topic Re: Checkpoint management plane data plane in Cloud Firewall

Checkpoint management plane data plane

daz10 — Tue, 10 Dec 2024 10:13:07 GMT

Hi is there a resource that explains the basics about Checkpoint management plane data plane clearly and simply (including cli setup) for a beginner ? I can't find anything.

Re: Checkpoint management plane data plane

toblun — Tue, 10 Dec 2024 10:28:09 GMT

this SK does https://support.checkpoint.com/results/sk/sk138672

Re: Checkpoint management plane data plane

daz10 — Tue, 10 Dec 2024 11:01:12 GMT

I was after more of an explanation/theory with say an example rather than 'cold' commands.

Re: Checkpoint management plane data plane

Chris_Atkinson — Tue, 10 Dec 2024 11:53:28 GMT

In case it's unclear hit the following link in the article intro section and you'll see more "Click Here to Show the Entire Article" as it appears to be collapsed by default.

Re: Checkpoint management plane data plane

Don_Paterson — Tue, 10 Dec 2024 12:55:46 GMT

Is this in a specific CSP (AWS, Azure or GCP)?

Do you have a requirement or a use case for it?

It doesn't seem like something that would be commonly demanded in CloudGuard (the question is posted is the CloudMates Forum).

Re: Checkpoint management plane data plane

PhoneBoy — Tue, 10 Dec 2024 19:59:40 GMT

I asked @CheckMatesAI for an answer, and it provided little more than a link to sk138672 and to CheckMates 🙂

In simple terms, MDPS dedicates one of the cores on the security gateway to the following functions:

Access to the Gateway Itself: SSH, FTP, and more
Provisioning: Policy installation, Gaia Portal, REST API
Monitoring: Logs, SNMP

Normally, these functions run on processes on cores that are shared with cores that process traffic.
MDPS also provides a separate routing table for these functions as well as others you can configure.

If you're experiencing issues with these functions and the gateways operate under significant load, MDPS can be helpful.
It's important to understand the known limitations should you choose to enable it.
In most situations, MDPS is not necessary.

Re: Checkpoint management plane data plane

kamilazat — Thu, 12 Dec 2024 07:35:58 GMT

Here's an explanation from another LLM:

Understanding Management Dataplane Separation (MDPS)

Core Concept

Management Data Plane Separation (MDPS) is a security feature that separates administrative traffic from regular network traffic on Check Point Security Gateways, similar to having dedicated lanes on a highway for different types of vehicles.

The Two Planes

Management Plane

Handles all administrative functions:

- System access (SSH, FTP)

- Policy installation and configuration

- System monitoring (logs, SNMP)

Data Plane

Manages regular network operations:

- User traffic (web, email, files)

- Application communications

- Network services

Implementation Methods

1. **Routing Separation**: Creates a dedicated routing domain for management traffic, preventing any cross-communication between planes.

2. **Resource Separation**: Allocates dedicated CPU resources for management functions (requires 4+ CPU cores).

Key Benefits

- Enhanced security through traffic isolation

- Improved performance by preventing management tasks from affecting regular operations

- Easier troubleshooting with clear separation of functions

So basically you separate the 'brain' and 'muscle' (veeery vaguely) on the gateway so that bad guys have to work twice as hard to get into management related parts and make bad changes. Implementation and configuration details will be in sk138672.