This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TSOL
Advisor
‎2024-08-18 08:05 PM
Jump to solution

Concerns Regarding the Use of MDPS in the Migrate to CheckPoint

Hello All

 

We are planning to replace ASA with Check Point and are looking for an equivalent command in Check Point for the ASA management-only command.

We have already reviewed the information about this MDPS site,(sk138672)

but other threads (from 2022) mention that it has many bugs,

which makes us hesitant to use it. Have all these issues been resolved by lateset R81.20?

Do you have any information on this?

 

Thank you for all the advice.

 

 

1 Solution

Accepted Solutions
the_rock
Legend
Legend
‎2024-09-11 10:17 AM
Jump to solution

One of my colleagues did this for a customer in R81.20 and they are happy with it. No issues so far.

Andy

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2024-08-19 06:35 AM
Jump to solution

What are the specific concerns you have with MDPS?

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-09-11 08:46 AM
Jump to solution

move to vsx, same goal, much more support and reliability

the_rock
Legend
Legend
‎2024-09-11 10:17 AM
Jump to solution

One of my colleagues did this for a customer in R81.20 and they are happy with it. No issues so far.

Andy

0 Kudos
melcu
Explorer
Explorer
Wednesday
Jump to solution

So I'm kind in the same situation but for me it's not working.
I separated mplane from dplane according to the (poorly documented) sk138672.

Right now the management plane is isolated which is good. BUT as this is done is software I have some strange issues:

Packets originating from the management interface traverse the management plane and lands on dplane to be processed by the firewall. dplane recognise the source IP and it's marking it as spoofed. if MDPS is to fully isolate the network. This breaks almost everything like DNS, AD for Gaia LDAP AD binding,  TACACS.  SMS still works because due to an "error" is in the same network 🙂 but otherwise it will fail.

THe inbound traffic originating from inside the network (from one of many internal interfaces) arrives in DP where is processed but due to "mdps_tun" the traffic is sent over to mplane. Of course, as MDPS has a default route, traffic is sent over the default route, which lands on dplane and flow is broken due to symmetry issues.

So basically from the internal network I cannot access the management interface).

I know it's software but still.  MDPS should be a real isolation. 
I'm thinking on switching to a dedicated VSX just for managemnet but.. as everything is in place right now, removing mdps will be a mess.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events