Support Center > Search Results > SecureKnowledge Details
Management Data Plane Separation Technical Level
Solution

Table of contents:

  1. Introduction
  2. Minimum Requirements
  3. How it works
    1. Routing Separation
    2. Resource Separation
  4. Configuration
  5. Best Practice
  6. Limitations

(1) Introduction

Management Data Plane Separation allows a Security Gateway to have isolated Management and Data networks.

The network system of each domain (plane) is independent and includes interfaces, routes, sockets, and processes.

The Management Plane is a domain, whose purpose is to access, provision, and monitor the Security Gateway. This includes:

  • Access: SSH, FTP, and more
  • Provisioning: Policy installation, Gaia Portal, RestAPI, and more
  • Monitoring: Logs, SNMP, and more

Any Service, Process or Port used by the above is considered a part of the Management Plane. Everything else is considered a part of the Data Plane.

(2) Minimum Requirements for Security Gateways

  • R80.40 or higher
  • R80.30 with kernel 3.10 - R80.30 Jumbo Hotfix Take 136 or higher
  • R80.20SP Scalable Chassis - R80.20SP Jumbo Hotfix Take 210 or higher
  • R80.30SP Maestro - R80.30SP Jumbo Hotfix Take 73 or higher
  • A minimum of 4 CPU cores and 3 CoreXL FireWall instances

(3) How it works

The solution is implemented in software, and can be used on a physical or virtual appliance. It includes the capabilities that can be used independently:

  • Routing Separation
  • Resource Separation

(a) Routing Separation

Routing Separation creates a routing domain (ID 1) that includes an interface that the Security Gateway uses to communicate with Management, and an interface used for the synchronization of cluster members (when using ClusterXL). This domain has its own routing table, in which routing decisions are made. It is not connected with the Data Plane through any virtual adapter. This means that any packet that is inbound to the Security Gateway, whether on the Management plane or the Data plane, cannot cross over from one plane to the other plane. All non-Management related operations should not use the Management plane network. For example: DNS, Proxy, DHCP, and Software Blade portals.

To switch the context to either the Management Plane or the Data Plane in the Expert mode (Bash) or see section (4) for clish, Use these commands:

  • dplane - switches the network context to the Data plane (ID 0).
  • mplane - switches the network context to the Management plane (ID 1)
Tunnel Interface
As Planes are isolated and traffic cannot cross between them, The Tunnel interface (called mdps_tun) will allow only packets originated from the local gateway to a selected destination(s) (see Management plane Tasks below) to be sent via Management plane regardless on which plane the connection was initiated.

* The Tunnel interface is currently available on: R80.40 JHF Take 114 and R81 JHF Take 34 (and higher JHF takes)

(b) Resource Separation

With a Resource Separation, a dedicated CPU core is allocated for a joint use by the Management NIC and a single CoreXL FireWall instance (2 CoreXL FireWall instances, if the Hyper-Threading is enabled). The CoreXL FireWall instance does not receive any traffic from the CoreXL SND, except for packets that are inbound or outbound to the Management NIC. Usually, the number of connections is small, which practically ensures that regardless of how busy the other CoreXL FireWall instances and NICs are, the Security Gateway remains accessible through the Management NIC.

Consider a Security Gateway with 8 CPU cores and a 2-6 split (2 CPU cores work as CoreXL SND and 6 CPU cores work as CoreXL FireWall instances).
The distribution of CPU cores in a Security Gateway looks like this:

When the Resource Separation is enabled, the distribution of CPU cores in a Security Gateway looks like this:

For more information about CoreXL, refer to sk98737.

Notes

  • To enable this option, at least 4 CPU cores and 3 CoreXL FireWall instances are required.
  • When using Routing and Resource separation, the affinity for the Management Plane processes is not automatically set to a dedicated CPU.
  • As the feature uses a dedicated CPU, there are fewer CPU core(s) for Data Plane inspection.
  • On Maestro, this is supported when gateway uses mlx4/mlx5 NICs or i40e NICs. One of the NIC queues will be dedicated for management traffic and the rest of the queue will handle data traffic. If more than one CPU is assigned to management, then one of them will handle traffic of the management queue and the others will be free for user space applications.

