topic Re: Maestro Masters Round Table - Selected Questions, Part 1 in Hyperscale Firewall (Maestro)

Maestro Masters Round Table - Selected Questions, Part 1

_Val_ — Wed, 22 Jun 2022 12:57:41 GMT

Before our Maestro Masters Round Table event, we have asked you to send us some questions in advance.

We will gradually post those questions and answers to them in this space. Here is the first batch.

Q: What would be the best way to size the Maestro environment?

A: It depends on metrics. Regarding Throughput and connection rate - the penalty is 1% of the total per each additional SGM in the security group. That means, if one SGM is 100%, 2x SGMs would be 200% -2%(200%)=196%

Q: How do I use tcpdump if traffic is being distributed between gateways?

A: In Maestro, we created global commands, such as g_tcpdump and g_fw commands. Using global commands, you can get a result from all SGMs simultaneously.

Q: Do you recommend taking Gaia snapshots of security groups as a best practice?

A: Definitely yes, and there is an option to run a snapshot command. You can also elect to take just a snapshot of a single appliance or to take snapshots of all members of the Security Group. You can use a snapshot from a single appliance of one to restore others.

Q: Is dynamic scaling supported? If not, when will it be?

A: Auto-scaling will be supported for the next version, which is R81.20.

Stay tuned for more!

Re: Maestro Masters Round Table - Selected Questions, Part 1

d1d7baba-eaca-4 — Tue, 12 Jul 2022 19:14:27 GMT

Hi - From another Maestro Tech Talk, I think, I thought the penalty was 10% per interface that was devoted to MHO information shared with the SGMs. Am I off on this thought?

Re: Maestro Masters Round Table - Selected Questions, Part 1

Lari_Luoma — Wed, 13 Jul 2022 05:26:59 GMT

About the snapshots... Snapshot is a disk image, which means that it is always local to an SGM. They should be taken in CLISH instead of gclish as usually you don't want to take a snapshot simultaneously of all SGMs. While you do can take a snapshot of each SGM it's usually not necessary. SGMs are clones of each other and as long as you can restore one, the others will clone configuration and binaries including JHF from it. My recommendation typically is to take a snapshot of the SMO and save it on external location. If you want to take snapshots of all your SGMs, that's also fine, but takes a lot of disk space and most of the time is not necessary.

Re: Maestro Masters Round Table - Selected Questions, Part 1

_Val_ — Wed, 13 Jul 2022 06:44:16 GMT

@d1d7baba-eaca-4 Penalty on what?

Re: Maestro Masters Round Table - Selected Questions, Part 1

d1d7baba-eaca-4 — Thu, 14 Jul 2022 13:39:14 GMT

Penalty - Bandwidth use for actual traffic - 90%, if 10% is set aside for MHO to SGM traffic.

Re: Maestro Masters Round Table - Selected Questions, Part 1

_Val_ — Thu, 14 Jul 2022 14:05:17 GMT

@Lari_Luoma, @Anatoly can you advise?

Re: Maestro Masters Round Table - Selected Questions, Part 1

Sidney_Ross — Thu, 14 Jul 2022 17:23:44 GMT

@d1d7baba-eaca-4 I think you mean the 10% bandwidth reservation on the downlinks for the MHO - SGM communication. But the penalty Val mentions in the Q&A is the 1% degradation per appliance when adding an appliance(s) to a Security Group. Basically those are two different things: One is a reservation on a downlink and the other is a cumulative penalty on a Security Group's overall performance.

However, as far as I know we don't do the 10% reservation anymore.

Re: Maestro Masters Round Table - Selected Questions, Part 1

d1d7baba-eaca-4 — Thu, 14 Jul 2022 17:49:41 GMT

Sidney - Thanks for the clarification. With respect to 'bandwidth reservation on the downlinks for the MHO - SGM communication', if there is no 10% reservation, do you happen to know what it is, or what has taken it's place?

Re: Maestro Masters Round Table - Selected Questions, Part 1

MtxMan — Mon, 18 Jul 2022 09:52:56 GMT

Hi @_Val_

honestly im new on Maestro and i got question from my existing customer :

if they have 2x5200 and wanna implement maestro, is it still possible? because i check on some literature, minimum of fw to implemented hyperscale is 3 fw. so need i buy MHO-140 + one more 5200?

If you have a link basic concept or free training for Maestro, please share with me. Thanks!

Re: Maestro Masters Round Table - Selected Questions, Part 1

_Val_ — Mon, 18 Jul 2022 10:10:14 GMT

Hi @MtxMan, unfortunately, 5200 are not supported with Maestro. You need at least 5600. Please refer to sk162373 for the list of all supported appliances and their combinations.

That said, you can start with MHO and just two GW appliances, and then add them as needed, you do not have to have three of those from the start.

Re: Maestro Masters Round Table - Selected Questions, Part 1

_Val_ — Mon, 18 Jul 2022 10:16:22 GMT

Also, @MtxMan

For the courses, we have Maestro Jump Start courses, available with multiple learning platforms free of charge.

Look here to choose your options: https://community.checkpoint.com/t5/Check-Point-for-Beginners-2-0/Free-Online-Training-Choose-Your-Options/ba-p/89766?cat=10

Re: Maestro Masters Round Table - Selected Questions, Part 1

MtxMan — Mon, 18 Jul 2022 13:14:42 GMT

Hi @_Val_

Thankyou so much!

so if customer only have 2 GW, the behaviour just like clusterxl active-active?

Re: Maestro Masters Round Table - Selected Questions, Part 1

_Val_ — Mon, 18 Jul 2022 14:22:56 GMT

@MtxMan Not "just like", much better than physical active-active clustering, thanks for MHO balancing and hypersync.