Dear Experts,
I have one question that I have not been able to resolve yet.
There are two servers: SERVER-A (192.168.10.100), whose gateway is the SGM with IP address 192.168.10.1, and SERVER-B (192.168.20.100), whose gateway IP is 192.168.20.1. SERVER-A and SERVER-B are both connected to CORE-SWITCH-1 and CORE-SWITCH-2; the core switches are in a stack, and a LAG is configured between the core switches and each server. From the same core switches, MHO-1 uplink port 5 is connected to CORE-SWITCH-1 and MHO-2 uplink port 5 is connected to CORE-SWITCH-2, with LACP configured. There are two SGMs: SGM-1 port 1 is connected to MHO-1 (port 27) and port 2 is connected to MHO-2 (port 27). SGM-2 port 1 is connected to MHO-1 (port 28) and port 2 is connected to MHO-2 (port 28). That is the connectivity. Now my question:
SERVER-A needs to connect to SERVER-B. A packet is generated by SERVER-A and reaches the core switch. From the core switch, LACP load balancing sends the packet to the MHO-1 uplink; MHO-1 performs distribution and sends the packet to SGM-1. SGM-1 processes the packet, and now my question is: SGM-1 has two downlinks, one to MHO-1 and one to MHO-2. Over which link does the SGM forward the processed traffic so that it reaches SERVER-B?
Please provide the answer along with the exact reason why the traffic flows over that specific downlink.
Thank you
Good day!
I understood the sentence "SGM-1 port 1 is connected to MHO-1(Port-27) and Port-2 is connected to MHO-2(Port-27)" as meaning that MHO-1 port 27 and MHO-2 port 27 are part of the same bond interface from the SGM's perspective. If that is correct, then the reply packet will be sent to Server B according to the bond interface's xmit-hash-policy (set to layer2 in the example below):
set bonding group 1 mode 8023AD
set bonding group 1 lacp-rate slow
set bonding group 1 min-links 0
set bonding group 1 mii-interval 100
set bonding group 1 down-delay 200
set bonding group 1 up-delay 200
set bonding group 1 xmit-hash-policy layer2
- The MHO distribution matrix regulates which SGM receives a packet
- The bond interface xmit-hash-policy regulates which uplink port an SGM uses to send a packet
Hi,
I think the key point is that the Security Group behaves as one logical firewall, not as individual gateways tied to a specific orchestrator.
In your example:
The important thing is that the SGM is not deciding whether to use MHO-1 or MHO-2. The Security Group sees the network as a single logical system.
The actual egress path depends primarily on the uplink and bond configuration. If the uplinks are part of an LACP bond, the connected switches will apply their hashing algorithm and determine which physical link carries the traffic. As a result, traffic may leave through either orchestrator depending on how the bond is built and how the switch calculates the outbound path.
In other words, it is not:
Packet entered MHO-1 → therefore packet must leave through MHO-1.
Instead, it is:
Packet enters through an orchestrator, is distributed to the appropriate SGM for inspection, and after processing is forwarded toward the destination network. The actual physical egress link is determined by the uplink design, bonding configuration, and switching infrastructure.
A useful way to think about Maestro is that the orchestrators form a forwarding fabric in front of a single logical firewall. Your focus should be on how traffic is distributed to the correct SGM and how the uplink bonds are designed, rather than which specific orchestrator received the original packet.
If your goal is to predict the exact egress interface, then the answer is: look at the LACP/bond hashing algorithm and switch configuration, because that ultimately determines which physical uplink carries the packet toward SERVER-B.
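Both replies above come down to the same mechanism: the SGM's outbound link is picked by the bond's xmit-hash-policy, not by which orchestrator delivered the original packet. The script below is an added example, not code from the thread or from Check Point; it models the three Linux bonding hash policies as documented in the kernel's Documentation/networking/bonding.rst (Gaia's "set bonding group ... xmit-hash-policy" exposes the same names) and applies them to the thread's SERVER-A to SERVER-B flow with a two-member bond (port 1 to MHO-1, port 2 to MHO-2). The SGM bond MAC, SERVER-B MAC and TCP ports are constructed values; real kernel releases differ in details (flow-dissector use, byte order of the port word, a final shift), so confirm the actual link on the box rather than trusting these exact indices.

```python
"""Model of Linux bonding xmit_hash_policy member selection (added example).

Formulas follow the kernel bonding documentation:
  layer2   : hash = src_mac[5] ^ dst_mac[5] ^ ethertype
  layer2+3 : hash = layer2 hash ^ src_ip ^ dst_ip, then fold with >>16 and >>8
  layer3+4 : hash = (sport<<16 | dport) ^ src_ip ^ dst_ip, then the same fold
  member   = hash % number_of_members
"""
import ipaddress

ETH_P_IP = 0x0800

# Constructed addresses (not from the thread): the SGM sources frames from its
# bond MAC; SERVER-B's MAC is the destination once the SGM has routed the packet.
SGM_BOND_MAC = "00:1c:7f:00:00:10"
SERVER_B_MAC = "00:50:56:00:00:20"
SERVER_A_IP = "192.168.10.100"
SERVER_B_IP = "192.168.20.100"

# Bond members in slave-array order: index 0 -> port 1 (MHO-1), index 1 -> port 2 (MHO-2).
BOND_MEMBERS = ["port1 -> MHO-1", "port2 -> MHO-2"]


def _mac(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _fold(h):
    """The documented 'hash ^= hash >> 16; hash ^= hash >> 8' mixing step."""
    h ^= h >> 16
    h ^= h >> 8
    return h & 0xFFFFFFFF


def layer2_hash(frame):
    return frame["src_mac"][5] ^ frame["dst_mac"][5] ^ frame["ethertype"]


def bond_hash(frame, policy):
    """Return the transmit hash for one frame under the named policy."""
    if policy == "layer2":
        return layer2_hash(frame)
    if policy == "layer2+3":
        h = layer2_hash(frame)
    elif policy == "layer3+4":
        h = (frame["sport"] << 16) | frame["dport"]
    else:
        raise ValueError("unknown xmit-hash-policy: %s" % policy)
    h ^= _ip(frame["src_ip"]) ^ _ip(frame["dst_ip"])
    return _fold(h)


def select_member(frame, policy, members=BOND_MEMBERS):
    """Which bond member carries this frame: hash modulo member count."""
    return members[bond_hash(frame, policy) % len(members)]


def sgm_to_server_b(sport, dport=443):
    """Frame as the SGM emits it after inspecting SERVER-A's packet."""
    return {
        "src_mac": _mac(SGM_BOND_MAC), "dst_mac": _mac(SERVER_B_MAC),
        "ethertype": ETH_P_IP,
        "src_ip": SERVER_A_IP, "dst_ip": SERVER_B_IP,
        "sport": sport, "dport": dport,
    }


def egress_links(policy, source_ports):
    """Member chosen for each TCP flow (one flow per source port)."""
    return [select_member(sgm_to_server_b(p), policy) for p in source_ports]


if __name__ == "__main__":
    flows = [40001, 40002]  # two constructed client source ports
    for policy in ("layer2", "layer2+3", "layer3+4"):
        print(policy, egress_links(policy, flows))
```

With the layer2 policy from the first reply, the source MAC (the SGM's bond MAC) and destination MAC (SERVER-B) are the same for every flow, so every packet the SGM sends to SERVER-B leaves over the same downlink regardless of which MHO delivered the inbound packet; layer2+3 behaves the same way here because the IP pair is also fixed. Only layer3+4 spreads the flows across both MHO-facing ports. The MHO then applies its own LACP hashing toward the core switch, so predicting the final physical path means checking both hash policies, as the second reply says.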