topic First step with MHO and few questions about it in Hyperscale Firewall (Maestro) https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/First-step-with-MHO-and-few-questions-about-it/m-p/99352#M337 <P>hi maestro expert <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>i am making my first step to implemant maetro then i have some question about it :</P><P>Q1 : If i am correct there is no need to configure Sync interface for the gateway and in the maestro object in management server and in the mho security group . It will be automaticly use network 192.0.2.X on a virtual interface named Sync like in my lab :</P><P>Virtual cluster interfaces: 10</P><P>eth1-05 10.20.0.1 VMAC address: 00:1C:7F:81:05:C1<BR />eth1-06 81.255.188.1 VMAC address: 00:1C:7F:81:06:C1<BR />eth1-07 192.168.4.4 VMAC address: 00:1C:7F:81:07:C1<BR />eth1-08 81.255.188.253 VMAC address: 00:1C:7F:81:08:C1<BR />eth1-09 10.10.0.254 VMAC address: 00:1C:7F:81:09:C1<BR />eth1-10 10.0.50.1 VMAC address: 00:1C:7F:81:0A:C1<BR />eth1-Mgmt1 217.109.182.193<BR />eth1-CIN 198.51.101.2<BR />eth2-CIN 198.51.101.202<BR />Sync 192.0.2.2</P><P>[Expert@OIF-ch01-02:0]# ifconfig Sync<BR />Sync Link encap:Ethernet HWaddr 00:1C:7F:02:04:FE<BR />inet addr:192.0.2.2 Bcast:192.0.2.255 Mask:255.255.255.0<BR />UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1<BR />RX packets:136664 errors:0 dropped:0 overruns:0 frame:0<BR />TX packets:62063 errors:0 dropped:0 overruns:0 carrier:0<BR />collisions:0 txqueuelen:1000<BR />RX bytes:30427407 (29.0 MiB) TX bytes:5948091 (5.6 MiB)<BR /><BR /></P><P><BR />Q2 : all members are in active state and the first gateway in the security group will be the pivot like in A/A with cluster XL or how traffic is handle when you have 3 gateway or more in the security group ?</P><P>Cluster Mode: HA Over LS</P><P>ID Unique Address Assigned Load State</P><P>1 (local) 192.0.2.1 33% ACTIVE<BR />2 192.0.2.2 33% ACTIVE<BR />3 192.0.2.3 33% ACTIVE</P><P>Q3 : on the Smartcenter there is no way to check the HA status for the gateway in the secutiry group on the MHO config ?</P><P>Q4 : if i am correct with maestro there is only a virtual ip address configure in the smartcenter on the network management and no need to configure reel ip per node and define the interface as a cluster interface</P><P>Q5 : What is interface eth1-CIN and eth2-CIN with and adress IP in : 198.51.101.X ? none of this interface are set up on the mho security group :</P><P>In clish they not appear :</P><P>[Global] OIF-ch01-01 &gt; show interface</P><P>eth1-05 eth1-06 eth1-07 eth1-08 eth1-09 eth1-10<BR />eth1-11 eth1-12 eth1-Mgmt1 lo BPEth0 BPEth1</P><P>In Expert :</P><P>eth1-CIN Link encap:Ethernet HWaddr 00:1C:7F:81:42:01<BR />inet addr:198.51.101.1 Bcast:198.51.101.127 Mask:255.255.255.128<BR />UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<BR />RX packets:741356 errors:0 dropped:0 overruns:0 frame:0<BR />TX packets:894418 errors:0 dropped:0 overruns:0 carrier:0<BR />collisions:0 txqueuelen:1000<BR />RX bytes:226692007 (216.1 MiB) TX bytes:99844561 (95.2 MiB)</P><P><BR />eth2-CIN Link encap:Ethernet HWaddr 00:1C:7F:82:42:01<BR />inet addr:198.51.101.201 Bcast:198.51.101.255 Mask:255.255.255.128<BR />UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<BR />RX packets:0 errors:0 dropped:0 overruns:0 frame:0<BR />TX packets:67704 errors:0 dropped:0 overruns:0 carrier:0<BR />collisions:0 txqueuelen:1000<BR />RX bytes:0 (0.0 b) TX bytes:2843568 (2.7 MiB)</P><P><BR />[Expert@OIF-ch01-01:0]# ethtool eth2-CIN<BR />Settings for eth2-CIN:<BR />Supported ports: [ FIBRE ]<BR />Supported link modes: 10000baseT/Full<BR />Supported pause frame use: Symmetric Receive-only<BR />Supports auto-negotiation: Yes<BR />Supported FEC modes: Not reported<BR />Advertised link modes: 10000baseT/Full<BR />Advertised pause frame use: Symmetric Receive-only<BR />Advertised auto-negotiation: Yes<BR />Advertised FEC modes: Not reported<BR />Speed: 10000Mb/s<BR />Duplex: Full<BR />Port: FIBRE<BR />PHYAD: 0<BR />Transceiver: internal<BR />Auto-negotiation: on<BR />Current message level: 0x00000000 (0)<BR /><BR />thank you for reading</P><P>&nbsp;</P> Sat, 17 Oct 2020 13:24:38 GMT Lkge 2020-10-17T13:24:38Z First step with MHO and few questions about it https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/First-step-with-MHO-and-few-questions-about-it/m-p/99352#M337 <P>hi maestro expert <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>i am making my first step to implemant maetro then i have some question about it :</P><P>Q1 : If i am correct there is no need to configure Sync interface for the gateway and in the maestro object in management server and in the mho security group . It will be automaticly use network 192.0.2.X on a virtual interface named Sync like in my lab :</P><P>Virtual cluster interfaces: 10</P><P>eth1-05 10.20.0.1 VMAC address: 00:1C:7F:81:05:C1<BR />eth1-06 81.255.188.1 VMAC address: 00:1C:7F:81:06:C1<BR />eth1-07 192.168.4.4 VMAC address: 00:1C:7F:81:07:C1<BR />eth1-08 81.255.188.253 VMAC address: 00:1C:7F:81:08:C1<BR />eth1-09 10.10.0.254 VMAC address: 00:1C:7F:81:09:C1<BR />eth1-10 10.0.50.1 VMAC address: 00:1C:7F:81:0A:C1<BR />eth1-Mgmt1 217.109.182.193<BR />eth1-CIN 198.51.101.2<BR />eth2-CIN 198.51.101.202<BR />Sync 192.0.2.2</P><P>[Expert@OIF-ch01-02:0]# ifconfig Sync<BR />Sync Link encap:Ethernet HWaddr 00:1C:7F:02:04:FE<BR />inet addr:192.0.2.2 Bcast:192.0.2.255 Mask:255.255.255.0<BR />UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1<BR />RX packets:136664 errors:0 dropped:0 overruns:0 frame:0<BR />TX packets:62063 errors:0 dropped:0 overruns:0 carrier:0<BR />collisions:0 txqueuelen:1000<BR />RX bytes:30427407 (29.0 MiB) TX bytes:5948091 (5.6 MiB)<BR /><BR /></P><P><BR />Q2 : all members are in active state and the first gateway in the security group will be the pivot like in A/A with cluster XL or how traffic is handle when you have 3 gateway or more in the security group ?</P><P>Cluster Mode: HA Over LS</P><P>ID Unique Address Assigned Load State</P><P>1 (local) 192.0.2.1 33% ACTIVE<BR />2 192.0.2.2 33% ACTIVE<BR />3 192.0.2.3 33% ACTIVE</P><P>Q3 : on the Smartcenter there is no way to check the HA status for the gateway in the secutiry group on the MHO config ?</P><P>Q4 : if i am correct with maestro there is only a virtual ip address configure in the smartcenter on the network management and no need to configure reel ip per node and define the interface as a cluster interface</P><P>Q5 : What is interface eth1-CIN and eth2-CIN with and adress IP in : 198.51.101.X ? none of this interface are set up on the mho security group :</P><P>In clish they not appear :</P><P>[Global] OIF-ch01-01 &gt; show interface</P><P>eth1-05 eth1-06 eth1-07 eth1-08 eth1-09 eth1-10<BR />eth1-11 eth1-12 eth1-Mgmt1 lo BPEth0 BPEth1</P><P>In Expert :</P><P>eth1-CIN Link encap:Ethernet HWaddr 00:1C:7F:81:42:01<BR />inet addr:198.51.101.1 Bcast:198.51.101.127 Mask:255.255.255.128<BR />UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<BR />RX packets:741356 errors:0 dropped:0 overruns:0 frame:0<BR />TX packets:894418 errors:0 dropped:0 overruns:0 carrier:0<BR />collisions:0 txqueuelen:1000<BR />RX bytes:226692007 (216.1 MiB) TX bytes:99844561 (95.2 MiB)</P><P><BR />eth2-CIN Link encap:Ethernet HWaddr 00:1C:7F:82:42:01<BR />inet addr:198.51.101.201 Bcast:198.51.101.255 Mask:255.255.255.128<BR />UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<BR />RX packets:0 errors:0 dropped:0 overruns:0 frame:0<BR />TX packets:67704 errors:0 dropped:0 overruns:0 carrier:0<BR />collisions:0 txqueuelen:1000<BR />RX bytes:0 (0.0 b) TX bytes:2843568 (2.7 MiB)</P><P><BR />[Expert@OIF-ch01-01:0]# ethtool eth2-CIN<BR />Settings for eth2-CIN:<BR />Supported ports: [ FIBRE ]<BR />Supported link modes: 10000baseT/Full<BR />Supported pause frame use: Symmetric Receive-only<BR />Supports auto-negotiation: Yes<BR />Supported FEC modes: Not reported<BR />Advertised link modes: 10000baseT/Full<BR />Advertised pause frame use: Symmetric Receive-only<BR />Advertised auto-negotiation: Yes<BR />Advertised FEC modes: Not reported<BR />Speed: 10000Mb/s<BR />Duplex: Full<BR />Port: FIBRE<BR />PHYAD: 0<BR />Transceiver: internal<BR />Auto-negotiation: on<BR />Current message level: 0x00000000 (0)<BR /><BR />thank you for reading</P><P>&nbsp;</P> Sat, 17 Oct 2020 13:24:38 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/First-step-with-MHO-and-few-questions-about-it/m-p/99352#M337 Lkge 2020-10-17T13:24:38Z Re: First step with MHO and few questions about it https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/First-step-with-MHO-and-few-questions-about-it/m-p/99360#M338 <P>Hello,</P><P>Based on little experience I have with Maestro I can try and answer some of your questions:</P><P>Q1:&nbsp;<SPAN>192.0.2/24 is reserved for synchronization traffic</SPAN></P><P>Q3: There is not way to monitor the state in SmartConsole</P><P>Q4: In SmartConsole, you should add the IP of the Security Group and no need to add any other peer/node vIP ( globally, all appliances share the same network configuration received from the Security Group, only the Orchestrator in charge of the appliances, has/should have a different IP from the SG )</P><P>Q5:&nbsp;<SPAN>198.51.101/24 is reserved for chassis internal networking messages</SPAN></P><P>Maybe this&nbsp;<A href="https://community.checkpoint.com/t5/Maestro-Hyperscale-Security/Maestro-basic-setup-documentation/td-p/69907" target="_self">post</A>&nbsp;will help and answer more of your questions.</P> Sat, 17 Oct 2020 15:01:54 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/First-step-with-MHO-and-few-questions-about-it/m-p/99360#M338 funkylicious 2020-10-17T15:01:54Z