topic Re: What are the implications of setting an interface as "management interface" ? in Firewall and Security Management

What are the implications of setting an interface as "management interface" ?

Benedikt_Weissl — Wed, 26 May 2021 09:24:30 GMT

Hey Guys,

what are the exact implications of setting an interface as "management interface" ? For example, are the number of queues for the management interface somehow limited?

Cheers

Re: What are the implications of setting an interface as "management interface" ?

Timothy_Hall — Wed, 26 May 2021 18:53:36 GMT

There are a couple of aspects to what the management interface definition actually does, let's cover the Multi-Queue side first.

In regards to Multi-Queue and the management interface, it was impossible to enable Multi-Queue on the defined management interface in the Gaia 3.10 FCS (First Customer Ship) edition of R80.30 and the FCS of R80.40 (which uses Gaia 3.10). The explanation I got from R&D is that they wanted to ensure management access to the box even if some kind of Multi-Queue failure occurred, as MQ is enabled by default on all interfaces that support it under Gaia 3.10 except the management interface.

This restriction was lifted in Gaia 3.10 R80.30 Jumbo HFA Take 219+ and R80.40 Jumbo HFA Take 78+. In R81+ FCS MQ is enabled by default on all interfaces that support it. I'm not exactly sure what happens to the MQ status of the management interface if you started with an older Jumbo HFA or FCS and cross the boundary into where MQ is supported on the management interface, I believe it does get automatically enabled.

Be warned however that it is not a good idea to manually mess around with MQ's state on the various interfaces under Gaia 3.10 as you can end up with various issues such as sk168498: High rate of input discards after reboot when Multi-Queue is configured and sk167200: Multi-queue state is "off" when changing the management interface.

The other aspect to the management interface definition independent of Multi-Queue is what the definition means to the Gaia OS:

The defined management interface will have it's IP mapped to the firewall's hostname in the /etc/hosts file generated at Gaia boot. Elements of the Gaia OS (not Check Point Product code) that need to determine what the main IP is they should use for various purposes will look here.
Trying to change the IP address of the management interface in the Gaia web interface will throw a warning cautioning that completing this change may cut off your administrative access.

That's about it as far as I know, if I missed any other impacts I'd love to hear about it. The management interface definition does not impact or restrict your ability to "manage" the Gaia OS with SSH or HTTPS on any interface, as long as the firewall policy and the Gaia "Authorized Hosts" definitions (clish command add allowed-hosts) permit it. As far as which interface to choose as the management interface, I did provide some guidance on this in my Gaia 3.10 Immersion video course; here are the relevant pages:

Gaia 3.10 Immersion Video Course Page 64Gaia 3.10 Immersion Video Course Page 65

Re: What are the implications of setting an interface as "management interface" ?

Benedikt_Weissl — Mon, 30 Aug 2021 11:32:10 GMT

This setting might also impact if the gateway tries to connect to the SMS via NAT IP or not, see https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk171665&partition=Advanced&product=Quantum

Quote: "The Security Gateway sends logs to the Security Management NATed IP because the Management's server private IP is found on the "Management" interface of the NAT-enforcing Gateway, and only hosts with IP's from the network behind the "Management" interface are allowed to connect to the Management server private IP.

Since the Gateway IP is not in range of the "Management" interface, the Gateway connects to the Management server via the NATed IP."

Re: What are the implications of setting an interface as "management interface" ?

Timothy_Hall — Mon, 30 Aug 2021 11:43:17 GMT

Always kind of wondered how the gateway decided whether to use the SMS's NAT address or real address for sending logs, thanks for this.

Re: What are the implications of setting an interface as "management interface" ?

Vladimir — Mon, 30 Aug 2021 13:16:14 GMT

I am having trouble visualizing this. From what I am reading, it seems that:

1. both management interfaces, the one of SMS and the one of the gateway are on the same network.

2. SMS object defined with public IP in its NAT properties.

3. the last sentence: "Since the Gateway IP is not in range of the "Management" interface, the Gateway connects to the Management server via the NATed IP." does not make sense to me, because of the preceding statement "Management's server private IP is found on the "Management" interface of the NAT-enforcing Gateway".

Re: What are the implications of setting an interface as "management interface" ?

Benedikt_Weissl — Tue, 31 Aug 2021 09:57:41 GMT

Hopefully someone from Checkpoint can clarify, I'm not sure if this info is still relevant myself.

Re: What are the implications of setting an interface as "management interface" ?

Vladimir — Tue, 31 Aug 2021 13:52:27 GMT

I also would like for someone from Check Point to clarify.

The only scenario where that description may be applicable, (stretching our imagination), is if there is an L3 routing hop between SMS and the Management interface of the gateway performing NAT for SMS.

Re: What are the implications of setting an interface as "management interface" ?

PhoneBoy — Wed, 01 Sep 2021 00:46:38 GMT

I'm pretty sure the IP that will be used here is the main IP of the management object in SmartConsole.
Which...may or may not be the interface marked as management.

Re: What are the implications of setting an interface as "management interface" ?

Vladimir — Wed, 01 Sep 2021 02:05:04 GMT

Fair point, but even in this case, I do not see why the logs would be forwarded to a different interface, unless there is a routing issue.

I've used some fancy routing setup on virtual SMS long time ago, advertising its local loop address (used as its main IP as well as management interface) through different virtual interfaces via OSPF, but did not see any issues described in sk171665.