starmen2000
Collaborator

Management VLAN for design

Hello mates,

I have a few questions regarding the management segment for the management server and gateway management IPs.

We are planning to deploy a management server and one cluster in the customer environment. The customer already has a management VLAN for servers and other devices. Should the customer use the same management segment for the management server and firewalls, or should the customer isolate the Check Point management server and gateways from the other managed devices?

If the best practice is to have an isolated VLAN for Check Point devices, is VLAN isolation sufficient, or should additional Cisco router ACLs be implemented? Additionally, I think it requires a stealth rule on the firewall. With a stealth rule, can we protect both the gateways and the management server? Keep in mind that the management server's IP and the gateways' IPs are in the same subnet, and packets destined for the management server bypass the gateway and go directly to the management server because they are in the same VLAN.

What are your thoughts on the best practice for deployment?

5 Replies
the_rock
Legend

I have seen many customers do exactly that, just have the CP mgmt server and gateway/cluster isolated, no need for additional ACLs. I mean, it does not hurt, but it's not a must.

Best,

Andy

emmap
Employee

What do you mean by "Keep in mind that the management server's IP and gateways' IPs are the same, and packets destined for the management server bypass the gateway and go directly to the management server."? You have the same IP address configured on two different devices?

Generally we like to recommend an isolated VLAN for CP management, just keep in mind that you need to be able to get to the management server in the event of the gateway being down, so don't put yourself in a position where that's going to be painful during a maintenance job or outage.

starmen2000
Collaborator

Sorry, I mistyped. The mgmt server's IP and the gateways' IPs are on the same VLAN; they definitely have different IPs. In that case, is it recommended to isolate the mgmt server from the gateways, or is it OK that the IP of the mgmt server and the mgmt IPs of the gateways are on the same subnet?

emmap
Employee

It's fine that they're on the same subnet.

Bob_Zimmerman
Authority

I strongly recommend against giving the firewalls an interface on a management network. By default, all the interfaces on a Check Point firewall are in the same routing table. Putting multiple firewalls on a given network for management traffic means there are multiple gateways into and out of that network. That's a surefire way to get asymmetric routing, which will lead to weird anti-spoofing and stateful inspection drops.

VSX changes this, as it lets you run multiple routing tables on the firewall. It's the same thing as VRF, FortiGate VDOM, Palo Alto vsys, and so on.

Another feature, Management Data Plane Separation (MDPS), can also separate management routing from through-traffic routing, though its name is a bit misleading. The management "plane" and the data "plane" are still the same OS running on the same processor. It does not provide true separation like big-iron routers with physically separate cards for management and for passing data. It uses the same underlying technology as VSX, though it is managed differently.

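The asymmetric-routing failure Bob describes, and the original poster's remark that same-VLAN traffic never crosses the gateway, are easy to see in a small model. The script below is an added example written for this thread, not code from any of the posters or from Check Point: it models two stateful firewalls that both have an interface on the management VLAN, sends one request/reply exchange through them, and shows that the reply is dropped by the firewall that never saw the flow open. The host names, the 10.1.0.0/24 and 10.2.0.0/24 addresses and the routing tables are constructed for the example; "separate routing context" is a deliberate simplification of what VSX or MDPS achieve, namely that the firewalls' management interfaces are kept out of the through-traffic routing table so the management VLAN has only one forwarding gateway.

```python
"""Toy model of stateful inspection drops caused by two firewalls sharing a
management VLAN. Addresses, host names and routing tables are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    first: bool  # True for the packet that opens a flow, False for a reply


@dataclass
class StatefulFirewall:
    name: str
    state: set = field(default_factory=set)
    drops: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> bool:
        """Accept the opening packet of a flow and remember it; accept later
        packets only if this firewall saw the flow open (stateful inspection).
        An out-of-state reply is what shows up as a drop in the firewall log."""
        key = frozenset((pkt.src, pkt.dst))
        if pkt.first:
            self.state.add(key)
            return True
        if key in self.state:
            return True
        self.drops.append(pkt)
        return False


def subnet(ip: str) -> str:
    """Treat every network as a /24 for the example."""
    return ".".join(ip.split(".")[:3])


def send(pkt: Packet, firewalls: dict, gateway_of: dict) -> str:
    """Deliver pkt. Same-subnet traffic is switched at layer 2 and never reaches
    a firewall rulebase; traffic leaving a subnet goes through that subnet's
    default gateway, the stateful firewall named in gateway_of."""
    if subnet(pkt.src) == subnet(pkt.dst):
        return "switched"
    fw = firewalls[gateway_of[subnet(pkt.src)]]
    return fw.name if fw.inspect(pkt) else "dropped"


def run_flow(gateway_of: dict) -> tuple:
    """One request/reply exchange: a host on the server VLAN (10.1.0.0/24)
    opens a connection to the management server (10.2.0.10), which replies.
    Returns which device handled each packet, or 'dropped'."""
    fws = {"fw-a": StatefulFirewall("fw-a"), "fw-b": StatefulFirewall("fw-b")}
    request = Packet("10.1.0.50", "10.2.0.10", first=True)
    reply = Packet("10.2.0.10", "10.1.0.50", first=False)
    return send(request, fws, gateway_of), send(reply, fws, gateway_of)


# Shared routing table: both firewalls have an interface on the management
# VLAN, so that VLAN has two ways out. The server VLAN reaches it via fw-a,
# but the management server's default gateway is fw-b's management IP.
SHARED_TABLE = {"10.1.0": "fw-a", "10.2.0": "fw-b"}

# Separate routing context (simplified VSX / MDPS): the firewalls' management
# interfaces are not part of the through-traffic routing table, so the
# management VLAN has a single forwarding gateway and the return path
# matches the forward path.
SEPARATED = {"10.1.0": "fw-a", "10.2.0": "fw-a"}


def same_vlan_traffic() -> str:
    """A host on the management VLAN talking to the management server: the
    traffic is switched directly, so no gateway rule (stealth rule included)
    ever sees it."""
    fws = {"fw-a": StatefulFirewall("fw-a")}
    return send(Packet("10.2.0.77", "10.2.0.10", first=True), fws, {"10.2.0": "fw-a"})


if __name__ == "__main__":
    print("shared table:", run_flow(SHARED_TABLE))   # ('fw-a', 'dropped')
    print("separated   :", run_flow(SEPARATED))      # ('fw-a', 'fw-a')
    print("same VLAN   :", same_vlan_traffic())      # switched
```

The shared-table case is the one to watch for in a real deployment: the forward packet is accepted and logged by fw-a, while fw-b logs an out-of-state drop for the reply, which is exactly the confusing pattern the post warns about. The same-VLAN case is why a stealth rule on the gateways does nothing for the management server when it shares their VLAN: that traffic is never routed, so only host-level controls on the management server itself apply.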
