This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alexander_Wilke
Advisor
‎2024-01-16 01:47 PM
Jump to solution

Skyline + MDPS - set mdps task address not working (as expected) - add process ?

Hello CheckPoint,

Hello @Arik_Ovtracht ,

 

we use several Gateways 26000 and Maestro and 64k. All of these Gateways have the "MDPS Feature" enabled. We want to send OpenTelemetry Data through the dedicated mplane interface. To solve this we added an "add mdps task address 10.197.38.11" which is our prometheus server. In general this is working for this specific Gateways where I have this configured.

However I have some loadbalancer devices behind the gateways and I want to monitor these with Prometheus, too.

Prometheus in this situation uses "PULL" to connect to the Loadbalancer API on port 443.

The SYN passing correctly through the dplane of the CheckPoint Gateways but the response (SYN-ACK) from the loadbalancer arrives on a dplane interface of the CheckPoint gateway BUT because of "set mdps task address 10.197.38.11" the CheckPoint Gateway decides to route the SYN-ACK packet through its mplane interface instead of the dplane which results in asynchronous routing.

 

Instead of running into these routing issues because CheckPoint Gateway rediects (in my opinion wrong) traffic through mdps_tun to th" add mdps task address 10.197.38.11" entry I added the service to the mplane:

I added these tasks but I am not sure if this is allowed or which task is really needed:
add mdps task process OTLPAGENT
add mdps task process otelcol
add mdps task process otlpcol

Can you please clarify if it is possible to add the tasks to the mplane or if I lose any metrics or the exporter is not working as it should?

In addition I added two screenshots to demonstrate the behaviour and why it is mandatory to configure the outgoing traffic by something different than port and ip-address to not affect devices which are "behind" the MDPS enabled gateway.

 

 

Preview file
58 KB
Preview file
45 KB
0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2024-01-22 03:47 AM
Jump to solution

Please open a TAC case for this.

View solution in original post

0 Kudos
(1)
2 Replies
_Val_
Admin
Admin
‎2024-01-22 03:47 AM
Jump to solution

Please open a TAC case for this.

0 Kudos
(1)
Alexander_Wilke
Advisor
‎2024-01-22 03:53 AM
In response to _Val_
Jump to solution

I already did. Was hoping someone else had similar issues and data center layouts.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events