You can now deploy a Multi-Domain Management environment, including all features and functionalities on Google Cloud Platform.
You can read more on Multi-Domain here: https://www.checkpoint.com/products/multi-domain-security-management/

Minimum Instance Size Requirements
c2-standard-16 or any similar instance with a minimum of 16 cores and 64 GB RAM (and up).

Installation
To deploy a Multi-Domain Management Server in Google Cloud Platform:
- Go to the Google Cloud Platform Marketplace and search for Check Point products.
- Deploy “Check Point CloudGuard IaaS Firewall & Threat Prevention / (BYOL)” VM.
- After choosing resource allocation, choose R80.30/40 Manual configuration.
- A VM with a private & public IP will be deployed.
- Wait for the installation to finish and run the First Time Wizard with Multi-Domain configuration.
- Follow the regular First Time Wizard configuration, choose the primary and secondary Multi-Domain Log Server and the Multi-Log Server, and make sure you are using the same NTP servers for High Availability.
To check the Security Management Server's readiness:
- Log in to the machine in Expert mode and run this command:
- When the Multi-Domain Management Server is ready, the output of the command shows that all processes are up.
The Automatic Provisioning Service will be enabled only on the Primary Multi-Domain Server.

Upgrade of a High Availability environment (More than one Multi-Domain Server)
To upgrade your High Availability environment:
Note - The step order (sequence) is very important.
- Export the databases from both Multi-Domain High Availability members.
- Transfer the databases to an external location.
- Backup the Secondary Multi-Domain Server.
- Delete the Secondary Multi-Domain Server (the machine itself).
- Shut down the Primary Multi-Domain Server.
- Deploy a new Secondary Multi-Domain Server (you must make sure that the new machine receives the same IP address as the old Secondary Multi-Domain Server). Currently, there is no way to pick an IP address in our template (this will be fixed). The first available IP address is assigned automatically. Consequently, you need to manually assign the IP address.
- Add all the IP addresses of the Domain Management Servers to the new Secondary Multi-Domain Server in the Azure portal.
- Deploy the new Primary Multi-Domain Server.
- Delete all the IP addresses of the Domain Management Servers from the old Primary Multi-Domain Server, and add them to the new Primary Multi-Domain Server in the Azure portal.
- Make sure that the First Time Wizard of the Primary Multi-Domain Server completed, and that it is ready.
- Transfer the previously exported databases to the new Secondary and Primary MDS (from step #2).
- Run mds_import.sh [path to tgz] on both Multi-Domain Server members.
- On the Primary Multi-Domain Server you will be asked to change the IP address, choose "Yes".
- The IP addresses of the Multi-Domain Management Server must be private static (not public IP addresses, not Dynamic IP addresses).
- The user must ensure connectivity between all Check Point objects across the Multi-Domain environment. For example: Multi-Domain Servers and Multi-Domain Log Servers, Domain Management Servers and Domain Log Servers, Security Gateways and more. All the above must be installed in the same VNET, or be connected over VPN, Google Cloud Interconnect, or VNET Peering etc. Lack of connectivity between the different objects might result in functional issues and failures.
- For on-premises objects and Windows machines (for SmartConsole usage), it is up to the user to establish connectivity with the Multi-Domain environment that is deployed in Google Cloud Platform.
- Before creating a new Domain Server, you must add a new IP address: go to the Network interface object related to your MDS machine > click Edit > Network Interface > Show Alias IP ranges, and add the IP address of the Domain Server that you are about to create (private, static). Note - You are adding the IP to the existing interface of the Multi-Domain Server in the Google Cloud Marketplace Portal Under Compute Engine > VM Instances.
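The alias IP step above, done from the gcloud CLI instead of the console, as an added example (this is not Check Point's own tooling): the instance name, zone, interface name and addresses are assumptions, the script only checks that the Domain Server address is a private IPv4 address before building the command, and it prints the command rather than running it.

```shell
#!/bin/sh
# Added example (not Check Point code): before adding a Domain Server IP as an
# alias range on the MDS instance, check that it is a private (RFC 1918) IPv4
# address, then build the equivalent gcloud command. Instance, zone and
# interface names below are assumptions.

# Return 0 when $1 is an RFC 1918 IPv4 address (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*) return 1 ;;
    esac
    oldIFS=$IFS; IFS=.
    set -- $ip
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    case "$1.$2" in
        10.*) return 0 ;;
        192.168) return 0 ;;
        172.*) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    esac
    return 1
}

# Build the gcloud command that adds DOMAIN_IP as a /32 alias range on the
# MDS instance's first interface (nic0, assumed). --aliases replaces the
# whole alias list, so the existing aliases (semicolon separated) are
# carried over; verify the result in the console afterwards.
alias_update_cmd() {
    instance=$1 zone=$2 domain_ip=$3 existing=$4
    is_private_ipv4 "$domain_ip" || {
        echo "refusing non-private IP: $domain_ip" >&2
        return 1
    }
    aliases="$domain_ip/32"
    [ -n "$existing" ] && aliases="$existing;$aliases"
    printf 'gcloud compute instances network-interfaces update %s --zone %s --network-interface nic0 --aliases "%s"\n' \
        "$instance" "$zone" "$aliases"
}

# Constructed sample values: an MDS instance and a Domain Server IP to add.
alias_update_cmd mds-primary us-central1-a 10.10.1.20 "10.10.1.11/32"
```

Run the printed command on a workstation that already has gcloud authenticated against the project; the IP must also be static, which this check cannot see.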
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.