See:
sk179005: "Connections from Data Interface to the Management Interfaces (and Vice Versa)" feature
or
Maestro limitation: connections going through data and management interface
Management Interfaces Requirements:
- Defined on the MHO
- Used for control traffic (policy installation, logging) between the members of an SG and the SMS/MDS.
- For management purposes, it is also used to connect to the SMO Master using the Gaia web interface and SSH
- Depending upon the MHO model number, there are between one and four physical ports assigned for the Gateway.
- Strongly recommended: Bonding of the Management Interface to two or more upstream switches is important to ensure continuity of management access should one MHO fail. Bonds on Management Interfaces (MAGG) can be established only between identical interfaces. For example, eth1-Mgmt1 and eth2-Mgmt1.
- Each MHO’s Management NIC has its own dedicated IP address, subnet mask, and set of static routes.
- Used solely for accessing the MHO for management purposes (SSH, WebUI) and does not influence how production traffic is forwarded by the MHO.
- IP routing at Layer 3 is performed by the Gateway members of an SG, not by the MHO.
Management Network Traffic Guidelines:
- A single defined management hardware port can be shared between multiple SGs at the same site.
- Attempting to Hide NAT traffic traversing with the Management Interface is not supported.
- R81.10+ Connections that arrive through the Management Interface and are sent out through the Data Interface -> sk179005
- R81.10+ Connections that arrive through the Data Interface and are sent out through the Management Interface -> sk179005
Management Network Traffic Limitations:
- The defined Management Interface used by an SG is not for production traffic.
- The interface was designed to be used exclusively for management connectivity between the SMS/MDS and the SMO Master, and not for production traffic.
- Connections that arrive via the Management Interface but leave on a data port (like Uplink or Downlink interfaces).
- Connections that arrive from a data port and attempt to leave on the Management Interface.
- With R81.10 and higher, the Connections from Data-to-Management feature makes connectivity between management and data interfaces possible. By default, this feature is disabled. -> sk179005
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
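The rules in the post above (MAGG members must be identical interfaces on different MHOs, Hide NAT across the Management Interface is unsupported, and management-to-data crossings need R81.10+ plus the sk179005 feature enabled) can be turned into a pre-deployment plan check. The following is an added example, not code from the post or from Check Point: the interface naming pattern (`ethN-MgmtM` for MHO management ports, `ethN-NN` for data ports), the `Flow` structure and the function names are assumptions made for the example.

```python
"""Constructed pre-deployment checks for a Maestro management-interface plan.

Assumptions (not Check Point tooling): MHO management ports are named like
"eth1-Mgmt1" (eth1 = first MHO, Mgmt1 = its first management port), data
ports like "eth1-01". Only names matching MGMT_RE count as Management Interfaces.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed naming: "<mho>-Mgmt<n>", e.g. "eth1-Mgmt1" on MHO 1, "eth2-Mgmt1" on MHO 2.
MGMT_RE = re.compile(r"^(?P<mho>eth\d+)-(?P<mgmt>Mgmt\d+)$")


def is_mgmt_interface(name: str) -> bool:
    """True when the interface name is a Management Interface under the assumed naming."""
    return MGMT_RE.match(name) is not None


def check_magg_members(members: List[str]) -> List[str]:
    """Return problems with a planned MAGG bond; an empty list means the plan is OK."""
    problems: List[str] = []
    if len(members) < 2:
        problems.append("a MAGG needs at least two members (one per MHO)")
    parsed = []
    for m in members:
        mt = MGMT_RE.match(m)
        if mt is None:
            problems.append(f"{m}: not a Management Interface, cannot be a MAGG member")
        else:
            parsed.append(mt)
    # Rule: MAGG members must be identical interfaces (same MgmtN on every MHO).
    mgmt_ports = {p.group("mgmt") for p in parsed}
    if len(mgmt_ports) > 1:
        problems.append(f"MAGG members are not identical interfaces: {sorted(mgmt_ports)}")
    # Rule intent: members sit on different MHOs so one MHO failing keeps management access.
    mhos = [p.group("mho") for p in parsed]
    if len(set(mhos)) != len(mhos):
        problems.append("two MAGG members are on the same MHO; the bond gives no MHO redundancy")
    return problems


@dataclass
class Flow:
    """A planned connection, described by its ingress and egress interface names (constructed)."""
    ingress: str
    egress: str
    hide_nat: bool = False


def parse_version(version: str) -> Tuple[int, ...]:
    """'R81.10' -> (81, 10); 'R80.40' -> (80, 40); 'R81' -> (81,)."""
    return tuple(int(part) for part in version.lstrip("Rr").split("."))


def check_flow(flow: Flow, version: str, data_to_mgmt_enabled: bool = False) -> Optional[str]:
    """Return why the flow is unsupported on the management plane, or None if it is fine."""
    in_mgmt = is_mgmt_interface(flow.ingress)
    out_mgmt = is_mgmt_interface(flow.egress)
    if not in_mgmt and not out_mgmt:
        return None  # pure data-plane traffic; the Management Interface is not involved
    if flow.hide_nat:
        return "Hide NAT on traffic traversing the Management Interface is not supported"
    if in_mgmt and out_mgmt:
        return None  # management-plane traffic (SMS/MDS <-> SMO Master, SSH, WebUI)
    # One side is a Management Interface, the other a data port: a mgmt<->data crossing.
    if parse_version(version) < (81, 10):
        return "management<->data crossing needs R81.10 or higher (sk179005)"
    if not data_to_mgmt_enabled:
        return "management<->data crossing is disabled by default; enable per sk179005"
    return None


if __name__ == "__main__":
    print(check_magg_members(["eth1-Mgmt1", "eth2-Mgmt1"]))
    print(check_magg_members(["eth1-Mgmt1", "eth2-Mgmt2"]))
    print(check_flow(Flow("eth1-Mgmt1", "eth1-01"), "R80.40"))
    print(check_flow(Flow("eth1-Mgmt1", "eth1-01"), "R81.10", data_to_mgmt_enabled=True))
```

Run it against a planned interface map before cabling; a non-empty result from `check_magg_members` or a non-`None` reason from `check_flow` points at the rule in the post that the plan violates.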