This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nicholas_rowe
Participant
‎2018-05-18 10:48 AM

Smart-1 5050 best practice guidance

We are currently looking at deploying 3 Smart-1 5050 Mgmt svr appliances in an Active/standby/standby posture. We've been looking through the checkpoint documentation looking for guidance on how best to use the multiple network interfaces (1 mgmt and 3 others Gig ports). Specifically of concern is what is the dedicated Mgmt port to be used for? Is it just for smart console to access the Mgmt server? if so the Mgmt server object IP will be tied to the dedicated Mgmt interface? If that's the case how can we best use the 3 other Gig interfaces......How can we establish SIC with a remote gateway through the other interfaces if the Mgmt server IP is tied to the dedicated Mgmt port.....Just looking for best practice and maybe some recommended architectures that best use all 4 ports.

5 Replies
PhoneBoy
Admin
Admin
‎2018-05-18 04:21 PM

The management interfaces are just labeled this way on the Smart-1 and most gateways (44000/64000 being the notable exception).

You can theoretically use any interface for management-related traffic (be it SIC, SmartConsole traffic, etc).

0 Kudos
AlekseiShelepov
Advisor
‎2018-05-21 12:28 AM

I would recommend to aggreagte two-three physical interfaces into one logical bond interface. HA or LoadSharing bond that's your choice, but I think 1 Gb/s interface is enough for management usually. Maybe in some cases with very heavily used environments it would be useful to increase maximum speed and for backup purposes.

This bond interface can be used as the main interface for everything, IP address of the bond can be used in the management server object. Physical Mgmt port can be disabled, added to the bond interface or used later for some additional purposes. As Dameon mention, all ports are the same, just Mgmt interface is usually used for initial config with pre-configured IP.

0 Kudos
nicholas_rowe
Participant
‎2018-05-22 05:30 AM
In response to AlekseiShelepov

Ok, so basically what your saying is that there is no real use case for having multiple IP's on the smart-1 mgmt server, as a Mgmt server should always have a single IP address.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-05-22 09:16 PM
In response to nicholas_rowe

There is no requirement (from the Check Point perspective) to utilize more than a single interface.

You may have environment-specific requirements that dictate the use of multiple interfaces (either thru bonding or using secondary IP/interfaces).

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-06-12 01:36 PM
In response to PhoneBoy

The only reason to add a management network would be to offload the transfer of your backup file to the backup server so it will not interfere with logging when under heavy load of the gateways.

Just out of curiosity, why are you deploying 3 units? To spread a large number of domains over 3 boxes or really as HA?

Regards, Maarten

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events