CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Management interface on webui Gaia

  1. #1
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    7

    Management interface on webui Gaia

    Hi guys,

    I'm curious about the WebUI in Gaia Advanced view. Under Network Management \ Network Interfaces, at the bottom, there's an option called Set Management Interface.

    How important is this setting, and what do you guys usually use here?

    Thanks in advance!

  2. #2
    Join Date
    2007-06-04
    Posts
    3,312
    Rep Power
    17

    Re: Management interface on webui Gaia

    To be honest I have always tended to set this as the Interface that the Object Definition is used on. For which I try and use the registered MAC interface, i.e. Mgmt, on 2012 appliances.

    Have seen some weird connectivity issues with boxes when this wasn't done when connecting to the WebUI.
    Seemed to resolve those issues for me.

    As such just got into the habit of doing it.

  3. #3
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    7

    Re: Management interface on webui Gaia

    Originally posted by mcnallym:
        To be honest I have always tended to set this as the Interface that the Object Definition is used on. For which I try and use the registered MAC interface, i.e. Mgmt, on 2012 appliances.

        Have seen some weird connectivity issues with boxes when this wasn't done when connecting to the WebUI.
        Seemed to resolve those issues for me.

        As such just got into the habit of doing it.

    I am not sure what you meant by Object Definition. It's another 2012 appliance that by default uses Mgmt as the Management interface.

    When configuring the box I assigned an IP address to this interface, and today I've cleaned up the Mgmt interface. So now the Mgmt interface has no IP address and no link.
    I plan to update the topology and do a FW push, and I am just a bit worried about any impact, as I don't understand the role of this Management interface in the first place.

  4. #4
    Join Date
    2007-06-04
    Posts
    3,312
    Rep Power
    17

    Re: Management interface on webui Gaia

    The Check Point Object for the Gateway in the Dashboard is what I meant by Object Definition. You give the object an IP, and use the Interface for that IP as the Mgmt Interface.

    I would change the Mgmt Interface on the box so that it is the Interface that your Gateway Object is defined on.

  5. #5
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    257
    Rep Power
    8

    Re: Management interface on webui Gaia

    The concept of a Mgmt IF is not fully grown yet. The idea of having a dedicated Mgmt Interface serving just the purpose of managing the box is a good idea.
    But at the same time you need a dedicated (or isolated) routing instance just for that Mgmt interface. Having such a routing instance would allow you to route the Mgmt traffic and the user traffic separately. And with that, you could connect the Mgmt IFs of all your firewalls to a dedicated Security Mgmt VLAN.

  6. #6
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Re: Management interface on webui Gaia

    Originally posted by slowfood27:
        The concept of a Mgmt IF is not fully grown yet. The idea of having a dedicated Mgmt Interface serving just the purpose of managing the box is a good idea.
        But at the same time you need a dedicated (or isolated) routing instance just for that Mgmt interface. Having such a routing instance would allow you to route the Mgmt traffic and the user traffic separately. And with that, you could connect the Mgmt IFs of all your firewalls to a dedicated Security Mgmt VLAN.

    Check Point is copycatting this from Cisco and Juniper :-)

  7. #7
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    7

    Re: Management interface on webui Gaia

    Originally posted by cciesec2006:
        Check Point is copycatting this from Cisco and Juniper :-)

    Do you guys still think it's wise/safe to have the Internet/eth1 interface set up as the management interface?
    Or should I leave it as it is now: the Mgmt interface, which by the way has no link and no IP address?

  8. #8
    Join Date
    2007-06-04
    Posts
    3,312
    Rep Power
    17

    Re: Management interface on webui Gaia

    Originally posted by laf_c:
        Do you guys still think it's wise/safe to have the Internet/eth1 interface set up as the management interface?
        Or should I leave it as it is now: the Mgmt interface, which by the way has no link and no IP address?

    The Mgmt Interface on the Check Point boxes is NO different to any other interface.
    It is not a Mgmt Interface as such, simply a label on the box. It happens to be the Interface that Check Point takes the MAC address from for the purposes of identifying the Appliance.

    One thing I would say, however, is that it seems to affect the host entry for the box: changing the Set Management Interface changed the Host Entry, which could explain why I have seen weird issues when the Management Interface isn't set to the Interface of the IP of the Object Definition.

    It doesn't make the interface a dedicated Management Interface used purely for Management.

  9. #9
    Join Date
    2018-04-18
    Posts
    48
    Rep Power
    0

    Re: Management interface on webui Gaia

    Hello,

    I am in need of changing the management interface on a cluster of 5800s running R80.10. The current management interface is a production interface and the dedicated management port is not in use. I want to assign IPs to the management ports and then set those to be the management interfaces in Gaia's web GUI.

    My question is, in SmartConsole in the cluster object > network topology, do I need to define which interface is used for management there? Do I need to do a "Get Interfaces with Topology" or "Get Interfaces Without Topology"?

    The IPs on the current management interfaces are on the same network as the IP address of the cluster. Will this change confuse the management server? Will I need to reestablish SIC after the management interface and IP are changed?

    Thank you.

  10. #10
    Join Date
    2007-06-04
    Posts
    3,312
    Rep Power
    17

    Re: Management interface on webui Gaia

    Originally posted by mjensen:
        Hello,

        I am in need of changing the management interface on a cluster of 5800s running R80.10. The current management interface is a production interface and the dedicated management port is not in use. I want to assign IPs to the management ports and then set those to be the management interfaces in Gaia's web GUI.

        My question is, in SmartConsole in the cluster object > network topology, do I need to define which interface is used for management there? Do I need to do a "Get Interfaces with Topology" or "Get Interfaces Without Topology"?

        The IPs on the current management interfaces are on the same network as the IP address of the cluster. Will this change confuse the management server? Will I need to reestablish SIC after the management interface and IP are changed?

        Thank you.

    The interface labelled Mgmt on the Appliance has no significance beyond being the MAC Address that the User Centre recognises the Interface as. The Sync Interface as well is NOT a dedicated Interface but simply a label.

    In the SmartConsole you don't define which interface is for managing the boxes. The IP that the Manager connects to is the IP defined on the Main Page for the Check Point Gateway.

    You will need to add the new Interface, which just happens to be the Mgmt Interface on the box, into the topology. The IP on the Object should be the IP that the box sees itself as under the host entries.

    When you set the management interface in the Gaia Portal or via clish, then the host entry for the box changes to be that IP address.

    Make sure you reboot the box after changing this.

    So what you should do is

    1.) Gaia configure the Interface
    2.) Update SmartConsole to tell it about the new Interface
    3.) Install the Security Policy so the Firewall Software knows about the Interface and IP
    4.) Change the IP of the Object to be the new IP on the Gateway Member - make sure that routing etc in place to allow the Management Server to connect to it
    5.) Install the Security Policy to the Cluster
    6.) Update the Set Management Interface on each Cluster Member to be the new interface and reboot. Obviously do on Standby Unit then failover the Cluster and do on Second Box.
    7.) Install Policy again to make sure all connectivity working.
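
The consistency the last post describes (gateway object IP, the box's own host entry and the chosen management interface all agreeing) can be checked before and after the change. The following is an added example, not part of the thread or any Check Point tooling; it assumes the Gaia host entry is visible in `/etc/hosts` and that `ip -o -4 addr show` output is available from expert mode, and the hostname `fw-a` and all addresses are constructed.

```python
import ipaddress
import re

# Constructed sample data (not taken from a real gateway).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
10.20.30.11 fw-a    # stale entry from the old production interface
"""
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: Mgmt    inet 192.168.50.11/24 brd 192.168.50.255 scope global Mgmt
3: eth1    inet 10.20.30.11/24 brd 10.20.30.255 scope global eth1
"""

def host_entry(hosts_text, hostname):
    """Return the first IPv4 address that hosts-file text maps to hostname."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and hostname in fields[1:]:
            return ipaddress.ip_address(fields[0])
    return None

def interface_addrs(ip_addr_text):
    """Map interface name -> IPv4 addresses from `ip -o -4 addr show` output."""
    addrs = {}
    for m in re.finditer(r"^\d+:\s+(\S+)\s+inet\s+([\d.]+)/\d+", ip_addr_text, re.M):
        addrs.setdefault(m.group(1), []).append(ipaddress.ip_address(m.group(2)))
    return addrs

def check_mgmt_consistency(hostname, mgmt_if, object_ip, hosts_text, ip_addr_text):
    """List mismatches between the object IP, the host entry and mgmt_if."""
    problems = []
    obj = ipaddress.ip_address(object_ip)
    entry = host_entry(hosts_text, hostname)
    on_if = interface_addrs(ip_addr_text).get(mgmt_if, [])
    if not on_if:
        problems.append(f"{mgmt_if} has no IPv4 address")
    if entry is None:
        problems.append(f"no host entry for {hostname}")
    elif entry not in on_if:
        problems.append(f"host entry {entry} is not on {mgmt_if}")
    if obj not in on_if:
        problems.append(f"object IP {obj} is not on {mgmt_if}")
    if entry is not None and entry != obj:
        problems.append(f"host entry {entry} differs from object IP {obj}")
    return problems
```

An empty list means the three values agree; with the constructed sample, the stale host entry is reported until the management interface setting has been changed and the host entry follows it.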
