topic Re: Typical Check Point Maestro Project in Hyperscale Firewall (Maestro)

Typical Check Point Maestro Project

Evgeniy_Olkov — Mon, 23 Mar 2020 07:06:05 GMT

Hi. Just decided to share our typical Maestro project. Here you can see the topology. I hope it will help someone to create their own project or just for better understanding how Maestro works.

L1 scheme:

L2 shceme:

L3 scheme:

If you have any question feel free to ask.

Re: Typical Check Point Maestro Project

MikeB — Thu, 30 Apr 2020 14:21:34 GMT

Hi Evgeniy, thank you for this valuable information.

You know how it would be a topology with two sites and a single MHO in each? and if the deployment with 3 MHO is supported? (2 in one site and just 1 in the other site)

Re: Typical Check Point Maestro Project

Evgeniy_Olkov — Sat, 02 May 2020 03:48:15 GMT

Hi! Thanks for the feedback!
Unfortunately, I don't have the dual site topology. But I know for sure, that it should be symmetrical (1 and 1 or 2 and 2).

Re: Typical Check Point Maestro Project

Maarten_Sjouw — Sat, 02 May 2020 17:59:07 GMT

Dual site with 3 MHO's is not supported at all. The dual site situation is setup with either 1 MHO on each site or 2 on each site. For the Dual site to work you need to duplicate the drawing and make sure all VLAN's are stretched over to the other location. On top of that you need to create portchannels/bonding groups for all ports used in the dual MHO setups, single site-dual MHO or dual site-dual MHO.

Re: Typical Check Point Maestro Project

Sherif — Sat, 28 Nov 2020 18:21:43 GMT

Hi Evgeniy,

thank you for sharing your topology design and the outstanding diagrams!

In this topology is the Maestro being used to inspect east-west traffic (between local vlans) in addition to north-south traffic (to/from internet)? - or is it used only for north-south traffic inspection ?

If the Maestro is used to inspect east-west traffic, are the local vlans gateways on the core-switch or are they (moved) onto the Maestro (security appliances) ?

Cheers,

Sherif

Re: Typical Check Point Maestro Project

Bob_Zimmerman — Sun, 29 Nov 2020 15:02:50 GMT

I must have missed this when it was originally posted. Very interesting!

Is the sync between the Maestro boxes directly connected? I know with firewalls this is a very bad idea. Firewall sync should go through a switch to avoid problems when rebooting one of the members (when they're directly connected and you reboot member A, member B sees its interface go down, and has to go into contention to see if its peer failed or it failed; a failure in contention can cause B to refuse to take over). How do the Maestro boxes handle that?

Re: Typical Check Point Maestro Project

Darren_Phang — Mon, 30 Nov 2020 04:08:31 GMT

Hi Evgeniy,

Nice diagram. Relatively easy to understand and interpret your diagram. Could you please share what tools you are using to draw this network diagram?

Regards,

Darren

Re: Typical Check Point Maestro Project

Outis — Fri, 09 Jun 2023 04:41:13 GMT

Hi Evgeniy,

I have used this topology with VSX, and I have issues with connection between security group (SG) with VSX. I have config one VSX for management zone (include SG management and others management devices), and all devices have default gateway is IP of VSX. All devices on management zone could ping and connect but only IP of SG couldn't ping or connect to IP of VSX. I have show arp on SG and see mac address of VSX but on I don't see mac address of SG on VSX.

Re: Typical Check Point Maestro Project

_Val_ — Fri, 09 Jun 2023 12:52:57 GMT

@Outis, this is a very old post. I suggest you to open a new discussion and ask community for help