PhoneBoy
Admin

Maestro TechTalk

On 17th July 2019, we did a TechTalk with @Anatoly, @Maor_Elharar, and Matan Tenenboim on Maestro, doing a deep dive on the technology and answering many of your burning questions.

Materials below are available to CheckMates members who are signed in.

Q&A answered during the session will be posted as comments shortly.

PhoneBoy
Admin

Here are the questions asked during the Q&A:

Is Maestro compatible with CloudGuard for ACI/NSX?

Not currently compatible with ACI, but it is in the plans.

When creating VLANs on the Orchestrator, only tagged VLANs can be used. How about VLAN 1?

Once you set up a VLAN on the Orchestrator, only that specific VLAN will be used. Trunk interfaces that allow more than a single VLAN will be supported in the future.

What gateways does Maestro work with?

Currently:

  • 5900
  • 6500
  • 6800
  • 23800 (requires R80.20SP JHF1)
  • 23900

We plan to support other gateways in the future. Please contact your local office if such support is required.

Is a dedicated management port for each security group needed?

No, you can share a management interface between security groups.

What is the transmit hash policy on the portchannel between the orchestrator and appliances?

It's a Check Point algorithm based on L3/L4 information.

What cables are needed for downlinks between Orchestrator and appliances?

DAC cables are recommended.

What is the minimum version of Check Point required with Maestro?

R80.20 and above for management. The gateways will run R80.20SP. R80.30SP is planned, as is integration into maintrain.

Can different appliance types be used in the same security group?

Not currently, but it is planned.

Distance limitations for dual site?

No, but latency should be kept below 100ms and have no more than 5% packet loss over a Layer 2 link between the sites. This is similar to ClusterXL.

What happens (other than mass chaos) when the Orchestrator sync cable is broken?

Configuration synchronization will not be possible except via manual means.

When will dual-site support be available?

Expected end of July for Security gateway. For VSX, expected end of August.

Can you run a single Orchestrator at two sites and run this as a dual-site configuration?

Yes, but we definitely recommend running two orchestrators at each site for redundancy.

How long can the DAC cables be?

3 meters currently. We plan to support longer cables and fiber in the future.

Is it possible to use VSX with Maestro?

Yes, but VSLS is currently not supported. We plan to support it when dual-site support is released.

Will the dual-site Security Group failover be for all gateways in the site or for the affected security group only?

The affected security group only.

I have four appliances, two in site A and two in site B in the same security group. One appliance in this group goes down. Can I configure it so if one appliance in the security group is down at site A, it will switch to site B?

Each component in the system (like interface or appliance) is assigned a weight. If the remote site total weight is higher, a site failover is performed. You can change the default weight of the components to suit your requirements.

What transceivers are supported? The slides mentioned 25G transceivers but sk92755 doesn't list it.

Any Check Point transceivers should work. Check Point currently does not offer 25G transceivers, but Maestro is ready to support them.

Are all appliances seeing every packet, or is it the job of the Orchestrator to distribute packets?

The Orchestrator distributes the traffic. The appliances only see traffic that is relevant for that appliance.

Does the Orchestrator handle routing for the various members as well?

No, the Orchestrator only forwards and balances traffic to the appliances in the security group. It is not involved in Layer 3 routing decisions.

Does Maestro support ICAP?

We plan to support it in the future, but plans have not been finalized. If you have this requirement, please contact your local Check Point office.

How do you troubleshoot a traffic flow with Maestro?

We have global versions of various troubleshooting commands that gather the relevant data from the relevant appliance.

What happens if you're running with a single Orchestrator and that fails?

No traffic will be passed. This is why we recommend running with a second Orchestrator for redundancy.

Are dual Orchestrator uplinks capable of LACP/Multi-Chassis Link Aggregation?

Yes, we support LACP on two Orchestrators. The Orchestrator is not aware of the bond, however.

Is it necessary to perform configuration backups from the SMO or will everything be restored/redeployed from the Orchestrator?

You still need to backup the SMO. We do plan to offload deployment/maintenance tasks to the Orchestrator in the future.

Will all the data between appliances and orchestrators pass on the dedicated link? Meaning, no specific interface modules are required on the appliance?

Maestro uses standard Check Point interfaces. Each appliance requires a 10G/40G expansion card. 

Regarding management: which IP is the manager talking to? Do we need a management network large enough for the maximum number of appliances?

Only one IP is required per security group, regardless of the number of appliances.

Can you create virtual switches to represent network connectivity to the Orchestrator the same as VSX?

Virtual switches are not supported currently with Maestro, but it is in the plans.

