https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Create-Maestro-SG-in-remote-site/m-p/104598#M392 <P>Hello all,</P><P>I have a question I didn’t spot the answer to in the documentation. I need to build a Maestro solution in a location remote to the Smart Management Server and I don’t know best to proceed...</P><P>The target site setup is fairly straightforward, an external interface (facing the Internet) and an internal one (facing site). A pair of Maestro orchestrators (140) with a trio of 6600s. Each Maestro will connect to the internal site via interface 5 and the external site via interface 7. The internal links will be a bond, as will the external ones.</P><P>My confusion arises over the management interfaces and the Security Group IP address. As the site is remote, there’s no available address to assign to the management interface/Security Group. Using a regular gateway, I’d use the external interface to connect to but is that a legitimate thing to do in this scenario and if it is, how do I bond the interfaces and apply vlans before I can connect to the SG IP address to do so?</P><P>I hope that makes sense. Links to documentation, solutions, other similar posts would be really appreciated.</P><P>Thanks.</P><P>Aid</P> Mon, 07 Dec 2020 23:18:00 GMT Adrian_Fullerto 2020-12-07T23:18:00Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Create-Maestro-SG-in-remote-site/m-p/104598#M392 <P>Hello all,</P><P>I have a question I didn’t spot the answer to in the documentation. I need to build a Maestro solution in a location remote to the Smart Management Server and I don’t know best to proceed...</P><P>The target site setup is fairly straightforward, an external interface (facing the Internet) and an internal one (facing site). A pair of Maestro orchestrators (140) with a trio of 6600s. Each Maestro will connect to the internal site via interface 5 and the external site via interface 7. The internal links will be a bond, as will the external ones.</P><P>My confusion arises over the management interfaces and the Security Group IP address. As the site is remote, there’s no available address to assign to the management interface/Security Group. Using a regular gateway, I’d use the external interface to connect to but is that a legitimate thing to do in this scenario and if it is, how do I bond the interfaces and apply vlans before I can connect to the SG IP address to do so?</P><P>I hope that makes sense. Links to documentation, solutions, other similar posts would be really appreciated.</P><P>Thanks.</P><P>Aid</P> Mon, 07 Dec 2020 23:18:00 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Create-Maestro-SG-in-remote-site/m-p/104598#M392 Adrian_Fullerto 2020-12-07T23:18:00Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Create-Maestro-SG-in-remote-site/m-p/104879#M393 <P>Hi,</P> <P>Yes, you can manage your security group from external interface. You can just assign some dummy IP for eth1-Mgmt interface and not use it.</P> <P>Please note, Security Group's web services (like WebUI) will work properly only if you disable layer-4 distribution. That is because your connection is expected to be distributed if it comes not from management interface.</P> <P>&nbsp;</P> <P>Thank you,</P> <P>&nbsp;</P> <P>Anatoly</P> Thu, 10 Dec 2020 04:19:06 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Create-Maestro-SG-in-remote-site/m-p/104879#M393 Anatoly 2020-12-10T04:19:06Z