicenses(cplic)CPMIDatabase–FilesStructureOutlineCPMIDatabaseSchemefilesscheme.Cclasses.C(oradditionalfilesaccordingtoscheme.C)tables.Cfields.CCPMIDatabaseTablesobjects_5_0.Crulebases_5_0.fwsasm.Cfwauth.NDB…(accordingtotables.C)LocationofNamedResourcesLogsInstallation/Upgrade/opt/CPInstLog$FWDIR/conf/upgrade_log.txtCMALogs/var/opt/CPmds-<VER>/<CMA_Name>/vigor1/CPsuite-<VER>/fw1/logMDSLogs$MDSDIR/logCAcertificatesMDS:/var/opt/CPshrd-<VER>/confCMA:/var/opt/CPmds-<VER>/customers/<CMA_Name>/CPshrd-<VER>/confProvider-1Processes/DataFlowInthissectionMDSandCMAprocessesandtheirfunctionsCommunicationsbetweendifferentcomponentsDataFlowStatusesLogsObjectUpdatesGlobalPolicyAssignmentMDSprocessesfwmCPMIStatuscollectionServingGUIclientsrequests(GlobalSmartDashboard,MDG)fwdLogServer(MDS-levelAuditLogs)cpcaCAdaemoncpdLocalstatusAMONservercplmdServingSmartViewTrackerclientsCMAprocesses(separateforeachCMA)fwmCPMIStatuscollectionServingGUIclientsrequests(likePolicyinstallation,LDAPconfiguration,etc…)fwdLogServercpcaCAdaemoncpdPolicyfetchingserverLocalstatusAMONservercplmdServingSmartViewTrackerclientscpstat_monitorThresholdmonitoringforSmartViewStatussmsServingVPN-1EdgeclientsConnectionsandDataFlowFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAMDSAMDSBCMA1CMA2CMA3CMA4CMA1_HACMA5CMA3_HACMA6CPMIConnectionsConnectionsandDataFlow-StatusFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAMDSAMDSBCMA1CMA2CMA3CMA4CMA1_HACMA5CMA3_HACMA6FWDCPDVPN-1SmartViewMonitorMDGThestatusisreportedbytheCPDtotheFWMviaAMONconnections,andfromtherebyCPMItoclientsConnectionsandDataFlow–ObjectUpdatesFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAMDSAMDSBCMA1CMA2CMA3CMA4CMA1_HACMA5CMA3_HACMA6SmartDashboardMDGWhentheadministratormakesupdatestotheCMAconfigurationthatshouldbereflectedintheMDG(gateways)thechangesarepropagatedviaCPMIconnectionstotheMDS,betweenMDSsandtotheMDGConnectionsandDataFlow-LogsFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAMDSAMDSBCMA1CMA2CMA3CMA4CMA1_HACMA5CMA3_HACMA6FWDCPDVPN-1SmartViewTrackerThelogsarereportedbytheFWDprocessesonremotemachinestotheFWDprocessesonthelogserverusingtheinternallogsprotocol.CPLMDUponconnectionofSmartViewTracker,cplmdprocessisresponsibleforretrieving/processingdatafromtheFWDlogsdatabaseandsendingitviaFWM/CPMIconnectiontotheGUI.ConnectionsandDataFlow–AssignGlobalPolicyFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAFWMFWDCPDCPCAMDSAMDSBCMA1CMA2CMA3CMA4CMA1_HACMA5CMA3_HACMA6MDGFWM(fwmconnect)TemporaryCPMIConnectionsforGlobalPolicyAssignment.OpentoActiveCMAs.FWM(fwmconnect)ManagementHigh-AvailabilityInthissectionProvider-1High-Availability3levelsofsynchronizationMDSHAGlobalDatabaseHACMAHADistributedcustomer-levelManagement High-Availability(SmartCenter Backup)Provider-1HighAvailability–

3levelsofsynchronizationCMA3CMA1CMA2CMA4CMA1HACMA2HANYMDSLondonMDSMDSMDSGlobalGlobalProvider-1HighAvailability–

3levelsofsynchronizationCMA3CMA1CMA2CMA4CMA1HACMA2HANYMDSLondonMDSMDSMDSGlobalGlobalMDSHAGlobalDatabaseHACMAHAProvider-1HighAvailability–

