Danny
Champion

New! R80.30 feature: Management Data Plane Separation (for gateways with 4+ cores)


I really like the all new R80.30 feature for separating management from data traffic via

  • Routing Separation and
  • Resource Separation

as described in sk138672.


Did anyone test this already?

98 Replies
Luis_Miguel_Mig
Advisor

Thanks Aviad,
I was wondering if there is any distinction between the management plane and the data plane when it comes to cloning groups. You want to share different features in the management and data plane.

0 Kudos
Aviad_Hadarian
Employee

What for example?

0 Kudos
Luis_Miguel_Mig
Advisor

For example ip routes: in a ClusterXL environment data plane routes need to be in sync but mgmt plane routes can be different.

0 Kudos
M_Ruszkowski
Collaborator

Many of you are going to find that your enterprise tools may have issues with this new "mplane" separation. We have been deploying on all our firewalls and we have issues with our monitoring. Basically, in order to get the interfaces, routes, stats, etc. from the "dplane" you need to add an argument "-n dplane" to your monitoring tool so that it pulls from the proper context. This is simple enough using an snmpwalk. However none of our tools allow for this. So when you enable this feature you are only going to get L2/L3 data from the mplane. You really need to test this out in a lab and then try to discover your gateway via one of your monitoring tools before you deploy this.

0 Kudos
M_Ruszkowski
Collaborator

I have to say thank you to Aviad. 

We have been working with him and he provided a special Hotfix for R80.40/HFA_156, that has allowed us to move dplane OIDs/MIBs to be proxied via the mplane. This way our tools work now. Our tools with SNMPv3 don't allow the "-d plane" option. So this fix was a must. We are still in EA testing.

After installing the fix we ran these commands:

/etc/snmp/vsx-proxy/snmp_vs_do.sh mdps_proxy add .1.3.6.1.2.1.10
/etc/snmp/vsx-proxy/snmp_vs_do.sh mdps_proxy add TCP-MIB
/etc/snmp/vsx-proxy/snmp_vs_do.sh mdps_proxy add UDP-MIB
/etc/snmp/vsx-proxy/snmp_vs_do.sh mdps_proxy add etherStatsTable
/etc/snmp/vsx-proxy/snmp_vs_do.sh mdps_proxy add IP-MIB
/etc/snmp/vsx-proxy/snmp_vs_do.sh mdps_proxy add IF-MIB
/etc/snmp/vsx-proxy/snmp_vs_do.sh mdps_proxy add dot3
/etc/snmp/vsx-proxy/snmp_vs_do.sh mdps_proxy add ifMIB
/etc/snmp/vsx-proxy/snmp_vs_do.sh mdps_proxy add ip
/etc/snmp/vsx-proxy/snmp_vs_do.sh mdps_proxy add rmon

so far so good.

0 Kudos
Nicholas_Moore
Participant

I asked questions about LDAP and TACACS access months ago with no response.  Yes, these should only be available via the management plane and *not* the data plane.  But like I said, I didn't receive any response. 

0 Kudos
azadvinskiy
Explorer

Hi Nicholas,

I tested R80.30 JHF 221 in our lab and TACACS traffic goes over Mgmt interface. I believe JHF 221 has a fix for that. Also it looks like you need to make sure confd added to the management plane: add mdps task process confd.

0 Kudos
Luis_Miguel_Mig
Advisor

I have tried to implement cloning groups with mgmt/data plane separation and it doesn't work at all. It hangs and keeps trying to synchronize.
I also had issues with IP spoofing and mgmt/data plane separation. I kept the default IP spoofing configuration for the management interface and all of a sudden my mgmt traffic was blocked. It seems that the IP spoofing configuration is shared between both planes. Shouldn't it be independent, or even have no effect in the mgmt plane?

0 Kudos
Aviad_Hadarian
Employee
sk169576
0 Kudos
Luis_Miguel_Mig
Advisor

Cloning groups are sorted now.
I have noticed that cron runs on the data plane. Can we move it to the mgmt plane? How? I guess it makes more sense, no?

I guess that backups make use of crond, no?

0 Kudos
Luis_Miguel_Mig
Advisor

cpview seems to run only in the data plane but the proxy is usually in the mgmt plane. So cpview can't send the data directly to the User Center.

[Expert@hqfw2a:0]# mplane
Context set to Management Plane
[Expert@hqfw2a:1]# cpview
Please run on dplane context

0 Kudos
Luis_Miguel_Mig
Advisor

I have just tested tacacs on R80.40 take 83 and it works well through the mgmt plane.

0 Kudos
frank_chang
Explorer

Has anyone tried to use the Management Data Plane port to create a clusterXL?

I don't know what the IPv4 address of the cluster should be.

Management Data Plane port same subnet or other?
Can someone help me?

Thank you.

0 Kudos
Aviad_Hadarian
Employee

Hi @frank_chang, you can fill in any IP that you wish; the mgmt port can have a VIP like any regular data plane interface.

0 Kudos
Luis_Miguel_Mig
Advisor

Hi,
I have just enabled URL Filtering and I am not able to block anything (only detect) because according to the logs the gateway is failing to reach the OCSP server. I have just noticed some HTTP traffic generated by the gateway going to the proxy from the data plane.
I see traffic to the proxy server from both the control plane and the data plane.

Is there any way to force "URL Filtering" access to the OCSP server (I guess Check Point cloud - Check Point category database) through the management plane?

0 Kudos
PhoneBoy
Admin

The OCSP server is specified by the site that your users are connecting to and is part of the TLS/SNI verification process.
More precisely, it's part of the certificate.

Don't believe this traffic can be forced over the management plane, it should be permitted by your proxy.

0 Kudos
Luis_Miguel_Mig
Advisor

I see...
sqs.us-west-2.amazonaws.com (It may be related with the extension for the conf changes diff) - mgmt plane

and these sites over the data plane:

secureupdates.checkpoint.com
cws.checkpoint.com
ocsp.digicert.com
ocsp.int-x3.letsencrypt.org
productcoverage.checkpoint.com

I guess that it would be nice if all this traffic generated from the gw could go through the mgmt plane. Also, if that is not possible, there may be use cases that require two different proxies in both planes.

0 Kudos
Luis_Miguel_Mig
Advisor

Now with the OCSP checks resolved I can block categories but I only see a TCP Reset and I don't see any sort of redirect to the UserCheck blocked message.

0 Kudos
Aviad_Hadarian
Employee

@Luis_Miguel_Mig 

The solution you described is already under development.

0 Kudos
Luis_Miguel_Mig
Advisor

Sorry, which one? My fault for writing two messages so quickly 😉

0 Kudos
Aviad_Hadarian
Employee

The first one: "I guess that it would be nice if all this traffic generated from the gw could go through the mgmt plane. Also, if that is not possible, there may be use cases that require two different proxies in both planes."

0 Kudos
Luis_Miguel_Mig
Advisor

so sending all that traffic through the mgmt plane or different proxies in both planes?

0 Kudos
Aviad_Hadarian
Employee

Sending traffic for selected hosts (that can be modified) through the management plane

0 Kudos
Luis_Miguel_Mig
Advisor

Same thing with cpd_sched_config. It uses the data plane, but wouldn't it make more sense if it used the mgmt plane?

0 Kudos
Luis_Miguel_Mig
Advisor

I have two gateways running mgmt separation. All of a sudden one of them doesn't respond to the SNMP queries with community+_dplane. The other one responds to both SNMP queries, community and community+_dplane, as usual.
I wonder what has gone wrong and how to troubleshoot it.

0 Kudos
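The monitoring gap M_Ruszkowski describes earlier in the thread (tools that cannot send the "-n dplane" context argument only see the mplane view) and the troubleshooting question just above (one gateway stops answering the community+_dplane queries) can both be checked the same way: walk IF-MIB::ifDescr once per context and diff the two interface tables. The script below is an added example, not code from this thread or from Check Point. The snmpwalk-style output it parses is constructed inline (the interface names, the 192.0.2.10 address and the `<community>_dplane` suffix convention are taken from the thread as assumptions, not captured from a real gateway); on a live system you would feed it the captured output of two snmpwalk runs, one per community.

```python
import re
from typing import Any, Dict, List

# Constructed sample output in the shape that
#   snmpwalk -v2c -c <community> <host> IF-MIB::ifDescr
# prints (not captured from a real gateway). The management plane context
# sees only the loopback and the Mgmt interface; the data plane context
# sees the traffic-carrying interfaces.
MPLANE_WALK = """\
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: Mgmt
"""

DPLANE_WALK = """\
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.3 = STRING: eth1-01
IF-MIB::ifDescr.4 = STRING: eth1-02
IF-MIB::ifDescr.5 = STRING: bond1
"""

# Constructed: what snmpwalk prints when the dplane context stops answering,
# the symptom reported for one of the two gateways in the thread.
DPLANE_WALK_TIMEOUT = "Timeout: No Response from 192.0.2.10\n"

# One varbind line: <oid>.<index> = <TYPE>: <value>
VARBIND_RE = re.compile(
    r"^(?P<oid>\S+?)\.(?P<index>\d+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s*(?P<value>.*)$"
)


def context_communities(base_community: str) -> Dict[str, str]:
    """Community names for the two MDPS contexts, following the thread's
    convention that the data plane answers to <community>_dplane (assumption)."""
    return {"mplane": base_community, "dplane": base_community + "_dplane"}


def parse_walk(text: str) -> Dict[int, str]:
    """Map ifIndex -> ifDescr from snmpwalk output. Lines that are not varbinds
    (timeouts, 'No Such Object', blank lines) are skipped rather than raising,
    so a dead context simply yields an empty table."""
    rows: Dict[int, str] = {}
    for line in text.splitlines():
        m = VARBIND_RE.match(line.strip())
        if m:
            rows[int(m.group("index"))] = m.group("value").strip()
    return rows


def compare_contexts(mplane_text: str, dplane_text: str) -> Dict[str, Any]:
    """Diff the interface tables seen from each context. A monitoring tool that
    can only send the base community sees exactly `mplane_only` + `both`."""
    mplane = set(parse_walk(mplane_text).values())
    dplane = set(parse_walk(dplane_text).values())
    return {
        "dplane_empty": len(dplane) == 0,        # context timed out or returned nothing
        "dplane_only": sorted(dplane - mplane),  # invisible to mplane-only monitoring
        "mplane_only": sorted(mplane - dplane),
        "both": sorted(mplane & dplane),
    }


def report(result: Dict[str, Any]) -> List[str]:
    """Human-readable lines for a pre-deployment checklist."""
    lines: List[str] = []
    if result["dplane_empty"]:
        lines.append("WARNING: dplane context returned no interfaces (timeout or empty walk)")
    for name in result["dplane_only"]:
        lines.append(f"{name}: data plane only - missing from mplane-only monitoring")
    for name in result["mplane_only"]:
        lines.append(f"{name}: management plane only")
    for name in result["both"]:
        lines.append(f"{name}: visible from both contexts")
    return lines


if __name__ == "__main__":
    print("communities:", context_communities("public"))
    print("--- healthy gateway ---")
    print("\n".join(report(compare_contexts(MPLANE_WALK, DPLANE_WALK))))
    print("--- gateway whose dplane context stopped answering ---")
    print("\n".join(report(compare_contexts(MPLANE_WALK, DPLANE_WALK_TIMEOUT))))
```

Run it once with the walks from each gateway: a healthy one lists the traffic interfaces under "data plane only", which is exactly the data a tool stuck on the base community will never see; the broken one trips the WARNING line, which separates "the dplane context is not answering at all" from "my tool is querying the wrong context".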
Wajdi
Explorer

Hello,

I have Checkpoint Appliance with 4 CPUs.

I activated MDPS on the Security Gateway.

Everything is working well. But my issue is that the MDPS is taking 2 CPUs out of the 4 CPUs!

Is there a way to deallocate 1 CPU from MDPS and keep only 1?

Thank you for your help.

0 Kudos
_Val_
Admin

Yes, look into sk138672 for more details

0 Kudos
Luis_Miguel_Mig
Advisor

How does cpview show how mdps is allocated? I only see the SND/Worker allocation at cpview/cpu.

0 Kudos
Aviad_Hadarian
Employee

@Luis_Miguel_Mig Under cpview (R80.40 and higher) you will see, under the "CPU" tab, on the overview/type, the purpose of each CPU.

0 Kudos
Luis_Miguel_Mig
Advisor

This is what I get, but nothing about MDPS

# cpview
CPVIEW.Overview.Host                                         23Feb2021 11:34:21
Overview | SysInfo | Network | CPU | I/O | Software-blades | Hardware-Health | Advanced
Overview | Top-Protocols | Top-Connections | Spikes
Host

Overview:

  CPU type     CPUs   Avg utilization
  CoreXL_SND   3      0%
  CoreXL_FW    3      11%

CPU:

  CPU   Type         User   System   Idle   I/O wait   Interrupts
  0     CoreXL_SND   0%     0%       100%   0%         3,789
  1     CoreXL_SND   0%     0%       100%   0%         3,789
  2     CoreXL_FW    4%     5%       91%    0%         7,579
  3     CoreXL_SND   0%     1%       100%   0%         3,789
  4     CoreXL_FW    6%     5%       89%    0%         7,580
  5     CoreXL_FW    7%     5%       88%    0%         7,581

0 Kudos