daz10
Explorer

Checkpoint management plane data plane

Hi, is there a resource that explains the basics of the Check Point management plane and data plane clearly and simply (including CLI setup) for a beginner? I can't find anything.

0 Kudos
1 Solution

Accepted Solutions
kamilazat
Collaborator

Here's an explanation from another LLM:

Understanding Management Dataplane Separation (MDPS)

Core Concept
Management Data Plane Separation (MDPS) is a security feature that separates administrative traffic from regular network traffic on Check Point Security Gateways, similar to having dedicated lanes on a highway for different types of vehicles.

The Two Planes

Management Plane
Handles all administrative functions:
- System access (SSH, FTP)
- Policy installation and configuration
- System monitoring (logs, SNMP)

Data Plane
Manages regular network operations:
- User traffic (web, email, files)
- Application communications
- Network services

Implementation Methods

1. **Routing Separation**: Creates a dedicated routing domain for management traffic, preventing any cross-communication between planes.

2. **Resource Separation**: Allocates dedicated CPU resources for management functions (requires 4+ CPU cores).

Key Benefits
- Enhanced security through traffic isolation
- Improved performance by preventing management tasks from affecting regular operations
- Easier troubleshooting with clear separation of functions


So basically you separate the 'brain' and 'muscle' (veeery vaguely) on the gateway so that bad guys have to work twice as hard to get into management-related parts and make bad changes. Implementation and configuration details will be in sk138672.

0 Kudos
(1)
6 Replies
toblun
Participant
daz10
Explorer

I was after more of an explanation/theory with say an example rather than 'cold' commands.

0 Kudos
Chris_Atkinson
Employee

In case it's unclear, hit the following link in the article intro section and you'll see more ("Click Here to Show the Entire Article"), as it appears to be collapsed by default.

CCSM R77/R80/ELITE
0 Kudos
Don_Paterson
Advisor

Is this in a specific CSP (AWS, Azure or GCP)?

Do you have a requirement or a use case for it?

It doesn't seem like something that would be commonly demanded in CloudGuard (the question is posted in the CloudMates Forum).

0 Kudos
PhoneBoy
Admin

I asked @CheckMatesAI for an answer, and it provided little more than a link to sk138672 and to CheckMates 🙂 

In simple terms, MDPS dedicates one of the cores on the security gateway to the following functions:

  • Access to the Gateway Itself: SSH, FTP, and more
  • Provisioning: Policy installation, Gaia Portal, REST API
  • Monitoring: Logs, SNMP

Normally, these functions run on processes on cores that are shared with cores that process traffic.
MDPS also provides a separate routing table for these functions as well as others you can configure.

If you're experiencing issues with these functions and the gateways operate under significant load, MDPS can be helpful.
It's important to understand the known limitations should you choose to enable it.
In most situations, MDPS is not necessary.

(1)
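The two separation properties described in this reply and in the accepted solution's "Implementation Methods" (dedicated cores for the management functions, and a separate routing table for management traffic) can be verified on any Linux-based host from data it already exposes. The Python audit below is an added example, not Check Point code and not taken from sk138672: it parses Linux `Cpus_allowed_list` values (the format found in /proc/<pid>/status) and `ip rule` output, then reports where management processes still share cores with traffic workers or where a management source still falls through to the main routing table. The process names, the management prefix 10.10.10.0/24, the table name `mgmt` and every sample line are constructed assumptions for this example; on a real gateway you would feed it the live values.

```python
"""Audit of management/data plane separation on a Linux-based gateway.

Added example, not Check Point code. It checks the two properties the
thread attributes to MDPS:
  1. management processes own CPU cores that no traffic worker touches;
  2. management sources are sent to a dedicated routing table by 'ip rule'.
All process names and sample lines below are constructed for the example.
"""
import re

# Hypothetical plane membership for this gateway (constructed names).
MANAGEMENT_PROCESSES = {"sshd", "snmpd", "httpd"}      # access, monitoring, portal
DATA_PLANE_PROCESSES = {"fw_worker_0", "fw_worker_1"}  # traffic workers

# Matches 'ip rule' lines such as '100:  from 10.10.10.0/24 lookup mgmt'.
RULE_RE = re.compile(r"^\s*(\d+):\s+from\s+(\S+)\s+lookup\s+(\S+)")


def parse_cpu_list(spec: str) -> set:
    """Expand a Linux cpulist such as '0,2-3' into {0, 2, 3}."""
    cpus = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            cpus.update(range(int(lo), int(hi) + 1))
        else:
            cpus.add(int(part))
    return cpus


def cpu_overlap(affinity: dict) -> set:
    """Cores used by both planes; empty means resource separation holds.

    affinity maps process name -> Cpus_allowed_list string.
    """
    mgmt = set().union(*(parse_cpu_list(affinity[p])
                         for p in MANAGEMENT_PROCESSES if p in affinity))
    data = set().union(*(parse_cpu_list(affinity[p])
                         for p in DATA_PLANE_PROCESSES if p in affinity))
    return mgmt & data


def management_rule_tables(ip_rule_output: str, mgmt_sources) -> dict:
    """Routing table each management source prefix is sent to.

    The first matching rule wins, as in the kernel's policy-routing lookup;
    a prefix with no rule of its own falls through to 'main'.
    """
    table_for = {}
    for line in ip_rule_output.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(2) in mgmt_sources:
            table_for.setdefault(m.group(2), m.group(3))
    for src in mgmt_sources:
        table_for.setdefault(src, "main")
    return table_for


def audit(affinity: dict, ip_rule_output: str, mgmt_sources) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    shared = cpu_overlap(affinity)
    if shared:
        findings.append(
            f"management and data-plane processes share cores {sorted(shared)}")
    for src, table in management_rule_tables(ip_rule_output, mgmt_sources).items():
        if table in ("main", "default"):
            findings.append(
                f"management source {src} uses routing table '{table}', not a dedicated one")
    return findings


# Constructed sample: a 4-core gateway with management pinned to core 0
# and a dedicated 'mgmt' table for the management network.
SEPARATED_AFFINITY = {
    "sshd": "0", "snmpd": "0", "httpd": "0",
    "fw_worker_0": "1-2", "fw_worker_1": "3",
}
SEPARATED_RULES = """\
0:\tfrom all lookup local
100:\tfrom 10.10.10.0/24 lookup mgmt
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Constructed sample: same gateway without separation (the default situation).
SHARED_AFFINITY = {
    "sshd": "0-3", "snmpd": "0-3", "httpd": "0-3",
    "fw_worker_0": "1-2", "fw_worker_1": "3",
}
SHARED_RULES = """\
0:\tfrom all lookup local
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
MGMT_SOURCES = ["10.10.10.0/24"]   # constructed management network

if __name__ == "__main__":
    for name, aff, rules in (("separated", SEPARATED_AFFINITY, SEPARATED_RULES),
                             ("shared", SHARED_AFFINITY, SHARED_RULES)):
        print(name, audit(aff, rules, MGMT_SOURCES) or ["ok"])
```

On a live host the affinity dictionary would be built from the `Cpus_allowed_list:` line of each daemon's /proc/<pid>/status and the rules from `ip rule show`; the audit itself does not depend on any Check Point-specific command.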