This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Graham1
Contributor
‎2024-08-13 01:40 PM
Jump to solution

Management interface

I have recently made teh switch froma standalone 6700 firewall to a HA cluster of two 6700's
as part of this process we are also starting use the MGMT interface for ... management!!

Previously our management was set to our LAN interface eth1-04 (10GbE).

To complicate matters we are migrating to a new network during renovation construction.
The management network is 10.x.50.0/24 which we get to via a bond10 L3 interface (eth1-02 & eth1-03) that connects the the L3 of our core switch stack.
The problem I am facing is that the management interfaces of both cluster nodes is also on 10.x.50.0 network.
The managment interface for each node is set to Private. Sync is set to a seprate interface and dedicated for that purpose.

This is causing an inconsistent routing issue and traffic is being drop by the MGMT interface, others are going through the bond10 interface.>>>>>
ip route
..
10.x.50.0/24 dev Mgmt proto kernel scope link src 10.x.50.31
..

Wondering what other could be doing?
Is my only option be to disable this management port and use my LAN port instead like before and isolate with rules?
I am aware the licensing may need to be re-worked since I am using that IP for the license.

0 Kudos
1 Solution

Accepted Solutions
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-08-13 07:08 PM
Jump to solution

The Mgmt interface is 'just another interface' on the box, so you can't have it in the same subnet as another interface on there. It's also all part of the same routing table as everything else by default. If you want to separate routing you can look at MDPS or VSX but there's no harm in using one of the prod interfaces to manage the box, it's quite common and 100% supported.

View solution in original post

(1)
3 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-08-13 07:08 PM
Jump to solution

The Mgmt interface is 'just another interface' on the box, so you can't have it in the same subnet as another interface on there. It's also all part of the same routing table as everything else by default. If you want to separate routing you can look at MDPS or VSX but there's no harm in using one of the prod interfaces to manage the box, it's quite common and 100% supported.

(1)
Graham1
Contributor
‎2024-08-14 02:57 PM
In response to emmap
Jump to solution

Thanks for the clarification.  Looks like I am heading in "prod interface" direction.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-08-15 07:48 AM
In response to Graham1
Jump to solution

That makes sense, I know lots of people doing it that way.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events