topic Re: Different Management server in maestro environment in Hyperscale Firewall (Maestro)

Different Management server in maestro environment

Rabin — Thu, 29 Aug 2024 17:40:13 GMT

Hi Everyone,

I just want to know is it possible to use different checkpoint management server for managing the SMO of different security Group created in same Maestro Orchestrator and what challenges or issue it might occur in production environment ??

Thank You.

Re: Different Management server in maestro environment

AkosBakos — Thu, 29 Aug 2024 18:06:48 GMT

Hi @Rabin

Let me clarify this a litle bit with my words:

Every Security Group has one SMO which one is dedicated SGM among the SGM-s. This is the "boss".

One Security Group -> one SMO -> and the simple SGMs

Segmentation:

I prefer to create a new LAN for the MAESTRO management, to mix it with other traffic (other cluster management stc.) This was a prerequisite earlier.

To create a new Management server:

I don't think so. Why should I build a new SMS (think about the license cost only) for managing the Security Groups? Not necessary. I have implementations where 10+ cluster and MAESTRO are handled by one SmartCenter.

Except:

the hardware is not able to handle the inceased log quantity (high lograte)
- to small Smart-1 hardware
security concerns
HA is not implemented, and necessary

If only the LOGrate is the issue consider to buy a logserver software license only and install it on a VM. In this case the resources almost endless. 🙂

It is only the surface, to make a decision about the architecture, more info needed.

If you have any question just drop an update on this, then we can go into details.

Akos

Re: Different Management server in maestro environment

Rabin — Fri, 30 Aug 2024 01:44:04 GMT

Hi Akos,

Thank You for your insight, we have two management server(Smart -1 600S in core and one in VM for perimeter for maestro) and licenses. The perimeter environment is of maestro orchestrator with SMO,SGM's and SMS whereas in core we have CP-Cluster in Active standby deployment, now we are planning to migrate this in perimeter to achieve active-active load balancing by segregating the traffic using different security group or lets say different SMO.

To achieve this we were planning to use management server of core to manage new SMO integrated in maestro orchestrator.

As you suggested using same management server for deployment, in long run it would be easy to handle and minimize the cost as well. To achieve this either we need to manually create database or as far as i know migrating database would be easy but it might have issue in production environment considering all the configuration will be replicated.

So what would you suggest in this scenario, also if you know how to migrate policy and objects only without using migrate database tool, please let me know. Also kindly suggest which approach would be better in this situation.

Again, thank you for your response.

Rabin

Re: Different Management server in maestro environment

emmap — Fri, 30 Aug 2024 01:59:20 GMT

Yes, each security group is a separate entity with separate SIC and hence security groups sharing MHOs can be managed by different management servers. There's no additional challenges or issues expected in this scenario, it's fully supported, it's the same as having two different gateway clusters on two different management servers.

Re: Different Management server in maestro environment

AkosBakos — Fri, 30 Aug 2024 07:56:49 GMT

Hi @Rabin

That was not clear for me, that you have two managements. In this case I understand you. As you mentioned, one Management would be enough is a far future, and budget-proof. 🙂

I would addressed two questions here:

Cluster and Active Active setup:

Az I think you are in the plannig phase. Please read the limitations here.

Two Managament into one:

From what you have written, this tool would be useful for you. This helps you in the hardest part -> migrating the policy.

https://support.checkpoint.com/results/sk/sk180923

About the Smart-1 600S and the VM license

Hard to compare the physical appliance with the VM, because both have advantages and disadvantages too.

The largest difference is for me:

The Smart-1 has a hard limit in performace, and yo can't extend it. Datasheet here

The VM does not have such kind of limit, because the resources of the host are always extendable. An another feature of the VM, is the snapshot. By upgrades it is a huge feature, and extend the safety.

These are my opinions, from the small amount of information that I have.

I hope this helps you to find the right way.

I have installation with Smart-1 and VM too. Somewhere was requirement that, the Management must be a physical appliance in HA...

Akos