Pearl

New! R80.30 feature: Management Data Plane Separation (for gateways with 4+ cores)

I really like the all new R80.30 feature for separating management from data traffic via

  • Routing Separation and
  • Resource Separation

as described in sk138672.

Did anyone test this already?

16 Replies
Platinum

It is about time! Finally arrived.
Will test it soon and report back 🙂
Jerry

About time! This is a long overdue feature!

Platinum

"Use of logical interfaces is not suppoted on management interface (Alias, Bridge, VPN Tunnel, 6in4 Tunnel, PPPoE, Bond, VLAN)"

1. It is a pity. Showstopper for us.
2. There is a typo (suppoted -> supported).

Kind regards,
Jozko Mrkvicka

Very interesting information.

I will test it tomorrow in our LAB :-)

Thank you!


With Resource Separation the cpu load should not rise when installing the policy. Is that correct?


Hi Dameon,

Do I need a license for the management instance or lose a core license?

Regards

Heiko

Admin

I assume this dedicated CPU core is treated like any other core: you need a license for it. A minimum of 8 CPU cores are required to use this feature, which means your Open Server license must be for at least 8 cores. Beyond that, no special licensing requirements.
Pearl

So anything below 5900 will not be able to take advantage of it...

Admin

Sounds about right.
Pearl

Danny, you may want to change the heading by adding "for gateways with 8 or more cores".

Otherwise it leads to unwarranted euphoria 🙂

Pearl

Added.


I do have a concern about the best practices from the article: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

"Connectivity to the LDAP and similar servers from the Gateway should be done via the Data Plane."

I've always been told that only the management/control plane of a security gateway should be making or allowing connections to the device. The data plane should not allow or make connections, it should only play the role of traffic cop.

What are everyone's thoughts on this?


FYI, this was changed to min 4 recently.

Pearl

Thanks for the info. I changed the thread title from 8 to 4 CPU cores.


I tested it and it worked successfully (resource & routing both enabled).

It's not possible to use the mgmt IP on Identity Collector, and I think it should be.

Could you please add a service/task for this issue?

XXXXXXXXX:TACP-0> show mdps state

Management Data plane separation:

Routing plane: Enabled
Dedicated resource: Enabled (FW-Instance [39,38], CPU [4,28])
Management interface: Mgmt
Sync interface: Sync
Management plane configured routes:
default via X.X.X.X

XXXXXXXXX:TACP-0> show mdps tasks

Management plane tasks:
Service: cpri_d
Service: ntpd
Service: sshd
Service: syslog
Process: cloningd
Process: httpd2
Process: ntpd
Process: snmpd
Process: snmpmonitor
Port;Protocol: 256;tcp
Port;Protocol: 257;tcp
Port;Protocol: 2010;tcp
Port;Protocol: 5432;tcp
Port;Protocol: 18181;tcp
Port;Protocol: 18183;tcp
Port;Protocol: 18184;tcp
Port;Protocol: 18187;tcp
Port;Protocol: 18191;tcp
Port;Protocol: 18192;tcp
Port;Protocol: 18195;tcp
Port;Protocol: 18210;tcp
Port;Protocol: 18211;tcp
Port;Protocol: 18264;tcp

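A small check, added here and not taken from the thread or from Check Point, that parses the "show mdps tasks" output quoted above and reports which services or port;protocol pairs an operator expects on the management plane but which are absent. The expected lists are assumptions for illustration (49;tcp is the TACACS+ port discussed elsewhere in the thread); verify against sk138672 what actually needs to be listed.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample: a trimmed copy of the "show mdps tasks" output in the thread.
SAMPLE_MDPS_TASKS = """Management plane tasks:
Service: cpri_d
Service: ntpd
Service: sshd
Service: syslog
Process: cloningd
Process: httpd2
Process: snmpd
Port;Protocol: 256;tcp
Port;Protocol: 257;tcp
Port;Protocol: 18191;tcp
Port;Protocol: 18264;tcp
"""

# Each task line is "<kind>: <value>", where kind is Service, Process or Port;Protocol.
TASK_LINE = re.compile(r"^(Service|Process|Port;Protocol):\s*(\S+)\s*$")


def parse_mdps_tasks(text: str) -> Dict[str, Set[str]]:
    """Parse 'show mdps tasks' output into {kind: set of values}."""
    tasks: Dict[str, Set[str]] = {"Service": set(), "Process": set(), "Port;Protocol": set()}
    for line in text.splitlines():
        match = TASK_LINE.match(line.strip())
        if match:
            tasks[match.group(1)].add(match.group(2))
    return tasks


def missing_from_mgmt_plane(text: str, services: Iterable[str] = (),
                            ports: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return expected services / 'port;proto' pairs NOT assigned to the management plane.

    Anything reported here will be handled by the data plane, which is the kind of
    surprise (backup SSH, TACACS+ on 49/tcp) the thread describes.
    """
    tasks = parse_mdps_tasks(text)
    return {
        "services": sorted(s for s in services if s not in tasks["Service"]),
        "ports": sorted(p for p in ports if p not in tasks["Port;Protocol"]),
    }


if __name__ == "__main__":
    # Expected lists are assumptions for this example, not a Check Point recommendation.
    print(missing_from_mgmt_plane(SAMPLE_MDPS_TASKS,
                                  services=("sshd", "ntpd", "syslog"),
                                  ports=("49;tcp", "18191;tcp")))
```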

I tried mdps in the lab. I have two issues so far:

1. Can't make backup traffic go over the Mgmt interface; it attempts SSH connections on one of the data interfaces instead, even if I try to back up the gateway to a management appliance.

2. TACACS traffic on port 49 goes over the Mgmt interface during initial login to the gateway, which is expected, then for some reason it attempts to go over a data interface during the 2nd authentication when I try to escalate my privileges from TACP-0 to TACP-15.

These two issues are showstoppers for us to deploy this feature.