3levelsofsynchronizationMDSHAPerformedonline,uponeachupdateanduponconnectionbetweenMDSsSynchronizedData:AdministratorsandPermissionsCustomersandCMAsGUIClientsGlobalDatabaseHAPerformedeitherexplicitlyoruponscheduledeventorwhentheGlobalDatabaseissavedSynchronizedData:GlobalObjectsGlobalPoliciesProvider-1HighAvailability–

3levelsofsynchronizationCMAHAPerformedinthefollowingcases:ExplicitlyUponscheduledeventWhenthepolicychangesaresavedWhenthepolicyisinstalledonagatewaySynchronizedData:CMAObjects(includingglobalobjectsassignedtotheCMA)CMAPolicies(includingtheassignedglobalpolicy)CertificatesAuthorityDatabaseDistributedCustomer-Level

ManagementTheGoalCreateManagementHigh-AvailabilityenvironmentforasingleProvider-1customerbetweenCMA(s)andSmartCenterAllowmanagingthegatewaysfromtheSmartCenterpeerwhennoconnectivitytoProvider-1SynchronizationbetweentheCMAandtheSmartCenterGlobaloperationsareperformedwhenaCMAisactiveDistributedCustomer-Level

ManagementCMA3CMA1CMA2CMA4CMA1HACMA2HALondonMDSNYMDSMDSMDSCMAHACMAHAManagementHASmartCenter

