topic Re: Mastro Mgmt Bond (magg) - dual Orchestrator and multiple Security Groups in Hyperscale Firewall (Maestro)

Mastro Mgmt Bond (magg) - dual Orchestrator and multiple Security Groups

Kilian_Huber — Tue, 31 Oct 2023 15:56:57 GMT

Hello Maestro Masters,

I have a question regarding the use of bonded interfaces on the MHO for SMO management traffic.

consider the following setup:

Dual Site and Dual Orchestrator Setup (MHO-140)
2 Security Groups, deployed as VSX
Management Port 1 on the Orchestrators connected to a network switch

The following layout illustrates the setup (for simplicity, the layout contains only one site):

In this setup, both security groups share a physical Management port.

According to the Admin Guide, configuring a Bond interface on the Management port is possible. Step 3 of Use Case - Editing an Existing Security Group states:

Connect through the console port to the Security Appliance with Member ID 1 in this Security Group.

This indicates that the Bonding interface is created on the Security Group level. As a consequence, this means that the Bond is only available to one Security Group. When using LACP, this is a known limitation (ID: 02003875 and PMTR-97008).

My question is: is there another way to achieve the desired setup (ACTIVE/BACKUP Bond) or do we need to use physical Mgmt uplinks for every Security Group?

Re: Mastro Mgmt Bond (magg) - dual Orchestrator and multiple Security Groups

Wolfgang — Tue, 31 Oct 2023 18:40:39 GMT

@Kilian_Huber Please check your design, are you sure you are running a dual site environment? In dual site environment there is no connection from SGMs to the MHO on the other site. In a dual site environment you have an active/passive MGMT port between one MGMT interface (same interface on both sites). If you need a bond, you have to use only ports from one site, meaning eth1-mgmt & eth2-mgmt from one site. The same bond is created automatically on the other site, but this comes active only if a site failover occurs.

Re: Mastro Mgmt Bond (magg) - dual Orchestrator and multiple Security Groups

Kilian_Huber — Wed, 01 Nov 2023 07:32:17 GMT

Thanks @Wolfgang. As I wrote: "for simplicity, the layout contains only one site".

The full setup looks like this:

Re: Mastro Mgmt Bond (magg) - dual Orchestrator and multiple Security Groups

Wolfgang — Wed, 01 Nov 2023 07:45:28 GMT

@Kilian_Huber thanks for more detailed description. As I know the limitation PMTR-97008 exist only for a bond with LACP as bonding protocol. active/backup- or XOR-BOND should work.

@Lari_Luoma @Chris_Atkinson please, can you assist and confirm.

Re: Mastro Mgmt Bond (magg) - dual Orchestrator and multiple Security Groups

Chris_Atkinson — Wed, 01 Nov 2023 09:39:31 GMT

MAGG (bond of management interfaces) working in LACP mode is supported from R81.10

However, sharing between security group of this MAGG or its slaves is NOT supported you must use an alternate Bond flavor in such cases.

Refer also: MAGG Interfaces (checkpoint.com)

Re: Mastro Mgmt Bond (magg) - dual Orchestrator and multiple Security Groups

Kilian_Huber — Wed, 01 Nov 2023 09:32:29 GMT

@CHROthanks for the feedback. What flavor can I use and how/where is the Bond configured?

Re: Mastro Mgmt Bond (magg) - dual Orchestrator and multiple Security Groups

Wolfgang — Thu, 02 Nov 2023 20:17:27 GMT

Which flavour of the bond depends on your switch infrastructure. Active/backup does work with most of the switch vendors and setting xmit-hash-polish to MAC address will be fine for the VSX management magg. You can follow the configuration guide mentioned by @Chris_Atkinson . Magg is configured via your SG.

Re: Mastro Mgmt Bond (magg) - dual Orchestrator and multiple Security Groups

Kilian_Huber — Thu, 02 Nov 2023 20:20:18 GMT

Okay, and if the magg is shared accross several SGs, it needs to be configured on every SG. Correct?

Re: Mastro Mgmt Bond (magg) - dual Orchestrator and multiple Security Groups

Wolfgang — Thu, 02 Nov 2023 20:39:09 GMT

Yes, you have to configure this on every SG. You have to configure an own IP-address for every SecurityGroup and they get assigned an own MAC-address.

Re: Mastro Mgmt Bond (magg) - dual Orchestrator and multiple Security Groups

Tchangoloro — Wed, 29 Oct 2025 01:22:47 GMT

Hello Kilian, Could you make these stencils available in that custom pink color, matching Checkpoint's colors?