The following detailed steps show how to set up this simple centralized management group configuration:

1. Install and configure Screen sf-screen1 in routing mode with remote Administration Station sf-host4.

Be sure to write down the Screen's certificate ID for use in the next step. Refer to "Installing a Screen In Routing Mode" in the first example in this document for instructions on this step.

2. Install the Screen bos-screen1 in stealth mode with remote administration.

Refer to "Installing a Screen In Stealth Mode" described earlier in this document for instructions on this step.

Use the certificate generated in Step 1 when asked to type the Administration Station's certificate ID. This certificate is given the name "remote" by default.

Be sure to write down the Screen's certificate ID for use in a later step.

3. Configure the Screen bos-screen1 as a secondary Screen in the centralized management group.

Create the following objects to enable Screen sf-screen1 to push the security policy to bos-screen1: address objects (needed to define the stealth interfaces), screen objects, and policy rules.

- Address objects, as shown in the following table:
Table 8-1 Address Object Definitions

| Name | Type | Address |
|---|---|---|
| sf-screen1 | Host | 192.168.1.2 |
| bos-screen1 | Host | 10.0.2.200 |
| bos-ext-router | Host | 192.168.2.1 |
| bos-net-10 | Range | 10.0.2.0 - 10.0.2.255 |
| bos-net-192 | Range | 192.168.2.0 - 192.168.2.255 |
| bos-internal | Group | Include: bos-net-10, bos-net-192; Exclude: bos-ext-router, * |
| bos-external | Group | Include: *, bos-ext-router; Exclude: bos-net-10, bos-net-192 |
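To show why the Include and Exclude lists in Table 8-1 are written the way they are, here is an added example (not SunScreen's own code) that evaluates the bos-internal and bos-external groups over the table's address objects. It assumes that the most specific matching entry decides membership (a host entry overrides a range, a range overrides the * wildcard); that is the only reading under which bos-ext-router, which lies inside the bos-net-192 range, ends up outside bos-internal and inside bos-external.

```python
# Added example, not SunScreen code. Assumption: group membership is decided by the
# most specific entry (smallest address object) that matches, Include or Exclude.
from ipaddress import IPv4Address


def rng(first, last):
    """Inclusive integer range for a Range object."""
    return (int(IPv4Address(first)), int(IPv4Address(last)))


def host(ip):
    """A Host object is a range of size one."""
    return rng(ip, ip)


# Address objects constructed from the values in Table 8-1; "*" is the wildcard object.
ADDRESSES = {
    "sf-screen1": host("192.168.1.2"),
    "bos-screen1": host("10.0.2.200"),
    "bos-ext-router": host("192.168.2.1"),
    "bos-net-10": rng("10.0.2.0", "10.0.2.255"),
    "bos-net-192": rng("192.168.2.0", "192.168.2.255"),
    "*": (0, 2**32 - 1),
}

# Group objects exactly as defined in Table 8-1.
GROUPS = {
    "bos-internal": {"include": ["bos-net-10", "bos-net-192"],
                     "exclude": ["bos-ext-router", "*"]},
    "bos-external": {"include": ["*", "bos-ext-router"],
                     "exclude": ["bos-net-10", "bos-net-192"]},
}


def is_member(ip, group):
    """True when the most specific entry of `group` that matches ip is on the Include list."""
    n = int(IPv4Address(ip))
    best = None  # (size of matching object, matched on Include?)
    for list_name in ("include", "exclude"):
        for name in GROUPS[group][list_name]:
            lo, hi = ADDRESSES[name]
            if lo <= n <= hi:
                size = hi - lo + 1
                if best is None or size < best[0]:
                    best = (size, list_name == "include")
    return best is not None and best[1]


def classify(ip):
    """Groups containing ip; exactly one is expected if the two groups partition the space."""
    return [g for g in GROUPS if is_member(ip, g)]
```

If classify() returns two groups or none for some address, the pair no longer partitions the address space and any rule keyed on these groups has a hole or an overlap at that address.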
- Screen object for primary Screen sf-screen1, containing the administrative IP address (sf-screen1) and certificate (remote) under the HA/Master Config tab, as shown in the following figure.

- Interface objects, as shown in the following table:
Table 8-2 Interface Object Definitions

| Name | Screen | Type | Address Group |
|---|---|---|---|
| qfe0 | bos-screen1 | STEALTH | bos-external |
| qfe1 | bos-screen1 | STEALTH | bos-internal |
| hme0 | bos-screen1 | ADMIN | bos-screen1_hme0 (created by default) |
4. Modify the Screen object for bos-screen1 so that it shows sf-screen1 as the primary Name, and be sure it contains bos-admin1 as the Administrative IP Address and bos-screen1.admin as the Administrative Certificate, as shown in the following figure.

5. Create policy rules to enable SunScreen SKIP and CDP packets from sf-screen1 to pass through the Screen, as shown in the following figure.

6. Save and activate the policy on bos-screen1.

7. Configure primary Screen sf-screen1 to push the policy to secondary Screen bos-screen1 by creating the following objects:

- Address objects that enable configuration of the stealth interfaces, screen objects, and policy rules for secondary Screen bos-screen1, as shown in the following table (the same as in Step 3 above):
Table 8-3 Address Objects To Enable Configuration

| Name | Type | Address |
|---|---|---|
| sf-screen1 | Host | 192.168.1.2 |
| bos-screen1 | Host | 10.0.2.200 |
| bos-ext-router | Host | 192.168.2.1 |
| bos-net-10 | Range | 10.0.2.0 - 10.0.2.255 |
| bos-net-192 | Range | 192.168.2.0 - 192.168.2.255 |
| bos-internal | Group | Include: bos-net-10, bos-net-192; Exclude: bos-ext-router, * |
| bos-external | Group | Include: *, bos-ext-router; Exclude: bos-net-10, bos-net-192 |
- Certificate object called bos-screen1.admin, created with the Associate MKID selection under Certificate -> Add New in the Policy Objects area. Use the certificate ID that was generated in Step 2 above.

- Screen object for bos-screen1 containing sf-screen1 as the primary Name, bos-admin1 as the Administrative IP Address, and bos-screen1.admin as the Administrative Certificate. This looks the same as it did on the secondary Screen, as shown in Figure 8-3.

- Interface objects for bos-screen1, as shown in the following table:
Table 8-4 Interface Objects For bos-screen1

| Name | Screen | Type | Address Group |
|---|---|---|---|
| qfe0 | bos-screen1 | STEALTH | bos-external |
| qfe1 | bos-screen1 | STEALTH | bos-internal |
| hme0 | bos-screen1 | ADMIN | bos-screen1_hme0 (created by default) |
Be sure that all interface definitions for the primary Screen sf-screen1 contain sf-screen1 in the Screen field.

- Policy rules to enable SunScreen SKIP and CDP packets from sf-screen1 to pass through Screen bos-screen1, as shown in Figure 8-4 in Step 5. Be sure that each rule has an entry in the Screen object field to tell it which Screen(s) is to implement the particular rule.

8. Save and activate the policy on sf-screen1.

Your centralized management group is now configured and is ready for you to implement your full security policy.
In the network diagram, as shown in , the primary routing-mode Screen sf-screen1 is shown in an HA cluster configuration. You can configure your primary centrally managed Screen with HA if you desire. However, you should first follow the steps to get your centralized management group working, then follow the procedure for adding the secondary HA Screen into the configuration.