BackupGlobalGlobalQuestions?Provider-1UpgradeandMigrateProvider-1TrainingDayMichaelSemenov,ProjectManagerLeonidBelkind,TeamLeaderYevgenyFabrikant,Upgrade&CompatibilityTeamLeaderInthispresentation…Upgrade/MigrateScenariosandToolsAvailablepathsHigh-leveloverviewofthetoolsTroubleshootingCPMIDatabaseUpgradeEngineArchitectureOverviewTroubleshootingDatabaseSplit/Merge ScenariosandToolsUpgrade/MigrateScenariosandToolsInthissectionIn-placeupgradeoftheMDSserverCMA/SmartCenterMigrationFromthesameversionWithupgradeMigrationofGlobalPoliciesFromthesameversionWithupgradeWhatisnotsupportedIn-placeupgradeoftheMDSAvailableinSolaris,LinuxandSecurePlatformbetweenallversionsException:OnLinux,NGreleaseshavesupportedRedHat7.x,whereasNGXreleasessupportRedHatEnterpriseLinuxInLinux/Solarisinvokedby:MountingtheProvider-1CDandcalling“mds_setup”InSecurePlatforminvokedby:InsertingtheProvider-1CDandrunning“patchaddcd”(upgradesboththeSPLATOSandProvider-1)Canbeusedincombinationwithbackup/restoretoperformupgradeinthelaboronanothermachineingeneralIn-placeupgradeoftheMDS-FlowRunpre-upgradeverificationsIfSPLAT,upgradetheOSInstallthenewpackages(UpdateMDSRegistry)UpgradetheMDS-leveldatabases–GlobalDB,MDSDBHandleallCMAs(registry,database)Runpost-upgradefixersCMA/SmartCenterMigrationThemigrationisperformedusingthe“ImportCMA”tool(fromtheMDG)orcma_migratecommandlinetoolThereisno“export”toolforCMA.Thedocumentationcontainsdescriptionofthefiles/directoriesthatneedtobecopiedmigrate_assist–copiestherelevantfilesviaftpCertificateAuthorityoftheoriginalmanagementispreserved,thereforeSICdoesn’tneedtobere-initializedMigrationbetweendifferentversions(withUpgrade)issupportedMultiplepre-upgradeverificationtoolsarerunAdministratorsandGUIClientsarenotimported(inProvider-1thesearedefinedatthegloballevelandnotintheCMA)CMA/SmartCenterMigrationFlowCreateanewprimaryCMARunpre-upgradeverifiersVerification-stopmigrationiftheCMAhasalreadybeenstarted(testwhetherthefileapplication.Calreadyexists)-stopmigrationiftheCMAhasVSXobjectsHandlingfilesbeforecopyingRemovingrtm.C(toavoidfailureincasethesourcedatabasedoesn’tincludethisfile)RemovingCPMILinksMgr.db,bogusIp.db,deffilesIncaseofmigratefromManagementWindows,runningdos2UnixonallfilesexceptInternalCA.NDB,fwauth.NDBBackupthefilevip_index.confbeforesavecurrentcmaIPbeforecopyingallfilesRemovefilescontainingcpmitablesoftargetversionCopy$FWDIR/conf,$CPDIR/confdirectoriesfromsourcedatabaseintothetargetdatabase,excludingschemafilesRunningfixersbeforeupgradingthedatabaseMergingthecp.licensefileofthesourcedatabase(ifany)withtheonesoftheCMASetcorrectIP-ip_migrate_fix(bothintheobjectoftheCMAandinthefilevip_index.conf)VhangeformatofCA(shouldhavenoeffectonsolarisplatform)-cpca_dbutilHandlingsicinfoinregistryformigrate(install_fix)Replaceuidsinthefollowingtables:"network_objects","applications",“licenses","servers“-replace_uids_for_cma_if_neededCorrectdefaultobjectsandclassesfilesinthetargetdirectory(Copyfrom$MDS_TEMPLATE/conf).Upgrade(cpdb)Creatingaconfdirectoryforcpdbtoholdtheentirefileslocatedunder$MRGCUST_SRC_DIR/confandtheCPMItablesandschemafilesfrom$FWDIR/confafterthefixerswererunning.RemovesoftlinksinthesourcedatabasebeforerunningRuncpdbFinalStepsRemovefilesthatwillbegeneratedwhenthefwmstarts-mgmtha.confmgmtha_stackmgha,applications.C,*.WfilesRe-createsoftlinkstoMDSDBTakecareof'hosted_by_mds'attributeformigrateinobjects_5_0.C.MigrationofGlobalPoliciesReplacestheexistingGlobalDatabase(GlobalObjects+GlobalPolicies)withthemigratedone(nomerge!!!)Doneusingmigrate_global_policiescommandlinetool(noGUI)MigratingfrompreviousversionwhileupgradingissupportedPre-upgradeverificationtoolsarerunSourcedatabasehastocomefromanotherProvider-1GlobalDatabase(nomigrationofCMA/SmartCentertoglobal)MigrationofGlobalPoliciesTechnicalprocessverysimilartoCMA/SmartCentermigrationAstheprocessdealswiththefilesoftheconfigurationdatabase,theMDSprocessesneedtobestopped(theCMAs–notnecessarily)NotsupportedMigrationofAdministrators/GUIClients(residingintheMDSDB)TheseneedtoberedefinedMigrationofCMA/SmartCenterwithVSXcomponentsDeletetheVSXcomponent,migratetherestandre-createthemMigrationofawholeMDSserverOnlymds_backup/mds_restoreifmovingbetweenmachinessharingthesameOS/architectureMigrationofaCMAbackto SmartCenterManualfixesarerequiredTroubleshootingLogsPUVToolsReport(in-placeupgrade)

/opt/CPInstLog/verification_tools_reportMDSWrapperLog /opt/CPInstLog/mds_setup_<MM>_<DD>_<HH>_<MM>.logPackageInstallationLogs

/opt/CPInstLog/install_<PKG>_<Release>.logMDSDB,GlobalDBUpgradeLog

$MDSDIR/conf/upgrade_log.txtCMADBUpgradeLog

/opt/CPmds-<VER>/customers/<CMA_Name>/CPsuite-ENF/fw1/confCPMIDatabaseUpgradeEngineInthissectionCPMIDatabaseUpgradePhasesTroubleshootingtheCPMIDatabaseUpgradeExampleLocationsofImportantFilesCPMIDatabaseUpgradeProcessUpgradetheCPMIDB(cpdb):ManualUpgradeMergetheDefaultDatabasePerformSchemeAdjustmentUpgrade–SchemeAdjustmentR55

