topic Re: Dedicated routing table of Mgmt Port Require In checkpoint which is not available in present dev in General Topics

Dedicated routing table of Mgmt Port Require In checkpoint which is not available in present device

Harmesh_Yadav — Thu, 28 Mar 2019 08:22:15 GMT

As I see when we have assign any IP to management interface we can only able to communicate management Interface IP from Same Subnet , I need same management interface IP should be routeable with another VLAN , and This Management interface has own routing domain .

If we have requirement LIke Special Mangement VLAN customer have and all device MGMT port connected with Same Switch right so if we can reach mangement from this vlan we can communicate and if we requirement to communicate mgmt ip from diffrent subnet so in this case we require default gateway should be configured in Checkpoint .

This is as i observe so please if anybody have any workaround please let us know

Re: Dedicated routing table of Mgmt Port Require In checkpoint which is not available in present dev

AlekseiShelepov — Thu, 28 Mar 2019 08:43:47 GMT

Maybe I don't understand something here, but it looks that just a proper routing is required.

Mgmt interface should be available from specific hosts or networks for management purposes. So, rotes to these networks should point through Mgmt interface. And default gateway stays where it is now for other traffic. Mgmt interface doesn't have a separate routing domain, it is the same interface, as other on the device.

Re: Dedicated routing table of Mgmt Port Require In checkpoint which is not available in present dev

Harmesh_Yadav — Thu, 28 Mar 2019 08:54:32 GMT

I need Saperate routing domain for Mangement interface and then i will apply default route for dedicate mangement interface and after that it can communicate with another vlan also

and This management interface subnet should not showing in main routing interface like

directly connected

Re: Dedicated routing table of Mgmt Port Require In checkpoint which is not available in present dev

Wolfgang — Thu, 28 Mar 2019 09:00:55 GMT

As Aleksey wrote, there is no own routing instance for the management interface and this interface works same like any other.

To reach other subnets in your management VLANs you can configure routes going out via the management interface. And you can limit the connections via the rulebase.

But if you have to physical seperate you have to use another solution...

Another option will be to use VSX (if it is supported on your appliance and you have the license). With this you can put your management completly an a seperate network and run your firewall as an virtual system with no connectivity to the management.

And additional you have on most of the larger appliances a LOM card which you could connect to the management VLAN.

But you can use the LOM port only to connect to the console of the appliance, It is not possible to have smartcenter connections to the gateway via the LOM port. Maybee this is enough for your requirements.

Wolfgang

Re: Dedicated routing table of Mgmt Port Require In checkpoint which is not available in present dev

Harmesh_Yadav — Thu, 28 Mar 2019 09:53:47 GMT

Actaully from LOM we can get direct console which will be console Cli by Java plugin

Gaia OS GUI and SSH is accessible from LOM port ?

Re: Dedicated routing table of Mgmt Port Require In checkpoint which is not available in present dev

Wolfgang — Thu, 28 Mar 2019 10:10:48 GMT

"Gaia OS GUI and SSH is accessible from LOM port"

simple answer, NO.

Access is only possible to the console like if you are connected via the ConsolePort.

Re: Dedicated routing table of Mgmt Port Require In checkpoint which is not available in present dev

Alex_Shpilman — Thu, 28 Mar 2019 10:20:51 GMT

Re: Dedicated routing table of Mgmt Port Require In checkpoint which is not available in present dev

Alex_Shpilman — Thu, 28 Mar 2019 10:24:42 GMT

This is a pain I had multiple times when migration from VSX.

I managed to solve it with a PBR, any traffic originated from the mgmt IP is sent to a different PBR table which has a different default route.

Just need to create a bypass rule for traffic within the local network of the management.

Re: Dedicated routing table of Mgmt Port Require In checkpoint which is not available in present dev

Harmesh_Yadav — Thu, 28 Mar 2019 11:20:13 GMT

I have open ticket with checkpoint support they told me this will be not possible

Checkpoint Should give this feature ,

Re: Dedicated routing table of Mgmt Port Require In checkpoint which is not available in present dev

Norbert_Bohusch — Thu, 28 Mar 2019 12:11:53 GMT

This is coming with R80.30: Management Data Plane Separation (sk138672)

Re: Dedicated routing table of Mgmt Port Require In checkpoint which is not available in present dev

Alex_Shpilman — Thu, 28 Mar 2019 19:22:43 GMT

This is how I achieved this with PBR, the "real default route" is pointing to another interface.

set pbr table Mgmt static-route default nexthop gateway address 10.10.10.1 priority 1

set pbr rule priority 10 match from 10.10.10.0/24 to 10.10.10.0/24
set pbr rule priority 20 match from 10.10.10.0/24 to 10.0.0.0/8
set pbr rule priority 20 action table Mgmt
set pbr rule priority 30 match from 10.10.10.0/24 to 172.16.0.0/12
set pbr rule priority 30 action table Mgmt

Re: Dedicated routing table of Mgmt Port Require In checkpoint which is not available in present dev

Dawei_Ye — Fri, 29 Mar 2019 02:15:52 GMT

yes，I voted for Harmesh.

Which called by other vendors "virtual-router" is needed.