Luis_Miguel_Mig
Advisor

mdps management separation and management access rule

I am a fan of the mdps feature but I miss the ability to have a policy package dedicated to the management plane and separated from the data plane. Could this be a new feature in the future?

In the meanwhile, I was wondering if it would make sense to have an ordered layer just dedicated to the management rule and stealth rule.

I think it could simplify it and be more visual but I was wondering if there could be any drawback.

0 Kudos
7 Replies
PhoneBoy
Admin

In terms of performance, it should make no difference.
It's also an example of where Policy Layers can be useful, though I might personally use an inline layer instead.
Horses for courses, though 🙂

0 Kudos
Luis_Miguel_Mig
Advisor

Even though I think it is a good idea to have a separate layer for mgmt just for clarity, I am just realizing that in order to work it would need to be the last ordered layer, and that defeats the purpose because we want the mgmt rule to be matched at the beginning.

I think you are right and I will leave it as an inline layer within the general data plane ordered layer

0 Kudos
PhoneBoy
Admin

If you wanted to do it with ordered layers, why couldn't it be the first one?
That first layer would just have to accept traffic not destined for the gateway.
That said, it might create some issues with logging since, when multiple ordered layers are used, I believe it shows only the rule number in the first layer in the various tables.
That suggests an inline layer is probably the better option.

0 Kudos
Luis_Miguel_Mig
Advisor

It is okay for traffic not destined for the gateway.

The problem is for traffic destined for the gateway.

The mgmt rule basically accepts specific traffic to the gateway, like ssh for example, but if you get a hit in an ordered layer you move to the next ordered layer until you get a drop or until you get to an accept in the last ordered layer, no?

As far as I understand you can't get an accept in the first ordered layer and stop there

0 Kudos
PhoneBoy
Admin

If you use ordered layers, then the traffic must hit an accept rule in each layer, you are correct.

0 Kudos
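To make the two designs from this thread concrete, here is a small added model of the matching behaviour described above (this is an illustration written for this page, not code from the thread or from Check Point): ordered layers where an accept only hands the packet to the next layer and a drop is final, versus a single ordered layer with an inline management layer. The hosts, rule names and packets are constructed; the implicit cleanup drop at the end of every layer stands in for the stealth rule.

```python
# Added illustration (not from the thread or from Check Point): a simplified model
# of how ordered layers and inline layers reach a final verdict, so the two
# designs discussed above can be compared on the same packets.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


@dataclass
class Rule:
    name: str
    src: str = ANY
    dst: str = ANY
    service: str = ANY
    action: str = "drop"              # "accept", "drop" or "inline"
    inline: Optional["Layer"] = None  # sub-layer evaluated when action == "inline"

    def matches(self, p: Packet) -> bool:
        return all(want in (ANY, got) for want, got in
                   ((self.src, p.src), (self.dst, p.dst), (self.service, p.service)))


@dataclass
class Layer:
    name: str
    rules: List[Rule]

    def evaluate(self, p: Packet, trace: List[str]) -> str:
        """First matching rule wins; no match falls through to the implicit cleanup drop."""
        for i, r in enumerate(self.rules, 1):
            if r.matches(p):
                trace.append(f"{self.name}#{i} {r.name}")
                if r.action == "inline":
                    return r.inline.evaluate(p, trace)
                return r.action
        trace.append(f"{self.name}#cleanup drop")
        return "drop"


def evaluate_ordered(layers: List[Layer], p: Packet) -> Tuple[str, List[str]]:
    """Ordered layers: a drop in any layer is final, an accept only hands the packet
    to the next layer, so the packet passes only if every layer accepts it."""
    trace: List[str] = []
    for layer in layers:
        if layer.evaluate(p, trace) == "drop":
            return "drop", trace
    return "accept", trace


# Constructed objects: an admin workstation, the gateway itself and a web server.
GW, ADMIN, WEB = "gw", "admin-host", "web-srv"

# Design A: a dedicated management ordered layer placed first, then the data-plane
# layer. The management layer accepts whatever is not destined for the gateway.
MGMT_LAYER = Layer("mgmt", [
    Rule("mgmt-ssh", src=ADMIN, dst=GW, service="ssh", action="accept"),
    Rule("stealth", dst=GW, action="drop"),
    Rule("not-for-gateway", action="accept"),
])
DATA_LAYER = Layer("data", [
    Rule("web", dst=WEB, service="http", action="accept"),
])
ORDERED_POLICY = [MGMT_LAYER, DATA_LAYER]

# Design B: one ordered layer whose first rule sends gateway-bound traffic into an
# inline management layer; the inline layer's cleanup drop doubles as the stealth rule.
INLINE_POLICY = [Layer("data", [
    Rule("to-gateway", dst=GW, action="inline", inline=Layer("mgmt-inline", [
        Rule("mgmt-ssh", src=ADMIN, dst=GW, service="ssh", action="accept"),
    ])),
    Rule("web", dst=WEB, service="http", action="accept"),
])]

# Constructed test packets.
SSH_TO_GW = Packet(ADMIN, GW, "ssh")
HTTP_TO_WEB = Packet("client", WEB, "http")
SSH_FROM_STRANGER = Packet("stranger", GW, "ssh")


def verdict(policy: List[Layer], p: Packet) -> str:
    return evaluate_ordered(policy, p)[0]


if __name__ == "__main__":
    for label, policy in (("ordered mgmt layer", ORDERED_POLICY), ("inline mgmt layer", INLINE_POLICY)):
        for p in (SSH_TO_GW, HTTP_TO_WEB, SSH_FROM_STRANGER):
            final, trace = evaluate_ordered(policy, p)
            print(f"{label:18} {p.service:4} {p.src:>10} -> {p.dst:8} {final:6} via {' > '.join(trace)}")
```

Running it shows the drawback raised above: under design A the admin's ssh session is accepted by the first layer but then dropped by the data layer's cleanup rule, whereas design B accepts it inside the inline layer and still drops gateway-bound traffic from anyone else.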
Luis_Miguel_Mig
Advisor

Going back to one of your comments. Why do we show the rule number of the first layer?
The rule that really matters is the rule hit in the last ordered layer, no? It would be way more useful if it was that way.

0 Kudos
PhoneBoy
Admin

Why it does this I'm not sure, but that's the behavior I've observed.

0 Kudos