A Multi-Domain Management environment, including all of its features and functionality, can now be deployed in Azure, subject to the following limitations.
You can read more on Multi-Domain Management here: https://www.checkpoint.com/products/multi-domain-security-management/
1. Multi-Domain Management Server IP addresses must be private and static (not public IP addresses and not dynamic IP addresses).
2. You must ensure connectivity between all Check Point objects across the Multi-Domain environment, for example between:
- Multi-Domain Servers and Multi-Domain Log Servers.
- Domain Management Servers and Domain Log Servers.
- Security Gateways, and so on.
All of the above must be installed in the same VNet, or be connected over VPN, Azure ExpressRoute, VNet peering, or similar.
Lack of connectivity between the different objects will cause functional issues and failures.
3. For on-premises objects and for the Windows machine that runs SmartConsole, it is up to you to establish connectivity to the Multi-Domain environment deployed in Azure.
4. Before creating a new Domain Management Server, add its IP address to the MDS network interface: in the Azure portal, open the Network interface object attached to your MDS virtual machine, go to Settings > IP configurations, and add the private, static IP address of the Domain Management Server you are about to create.
Note: You add the IP address as an additional IP configuration on the existing interface of the MDS in the Azure portal; no new interface is needed.
Minimum Instance size requirements
DS15_v2 / DS5_v2, or any similar instance with at least 16 cores and 64 GB of RAM.
To deploy a Multi-Domain Management Server in Azure, go to the Azure portal:
- Create a resource.
- Search for Check Point and choose "CloudGuard IaaS - Firewall & Threat Prevention".
- From the drop-down menu, choose "CloudGuard Multi-Domain Server".
- In Installation type, choose "Primary Multi-Domain Server", "Secondary Multi-Domain Server", or "Multi-Domain Log Server", depending on your needs.
- Wait for the installation to finish, then run the First Time Wizard with the Multi-Domain configuration.
To check that the Multi-Domain Server is ready:
- Log in to the machine in Expert mode and run the following command: mdsstat
- The Multi-Domain Server is ready when the output shows all processes as up.
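A readiness check you can script around mdsstat, as an added example that is not part of the original article or Check Point's own tooling: the server counts as ready only when no process column (FWM, FWD, CPD, CPCA) reads "down" and the summary line reports 0 down. The two mdsstat tables below are constructed for the example and approximate the real layout; column widths and exact wording on your release may differ, so compare against a live run before relying on the patterns. The same check covers the "make sure the new Primary MDS is ready" step of the HA upgrade procedure further down.

```shell
#!/bin/sh
# Added example (not from the original article): parse mdsstat output and
# decide whether the Multi-Domain Server is ready, i.e. every process column
# reads "up" for the MDS and for every Domain Management Server, and the
# summary line reports 0 down. The sample tables below are constructed for
# this example and approximate the real mdsstat layout.

# Return 0 when the given mdsstat output shows every process up, 1 otherwise.
mds_ready_from_text() {
    text="$1"
    # Any "down" cell in a process column means not ready.
    if printf '%s\n' "$text" | grep -Eq '[|][[:space:]]*down'; then
        return 1
    fi
    # The summary line must be present and report 0 down.
    if ! printf '%s\n' "$text" | grep -Eq 'Domain Management Servers checked:.*[[:space:]]0[[:space:]]+down'; then
        return 1
    fi
    return 0
}

# Poll the live command until ready or until the timeout (seconds) expires.
# Only meaningful on an MDS in Expert mode; not called in this example.
wait_for_mds() {
    timeout="${1:-600}"
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if mds_ready_from_text "$(mdsstat 2>/dev/null)"; then
            return 0
        fi
        sleep 10
        waited=$((waited + 10))
    done
    return 1
}

# Constructed sample: one MDS and one Domain Management Server, all up.
SAMPLE_UP='|Type   |Name               |IP address  |FWM        |FWD        |CPD        |CPCA|
|MDS    |  -                |10.1.0.10   |up 10233   |up 10240   |up 10221   |up  |
|CMA    |dom1_Server        |10.1.0.11   |up 10301   |up 10305   |up 10290   |up  |
| Total Domain Management Servers checked: 1    1 up   0 down                     |'

# Constructed sample: the Domain Management Server is still coming up.
SAMPLE_DOWN='|Type   |Name               |IP address  |FWM        |FWD        |CPD        |CPCA|
|MDS    |  -                |10.1.0.10   |up 10233   |up 10240   |up 10221   |up  |
|CMA    |dom1_Server        |10.1.0.11   |down       |up 10305   |up 10290   |up  |
| Total Domain Management Servers checked: 1    0 up   1 down                     |'

if mds_ready_from_text "$SAMPLE_UP"; then echo "sample 1: ready"; else echo "sample 1: not ready"; fi
if mds_ready_from_text "$SAMPLE_DOWN"; then echo "sample 2: ready"; else echo "sample 2: not ready"; fi
```

Requiring the summary line as well as the absence of "down" cells means a truncated or empty output (for example, mdsstat run before the environment is sourced) is treated as not ready rather than silently passing.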
Note: The Automatic Provisioning Service will be enabled only on a Primary Multi-Domain Server.
Upgrade an HA environment (more than one MDS)
Use the following procedure to upgrade your HA environment:
Note: The order of the steps is important.
- Export the DB from both MDS HA members.
- Transfer the exported DBs to an external location.
- Back up the Secondary MDS.
- Delete the Secondary MDS (the virtual machine itself).
- Shut down the Primary MDS.
- Deploy a new Secondary MDS. You must make sure that the new machine receives the same IP address as the old Secondary MDS. Currently there is no way to pick an IP address in our template (this will be fixed); the first available IP address is assigned automatically, so you need to assign the correct IP address manually.
- In the Azure portal, add all the IP addresses of the Domain Management Servers (CMAs) to the new Secondary MDS.
- Deploy the new Primary MDS.
- In the Azure portal, delete all the CMA IP addresses from the old Primary MDS and add them to the new Primary MDS.
- Make sure that the First Time Wizard of the new Primary MDS has completed and that the server is ready (check with mdsstat, as described above).
- Transfer the DBs exported and stored externally in the first two steps to the new Secondary and Primary MDS.
- Run mds_import.sh [path to tgz] on both MDS members.
- On the Primary MDS, you will be asked whether to change the IP address; choose "Yes".
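The portal steps that add a Domain Management Server address to the MDS interface (limitation 4 above) and that move the CMA addresses from the old Primary MDS to the new one during the HA upgrade can also be done with the Azure CLI. The script below is an added example, not code from the original article or from Check Point: it refuses any address outside the RFC 1918 private ranges (limitation 1 requires private static addresses), creates each address as an additional IP configuration on the existing NIC, and moves addresses by deleting them from the old NIC before creating them on the new one. The resource group, NIC names and addresses are constructed for the example; with DRY_RUN=1 (the default here) it prints the az commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original article or Check Point): manage the
# secondary private static IP configurations that Domain Management Servers
# (CMAs) need on the MDS network interface, using the Azure CLI.
# Resource group, NIC names and addresses below are constructed for the
# example. DRY_RUN=1 prints the az commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# Return 0 if the dotted-quad address lies in an RFC 1918 private range
# (10/8, 172.16/12, 192.168/16); Multi-Domain addresses must be private.
is_private_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -ge 0 ] && [ "$o" -le 255 ] || return 1
    done
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    return 1
}

# Print the az command in dry-run mode, otherwise execute it.
run_az() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'az %s\n' "$*"
    else
        az "$@"
    fi
}

# Add a secondary IP configuration with a static private address to a NIC.
# Giving --private-ip-address requests that exact address (static allocation).
add_cma_ip() {
    rg="$1"; nic="$2"; name="$3"; ip="$4"
    if ! is_private_ipv4 "$ip"; then
        echo "refusing $ip: Multi-Domain addresses must be private static" >&2
        return 1
    fi
    run_az network nic ip-config create \
        --resource-group "$rg" --nic-name "$nic" --name "$name" \
        --private-ip-address "$ip"
}

# Remove an IP configuration from a NIC.
delete_cma_ip() {
    rg="$1"; nic="$2"; name="$3"
    run_az network nic ip-config delete \
        --resource-group "$rg" --nic-name "$nic" --name "$name"
}

# Move every CMA address given as "name ip" lines from one NIC to another.
# Delete from the old NIC first: the same private address cannot be assigned
# to two NICs in the subnet at once.
move_cma_ips() {
    rg="$1"; old_nic="$2"; new_nic="$3"; pairs="$4"
    printf '%s\n' "$pairs" | while read -r name ip; do
        [ -n "$name" ] || continue
        delete_cma_ip "$rg" "$old_nic" "$name" || exit 1
        add_cma_ip "$rg" "$new_nic" "$name" "$ip" || exit 1
    done
}

# Constructed example values: two existing Domain Management Servers to move
# from the old Primary MDS NIC to the new one, plus one new Domain Server.
CMA_IPS='dom1 10.1.0.11
dom2 10.1.0.12'
move_cma_ips rg-mds nic-mds-primary-old nic-mds-primary-new "$CMA_IPS"
add_cma_ip rg-mds nic-mds-primary-new dom3 10.1.0.13
```

Run it once with DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 on a host that is logged in to the subscription. Each name passed as the IP configuration name must be unique on the NIC; using the Domain Management Server name keeps the portal view readable when you later need to delete or move an address.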
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.