What is the interface naming convention for the Orchestrator?

ethX

Maarten_Sjouw
Champion

5800 is now also added as a supported model.
Regards, Maarten
Mika
Participant

What about the 6900?

not (yet) on sk162373

Marcos_Reis1
Explorer

Hi,

Why am I getting the message "You do not have permission to view this asset." when I try to watch the Maestro TechTalk video?

Regards.

Marcos Reis

Marcos Ferreira dos Reis
Ricki_S
Participant

Hi,

I want to ask:

How can I verify sync between Maestro1 and Maestro2? For this example I set the sync cable on port 32.

What can I do as the next step if I have the message "orchestrator id is missing"? I read in the SK that it said to check the cable connection from the gateway appliance to the Maestro, and let's say the connection is good, no problem with the cable connection.

Maarten_Sjouw
Champion

Ricki,

I just uploaded a document on how to do a basic setup of the Maestros in different configurations:
Single site dual Maestro
Dual site single Maestro
Dual Site dual Maestro
It contains the specific commands for all the different settings to get all your Maestros talking.
You can find it here:
https://community.checkpoint.com/t5/Maestro/Maestro-basic-setup-documentation/td-p/69907
Regards, Maarten
Ricki_S
Participant

Hi Maarten,

Thanks for the reference.

The top discussion said:

Gateway 23800 (requires R80.20SP JHF1)

What does R80.20SP JHF1 mean? And what happens if the gateway is not on R80.20SP; can it connect to the Maestro (for example an MHO170) if the gateway has R80.20?

Or can I change the Gaia OS on the 23800 gateway from R80.20 to R80.20SP JHF1?

Maarten_Sjouw
Champion

You will need to download R80.20SP and use Isomorphic to create a USB stick, reboot the gateway with the stick and, through the console, install that version on the 23800.
I don't think you can use CPUSE to do a clean install with R80.20SP; I don't have a 23800 available to check that.
Once R80.20SP is on it, the gateway will show up in the Orchestrator page. With multi-site implementations you need Jumbo 178, as it will not know the site-dependent commands without it. The same goes for the Maestro itself: begin with installing the jumbo.
Regards, Maarten
Ricki_S
Participant

Hi Maarten,

Thanks for the solution.

I did install R80.20SP on the 23800.

But if it is just a single site, is it needed to install the hotfix?

The plan is to create one SG from all those gateways, create a VSX gateway and create 4 virtual systems. What is the right procedure for the VSX gateway? Because when I create the VSX gateway, after clicking the finish button the process always errors with a timeout.

Can I create a bonding management interface in the SG?
Maarten_Sjouw
Champion

Ricki, keep in mind that it is just best to install the JHF 178.
There are a number of features that are not supported when you do not have the 178 installed, one of them being vSwitch.
Also when you make changes in the WebUI to the number of gateways in a SG leave it for 10 minutes before you do anything else. On top of that while you create the VSX Gateway the appliances will try to collect their licenses from the user center. You need to make sure that you have them ready for the 192.0.2.x address.
Regards, Maarten
Ricki_S
Participant

Hi Maarten_Sjouw,

I currently don't have the JHF installed; is it good to install JHF 279 from SK155832?

And I want to make sure from the JHF table:

The "Orchestrator" product is for the MHO (MHO170).

The "Maestro gateway" product is for the gateway appliance (23800).
Garrett_DirSec
Advisor

Hello @PhoneBoy. Any ideas if/when Maestro will be added to DemoPoint for tinkering and/or demo?

thanks for all you do.  -GA

PhoneBoy
Admin

@Shay_Levin is a little closer to that action than I am 🙂

In general, I'm not sure how feasible it is to put Maestro in DemoPoint.

Shay_Levin
Admin

Hi,
As the physical device is required, it's too complicated.
It's not in the roadmap.
Garrett_DirSec
Advisor

hello @Shay_Levin and @PhoneBoy -- 

After dialog with the local CP team and review of these materials, I understand some of the information from the tech-talk is "old" and/or "dated".

The information, video, and PPTX originally posted in this Maestro thread is fantastic.

How can it be updated to reflect all new features, etc? 

Maybe this doesn't require a tech talk #2 but rather a re-release of new Video and PPTX materials?   Alternatively, maybe a post of PPTX material that is equivalent of "addendum" to review all new and changes since original post. 

Just a thought. 

thanks in adv. -GA

PhoneBoy
Admin

The video was, itself, the TechTalk.
We do revisit topics from time to time in TechTalks, so it's not out of the question.

Quantum_090
Explorer

Hi PhoneBoy,

Is mixing appliance models within a security group available yet? Thanks
PhoneBoy
Admin

Planned for R81.10