CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Mgmt and Sync ports

  1. #1
    Join Date
    2014-10-01
    Posts
    23
    Rep Power
    0

    Default Mgmt and Sync ports

    Hello guys,

    I have two questions regarding appliances.

    1. Have you ever faced any issues using the Mgmt interface not only for management but also for production traffic? I have similar setups (Mgmt is still management, but it also forwards production traffic) and everything seems to be fine. The traffic passing through the interface is not more than 80Mbps.

    2. Have you ever used the Sync interface in a bond with another interface? I remember there was an issue (I can't find the SK number) with using two separate Sync interfaces, and the recommendation from Check Point was to use two or more interfaces in an LACP group instead.

    Thank you!

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Mgmt and Sync ports

    On anything but the Scalable Platforms (e.g. 41k/44k/61k/64k), the Management interfaces are just labeled that way.
    They can be used for production traffic as well.

    If you need multiple sync interfaces, it is recommended to use multiple interfaces in a bond versus defining multiple sync interfaces in SmartDashboard.
    Refer to https://supportcenter.checkpoint.com...tionid=sk92804
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    327
    Rep Power
    14

    Default Re: Mgmt and Sync ports

    To expand on this a little, the LOM interface (if it exists on the box) is special. The main server is not aware of it, and it cannot participate in routing or firewalling.

    All other interfaces are just interfaces. The ports are named Mgmt or Sync, but you can use them for anything. You can even rename them using udev rules if you want.

    Personally, I try not to use interfaces directly in firewall configuration. I prefer to put physical interfaces into bonds, then have the software configuration reference the bonds. That way, I can move them between physical ports more easily. This helps when moving between physical boxes (for example, an IBM server arranges its interfaces one way, and an HP server in a different way).
    Zimmie
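Gaia clish commands for what phoneboy and Zimmie describe above: putting the Sync port and a second physical port into one LACP bond and giving the address to the bond rather than to a physical interface. This is an added example, not configuration posted in this thread or taken from Check Point documentation; the bond ID (1), the member names (Sync and eth1), the address 10.10.10.1/24 and the switch-side LACP port-channel are assumptions, and interface names should be taken from `show interfaces` on the actual box.

```clish
# Added example (not from the thread). Assumes Gaia clish on an appliance whose
# ports appear as "Sync" and "eth1" (assumed names); adjust to "show interfaces".
# Run this from the console or from an interface that is NOT a bond member:
# deleting a member's address drops any session riding on that interface.

# Members must carry no IP address before they can join a bond.
delete interface Sync ipv4-address
delete interface eth1 ipv4-address

# Create the bond and add both physical ports as members.
add bonding group 1
add bonding group 1 interface Sync
add bonding group 1 interface eth1

# 802.3ad (LACP), as the thread recommends over multiple separate sync
# interfaces. The switch ports must be configured as an LACP port-channel,
# otherwise the members never aggregate.
set bonding group 1 mode 8023AD
set bonding group 1 lacp-rate slow
set bonding group 1 xmit-hash-policy layer2

# Address and state live on the bond, so the cluster/sync definition references
# bond1 and survives moving the members to other physical ports or another box.
set interface bond1 ipv4-address 10.10.10.1 mask-length 24
set interface bond1 state on
save config

# Verify: both members listed under the group, and the bond interface up.
show bonding group 1
show interface bond1
```

The `#` lines are explanation for the reader rather than clish input; enter the commands themselves one at a time. If the Mgmt port currently holds the management address, the same steps apply but the address is lost the moment `delete interface Mgmt ipv4-address` runs, so do it from the console or the LOM, which Zimmie notes is separate from the firewall's own interfaces. After the bond exists, the cluster object's topology has to be refreshed in SmartDashboard so it references bond1 instead of the old physical port.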

  4. #4
    Join Date
    2014-10-01
    Posts
    23
    Rep Power
    0

    Default Re: Mgmt and Sync ports

    Thank you for your replies phoneboy and Bob!

    @Bob, yes - I'm aware of LOM/iLO ports. My concern was more about whether there's some kind of issue with using the Sync interface together with another port in a bond. I know with open servers you can change them the way you want and just wanted to be sure there's nothing special with appliances.

    Now after your replies it's clear.

  5. #5
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: Mgmt and Sync ports

    Quote Originally Posted by sysroute
    Thank you for your replies phoneboy and Bob!

    @Bob, yes - I'm aware of LOM/iLO ports. My concern was more about whether there's some kind of issue with using the Sync interface together with another port in a bond. I know with open servers you can change them the way you want and just wanted to be sure there's nothing special with appliances.

    Now after your replies it's clear.

    It is a stupid design by Checkpoint appliances. The Mgmt and Sync interfaces labeled on the appliances can be used for just about anything. It has no meaning whatsoever. You can combine the Mgmt and Sync interfaces into a bonded interface without any issues.

    I don't know why Checkpoint decides to label interfaces like that on appliances.

  6. #6
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    327
    Rep Power
    14

    Default Re: Mgmt and Sync ports

    The very low-end appliances (SG80, 600, 1100, 700, 1400) are ARM boxes running GAiA embedded. The very high-end appliances (44k, 64k) are sort of NUMA clusters. The 21k had some neat hardware internally vaguely like Nokia's old ADP cards, but it has been discontinued. Those lines are actually special for various reasons.

    All of the boxes between those extremes are just overpriced servers with junky LOM, proprietary (and also overpriced) network cards, no cable management, ports on the wrong side, and airflow in the wrong direction.
    Zimmie

  7. #7
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    327
    Rep Power
    14

    Default Re: Mgmt and Sync ports

    Quote Originally Posted by cciesec2006
    I don't know why Checkpoint decides to label interfaces like that on appliances.
    I'm more interested in why they don't label the slots on boxes which have more than one.
    Zimmie