(4) Configuration

  • All configurations are done in Gaia Clish.
  • On Scalable Platforms, all configurations are done in Global Clish (gclish).
  • Commands are '{set | add | delete | show} mdps ...'
  • Important: Each plane has its own configuration.
    Therefore, you must run these commands in each plane:
    save configuration <Name of Script>
    load configuration <Name of Script>
This applies to:
R81 Jumbo Hotfix Accumulator Take 34 and higher
R80.40 Jumbo Hotfix Accumulator Take 114 and higher

  • Enabling and disabling the routing separation:

    clish> set mdps mgmt plane {on | off}

    Notes:

    • It is recommended that the enable/disable routing separation be done during a Maintenance window. The procedure needs to be done through the serial console port because the connectivity through the Management interface will be lost. A reboot is required to complete the operation.
    • In Scalable Platforms, follow these steps after enabling or disabling of MDPS:
      1. Reboot the Standby Chassis
      2. Fail-over to the Standby Chassis
      3. Reboot the Standby Chassis
  • Changing the Gaia Clish context:

    To view or edit the Gaia Clish options in a similar way to the Expert mode commands "mplane" or "dplane".

    clish> set mdps environment {mplane | dplane}

  • Enabling and disabling the resource separation:

    clish> set mdps mgmt resource {on | off}

    Notes:

    • It is recommended that enable/disable resource separation be done during a Maintenance window. The procedure needs to be done via a serial port, as connectivity through the Management interface will be lost for a short time. A reboot is required to complete the operation.
    • First, you need to configure the network interface, then enable the MDPS.
  • Controlling the number of CPU cores for the resource separation:

    clish> set mdps resource cpus <1-4>

  • Setting the 'Management' interface.

    When you use either the Routing or the Resource Separation, you must define the Management interface. The interface are used for communication with the Management Server and to access the Security Gateway.

    clish> set mdps interface <NAME> management {on | off}

  • Setting the 'sync' interface.

    When you use Routing Separation and ClusterXL, you must set the Sync interface on the Management Plane. The interface is used for ClusterXL synchronization between members.

    clish> set mdps interface <NAME> sync {on | off}

Notes:
    • Setting a Sync interface is not supported on Scalable Platforms.
  • Adding or deleting routes in the Management plane

clish> {add | delete} mdps route <ADDRESS> nexthop <ADDRESS>

Notes:
    • Starting R81, This option is deprecated. Switch to the relevant 'clish' context and use the routing commands to set, modify, or show the routes.
  • Adding or deleting Tasks from the Management plane
With this option, It is possible to choose where to place tasks that the Security Gateway runs - either in the Management plane or the Data Plane context.
A "Task" can be one of these:
    • Port, Protocol:
      A specific port and protocol from any process is bound to the Management plane. The process itself remains in the Data plane context. This option works only for Check Point known ports.
    • Process:
      A specific process name is bound to the Management plane, including all ports that the process opens.
    • Service:
      OS service may include several processes, All of which are bound to the Management plane.
    • Address:
      Network or hostname to use with the tunnel interface, Any outgoing packets to the selected addresses will be outbound via Management plane routing table.

When enabling the Routing separation, a set of default tasks bounds to the Management plane. All other tasks remain in the Data plane. A task cannot be bound to both planes.

clish> {add | delete} mdps task <OPTIONS>

Notes:

    • Added/Deleted tasks are applied upon the next restart of the task.
  • List of default tasks when Routing Separation is used:
For more information about the relevant Check Point processes and ports, refer to sk97638 and sk52421.

Type Name, URL, Port Number
Address updates.checkpoint.com
Address te.checkpoint.com
Address teadv.checkpoint.com
Address cws.checkpoint.com
Address usercenter.checkpoint.com
Address avupdates.checkpoint.com
Service cpri_d
Service sshd
Service syslog
Process AutoUpdater
Process DAService
Process cloningd
Process confd
Process cprid
Process httpd2
Process ntpd
Process rest_api_docs
Process rest_api_run
Process snmpd
Process snmpmonitor
Process start_celery
Process start_redis
Port - Protocol 256 - tcp
Port - Protocol 257 - tcp
Port - Protocol 263 - tcp
Port - Protocol 2010 - tcp
Port - Protocol 5432 - tcp
Port - Protocol 8989 - tcp
Port - Protocol 18181 - tcp
Port - Protocol 18183 - tcp
Port - Protocol 18184 - tcp
Port - Protocol 18187 - tcp
Port - Protocol 18191 - tcp
Port - Protocol 18192 - tcp
Port - Protocol 18195 - tcp
Port - Protocol 18210 - tcp
Port - Protocol 18211 - tcp
Port - Protocol 18264 - tcp


(5) Best Practices

When using Routing Separation

  • Do not include Management Plane subnets on any Software blade portal.

