Daniel_Kavan
Advisor

MGMT port on appliance confusion with clusterXL

Do you want your SIC and management traffic going to your MGMT port on your gateway? It seems logical that the MGMT port would be for management SIC traffic, but I strongly suspect that's not the case. With ClusterXL my gw's internal interface is defined with a VIP. So, the MGMT port seems a bit unnecessary, extraneous, and redundant. Now, I see you can set the MGMT port network type up as 'cluster' and not 'private'. Is everyone setting up MGMT as 'cluster' or 'private'? I was planning to set it up as 'private' with a different network, different from my management network and maybe different from anything in my internal network thus far (altogether new), because I wouldn't want that traffic going in INT and out MGMT.

Danny
Champion

A Check Point Security Management (SmartCenter Server or Multi-Domain Security Management) is typically put into a separate Firewall Management Network which is connected to the firewall cluster nodes via their MGMT port. This ensures that all traffic going to the central firewall security management is first inspected by the firewall environment's enforcement modules (cluster nodes, firewall gateways). This is an integral part of any firewall's self-protection strategy.

If you configure the MGMT port as 'cluster' it becomes a typical cluster interface and VIP and gets monitored by ClusterXL. If you don't want that you may also configure this port as a 'Non-monitored private' interface. I've seen both methods being used by many customers.

Daniel_Kavan
Advisor

How will that work between datacenters? If 10.10.10/24 is the MGMT network, including SmartCenter and one gateway at datacenter A, and now another gateway in a different city/datacenter needs 10.10.10.30 & 31, will we need a 10.10.10.30/31 route to get the traffic over to datacenter B?

Also, how does SmartCenter, for a gw that is defined by an EXT interface with a FQDN which resolves to the EXT interface's IP, recognize the gateway based on the MGMT IP? I guess because the MGMT is defined in the gw object. But still, you would think the communication would default to the INT interface. When you establish SIC, does it know to look for a MGMT interface?

Currently, my MGMT network is also defined as part of my internal network, which it is.

PhoneBoy
Admin

There is nothing special about the Mgmt interface other than the name.
It can be used for any sort of traffic.
The OS routing table is used to determine which interface specific traffic goes over, management or otherwise.

If you want the Mgmt port to be used only for management traffic, Management Data Plane Separation must be enabled.
This enables, among other things, a separate routing table for management traffic. 
It has some limitations/restrictions, which is why it is not enabled by default.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

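Added example (not from this thread or any Check Point code) illustrating PhoneBoy's point: a plain routing table decides the egress interface for management traffic like any other, and a separate management routing table is what changes that. The route entries, interface names other than Mgmt, and all addresses are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed single OS routing table of a cluster member (no plane separation).
# Entries: (prefix, egress interface, next hop or None when directly connected).
DATA_PLANE_ROUTES = [
    ("0.0.0.0/0",     "eth0", "203.0.113.1"),   # default route via EXT
    ("10.0.0.0/8",    "eth1", "10.1.1.1"),      # internal networks via INT
    ("10.10.10.0/24", "Mgmt", None),            # connected management network
]

# Constructed management-plane table, as a separate table would look with
# Management Data Plane Separation enabled: only Mgmt-facing routes live here.
MGMT_PLANE_ROUTES = [
    ("10.10.10.0/24", "Mgmt", None),
    ("0.0.0.0/0",     "Mgmt", "10.10.10.1"),    # everything else via Mgmt router
]


def lookup(routes, dst):
    """Longest-prefix match over a route list; returns (interface, nexthop)."""
    dst = ip_address(dst)
    best = None
    for prefix, iface, nexthop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return None if best is None else (best[1], best[2])


def egress_for_management(dst, mdps_enabled):
    """Which interface carries SIC/log traffic to a management host at dst.

    Without separation the ordinary table applies, so a management host that is
    not on the connected Mgmt subnet leaves via whatever data-plane route wins.
    With separation the management table is consulted instead.
    """
    table = MGMT_PLANE_ROUTES if mdps_enabled else DATA_PLANE_ROUTES
    return lookup(table, dst)


if __name__ == "__main__":
    # Local SmartCenter on the connected Mgmt subnet: Mgmt either way.
    print(egress_for_management("10.10.10.5", False))   # ('Mgmt', None)
    # Management host in another datacenter inside 10/8: INT wins without
    # separation, Mgmt with it.
    print(egress_for_management("10.20.0.5", False))    # ('eth1', '10.1.1.1')
    print(egress_for_management("10.20.0.5", True))     # ('Mgmt', '10.10.10.1')
```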