Christian_Koehl
Collaborator

IP of SMO

Dear Folks,

I have some questions about the IP of the SMO. I have an R81.10 environment with JHF-87.


1) Can the IP of the SMO be in the same subnet as one of the data-interfaces (The IPs are, of course, different)?

2) Can the IP of the SMO be set to the IP of one of the data-interfaces?


My questions are regarding the fact that my SMS is connected to one of the data-interfaces and has that interface as its default gateway.

Best regards,

Christian

3 Replies
HeikoAnkenbrand
Champion

See:
sk179005: "Connections from Data Interface to the Management Interfaces (and Vice Versa)" feature
or
Maestro limitation - connections going through data and management interface

Management Interfaces Requirements:
- Defined on the MHO
- Used for control traffic (policy installation, logging) between the members of an SG and the SMS/MDS.
- For management purposes, it is also used to connect to the SMO Master using the Gaia web interface and SSH
- Depending upon the MHO model number, there are between one and four physical ports assigned for the Gateway.
- Strongly recommended: Bonding of the Management Interface to two or more upstream switches is important to ensure continuity of management access should one MHO fail. Bonds on Management Interfaces (MAGG) can be established only between identical interfaces. For example, eth1-Mgmt1 and eth2-Mgmt1.
- Each MHO’s Management NIC has its own dedicated IP address, subnet mask, and set of static routes.
- Used solely for accessing the MHO for management purposes (SSH, WebUI) and does not influence how production traffic is forwarded by the MHO.
- IP routing at Layer 3 is performed by the Gateway members of an SG, not by the MHO.

Management Network Traffic Guidelines:
- A single defined management hardware port can be shared between multiple SGs at the same site.
- Attempting to Hide NAT traffic traversing with the Management Interface is not supported.
- R81.10+ Connections that arrive through the Management Interface and are sent out through the Data Interface -> sk179005
- R81.10+ Connections that arrive through the Data Interface and are sent out through the Management Interface -> sk179005

Management Network Traffic Limitations:
- The defined Management Interface used by a SG is not for production traffic.
- The interface was designed to be used exclusively for management connectivity between the SMS/MDS and the SMO Master, and not for production traffic.
- Connections that arrive via the Management Interface but leave on a data port (like Uplink or Downlink interfaces).
- Connections that arrive from a data port and attempt to leave on the Management Interface
- With R81.10 and higher, the Connections from Data-to-Management feature makes connectivity between management and data interfaces possible. By default, this feature is disabled. -> sk179005

➜ CCSM Elite, CCME, CCTE
CheckPoint_IT
Explorer

@HeikoAnkenbrand Thanks for sharing.

In my case, because of asymmetric routing, I cannot set up an actual out-of-band management interface and I have to use a data interface to manage the Security Group's Gaia portal. But in fact, when I set it up, I cannot access the SG's Gaia portal through the IP of the data interface. It seems like the connection is split between both Security Gateways in the Group, but only the SMO (one of these two gateways) processes that management traffic and the other SG drops it. Am I right to say that? If I set fwha_data_mgmt_connection as mentioned in sk179005, will I be able to fix this error? (Like the SG backup will also sync the administrative connection from the SMO and it will still return it to the client instead of dropping it.)

Thanks.

emmap
Employee

In your case it would be best not to use the management port at all. While we can enable routing of traffic through it, all that traffic will be corrected over to the SMO, which if you use it as a default gateway for a lot of systems will cause load imbalance. Basically, put a 'dummy' IP on the mgmt port of the SG, SIC it to a regular uplink, and disable L4 distribution to resolve the issues with accessing the WebUI via an uplink.

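The replies above reference the fwha_data_mgmt_connection kernel parameter from sk179005, which is disabled by default. The following script is an added example, not code from the thread or from Check Point, for auditing that setting on a Security Group member from the expert shell. It assumes the parameter is read with `fw ctl get int <name>` and that the output has the form `<name> = <value>`, with 0 meaning disabled and 1 meaning enabled; the fallback line used when the `fw` binary is absent is a constructed sample.

```shell
#!/bin/sh
# Added example: report whether the R81.10+ "Connections from Data Interface
# to the Management Interfaces" feature (sk179005) is enabled on this member.
# Assumption: the feature is controlled by the kernel parameter named below,
# read with `fw ctl get int`, and printed as "<name> = <value>".

PARAM=fwha_data_mgmt_connection

# parse_flag_state: takes one line of `fw ctl get int` output and prints
# "enabled", "disabled" or "unknown" (non-zero exit for unknown).
parse_flag_state() {
    line=$1
    name=${line%%=*}
    name=$(printf '%s' "$name" | tr -d ' ')
    value=${line#*=}
    value=$(printf '%s' "$value" | tr -d ' ')
    [ "$name" = "$PARAM" ] || { echo unknown; return 1; }
    case $value in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# check_data_mgmt_feature: live check on a gateway; where `fw` is not
# installed (e.g. on a workstation) it falls back to a constructed sample
# line that matches the default state, so the script still runs offline.
check_data_mgmt_feature() {
    if command -v fw >/dev/null 2>&1; then
        out=$(fw ctl get int "$PARAM" 2>/dev/null)
    else
        out="$PARAM = 0"   # constructed sample output (default: disabled)
    fi
    parse_flag_state "$out"
}

# Example run: prints "disabled" on a member with the default setting.
check_data_mgmt_feature
```

Run it on each member of the Security Group rather than only on the SMO: the thread's observation that non-SMO members drop management connections arriving on a data interface is exactly the case this flag governs, and a mismatch between members is worth flagging before changing the default. Note that emmap's recommendation in the last reply is to avoid routing management traffic through the management port altogether, so an "enabled" result is a fact to record, not a goal in itself.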