  • Connectivity to the LDAP and similar servers from the Gateway should be done via the Data plane (Applies for versions without Tunnel Interface)

  • All commands in expert mode or clish should be executed in the context of the Data Plane (ID 0) except commands which are network dependent, such as 'ip ...', 'ifconfig', 'netstat', etc.

  • SNMP queries:

    • When using SNMP v2/v2c:
      To query the Security Gateway's Data plane OIDs, add the name suffix "_dplane" to the SNMP community name. For example, if the community name is "test," then the Data plane community name is "test_dplane".

    • When using SNMP v3:
      To query the Security Gateway's Data plane OIDs, the context argument must be added. The context name is "dplane".

  • When using a local license, the license must be issued for the IP address of the Management interface on the Security Gateway.
  • Using Deployment Agent commands (CPUSE) on clish must be done on Management plane context (use 'set mdps environment mplane').

When using Management Resource

  • Do not configure the CPU affinity (manually or with the 'sim affinity' command) for the Management interface.

(6) Known Limitations

Issue ID Description
PMTR-25365 IPv6 is not supported on the Management interface when using Resource Separation.
PMTR-25369 Configuration of Routing or Resource Separation can be done only in Gaia Clish.
PMTR-29698 The use of logical interfaces is not supported on the Management interface (Alias, Bridge, VPN Tunnel, 6in4 Tunnel, PPPoE, Bond, VLAN). 

Note: This limitation was resolved in the latest Jumbo Hotfix Accumulator Takes for R80.40 and R81. It is supported in R81.10. 
"Authentication failure: check your username and password" message on a Security Gateway when raising the "TACP" privileges of a TACACS user in the following scenario:
  1. Configured the Management Data Plane Separation (MDPS) as described in this article.
  2. Configured Gaia OS roles with different privileges for TACACS users.
  3. Configured a TACACS server.
  4. Logged in with a TACACS user.
  5. Raised the "TACP" privileges in the Gaia Portal (at the top of the "Overview" page, clicked "Enable") or in Gaia Clish (with the command "tacacs_enable <Role>")
  6. Entered the TACACS user password.
To resolve: 
  1. Connect to the command line on the Security Gateway.
  2. Log in to Gaia Clish.
  3. Add the Gaia OS "confd" process to the Management Plane. Run: add mdps task process confd
  4. Save changes. Run: save config
When using ClusterXL and Routing separation, configuring the same subnet for the Management and Data interface is not supported.
In SmartConsole, in the Security Gateway object > Topology, the "Get interfaces with topology" operation fetches only the data plane interfaces.
When using Routing separation, you must collect a Backup/Snapshot on a remote host only through the Management plane.
TM-13547 When adding the loopback interface on SNMP Agent Interfaces in MDPS, it causes the issue "The snmpd not listening - No Response".
The solution is to remove the "lo" interface or add as "Any".
PMTR-66296 The Gaia OS "LLDP" feature is not supported when the MDPS is enabled (applies only to R81.00).
MBS-14161 Scalable Platforms R81 and R81.10 (Maestro and Chassis) do not support MDPS.
On Scalable Platforms:
  • Sync & Chassis Internal Network (CIN) interfaces are not considered part of the Management Plane.
  • All members on a Security Group must be Up and ACTIVE when enabling or disabling the MDPS.
  • Configuration of Routing Separation can be done only in Gaia Global Clish (gclish).
  • Only Management interfaces and MAGG can be used as a Management interface in the MDPS.
  • When configuring a Syslog server, it must be in the Management interface's subnet.
  • In SmartConsole, in the SMO Security Gateway object, the operation "Get Interfaces with Topology" is not supported. Therefore, any topology modifications must be done manually in the SMO Security Gateway object.
  • Before you install or uninstall a Jumbo Hotfix Accumulator, make sure to disable the MDPS feature and enable it again after the Security Group Members reboot.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment