https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/How-do-I-extend-Maestro-single-site-vsx-env-to-a-dual-site/m-p/221877#M2777 <P>1) prepare site 2 ORCHs in advance with all the relevant configuration (site id, amount of site etc.).</P> <P>2) make all the physical connectivity between MHO's between the sites. this means stretching VLANS. check this SK:</P> <P><A href="https://support.checkpoint.com/results/sk/sk168092" target="_blank">https://support.checkpoint.com/results/sk/sk168092</A></P> <P>also , depending on the architecture, check also this SK:</P> <P><A href="https://support.checkpoint.com/results/sk/sk181385" target="_blank">https://support.checkpoint.com/results/sk/sk181385</A></P> <P>3) configure production MHO's for amount of site 2 and restart orchd gradually (per MHO in Production).</P> <P>to avoid sync between them it's recommended to shutdown local sync port between them.</P> <P>4) Test connectivity between MHO's between sites:</P> <P>MHO1-1 to MHO 2-1 - ping&nbsp;203.0.113.15</P> <P>MHO2-1 to MHO2-2 - ping 203.0.113.16</P> <P>5) restart orchd on both site 2 MHO's in order to sync with Site MHO's and get all the SG configuration.</P> <P>verify under /etc/sgdb.json.</P> <P>6) activate auto-clone in SG and add SGM's.</P> <P>when SGM's are added make sure you have connectivity between Site1 SGMs and site2 SGMs by pinging from SGMs to 192.0.2.15, 16 etc. (at least have ARP).</P> <P>&nbsp;</P> Thu, 25 Jul 2024 09:44:36 GMT Nir_Shamir 2024-07-25T09:44:36Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/How-do-I-extend-Maestro-single-site-vsx-env-to-a-dual-site/m-p/221875#M2776 <P>I am currently planning to expand our Maestro environment:<BR />currently: 2*MHO175 + 3*9700 appliances, single site, one security group, VSX with 4 virtual systems, R81.20</P><P>this is to be extended to a second data center, the necessary hardware, i.e. another 2*MHO175 + 3* 9700 appliances is available.</P><P>How do I expand Maestro single site to dual site without or with minimal downtime? Unfortunately, I have not found any suitable instructions.</P><P>What happens to the existing security group and traffic flow if I run the standard setup for dual site like this:</P><P>on each MHO<BR />Orch_1_1&gt; set maestro configuration orchestrator-site-amount 2<BR />Orch_1_2&gt; set maestro configuration orchestrator-site-amount 2<BR />Orch_2_1&gt; set maestro configuration orchestrator-site-amount 2<BR />Orch_2_1&gt; set maestro configuration orchestrator-site-amount 2</P><P>on site 1 (currently productive)<BR />Orch_1_1&gt;set maestro configuration orchestrator-site-id 1<BR />Orch_1_1#orchd restart<BR />Orch_1_2&gt;set maestro configuration orchestrator-site-id 1<BR />Orch_1_2#orchd restart</P><P>on site 2<BR />Orch_2_1&gt;set maestro configuration orchestrator-site-id 2<BR />Orch_2_1#orchd restart<BR />Orch_2_2&gt;set maestro configuration orchestrator-site-id 2<BR />Orch_2_2#orchd restart</P><P>on side 1 - Back up the /etc/maestro<BR />Orch_1_1#cp -v /etc/maestro.json ~/maestro.json_BKP<BR />Orch_1_1#cp -v /etc/maestro_full.json ~/maestro_full.json_BKP<BR />Orch_1_2#cp -v /etc/maestro.json ~/maestro.json_BKP<BR />Orch_1_2#cp -v /etc/maestro_full.json ~/maestro_full.json_BKP</P><P>on site 2<BR />Orch_2_1&gt; set maestro port 1/31/1 type site_sync<BR />Orch_2_1#orchd restart<BR />Orch_2_2&gt; set maestro port 2/31/1 type site_sync<BR />Orch_2_2#orchd restart</P><P>on site 1<BR />Orch_1_1&gt; set maestro port 1/31/1 type site_sync<BR />Orch_1_1#orchd restart<BR />Orch_1_2&gt; set maestro port 2/31/1 type site_sync<BR />Orch_1_2#orchd restart</P><P>on site 2<BR />Orch_2_1#orchd restart<BR />Orch_2_2#orchd restart</P><P>on site 1<BR />Orch_1_1&gt;set maestro security-group apply-new-config</P><P>In which steps does the traffic flow interrupt?<BR />Has anyone already performed a similar task?</P><P>&nbsp;</P><P>Thanks for help</P><P>Uwe</P> Thu, 25 Jul 2024 09:28:45 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/How-do-I-extend-Maestro-single-site-vsx-env-to-a-dual-site/m-p/221875#M2776 Uwe_Herkt 2024-07-25T09:28:45Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/How-do-I-extend-Maestro-single-site-vsx-env-to-a-dual-site/m-p/221877#M2777 <P>1) prepare site 2 ORCHs in advance with all the relevant configuration (site id, amount of site etc.).</P> <P>2) make all the physical connectivity between MHO's between the sites. this means stretching VLANS. check this SK:</P> <P><A href="https://support.checkpoint.com/results/sk/sk168092" target="_blank">https://support.checkpoint.com/results/sk/sk168092</A></P> <P>also , depending on the architecture, check also this SK:</P> <P><A href="https://support.checkpoint.com/results/sk/sk181385" target="_blank">https://support.checkpoint.com/results/sk/sk181385</A></P> <P>3) configure production MHO's for amount of site 2 and restart orchd gradually (per MHO in Production).</P> <P>to avoid sync between them it's recommended to shutdown local sync port between them.</P> <P>4) Test connectivity between MHO's between sites:</P> <P>MHO1-1 to MHO 2-1 - ping&nbsp;203.0.113.15</P> <P>MHO2-1 to MHO2-2 - ping 203.0.113.16</P> <P>5) restart orchd on both site 2 MHO's in order to sync with Site MHO's and get all the SG configuration.</P> <P>verify under /etc/sgdb.json.</P> <P>6) activate auto-clone in SG and add SGM's.</P> <P>when SGM's are added make sure you have connectivity between Site1 SGMs and site2 SGMs by pinging from SGMs to 192.0.2.15, 16 etc. (at least have ARP).</P> <P>&nbsp;</P> Thu, 25 Jul 2024 09:44:36 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/How-do-I-extend-Maestro-single-site-vsx-env-to-a-dual-site/m-p/221877#M2777 Nir_Shamir 2024-07-25T09:44:36Z