https://community.checkpoint.com/t5/General-Topics/Concerns-Regarding-the-Use-of-MDPS-in-the-Migrate-to-CheckPoint/m-p/233334#M38975 <P>So I'm kind in the same situation but for me it's not working.<BR />I separated mplane from dplane according to the (poorly documented) sk138672.</P><P>Right now the management plane is isolated which is good. BUT as this is done is software I have some strange issues:</P><P>Packets originating from the management interface traverse the management plane and lands on dplane to be processed by the firewall. dplane recognise the source IP and it's marking it as spoofed. if MDPS is to fully isolate the network. This breaks almost everything like DNS, AD for Gaia LDAP AD binding,&nbsp; TACACS.&nbsp; SMS still works because due to an "error" is in the same network <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> but otherwise it will fail.</P><P>THe inbound traffic originating from inside the network (from one of many internal interfaces) arrives in DP where is processed but due to "mdps_tun" the traffic is sent over to mplane. Of course, as MDPS has a default route, traffic is sent over the default route, which lands on dplane and flow is broken due to symmetry issues.</P><P>So basically from the internal network I cannot access the management interface).</P><P>I know it's software but still.&nbsp; MDPS should be a real isolation.&nbsp;<BR />I'm thinking on switching to a dedicated VSX just for managemnet but.. as everything is in place right now, removing mdps will be a mess.</P><P>&nbsp;</P> Wed, 20 Nov 2024 20:56:50 GMT melcu 2024-11-20T20:56:50Z https://community.checkpoint.com/t5/General-Topics/Concerns-Regarding-the-Use-of-MDPS-in-the-Migrate-to-CheckPoint/m-p/223926#M37322 <P>Hello All</P><P>&nbsp;</P><P>We are planning to replace ASA with Check Point and are looking for an equivalent command in Check Point for the ASA management-only command.</P><P>We have already reviewed the information about this MDPS site,(sk138672)</P><P>but other threads (from 2022) mention that it has many bugs,</P><P>which makes us hesitant to use it. Have all these issues been resolved by lateset R81.20?</P><P>Do you have any information on this?</P><P>&nbsp;</P><P>Thank you for all the advice.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 19 Aug 2024 03:05:43 GMT https://community.checkpoint.com/t5/General-Topics/Concerns-Regarding-the-Use-of-MDPS-in-the-Migrate-to-CheckPoint/m-p/223926#M37322 TSOL 2024-08-19T03:05:43Z https://community.checkpoint.com/t5/General-Topics/Concerns-Regarding-the-Use-of-MDPS-in-the-Migrate-to-CheckPoint/m-p/223981#M37328 <P>What are the specific concerns you have with MDPS?</P> Mon, 19 Aug 2024 13:35:51 GMT https://community.checkpoint.com/t5/General-Topics/Concerns-Regarding-the-Use-of-MDPS-in-the-Migrate-to-CheckPoint/m-p/223981#M37328 PhoneBoy 2024-08-19T13:35:51Z https://community.checkpoint.com/t5/General-Topics/Concerns-Regarding-the-Use-of-MDPS-in-the-Migrate-to-CheckPoint/m-p/226292#M37779 <P>move to vsx, same goal, much more support and reliability</P> Wed, 11 Sep 2024 15:46:54 GMT https://community.checkpoint.com/t5/General-Topics/Concerns-Regarding-the-Use-of-MDPS-in-the-Migrate-to-CheckPoint/m-p/226292#M37779 CheckPointerXL 2024-09-11T15:46:54Z https://community.checkpoint.com/t5/General-Topics/Concerns-Regarding-the-Use-of-MDPS-in-the-Migrate-to-CheckPoint/m-p/226299#M37784 <P>One of my colleagues did this for a customer in R81.20 and they are happy with it. No issues so far.</P> <P>Andy</P> Wed, 11 Sep 2024 17:17:43 GMT https://community.checkpoint.com/t5/General-Topics/Concerns-Regarding-the-Use-of-MDPS-in-the-Migrate-to-CheckPoint/m-p/226299#M37784 the_rock 2024-09-11T17:17:43Z https://community.checkpoint.com/t5/General-Topics/Concerns-Regarding-the-Use-of-MDPS-in-the-Migrate-to-CheckPoint/m-p/233334#M38975 <P>So I'm kind in the same situation but for me it's not working.<BR />I separated mplane from dplane according to the (poorly documented) sk138672.</P><P>Right now the management plane is isolated which is good. BUT as this is done is software I have some strange issues:</P><P>Packets originating from the management interface traverse the management plane and lands on dplane to be processed by the firewall. dplane recognise the source IP and it's marking it as spoofed. if MDPS is to fully isolate the network. This breaks almost everything like DNS, AD for Gaia LDAP AD binding,&nbsp; TACACS.&nbsp; SMS still works because due to an "error" is in the same network <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> but otherwise it will fail.</P><P>THe inbound traffic originating from inside the network (from one of many internal interfaces) arrives in DP where is processed but due to "mdps_tun" the traffic is sent over to mplane. Of course, as MDPS has a default route, traffic is sent over the default route, which lands on dplane and flow is broken due to symmetry issues.</P><P>So basically from the internal network I cannot access the management interface).</P><P>I know it's software but still.&nbsp; MDPS should be a real isolation.&nbsp;<BR />I'm thinking on switching to a dedicated VSX just for managemnet but.. as everything is in place right now, removing mdps will be a mess.</P><P>&nbsp;</P> Wed, 20 Nov 2024 20:56:50 GMT https://community.checkpoint.com/t5/General-Topics/Concerns-Regarding-the-Use-of-MDPS-in-the-Migrate-to-CheckPoint/m-p/233334#M38975 melcu 2024-11-20T20:56:50Z