Multi-Domain Management

Overview

TOS Classic initially shows and manages all network devices under a single organizational entity. However, some organizations need to manage their devices under different entities. Examples are:

  • Managed security service providers (MSSPs) who use a single instance of TOS Classic to manage devices belonging to different customers and therefore need complete separation between organizations.
  • Large segmented organizations that want to manage different groups of devices by different criteria with regard to policy and violations, or to give users and administrators access to some groups of devices and not others.

This separation of devices and their management is achieved by configuring your system for multi-domain management - creating new organizational entities called domains and placing devices into the appropriate domain. Until you configure your system for multi-domain management, the term domain doesn't appear anywhere in the product.

There are no restrictions as to which devices can be assigned to which domain, except where noted under Managing Monitored Devices. For example, a management device such as a Check Point MDS and the devices it manages (e.g., CMAs) can belong to different domains, and a parent device can be in one domain while its virtual devices are assigned to others.

Once a second domain is added, multi-domain management is implemented automatically and there is no going back!

When switching from single to multi-domain, a number of changes occur in your system:

  • All existing devices become allocated to an entity called The Default Domain, from which they can be moved or 'migrated' to any one of the new domains created.
  • The two user types - Administrator and User - are replaced with four new user types - Super Administrator, Multi-Domain Administrator, Multi-Domain User and Domain User - see Managing TOS Classic Users.
  • Existing Administrators automatically become Super Administrators, which gives them access to all domains, and existing Users automatically become Multi-Domain Users but do not have access to any domain until access is granted by a super administrator.
  • For the new super administrators, a domain selector field appears at the bottom of every screen, from which they can switch domains by selecting the desired domain from the list displayed. The Default Domain is always excluded from this list, but there is an additional option - Global - which when selected gives the super administrator access to all domains together with The Default Domain. This access is called the Global Context and is described in more detail in Contexts in Multi-Domain Management.
  • Access to specific domains and to the Global Context can subsequently be granted to multi-domain administrators and multi-domain users.
  • Existing zones that you have created and the predefined Users Networks zone will appear only in the Global Context and will apply to The Default Domain only.
  • Existing USPs and USP exceptions will be set to apply to the Global Context, meaning all the domains defined in the system, including The Default Domain.

Contexts in Multi-Domain Management

Once your system is configured for multi-domain management, a user will always be in one of two 'contexts'.

  • A domain context - the user sees and manages a single domain but it cannot be The Default Domain.

  • The Global Context - the user sees and manages The Default Domain together with all other domains to which they have been granted access.

There are functions available in the domain context that are not available in the Global Context and vice versa. Reports (configured and generated), queries, and audits are created in the currently selected context (Global Context or domain-specific), and are not available in any other context. Similarly, Network Zones are created in the currently selected context, and are then available only for the queries and reports of that context.

Any access or permissions given to multi-domain administrators or multi-domain users while the administrator is in a domain context are limited to that domain.

Domain Context

A user of any kind is in a domain context when a specific domain is selected from the domain selector or the user only has access to a single domain. The Default Domain is not available for selection as a domain context.

Only devices in the selected domain can be viewed and policy revisions, queries, audits and reports can be configured only for these devices.

Multi-domain users working in a domain context have the same access as domain users.

Multi-domain administrators and super administrators working in a domain context can configure the currently selected domain only. This includes managing domain users, devices, and network zones. System-level configuration, including configuring super administrators, is not available in a domain context.

The Global Context

A user is in the Global Context when Global is selected from the domain selector. It is available to all super administrators, and to multi-domain administrators and multi-domain users who have been granted access to the Global Context (see Managing TOS Classic Users).

Multi-domain users working in the Global Context can:

  • View devices and policy revisions from all domains to which they have access including The Default Domain
  • Run aggregated queries, audits, reports, and alerts that a super administrator has defined in the Global Context; the results include only the devices and domains to which the user has access
  • View Global Context entities defined by a super administrator, such as USPs and USP exceptions
  • View and select Network Zones that were defined in the Global Context

A multi-domain administrator working in the Global Context can do everything the multi-domain user can do and additionally configure Global Context entities that have been defined by a super administrator, such as USPs, USP exceptions, queries, audits and reports, and change topology.

A multi-domain administrator working in the Global Context cannot do any domain-specific administration tasks such as managing Domain Users, devices, and network zones.

A super administrator working in the Global Context can do everything the multi-domain administrator can do and additionally:

  • Perform system-level configuration - define entities for the Global Context, such as USPs, USP exceptions, queries, audits and reports.
  • Define Network Zones for the Global Context
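The visibility rules in the two sections above (domain context versus Global Context, The Default Domain reachable only through Global, and which user types may administer what) are easy to misread when reviewing who can see which customer's devices. The following is an added toy model of those rules, written for this page; it is not TOS Classic code or its API, and the role names, data structures and device inventory are constructed assumptions used only to make the rules checkable:

```python
"""Toy model of the TOS Classic domain/context visibility rules described above.
Added illustration: identifiers, roles and the device inventory are assumptions,
not the product's own API or data."""
from dataclasses import dataclass, field

DEFAULT_DOMAIN = "The Default Domain"
GLOBAL = "Global"


@dataclass
class User:
    name: str
    role: str                                   # "super_admin", "md_admin", "md_user", "domain_user"
    domains: set = field(default_factory=set)   # domains explicitly granted to this user
    global_access: bool = False                 # Global Context granted (md_admin / md_user only)


# Constructed sample inventory: device name -> domain the device was migrated to.
DEVICES = {
    "fw-cust-a-1": "Customer A",
    "fw-cust-b-1": "Customer B",
    "fw-cust-b-2": "Customer B",
    "legacy-core": DEFAULT_DOMAIN,              # never migrated out of The Default Domain
}
ALL_DOMAINS = {d for d in DEVICES.values() if d != DEFAULT_DOMAIN}


def granted_domains(user):
    """Domains the user may open as a domain context. The Default Domain is never one."""
    if user.role == "super_admin":
        return set(ALL_DOMAINS)
    return set(user.domains) - {DEFAULT_DOMAIN}


def has_global(user):
    """Super administrators always have the Global Context; others need it granted."""
    return user.role == "super_admin" or user.global_access


def selector_entries(user):
    """What the domain selector offers: granted domains plus Global when permitted."""
    entries = sorted(granted_domains(user))
    if has_global(user):
        entries.append(GLOBAL)
    return entries


def may_enter(user, context):
    """True if the user is allowed to switch to this context at all."""
    if context == GLOBAL:
        return has_global(user)
    return context != DEFAULT_DOMAIN and context in granted_domains(user)


def visible_devices(user, context):
    """Devices the user sees in the chosen context (sorted for stable comparison)."""
    if not may_enter(user, context):
        raise PermissionError(f"{user.name} cannot enter context {context!r}")
    if context == GLOBAL:
        # Global Context: every permitted domain plus The Default Domain.
        allowed = granted_domains(user) | {DEFAULT_DOMAIN}
    else:
        allowed = {context}
    return sorted(dev for dev, dom in DEVICES.items() if dom in allowed)


def can_manage_domain_users(user, context):
    """Domain-specific administration (domain users, devices, zones) is possible only
    in a domain context, and only for multi-domain and super administrators."""
    return context != GLOBAL and user.role in ("md_admin", "super_admin")


def can_define_global_entities(user, context):
    """Only a super administrator defines Global Context entities (USPs, zones, ...)."""
    return context == GLOBAL and user.role == "super_admin"


if __name__ == "__main__":
    # A user who was an ordinary User before the switch: multi-domain user, nothing granted yet.
    migrated = User("migrated-user", "md_user")
    print(selector_entries(migrated))           # [] until a super administrator grants access
    mssp_customer = User("alice", "md_user", {"Customer B"}, global_access=True)
    print(visible_devices(mssp_customer, GLOBAL))
```

A useful review check with this model is to enumerate each user with `selector_entries` and `visible_devices` per entry: any multi-domain user whose Global Context view includes devices left in The Default Domain is a reminder that step 2 of the best practice below (migrate everything out of The Default Domain) has not been completed.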

Recommended Best Practice for Multi-Domain Management

  1. Create one or more new domains as required.
  2. Migrate all existing devices to the new domains. See Managing Monitored Devices.
  3. Give users and administrators access to domains. See Users.

For SecureChange users:

In SecureChange, you can assign SecureChange domains to users and groups. When selecting devices for tickets, such as in access requests, users and groups assigned to domains can only select devices in those domains. This segregation of data can help in scenarios such as when you have multiple groups of administrators responsible for separate areas of the network. You can assign the groups to separate domains and each group can only see the devices for its domain.

See Enabling Multi-Domain in SecureChange.

In SecureApp, you can import the list of domains as customers. You can then define applications according to the customers that use the applications to allow for:

  • Data segregation - Connections can only contain resources that belong to related customers.
  • IP address segmentation - If different customers use the same IP address scheme in their networks (also known as IP overlapping), SecureApp analyzes traffic correctly for each customer separately.

Switching Contexts

When the logged-in user has access to more than one domain, the current context appears in the domain selector which is displayed on most screens. Clicking on the context name, displays a list of all contexts to which the user has access, including Global if the user also has access to the Global Context. When a different domain is selected, the user is returned to the dashboard.


What Can I Do Here?

  • Create a domain
  • Delete a domain - click delete domain on the desired domain
  • Edit a domain - click edit domain on the desired domain, change details then save by clicking save domain

Create a Domain

  1. Click new domain

  2. Enter the details. Location and Description are optional and for your information only.

  3. Save by clicking save domain.

[Figure: domain properties]

How Do I Get Here?

SecureTrack > Settings > Configuration > Domains: