This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Stephan_Lache
Participant
‎2022-12-14 02:19 PM
Jump to solution

Best Practice-Management Interfaces

Dear Checkmates,

i have a question regarding Management Interfaces.

Would you recommend to use dedicated Mgmt Interfaces for the Secure Internal Communication

( for logging, policy installation) and mgmt traffic ( https - Gaia Portal ,ssh )  or better keep it simple

and use the LAN (internal) interface for transit and management traffic ?

 

thanks in advance

 

Stephan

0 Kudos
1 Solution

Accepted Solutions
Alexander_Wilke
Advisor
‎2022-12-16 03:48 AM
Jump to solution

Dedicated Management Interface is a good thing I think but it is only usefull with MDPS enabled so you have your own routing domain.

 

Unfortunately this feature is very buggy and many limitations. You have issues with upgrades because you have to disable MDPS before this, sometimes services run not through MDPS like Identity Awareness.

 

Other big issue is that you can not use "get topology" from SmartConsole because it only fetches the mplane interfaces and not the relevant dataplane interfaces.

View solution in original post

0 Kudos
10 Replies
the_rock
MVP Gold
MVP Gold
‎2022-12-14 03:01 PM
Jump to solution

Either works, but I dont see lots of people using Mgmt interface for that, mostly LAN interface.

0 Kudos
Stephan_Lache
Participant
‎2022-12-17 03:37 AM
In response to the_rock
Jump to solution

Thanks you for your assessment.

Stephan

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-12-14 04:09 PM
Jump to solution

Either works but just note that it is a single (common) routing domain unless you implement MDPS or VSX.

CCSM R77/R80/ELITE
0 Kudos
Stephan_Lache
Participant
‎2022-12-17 03:40 AM
In response to Chris_Atkinson
Jump to solution

Hi Chris,

thanks for your reply.

Yes, i ran into many issues , because of the missing dedicated VRF for the mgmt interface.

And MDPS seems to have man issues and limitations.

So i am going to use the LAN interface for all traffic.

 

Thanks 

Stephan

0 Kudos
Alexander_Wilke
Advisor
‎2022-12-16 03:48 AM
Jump to solution

Dedicated Management Interface is a good thing I think but it is only usefull with MDPS enabled so you have your own routing domain.

 

Unfortunately this feature is very buggy and many limitations. You have issues with upgrades because you have to disable MDPS before this, sometimes services run not through MDPS like Identity Awareness.

 

Other big issue is that you can not use "get topology" from SmartConsole because it only fetches the mplane interfaces and not the relevant dataplane interfaces.

0 Kudos
Stephan_Lache
Participant
‎2022-12-17 03:41 AM
In response to Alexander_Wilke
Jump to solution

Hi Alexander,

thanks for your very informative reply!

 

Stephan

 

 

 

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2022-12-17 06:54 AM
In response to Stephan_Lache
Jump to solution

As the other have said Checkpoint does have a software-based solution which is not commonly used due to the limitations.

I totally believe the control/management-plane traffic should be separated out from data-plane traffic, and it would be useful if checkpoint actually consider this for the next generation of hardware so that the control/management-plane traffic is truley separated without the need for software configuration.

I've mentioned in a few posts now that I personally feel that the hardware Checkpoint utilises is behind the times and they need a solution which truly has the ability to run all blades including https inspect from the bottom up rather than the current range which in reality would be high end devices which is not best fit for regional office from a pricing point of view. 

This is somewhat of a challenge for Checkpoint considering they are software-based company, yes lightspeed card has been released and this mostly likely works well in high-end devices, but this does not address low/medium end deployments which most companies have.

Stephan_Lache
Participant
‎2022-12-17 08:13 AM
In response to genisis__
Jump to solution

I totally agree .

I am using 6200 appliances in this case.

Even most low cost switches does have a real management interface.

Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-12-18 08:15 AM
In response to Stephan_Lache
Jump to solution

In case you aren’t aware, every firewall license includes the ability to run one VS. This is so you can have a management VRF (VS0) and a traffic VRF. VSX requires a separate management server (can’t be run as a standalone deployment), but it sounds like you already have that.

If you think you might want to deploy VSX to separate management routing from through-traffic routing, ask around here for advice from people who have run it for a while. I highly recommend only ever telling VSX about bonds, and never giving it physical interfaces. Bonds can have one member.

The interface named Mgmt is not special in any way beyond having a funny name.

0 Kudos
TomasP1
Explorer
‎2024-10-08 01:00 AM
In response to Bob_Zimmerman
Jump to solution

Go for such complex stuff as VSX for doing something so elegant , simple and useful -and  implemented by every normal network company is nonsense

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events