Thanks for the response.

If I understand correctly, let's say I assigned 10.10.10.10/24 to the MGMT interface and 192.168.1.10/24 to eth1/2 interface. Let's assume I also have a static route of 0.0.0.0/0 with the next hop of 192.168.1.1. So, If I connect to the security gateway from a subnet other than 10.10.10.0/24 then the traffic will leave the security gateway via eth1/2 interface right?

With Palo, I can assign 10.10.10.10/24 to the MGMT interface (management plane) and set the default gateway to 10.10.10.1. At the same time, I can have a 0.0.0.0/0 (data plane) pointing to a different interface/next hop. So, all the management traffic will ingress and egress via the MGMT only. 

Is there a reason why Check Point doesn't have a management plane separation?  

Regards

Suresh

Yes, your assumption about routing is correct is correct. The reason why is mostly related to the origin of the company tech. You can read this article for starters.

Technically, you can have multiple options for management plane separation with Check Point today, but it overcomplicate things, actually.

Imagine you have your management network routed through a security GW. With Palo, you have to define it twice: once on mgmt interface and another time on data plane, and also connect two cables leading to the same network two times to the same appliance. With Check Point you do not have that complexity. 

Once again, the reason PAN has data plane separate is in their HW structure. With Check Point, the same code runs on open server and CP appliance.

Thanks for the explanation, it started to make sense now.

Check Point does offer the ability to separate management and data forwarding. The main option for this is called VSX. It's just VRFs (implemented using Linux network namespaces on R80.40 and later), which are multiple routing tables (called FIBs) under one OS. Last time I checked, every firewall license includes the ability to run one additional VS specifically for this reason. When set up this way, VS 0 handles to-traffic, while the additional VS (commonly VS 1, but might be VS 2 or more if you add some switch contexts first) handles through-traffic.

Ehhhh ... most Palo Alto boxes don't actually have physically separate management plane and data plane. Their data plane has something a bit like an old Nokia ADP card, but the software part of data forwarding runs on specific cores on the same CPU as management. You can get a similar result with Check Point by limiting the number of load-bearing CoreXL instances and pinning them to certain cores with process affinity. As far as I can tell, PAN does their forwarding with UML, as opposed to multi-kernel like CoreXL, but it's definitely not on physically separate hardware on anything but their blade frames. If the OS wedges, you lose both data forwarding and management.

>>>Their data plane has something a bit like an old Nokia ADP card, but the software part of data forwarding runs on specific cores on the same CPU as management

That's not exactly 100% accurate, but you are close to what I said. Your ADP card analogy is what I imply - separate from the main computation unit piece of HW dedicated to traffic filtering.

Sure, but it can't continue filtering and forwarding traffic in isolation for more than a few seconds. It has to interact with processes running on the main CPU. My point is mostly that if the OS running the "management plane" hangs, you lose both management and traffic forwarding. If you lose a stick of RAM, you lose both management and traffic forwarding. It's not like it computes a new FPGA LUT for each rule change.