This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marco32
Contributor
Contributor
‎2022-09-28 05:02 AM

MDS with 2 interface, asymmetric routing issue

Hi there,

I’m trying to fix in my lab best configuration for MDS R81.10 HA that have strict security policy for interface access.

Architecture is like this:

  • bond1 (configured as leading interface) that can be reached only by appliance that have to be managed by various CMA. IP are like 192.168.1.2/24 CMA1 , 192.168.1.3/24 CMA2 , 192.168.1.4/24 CMA3
  • eth0 (configured as leading interface too) that can be reached only for SmartConsole/ssh access. IP is 10.0.0.1/24

Customer security policy don’t want that 192.168.1.0/24 can be reached for administration traffic, SmartConsole.

Routing is configured with default gateway pointing to 192.168.1.1 on bond1 interface and with a static route to management subnet through the eth0.

 

If I connect to 10.0.0.1 with SmartConsole I can access MDS environment but if I try to connect to active server of CMA my pc start a new session pointing to CMD IP (ex. 192.168.1.2) and this can’t be valid for security policy.

 

My question is, there is a way to access CMA with SmartConsole through the eth0 and not through the bond1? Otherwise I have asymmetric routing issue.

 

Regards

M

Labels
0 Kudos
4 Replies
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-09-28 06:29 AM

If you connect to 10.0.0.1/<DomainName> (or connect to the MDS and pick the domain when it asks you which domain you want to connect to), it should connect SmartConsole to that CMA.

0 Kudos
Marco32
Contributor
Contributor
‎2022-09-28 09:03 AM
In response to Bob_Zimmerman

Hi Bob,

yes I know, but the my client start a new session to the IP 191.168.1.x ...and that network can't be reached from management network (where I have SmartConsole).

There's a way to access only from this inerface?

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2022-09-28 11:28 AM

It is not supported to have more than 1 leading interface.

You can deploy new Windows jumpserver (with installed SmartConsole) which will be inside 192.168.1.0/24. Second interface on this new Windows jumpserver can be within 10.0.0.0/24 

Kind regards,
Jozko Mrkvicka
0 Kudos
Marco32
Contributor
Contributor
‎2022-09-30 02:41 AM
In response to JozkoMrkvicka

Thanks all,

documentation says that you need at least one leading interface. In my lab, infact, I created 2 different leading interface.

The bond1 interface (that have the VIP of the Domain) need to be accessed only by gateway

The eth0 intercase need to be the only one used from SmartConsole

There's a way to permit this configuration?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events