This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sahmad
Explorer
‎2023-11-23 07:35 AM

mdplan and dplan- SMART-1 cloud

Hello everyone, 

Reaching out to see if anyone can help as I pretty much giveup on TAC and myself too. We have CP 3000 (R81.10 JHF 110) cluster that we manage through on Prem Policy Manager. Cluster has separate mplan and dplan. During the migration everything went well except SIC communication to the cloud. It can't establish SIC communication. We involved TAC 3 months ago and it has been struggle. Here is what it boils down to. TAC suggested to disable dplan/mplan separation. We did disable but by doing so, the firewalls stopped talking to internet. Upon further inverstigation we found that after disabling dplan/mplan, the firewalls wont even talk to local DNS and wont even PING. I understand that enabling mdps create separate routing table etc but need to understand few things.
Please  
1: Why Gateways can't talk to SMART-1 cloud when dplan/mplan is enabled. Even though I can ping internet, DNS etc it still can't establish SIC communication.
2: When I disable dplan/mplan separation, why firewalls stop talking to internet and local DNS server. 
3: Am I dealing with some documented bug? like I should be able to establish SIC with SAMRT 1 while dplan/mplan is enabled. No?

This issue is going on from last 3 months and as I stated TAC is not very helpful. Looking for feedback/suggestion from those who were able to establish SIC when dplan/mplan separation is enabled or workaround

Thank you 

0 Kudos
2 Replies
_Val_
Admin
Admin
‎2023-11-28 01:00 AM

Hi Sheraz, could you please send me the SR via a private message? Also, during the process and struggle with TAC, did you escalate your case? 

0 Kudos
_Val_
Admin
Admin
‎2023-11-28 01:10 AM

In addition, concerning your question number 3. It looks to me a configuration issue. With management Plane enabled, you have two VRFs, one of them taking care of FW operations and connectivity, and the MP in charge of admin/log/management traffic. As you mentioned, both planes have separate routing tables and DNS definitions. When MP admin traffic stays internal, there is no issue. Once you need to reach out to Internet, there is most probably a routing issue, since MP should actually pass through the data plane to reach Internet IPs. 

Disamping MP separation makes sense, and you need just to figure out why you lose direct internet connectivity. My bet is, that is because you lose DNS and routing settings from MP, and you just need to re-create them. 

That said, it is not exactly easy to provide you with any guidance without details. 

0 Kudos
Trending Discussions
Remediation Steps
Upcoming Events

    Sort by:
    CheckMates Events