gateway_ckp:ip_addr():hostname(castle):firewall(true)NGX

gateway_ckp:ip_addr():hostname(castle):firewall(true):antivirus(false)Scheme:(antivirus:type(boolean):defvalue(false))Upgrade–MergetheDefaultDBDNS:port(113):color(blue)R55NGXdefaultDBNGXDNS:port(113):color(black):protocol(udp)ssh2:port(22):color(black):protocol(tcp)DNS:port(113):color(blue):protocol(udp)ssh2:port(22):color(black):protocol(tcp)TroubleshootingcpdbUpgradelogparts(upgrade_log.txt)GenerallogLegacyupgradeinformation(optional)“Manualupgrade”logMergelogWrite(save)logLocationofImportantFilesUpgradeutility-$FWDIR/bin/cpdbInstallationlogfiles-/opt/CPInstLog/*cpdblogfile-$FWDIR/conf/upgrade_log.txtDefaultDB-$FWDIR/conf/defaultDatabaseDatabaseSplit/MergeScenariosandToolsInthissectionSplittingoneSmartCenter/CMAConfigurationdatabaseintoanumberofCMAsMergingmultipleSmartCenters/CMAsintoasingleCMAPromotingobjectstoGlobalPolicylevelSplittingSmartCenterintoanumberofProvider-1CMAsThesameSmartCenterconfigurationcanbemigratedmorethanonceintotheProvider-1environmentSICResethastobeperformedonallofthemigrated“copies”butone,asdifferentCMAs(Customers)musthavedifferentCAs“Irrelevant”objects/policiesshouldbedeletedafterthemigrationandtheSICResetSplittingSmartCenterintoanumberofProvider-1CMAsTheGoalCopy/MoveexistingdefinedobjectsfromanumberofSmartCenters/CMAsintoasingleCMATheToolsObjectsDumper/FillerScriptsthatautomatecreationofobjectswithdbeditCancreatebulksofsimplenetworkobjectsbasedonCSVfilesConstantlyupdated(canbedownloadedfromtheInternet)cp_mergeBinaryexecutablethatimportsobjectsintoarunningmanagementfromanofflineconfigurationfile(fromanothermanagement)Candealwith“simple”objects–hosts,networks,…ProvidedwitheachSmartCenter/Provider-1 installationMergingmultipleSmartCenters/CMAsintoasingleCMAMergingmultipleSmartCenters/CMAsintoasingleCMAThingstokeepinmindMovingobjectswithcertificates(gateways,users)isproblematic.Inmostofthecases,thecertificateswillhavetobere-initializedMovingfirewallsandtheirpoliciesistricky,aspoliciesrequireallofthereferencednetworkobjects/services/…tobebroughtalong.Namecollisionshaveahighchance“Promoting”ObjectstoGlobalPolicyTheGoalCopy/MoveexistingdefinedobjectstotheGlobalDatabaseinsteadofredefiningthemTheToolsDbedit–commandlineinterfacetoCheckPointconfigurationdatabases(officiallysupported)ObjectsDumper/ObjectsFiller–toolsthatautomatedbedittasks(noofficialsupport)ObjectsFiller/Dumper–MoreInformationMoreinformationaboutthesetools(includingdetaileddocumentationwithsamples)andthetoolsthemselvesareavailablefrom:/Additionalsites(partialmirrors):/ofiller//check_point_resources.htmQuestions?Provider-1Scalability&PerformanceMichaelSemenovProvider-1ProjectManagerInthispresentation…CapabilitiesofProvider-1usage(numbers)TypicalProvider-1scalesSystemconfigurationHardwareconfigurationrequirementsAnalyzingthesystemloadCapabilitiesofProvider-1usageInthissectionMaximum#ofsynchronizedMDSsMaximumCMAsononeMDSMaximum#ofgatewaysononeCMAHAlimitationsGlobalobjectsGlobalrulesSomenumbers–MDSinsyncNoofficialrestrictiononthemaximum#ofsynchronizedMDSsRecommendedupto6–8MDS/MLMsExistinginstallations:morethan20(withsomerestrictions)Somenumbers:CMAsonMDSOfficialrestriction:250CMAsononeMDSPossibilitytoincreaseupto500(notsupportedandnottested)InrealityitdependsontherealCMAconfigurationsForMDSsthatcontainalargeamountofCMAs:“Light”CMAs:fewobjectsandrulesoneachoneStrongHardwareSeparatedloggingtothedesignatedlogserver/MLMSomenumbers:GWsonCMADesirablyupto50Heavilydependsonthecomplexityofrule-base/databaseThereareinstallationswithmoreGWsonaCMA.Thecommonproblemswithsuchconfigurationsare:LongpolicycompilationtimesSeriousstatusestrafficloadGatewaysshouldhaveenoughmemorytoholdalargedatabaseSmartLSMisasolutioninsomecasesThereareinstallationswhere1MDSservermanagesupto2000firewallmodulesdistributedbetweenCMAsOtherrestrictionsHigh-Availabilityrestrictions:Only2CMAsinHA+1SmartCenterbackupareallowedpercustomer.Inthecomingreleasesweareplanningtoallowmorethan2CMAstobeinHAGlobalrulesandobjectsThousandsofglobalobjectsareallowedKnownnamedcustomerswithglobaldatabasesofupto20000objectsNolimitationonamountofglobalrulesLargepolicydatabasesaffectsthesystemperformanceProvider-1Environments-ScalesEnterpriseSmallEnterprise–1MDS,3-5CMAsMediumEnterprise–1-2MDSs,1MLM,5-25CMAsLargeEnterprise–2-3MDSs,1-4MLMs,25+CMAsMSPSmallMSP–1-2MDSs,1MLM,20-50CMAsMediumMSP–1-2MDSs,1-2MLMs,50-200CMAsLargeMSP–3-4MDSs,2-3MLMs,200+CMAsReallyLargeProvider-1Environments:Upto2000high-endfirewallsUpto20000globalobjectsUpto1000CMAsUpto200GBLogs/dayHardwareRequirementsInthissectionCPUandmulti-processingRAMrequirementsHDDconfigurationsCPUandmulti-processingProvider-1isamulti-processapplicationMultipleCPUsgetutilizedMultiple-coreCPUsimprovesperformanceDual-CoreCPUimprovesP-1performanceinthesamewayas2singlecoreCPUsRecommendationsP-1willworkevenonaoneCPUserverMostofthecustomersuseatleast2CPUsSomecustomerswithheavy(CMA-number-wise)MDSinstallationsuse4dual-coreCPUsserversRAMrequirementsVerydependantontheconfiguration#ofCMAs#ofrules#ofGWs#ofnetworkobjectsOtherparametersForNGXR65thefollowingrecommendationsareapplicable:Forenvironmentswithlessthan3-4smallCMAs–2GBRAMUpto10smallCMAs–2-4GB10–50CMAs–4-8GBMorethan50,orwith“heavy”CMAs–8–32GBHDDrequirements*NGX:1GB+100MBx#CMAsI/OperformanceiscriticalRAID(hardwareorsoftware)isveryusefulinstripeconfigurationsRAID5stripecanspeedupsomeoperationsupto500%ExternalHDDdevicessometimesareveryuseful,especiallyforLogServersWhendoingupgradeinplace,“old”files/directoriesbydefaultremain*TheCMAsizeiswithoutlogsandpolicyrevisions.Thedeviationcanbeupto150%SystemConfigurationSystemConfigurationLoadbalancingbetweenMDSsSetupactiveCMAsondifferentMDSsSeparateLogServersNotseparatedloggingproducessignificantloadonamanagementserverSWAPsize2xRAMormore/vardirectoryshouldbebigenoughtostoreconstantlygrowingdataDatabasesRevisionsLogsAnalyzingthesystemloadInthissectionWhydoweneedtoanalyzethesystemload/potentialVMstat–anultimatetoolforanalyzingthesystemload/potentialUnderstandingtheVMstatoutputDifferencesbetweenSolaris, LinuxandSecurePlatformWhydoweneedtoanalyzethesystemload/potentialCustomergrowthHowmanyCMAscanIaddonthissystem?TroubleshootingWhat’swrongwithmyperformance?HowcanIimproveit?UpgradescenariosLabsimulationofalargesystembeforeproductionenvironmentSimulationonanotherhardwareforpurchasingdecisionsVMstatvmstatisapartofstandardSolaris/Linux/SPLATdistributionT