SunScreen 3.1 Administration Guide

Chapter 8 Configuring Centralized Management Groups

This chapter describes how you configure Centralized Management Groups (CMG) using the administration GUI. Centralized Management allows you to remotely administer configurations on a group of SunScreens.

The following information describes using the administration GUI. You can also find a detailed example of setting up a CMG in the SunScreen Configuration Examples manual.

CMG Overview

A Centralized Management Group consists of a Primary Screen and a number of Secondary Screens. The Primary Screen, where all configuration objects reside, manages itself as well as the centralized management group's Secondary Screens. The Primary Screen's function is to "push" Policy configurations to the Secondary Screens in the CMG. This capability lets you effectively manage many Screens from one location.

To configure a Centralized Management Group, you have to exchange certificate information between the CMG Primary and Secondary Screens. You then add these certificates to the Screen objects, along with the Admin IP address information, and encryption algorithms for the respective Screen.

On the CMG Primary Screen, you need to specify each interface present on any Secondary Screen. These interface definitions should appear with the Screen object selected to make them Screen specific.

Finally, you must add packet filtering rules to both the Primary and Secondary Screens to allow the Primary screen to "push" its policy to the Secondary Screens.

CMG Requirements

Many configurations require cluster members to pass through a firewall in order to communicate with the Primary Screen. In these configurations, any firewall being traversed must contain packet filtering rules to allow certain traffic from the Primary Screen to pass through its interfaces to the Secondary Screen. These rules need to include the following services:

CMG Configuration Tasks

The following steps outline the workflow in setting up a CMG. Detailed steps for each task are provided in the following sections.

  1. Generate a certificate ID for the Primary Screen (if needed).

  2. On the Primary Screen, associate this ID with the Primary Screen object.

  3. Add the Primary Screen certificate ID to the Secondary Screen.

  4. Add a Screen object for the Primary Screen to the Secondary Screen.

  5. Generate a certificate ID for the Secondary Screen (if needed).

  6. On the Secondary Screen, modify the Secondary Screen object.

  7. Add new rules on the Secondary Screen allowing it to be managed by the Primary Screen and activate the policy.

  8. Add the Secondary Screen certificate ID to the Primary Screen.

  9. Add a Screen object for the Secondary Screen to the Primary Screen.

  10. Add a new Address group on the Primary Screen.

  11. Define the Secondary Screen's Interfaces on the Primary Screen.

  12. Add new rules on the Primary Screen allowing it to manage the Secondary Screen.

  13. On the Primary Screen, activate the policy for the CMG.

To Generate the Certificate ID on the Primary Screen

Note -

If you selected Remote Administration during SunScreen installation, a certificate was automatically generated for the Screen. This certificate has a name containing the Primary Screen's hostname with a .admin suffix. You can use this certificate to configure Centralized Management so it is not necessary in this instance to generate a new certificate.


Perform the following steps on the Primary Screen:

  1. From the Policies List page, select the policy you want to edit and click the Edit button.

    The Policy Rules page appears.

  2. In the Common Objects area, select Certificate from the Type choice list.

  3. Select Generate Screen Certificate from the Add New choice list.

    The Certificate dialog window appears with options for the type of key to generate. The default value for the type is "highest available".

  4. Type the name of the CMG's Primary Screen (with the suffix .admin) in the Name field of the Certificate dialog window.

    In this example, boss is the Primary CMG Screen's host name.

    Figure 8-1 Primary Certificate Dialog Window

  5. Click the Generate New Certificate button.

    Once generated, the Certificate ID field will contain the Certificate Identifier for the CMG's Primary Screen. You need to use this certificate ID later when configuring the Secondary Screen.

  6. Click the OK button.

To Associate the Primary Screen's Certificate ID with the Primary Screen Object

Perform the following steps on the Primary Screen:

  1. Select Screen from the Type choice list in the Common Objects area of the Policy Rules page.

  2. Click the Search button.

    The Results field now contains the name of the CMG's Primary Screen.

  3. Select the name of the CMG's Primary Screen in the Results field.

    Information about the Screen appears in the Details field.

  4. Click the Edit button.

    The Screen dialog window appears.

  5. Click the Primary/Secondary tab.

    Figure 8-2 Primary Screen Dialog Window, Primary/Secondary tab

  6. Be sure the IP address of the Primary Screen appears in the Administrative IP Address field. If it is not present, enter it now.

  7. Type the name of the CMG Primary's certificate (the Primary Screen name with the suffix ".admin") in the Administration Certificate field of the Primary/Secondary page.

    This action associates the certificate with the CMG's Primary Screen.

  8. Click the OK button.

To Put the Primary Screen's Certificate ID on the Secondary Screen

Perform the following steps on the Secondary Screen:

  1. Select the policy and click the Edit button in the Policies List page.

    The Policy Rules page appears.

  2. From the Common Objects area, select Certificate from the Type choice list.

  3. Select Associate MKID from the Add New choice list.

    The Certificate dialog window appears.

  4. Type the Primary Screen name (with .admin suffix) in the Name field.

    Figure 8-3 Add Primary Certificate to Secondary Screen

  5. In the Certificate ID field, type the Certificate ID of the Primary Screen.

  6. Click the OK button.

To Add the Primary Screen Object to the Secondary Screen

Perform the following steps on the Secondary Screen:

  1. Select Screen from the Type choice list in the Common Objects area of the Policy Rules page.

  2. Click the Add New button.

    The Screen dialog window appears with the Miscellaneous tab selected.

    Figure 8-4 Add Primary Screen to Secondary Screen

  3. Type the name of the CMG's Primary Screen in the Name field.

  4. Click the Primary/Secondary tab.

  5. Be sure the IP address of the Primary Screen appears in the Administrative IP Address field.

  6. Type the name of the CMG Primary's certificate (the Primary Screen name with the suffix ".admin") in the Administration Certificate field of the Primary/Secondary page.

  7. Click the OK button.

To Generate a Certificate ID for the Secondary Screen

Note -

If you selected Remote Administration during SunScreen installation, a certificate was automatically generated for the Screen. This certificate has a name containing the Primary Screen's hostname with a .admin suffix. You can use this certificate to configure Centralized Management so it is not necessary in this instance to generate a new certificate.


Perform the following steps on the Secondary Screen:

  1. From the Policies List page, select the policy you want to edit and click the Edit button.

    The Policy Rules page appears.

  2. In the Common Objects area, select Certificate from the Type choice list.

  3. Select Generate Screen Certificate from the Add New choice list.

    The Certificate dialog window appears with options for the type of key to generate. The default value for the type is "highest available".

  4. Type the name of the CMG's Secondary Screen (with the suffix .admin) in the Name field of the Certificate dialog window.

    In this example, efs-u5 is the Secondary Screen's name.

    Figure 8-5 Secondary Certificate Dialog Window

  5. Click on Generate New Certificate to create a new key for the Secondary Screen.

  6. Click the OK button.

To Modify the Secondary Screen Object

Perform the following steps on the Secondary Screen:

  1. From the Common Objects area of the Policy rules page, select Screen from the Type choice list.

  2. Click the Search button.

  3. Select the name of the CMG's Secondary Screen from the Results field.

  4. Click the Edit button.

    The Screen dialog window appears.

  5. Select the Primary/Secondary tab in the Screen dialog window.

    Figure 8-6 Secondary Screen Dialog Window with Primary/Secondary Tab

  6. If not present, type the administration IP address of the CMG's Secondary Screen in the Administration IP Address field.

  7. Type the name of the Secondary Screen certificate in the Administration Certificate field.

    In this example, the name is efs-u5.admin.

  8. Click the OK button.

To Configure the Secondary Screen for Management by the Primary Screen

Perform the following steps from the CMG Secondary Screen.


Note -

The configuration changes in this step allow the Primary Screen to download a policy to the Secondary Screen. Once a policy is downloaded, these changes will no longer be in effect. Be sure to carefully follow the section titled "To Allow the Primary Screen to Manage the Secondary Screen", so that you can download additional policies.


  1. Click on the Packet Filtering tab of the Policy Rules area.

    The policy rules which are currently defined for this policy are displayed.

  2. Click the Add New... button in the Policy Rules area.

    The Rule Definition dialog window appears.

    Figure 8-7 CMG Rule Definition Dialog Window

  3. Enter a Rule Index of 1.

To Add the Secondary Screen's Certificate ID to the Primary Screen

Perform the following steps on the Primary Screen:

  1. Select the policy and click the Edit button in the Policies List page.

    The Policy Rules page appears.

  2. From the Common Objects area, select Certificate from the Type choice list.

  3. Select Associate MKID from the Add New choice list.

    The Certificate dialog window appears.

  4. Type the Secondary Screen name (with .admin suffix) in the Name field.

    Figure 8-8 Add Secondary ID to Primary Screen

  5. In the Certificate ID field, type the Certificate ID of the CMG's Secondary Screen.

  6. Click the OK button.

To Add a Secondary Screen Object to the Primary Screen

Note -

SunScreen EFS 3.0 Primary Screens cannot properly manage a SunScreen 3.1 Secondary Screen. However, a SunScreen 3.1 Primary Screen can manage SunScreen EFS Version 3.1 Secondary Screens.


Perform the following steps on the Primary Screen:

  1. Select Screen from the Type choice list in the Common Objects area of the Policy Rules page.

  2. Click the Add New button.

    The Screen dialog window appears with the Miscellaneous tab selected.

  3. Type the name of the CMG's Secondary Screen in the Name field then click the Primary/Secondary tab.

    Figure 8-9 Add Secondary Screen to Primary

  4. Select the Primary Screen Object name by choosing it from the Primary Name choice list.

    This action tells the Secondary Screen the name of its Primary Screen.

  5. Be sure the IP address of the Secondary Screen appears in the Administrative IP Address field.

  6. Type the name of the CMG Secondary's certificate (the Secondary Screen name with the suffix ".admin") in the Administration Certificate field of the Primary/Secondary page.

  7. Click the OK button.

To Add a New Address Group to the Primary Screen

Perform the following steps on the Primary Screen:

  1. From the Common Objects area, select Address from the Type choice list.

  2. Select New Group... from the Add New choice list.

    The Address dialog window appears.

    Figure 8-10 Add Address Group window

  3. Type the name of the Address Group.

    In this example, you create the Address Group efs-u5_le0 to be used for the Interface Definition on the Secondary Screen.

  4. Select the name of the Secondary Screen from the Screen choice list.

    In this example, the Screen name is efs-u5.

  5. Click the OK button.

    Select the Address Objects to include in and exclude from this Address Group. If the required object is not listed, click Cancel and follow the instructions in "To Add a Group of Addresses" on page 65. After you create the required objects, return to this section and start again.

To Define the Secondary Screen's Interfaces on the Primary Screen

Perform the following steps on the Primary Screen:

  1. From the Common Objects area of the Policy Rules page, select Interface from the Type choice list.

  2. Select New... from the Add New choice list.

    The Interface Definition dialog window appears.

    Figure 8-11 Interface Definition Dialog Window

  3. Define the interfaces of the Secondary Screen:

    The Interface Definition for efs-u5_le0 is shown in this figure. You must define each of the Secondary Screen's interfaces on the Primary Screen as follows. Each definition must contain the following:

    • Interface : (the actual interface name on the Secondary Screen)

    • Type: (STEALTH, ROUTING, or ADMIN)

    • Screen: (Screen name as defined in the Screen object)

    • Address Group: (valid addresses for this interface)

    The Interface Definition dialog window is now identical on both screens.

  4. Click the OK button.

To Configure the Primary Screen to Manage the Secondary Screens

Perform this task on the CMG Primary Screen. Add policy rules to allow the Primary Screen to pass management traffic through the Secondary Screen's interfaces by following these steps.

  1. Click on the Packet Filtering tab of the Policy Rules area.

    The policy rules which are currently defined for this policy are displayed.

  2. Click the Add New... button in the Policy Rules area.

    The Rule Definition dialog window appears.

    Figure 8-12 CMG Rule Definition Dialog Window

  3. Enter a Rule Index of 1.

To Activate the CMG Policy

Note -

Be sure to activate the policy on the Secondary Screen first so it will be able to receive the "pushed" policy from the Primary Screen.


From the Primary Screen, activate the policy to push it to all the CMG Secondary Screens.
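The CMG workflow above (steps 1 through 11 of "CMG Configuration Tasks") as a pre-activation consistency check. This is an added example written for this page, not SunScreen code: the classes are a hypothetical model of the objects the GUI steps create (Certificate, Screen, Address Group, Interface) and are not SunScreen's own configuration format or API. The function check_cmg reports every step that was skipped or mistyped on either Screen, so the mutual trust relationship can be verified before the policy is pushed. The host names boss and efs-u5, the certificate naming rule (hostname plus .admin), the interface le0 and the Address Group efs-u5_le0 come from the chapter; the IP addresses and certificate IDs are constructed.

```python
"""Consistency check for a SunScreen-style Centralized Management Group (CMG).

Added example, not SunScreen code: the classes are a hypothetical model of the
objects the chapter's GUI procedure creates, not SunScreen's configuration format.
"""
from dataclasses import dataclass, field
from typing import Optional

ADMIN_SUFFIX = ".admin"                            # certificate naming rule from the chapter
INTERFACE_TYPES = {"STEALTH", "ROUTING", "ADMIN"}  # allowed Interface Definition types


@dataclass
class Certificate:
    name: str      # e.g. boss.admin
    cert_id: str   # the Certificate ID shown in the Certificate dialog


@dataclass
class ScreenObject:
    name: str
    admin_ip: str                       # Administrative IP Address field
    admin_cert: str                     # Administration Certificate field
    primary_name: Optional[str] = None  # Primary Name choice list (Secondary objects on the Primary)


@dataclass
class Interface:
    name: str           # interface name on the Secondary, e.g. le0
    type: str           # STEALTH, ROUTING or ADMIN
    screen: str         # Screen the definition is specific to
    address_group: str  # Address Group holding the interface's valid addresses


@dataclass
class ScreenConfig:
    """Policy objects held by one Screen, plus that Screen's real administrative address."""
    hostname: str
    admin_ip: str
    certificates: dict = field(default_factory=dict)
    screens: dict = field(default_factory=dict)
    address_groups: set = field(default_factory=set)
    interfaces: list = field(default_factory=list)


def _check_knows(holder, peer, problems):
    """holder must carry peer's certificate (same ID as peer generated) and a Screen object for
    peer with the right Administrative IP and certificate name. With holder == peer this checks a
    Screen's own certificate and Screen object."""
    cert_name = peer.hostname + ADMIN_SUFFIX
    own, held = peer.certificates.get(cert_name), holder.certificates.get(cert_name)
    if held is None:
        problems.append(f"{holder.hostname}: certificate {cert_name} is missing")
    elif own is not None and held.cert_id != own.cert_id:
        problems.append(f"{holder.hostname}: certificate ID for {cert_name} "
                        f"does not match the one generated on {peer.hostname}")
    obj = holder.screens.get(peer.hostname)
    if obj is None:
        problems.append(f"{holder.hostname}: no Screen object for {peer.hostname}")
        return
    if obj.admin_ip != peer.admin_ip:
        problems.append(f"{holder.hostname}: Screen object {peer.hostname} has Administrative IP "
                        f"{obj.admin_ip}, expected {peer.admin_ip}")
    if obj.admin_cert != cert_name:
        problems.append(f"{holder.hostname}: Screen object {peer.hostname} references "
                        f"certificate {obj.admin_cert!r}, expected {cert_name}")


def check_cmg(primary, secondaries, secondary_ifaces):
    """Return the problems found; an empty list means the CMG objects are consistent.
    secondary_ifaces maps each Secondary hostname to the interface names actually present on it."""
    problems = []
    _check_knows(primary, primary, problems)  # steps 1-2: Primary's own certificate and Screen object
    for sec in secondaries:
        _check_knows(sec, primary, problems)  # steps 3-4: Secondary holds Primary's ID and Screen object
        _check_knows(sec, sec, problems)      # steps 5-6: Secondary's own certificate and Screen object
        _check_knows(primary, sec, problems)  # steps 8-9: Primary holds Secondary's ID and Screen object
        obj = primary.screens.get(sec.hostname)
        if obj is not None and obj.primary_name != primary.hostname:
            problems.append(f"{primary.hostname}: Screen object {sec.hostname} has Primary Name "
                            f"{obj.primary_name!r}, expected {primary.hostname}")
        # steps 10-11: every Secondary interface is defined, Screen-specific, on the Primary
        defined = {i.name: i for i in primary.interfaces if i.screen == sec.hostname}
        for iface_name in secondary_ifaces.get(sec.hostname, []):
            iface = defined.get(iface_name)
            if iface is None:
                problems.append(f"{primary.hostname}: no Interface definition for "
                                f"{iface_name} of {sec.hostname}")
                continue
            if iface.type not in INTERFACE_TYPES:
                problems.append(f"{primary.hostname}: interface {iface_name} of {sec.hostname} "
                                f"has invalid type {iface.type!r}")
            if iface.address_group not in primary.address_groups:
                problems.append(f"{primary.hostname}: Address Group {iface.address_group} for "
                                f"{iface_name} of {sec.hostname} does not exist")
    return problems


def sample_cmg():
    """Constructed sample: Primary boss managing Secondary efs-u5 (names and le0 from the chapter;
    addresses and certificate IDs are made up)."""
    boss_id, efs_id = "CONSTRUCTED-ID-BOSS", "CONSTRUCTED-ID-EFS-U5"
    boss, efs = ScreenConfig("boss", "192.0.2.1"), ScreenConfig("efs-u5", "192.0.2.2")
    boss.certificates["boss.admin"] = Certificate("boss.admin", boss_id)          # steps 1-2
    boss.screens["boss"] = ScreenObject("boss", "192.0.2.1", "boss.admin")
    efs.certificates["boss.admin"] = Certificate("boss.admin", boss_id)           # steps 3-4
    efs.screens["boss"] = ScreenObject("boss", "192.0.2.1", "boss.admin")
    efs.certificates["efs-u5.admin"] = Certificate("efs-u5.admin", efs_id)        # steps 5-6
    efs.screens["efs-u5"] = ScreenObject("efs-u5", "192.0.2.2", "efs-u5.admin")
    boss.certificates["efs-u5.admin"] = Certificate("efs-u5.admin", efs_id)       # steps 8-9
    boss.screens["efs-u5"] = ScreenObject("efs-u5", "192.0.2.2", "efs-u5.admin", primary_name="boss")
    boss.address_groups.add("efs-u5_le0")                                         # steps 10-11
    boss.interfaces.append(Interface("le0", "ROUTING", "efs-u5", "efs-u5_le0"))
    return boss, [efs], {"efs-u5": ["le0"]}


if __name__ == "__main__":
    for line in check_cmg(*sample_cmg()) or ["CMG objects are consistent"]:
        print(line)
```

Run the check on both sides' exported objects before activating: a certificate ID mistyped while associating the MKID, a Screen object whose Administrative IP does not match the peer, or a Secondary interface never defined on the Primary each surfaces as its own line, which is cheaper to find here than by diagnosing a failed policy push afterwards.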