CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E


Results 1 to 3 of 3

Thread: Dedicated Management Port and Firewall Rules

  1. #1
    Join Date
    Rep Power

    Lightbulb Dedicated Management Port and Firewall Rules

    Hi Guys,

    I am really a newbie in CheckPoint firewall and I am deploying now a 5800 firewall appliance and I noticed something about the behavior of the CheckPoint firewall specially in the Mgmt port and in its firewall rules compare to other vendors.

    I would like to know the following regarding the dedicated Mgmt port:
    1. Does it have its own routing table?
    2. Does it like any other ethernet ports in the appliance?
    3. Does it process traffic to pass through like other ethernet ports?

    Regarding the firewall rules, I just want to confirm about my observation:
    1. Does it really need to configure a policy even if the traffic is intended for the firewall?
    - For example, the firewall needs to have communication to DNS servers so that it can resolve domain names.
    - Another example, the firewall needs to sync the time to NTP.

    It is really new to me.

    Thanks a lot for helping a newbie like me

  2. #2
    Join Date
    DFW, TX
    Rep Power

    Default Re: Dedicated Management Port and Firewall Rules

    "Mgmt" is just another interface on the OS. It does not have its own routing table. In fact, there is nothing special about it at all; it's just another Intel e1000 interface which happens to get a weird name from Check Point's udev rules.

    Check Point has functionality called VSX which may help you do what you want. The VSX features are implemented using Linux' VRF functionality, which works a lot like Cisco's VRFs. If you are familiar with either of those, VSX isn't too much stranger to deal with. It lets you separate management into VS 0, then put through-traffic in another VS. I don't believe you can have a SmartCenter and a firewall in VSX mode on the same device.

    There are four major types of VS:
    • Switch (no routing table, no firewall policy)
    • Bridge-mode firewall (no routing table, but has a firewall policy)
    • Router (routing table, but no firewall policy)
    • Firewall (routing table and firewall policy)

    Virtual switches are free and are used to allow multiple router or firewall contexts to access the same physical interface or VLAN. "VS 0" is used for management, though it can also be used for through-traffic. It does not consume a license slot. All of the other VS types consume license slots. I believe every Check Point firewall license now includes VSX functionality with a cap of a single VS.

    As for your policy questions, you should check out how 'fw monitor' works. In short, it is a packet capture which records each packet several times (four by default) as it passes through the firewall. The idea is to let you see how the firewall changes a packet through NAT, routing, and VPN decisions. The default capture points are these:
    1. i How the packet looked when the firewall got it from the interface
    2. I How the packet looked after one firewall policy pass
    3. o After routing, before a second firewall policy pass
    4. O After the second firewall policy pass, as the packet is about to be handed to the interface driver

    The routing is handled by the OS, just like any UNIX-like system with IP forwarding enabled. This means traffic to the firewall itself still has to go through i and I, so it is filtered by the policy. Traffic out from the firewall has to pass o and O, so it is also filtered by the policy.

    'fw monitor' and 'fw ctl zdebug drop' are the two biggest tools for troubleshooting normal traffic problems. Add in 'vpn debug ikeon', and you can solve probably 95% of the issues Check Point's call center normally gets.

  3. #3
    Join Date
    Rep Power

    Default Re: Dedicated Management Port and Firewall Rules

    Sadly quite a few people get caught up with Check Point's naming of some Interfaces.

    Is the same with the larger boxes with the Synch Interface as well. Again that is simply a label and is equal to every other interface in how it handles traffic ( unless of course is used for the Synch, however I always Bond two interfaces together to provide resilience for the Synch between the Cluster Members )

    The only thing that is significant about the interface labelled Mgmt is that this is the Interface which has the MAC address that the Check Point User Centre identifies the box as so if you are asked for the MAC of the Unit then is the MAC of the Mgmt Interface that they want.

    In terms of rules for traffic for the Firewall then under the Global Properties then there are implied rules for the Firewall.

    One of these relates to traffic FROM the Firewall which can be checked and then either be First, Before Last or Last.

    If set to be Before Last then the NTP, DNS traffic from the Firewall will be matched with the Implied Rule unless you create a Manual Rule and place above the Last Rule.

Similar Threads

  1. Replies: 1
    Last Post: 2017-03-30, 12:39
  2. VPN Firewall Rules
    By laf_c in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 5
    Last Post: 2014-11-01, 06:46
  3. Layer 2 connectivity problem on management port
    By anbu013 in forum Check Point Power-1 Appliances
    Replies: 0
    Last Post: 2012-08-18, 06:21
  4. Wishing to create interface dedicated to IP management in IPSO 6.2
    By tkitzky in forum Check Point IP Appliances and IPSO (Formerly Sold By Nokia)
    Replies: 4
    Last Post: 2011-02-24, 17:01
  5. Connections between gateway and management console on port FW1_ela
    By eschreque in forum Security Management Server (Formerly SmartCenter Server ((Formerly Management Server))
    Replies: 1
    Last Post: 2008-06-26, 14:03

Tags for this Thread


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts