Dedicated Management Port and Firewall Rules

**fatalXerror** · 2018-12-13

Hi Guys,

I am really a newbie in CheckPoint firewall and I am deploying now a 5800 firewall appliance and I noticed something about the behavior of the CheckPoint firewall specially in the Mgmt port and in its firewall rules compare to other vendors.

I would like to know the following regarding the dedicated Mgmt port:
1. Does it have its own routing table?
2. Does it like any other ethernet ports in the appliance?
3. Does it process traffic to pass through like other ethernet ports?

Regarding the firewall rules, I just want to confirm about my observation:
1. Does it really need to configure a policy even if the traffic is intended for the firewall?
- For example, the firewall needs to have communication to DNS servers so that it can resolve domain names.
- Another example, the firewall needs to sync the time to NTP.

It is really new to me.

Thanks a lot for helping a newbie like me

**Bob_Zimmerman** · 2018-12-13

"Mgmt" is just another interface on the OS. It does not have its own routing table. In fact, there is nothing special about it at all; it's just another Intel e1000 interface which happens to get a weird name from Check Point's udev rules.

Check Point has functionality called VSX which may help you do what you want. The VSX features are implemented using Linux' VRF functionality, which works a lot like Cisco's VRFs. If you are familiar with either of those, VSX isn't too much stranger to deal with. It lets you separate management into VS 0, then put through-traffic in another VS. I don't believe you can have a SmartCenter and a firewall in VSX mode on the same device.

There are four major types of VS:

Switch (no routing table, no firewall policy)
Bridge-mode firewall (no routing table, but has a firewall policy)
Router (routing table, but no firewall policy)
Firewall (routing table and firewall policy)

Virtual switches are free and are used to allow multiple router or firewall contexts to access the same physical interface or VLAN. "VS 0" is used for management, though it can also be used for through-traffic. It does not consume a license slot. All of the other VS types consume license slots. I believe every Check Point firewall license now includes VSX functionality with a cap of a single VS.

As for your policy questions, you should check out how 'fw monitor' works. In short, it is a packet capture which records each packet several times (four by default) as it passes through the firewall. The idea is to let you see how the firewall changes a packet through NAT, routing, and VPN decisions. The default capture points are these:

i — How the packet looked when the firewall got it from the interface
I — How the packet looked after one firewall policy pass
o — After routing, before a second firewall policy pass
O — After the second firewall policy pass, as the packet is about to be handed to the interface driver

The routing is handled by the OS, just like any UNIX-like system with IP forwarding enabled. This means traffic to the firewall itself still has to go through i and I, so it is filtered by the policy. Traffic out from the firewall has to pass o and O, so it is also filtered by the policy.

'fw monitor' and 'fw ctl zdebug drop' are the two biggest tools for troubleshooting normal traffic problems. Add in 'vpn debug ikeon', and you can solve probably 95% of the issues Check Point's call center normally gets.

**mcnallym** · 2018-12-17

Sadly quite a few people get caught up with Check Point's naming of some Interfaces.

Is the same with the larger boxes with the Synch Interface as well. Again that is simply a label and is equal to every other interface in how it handles traffic ( unless of course is used for the Synch, however I always Bond two interfaces together to provide resilience for the Synch between the Cluster Members )

The only thing that is significant about the interface labelled Mgmt is that this is the Interface which has the MAC address that the Check Point User Centre identifies the box as so if you are asked for the MAC of the Unit then is the MAC of the Mgmt Interface that they want.

In terms of rules for traffic for the Firewall then under the Global Properties then there are implied rules for the Firewall.

One of these relates to traffic FROM the Firewall which can be checked and then either be First, Before Last or Last.

If set to be Before Last then the NTP, DNS traffic from the Firewall will be matched with the Implied Rule unless you create a Manual Rule and place above the Last Rule.