topic Re: Route Based VPN with numbered Vti migration from Standard Cluster to Maestro in Hyperscale Firewall (Maestro)

Route Based VPN with numbered Vti migration from Standard Cluster to Maestro

JED — Thu, 10 Jul 2025 10:31:58 GMT

Hi,

We have currently the Route based VPN with the Numbered VTi. This is currently configured on a cluster and is configured using the Vip, Gw1 , Gw2 and the remote address for the formation.

This works correctly and the resiliency between the Gw1 and Gw2 operates correctly upon fail over. ( The Bgp re-establishes when the partner member becomes active).

We are now migrating to a Vs Maestro based deployment.

The main question we have is as follows:

a) Does the configuration from gclish follow the same format with a Vti x on member 1 and then Vti x on member 2. Or does this configuration change? We will have three members in the Vs cluster.

b) Currently referencing (a) above the configuration is specifically performed on the two Cluster Members. How will this be completed on the Maestro. ( the Cluster is a three member unit and they are not physically configured separately as we did in the standard two blade cluster)

c) Having through the Technical documents we have failed to obtain any sample configuration/ scenarios. For us this will be a migration from standard cluster VTi config to a Maestro based deployment.

Any information or details that anyone may have regarding this would be most appreciated.

Regards,

JED

Re: Route Based VPN with numbered Vti migration from Standard Cluster to Maestro

Nir_Shamir — Thu, 10 Jul 2025 10:37:28 GMT

When you configure a Maestro Security Group you consider it as a Single GW. This means that on the Physical interfaces you configure the VIP IP and not the members Physical IP addresses.

Same thing with VTI's. On the Security Group you configure the tunnels local IP address the Tunnel VIP you are using today.

Re: Route Based VPN with numbered Vti migration from Standard Cluster to Maestro

Lesley — Thu, 10 Jul 2025 11:58:58 GMT

Here an config example of Maestro setup:

You do all changes in global clish!

gclish:

add vpn tunnel 1 type numbered local 1.1.1.2 remote 1.1.1.1 peer Name of the interoperable device from smart console

Example of above:

add vpn tunnel 1 type numbered local 1.1.1.2 remote 1.1.1.1 peer FW-Remote-Peer

set interface vpnt1 state on
set interface vpnt1 mtu 1500
set interface vpnt1 comments "VPN tunnel with remote party"

set static-route 172.16.0.0/24 nexthop gateway logical vpnt1 on
set static-route 172.16.0.0/24 comment "VPN tunnel with remote party"

In Smart Console on the SMO object you have to get interface (Get interface without topology)

You only can fetch these type of interfaces not manually create them!

Configure VPN community with empty encryption domains and done.

Re: Route Based VPN with numbered Vti migration from Standard Cluster to Maestro

Nir_Shamir — Thu, 10 Jul 2025 12:11:00 GMT

CLISH and GCLISH commands are the same.

the difference is that when working with GCLISH every command is configured on all SGM's at once because we need the configuration to be consistent on all of them.

so in Maestro only work in GCLISH

Re: Route Based VPN with numbered Vti migration from Standard Cluster to Maestro

JED — Thu, 10 Jul 2025 12:28:20 GMT

Hi Lesley,

Many thanks for the reply.

From what you have demonstrated it is showing the single entry for the VTI ( shown below)

add vpn tunnel 1 type numbered local 1.1.1.2 remote 1.1.1.1 peer FW-Remote-Peer

Therefore I am assuming this is all that is required : as opposed where we had a two blade cluster we would have had the following ( basing on your example) , single VTI config on each blade.

Blade1

add vpn tunnel 1 type numbered local 1.1.1.2 remote 1.1.1.1 peer FW-Remote-Peer

Blade 2

add vpn tunnel 1 type numbered local 1.1.1.3 remote 1.1.1.1 peer FW-Remote-Peer

All I need is the confirmation that it would only be the single entry for the Operation on Maestro.

Re: Route Based VPN with numbered Vti migration from Standard Cluster to Maestro

Lesley — Thu, 10 Jul 2025 12:40:45 GMT

I have 4 gateways in my security group and only 1 IP is needed. All 4 gateways have this interface with the same IP.

Because you change in gclish it will change it on ALL gateways in the security group. In smart console you have only 1 SMO (firewall object) that has one interface