As I see it, when we assign any IP to the management interface we are only able to communicate with the management interface IP from the same subnet. I need the same management interface IP to be routable to another VLAN, with this management interface having its own routing domain.
If we have a requirement like a special management VLAN that the customer has, and all device MGMT ports are connected to the same switch, then if we reach management from this VLAN we can communicate; but if we need to communicate with the mgmt IP from a different subnet, then in this case we require a default gateway to be configured in Check Point.
This is as I observe it, so if anybody has any workaround please let us know.
As Aleksey wrote, there is no own routing instance for the management interface, and this interface works the same as any other.
To reach other subnets in your management VLANs you can configure routes going out via the management interface. And you can limit the connections via the rulebase.
But if you have to physically separate, you have to use another solution...
Another option would be to use VSX (if it is supported on your appliance and you have the license). With this you can put your management completely on a separate network and run your firewall as a virtual system with no connectivity to the management.
And additionally, on most of the larger appliances you have a LOM card which you could connect to the management VLAN.
But you can use the LOM port only to connect to the console of the appliance. It is not possible to have SmartCenter connections to the gateway via the LOM port. Maybe this is enough for your requirements.
Wolfgang
This is how I achieved this with PBR; the "real default route" is pointing to another interface.
set pbr table Mgmt static-route default nexthop gateway address 10.10.10.1 priority 1
set pbr rule priority 10 match from 10.10.10.0/24 to 10.10.10.0/24
set pbr rule priority 20 match from 10.10.10.0/24 to 10.0.0.0/8
set pbr rule priority 20 action table Mgmt
set pbr rule priority 30 match from 10.10.10.0/24 to 172.16.0.0/12
set pbr rule priority 30 action table Mgmt
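To sanity-check a rule set like the one above before applying it, here is an added Python model (not from the post and not Check Point code) that parses those clish lines and reports which table a given flow would hit. It assumes first-match evaluation by ascending priority number, that a matching rule with no action table falls through to the main routing table (the "bypass" the poster describes), that 10.10.10.0/24 is directly connected on the Mgmt interface, and a constructed main default gateway of 192.0.2.1.

```python
import ipaddress

# Constructed sample input: the six clish lines from the post above, copied verbatim.
PBR_CLISH = """\
set pbr table Mgmt static-route default nexthop gateway address 10.10.10.1 priority 1
set pbr rule priority 10 match from 10.10.10.0/24 to 10.10.10.0/24
set pbr rule priority 20 match from 10.10.10.0/24 to 10.0.0.0/8
set pbr rule priority 20 action table Mgmt
set pbr rule priority 30 match from 10.10.10.0/24 to 172.16.0.0/12
set pbr rule priority 30 action table Mgmt
"""
MGMT_NET = ipaddress.ip_network("10.10.10.0/24")  # assumed directly connected on Mgmt
MAIN_DEFAULT_GW = "192.0.2.1"  # assumed "real default route" out of another interface


def parse_pbr(text):
    """Parse 'set pbr table ...' and 'set pbr rule priority ...' lines.
    Returns ({table: default_gw}, [(priority, rule_dict)] sorted by priority)."""
    tables, rules = {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["set", "pbr", "table"] and "address" in t:
            tables[t[3]] = t[t.index("address") + 1]
        elif t[:4] == ["set", "pbr", "rule", "priority"]:
            r = rules.setdefault(int(t[4]), {"from": None, "to": None, "table": None})
            if "match" in t:  # match criteria and action arrive on separate lines
                r["from"] = ipaddress.ip_network(t[t.index("from") + 1])
                r["to"] = ipaddress.ip_network(t[t.index("to") + 1])
            if "action" in t:
                r["table"] = t[t.index("table") + 1]
    return tables, [(p, rules[p]) for p in sorted(rules)]


def next_hop(src, dst, tables, rules, main_gw=MAIN_DEFAULT_GW):
    """Lowest priority number that matches wins (assumption: first match, then stop).
    A matching rule with no action table is the poster's 'bypass': fall through to main."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, r in rules:
        if r["from"] is not None and s in r["from"] and d in r["to"]:
            if r["table"] is None:
                break  # bypass rule: use the main routing table
            return f"table {r['table']} via {tables[r['table']]}"
    if d in MGMT_NET:
        return "main: directly connected"
    return f"main: default via {main_gw}"


if __name__ == "__main__":
    t, r = parse_pbr(PBR_CLISH)
    print(next_hop("10.10.10.5", "10.10.10.1", t, r), "|", next_hop("10.10.10.5", "10.20.30.40", t, r))
```

Dropping the priority 10 rule from the parsed list shows why the bypass is needed: local-subnet traffic would then match the 10.0.0.0/8 rule and be sent to the Mgmt table's gateway instead of being delivered as directly connected.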
Maybe I don't understand something here, but it looks like just proper routing is required.
The Mgmt interface should be available from specific hosts or networks for management purposes. So, routes to these networks should point through the Mgmt interface. And the default gateway stays where it is now for other traffic. The Mgmt interface doesn't have a separate routing domain; it is the same kind of interface as the others on the device.
I need a separate routing domain for the management interface, and then I will apply a default route for the dedicated management interface; after that it can communicate with another VLAN also,
and this management interface subnet should not be showing in the main routing table as directly connected.
Actually from LOM we can get a direct console, which will be the console CLI via a Java plugin.
Are the Gaia OS GUI and SSH accessible from the LOM port?
"Gaia OS GUI and SSH is accessible from LOM port"
Simple answer: NO.
Access is only possible to the console, as if you were connected via the console port.
This is a pain I have had multiple times when migrating from VSX.
I managed to solve it with PBR: any traffic originating from the mgmt IP is sent to a different PBR table which has a different default route.
You just need to create a bypass rule for traffic within the local network of the management.
I have opened a ticket with Check Point support; they told me this will not be possible.
Check Point should give this feature.
This is coming with R80.30: Management Data Plane Separation (sk138672)
Yes, I voted for Harmesh.
What other vendors call a "virtual-router" is what is needed.