Maarten_Sjouw
Champion

Maestro basic setup documentation

Hey guys,

I've been playing around with some Maestro units and a number of gateways. I have been running into a number of problems that caused me to document all the actions that I needed to do for a specific type of installation; the document covers 3 different scenarios:

  1. Single site dual Maestro
  2. Dual site single Maestro
  3. Dual Site dual Maestro

Please check out the document and let me know what you think about it, also if you see things that you don't understand or know that should be different, please let me know.


Updated the document to v1.0, 16 dec 2019.

Updated the document to v1.2, 26 Feb. 2020. Added bonding.

Updated the document to v1.3, 03 Mar. 2020. Updated some parts and added commands.

Updated the document to v1.5, 17 Mar. 2020. Updated some parts and added commands after training.

Updated the document to v1.6, 25 May 2020. Update regarding HA licenses

Regards, Maarten
91 Replies
Maarten_Sjouw
Champion

What would be the reason for doubling the Mgmt port? All it is used for is management, there is really no need to make it redundant. If the box fails and you only have one box, 2 connections to management will not make it work again.
More important would be to try and get a serial console (out of band) connection so you can see what is going on when you lose your management connection.
You would be making it more complicated than needed.
Regards, Maarten
Norbert_Bohusch
Advisor

Two mgmt ports are in my opinion relevant for setups where the mgmt port is also a data port ( = non-VSX) and maybe the bandwidth of 10G might be exceeded or you want to use vPC to independent switches
Maarten_Sjouw
Champion

Ricki, my documentation does not state that you use the Mgmt for Sync; you need 1 Sync interface and you need at least 2 Mgmt interfaces, 1 for the Maestro and 1 for the security group(s).
For single site dual Maestro setup, you only need 1 Sync, for dual site single Maestro you need a Remote Sync, for dual site dual Maestro you need a local Sync and a Remote Sync.
If this is not clear from my doc I will need to update that part.
Regards, Maarten
Anatoly
Employee

Hi Maarten,

I would also suggest using the right terminology in your documentation and discussions. It will avoid any confusion.

There's no such device called "Maestro". Maestro is the complex of products.

What you meant is the MHO = Maestro Hyperscale Orchestrator, or Orchestrator.

Thank you,

Anatoly

Maarten_Sjouw
Champion

Anatoly,

I am reworking the doc as I am reinstalling a dual site single MHO site again and in the process looking at the document to remove the errors. I will update the doc with this info.
Regards, Maarten
Maarten_Sjouw
Champion

Updated the document yesterday after using it to setup a dual site single MHO setup.

@shay_solomon I will be double checking for the differences compared to the official documentation.

Regards, Maarten
vinceneil666
Collaborator

Hi,

Tnx for a great document!:)

I got two Orchestrators, this is what I assume is called an MHO? So one Orchestrator = 1 MHO? And x numbers of orchestrators together with some appliances/gateways make up a Maestro solution? It's like Check Point wants to make it hard.. they are big fans of giving stuff names and then never ever using those names in any of the technical components.. they seem to mix up their concepts with tech solutions.

Anyways -

I have two orchestrators, and I have connected them with sync on the correct port (I got 140s). Then I have attached 4 appliances - two cables from each appliance to each MHO. I power this up and there is absolutely nothing showing in my Gaia portal.. the only interfaces I see are my two mgmt interfaces. No gateways and no nothing... Is there something globally I need to configure to get started?

Maarten_Sjouw
Champion

Did you start with the WebUI of the MHO140? Then in the left choose the Orchestrator (not Interfaces); there you should see the SGMs in the left column and the interfaces on the right. Do keep in mind that the gateways need to have the R80.20SP version of the code installed.
MHO = Maestro Hyperscale Orchestrator
SGM = Security Gateway Module
Maestro is a solution consisting of any combination of MHO (currently max 4) and SGM (currently max total 104)
Regards, Maarten
vinceneil666
Collaborator

I did start with the WebUI, yes - but when logging in I can see no appliances and no interfaces. I am now having the cabling rechecked, but it looked correct.

Also, I am confused as to whether there are any clish commands that need to be run to state what kind of setup I am running: two site, single site, redundancy, etc.
Maarten_Sjouw
Champion

No special commands for this config, 2xMHO is the default setting. The interface list on the Orchestrator page should not be empty at all, there should always be a list; the Interfaces page however is only showing the Mgmt interfaces that are on the back of the unit, and that is where you should connect to gain access to the MHO WebUI.
Regards, Maarten
Maarten_Sjouw
Champion

Some minor updates just for your info.

When you use 1Gb UTP SFPs in an MHO140, just for the management of the Security Groups for instance, they will not work with R80.20SP JHF 178; they do work with 191 and higher.

HA Licenses: When you move an existing cluster into a Maestro configuration you might get problems when you're creating the gateway while pushing a policy. This happens with R80.30 when you are using a SmartConsole build lower than 42. For R80.20 I don't know, I was not able to test it. R80.40 GA works just fine.

I also uploaded version 1.1 of the document that mentions these limitations.

Regards, Maarten
vinceneil666
Collaborator

Great, thanks - that's a nice document to have indeed.

I am still struggling with not seeing any gateways or interfaces; I have had the guys re-check this several times and they say it should be fine.

Is there no basic setup I am missing? Do I need to put a license on the orchestrators? As far as I can see only the appliances should need licenses.

When I go into the Gaia portal of either of the orchestrators I just get this:

Failed to load Security Groups:
Failed to get remote Orchestrator interfaces.

Norbert_Bohusch
Advisor

How many orchestrators do you have the gateways connected to?
If it is only one (or one per site), then you should set orchestrator amount accordingly:
clish> set maestro configuration orchestrator-amount 1

If you have two (or two per site), are you seeing the second orchestrator on the CLI (expert mode) using lldpctl?

lldpctl also should show the connected gateways!
Maarten_Sjouw
Champion

That is the error you get when you have the number of Orchestrators set wrong, keep in mind the default value = 2!!
From the bottom of page 1:
Before you continue execute this command from the MHO clish:
'set maestro configuration orchestrator-amount 1'
Otherwise it just will not work; the default value is 2.

The orchestrator itself does not require a license but the gateways do, based on the IP 192.0.2.x
Regards, Maarten
vinceneil666
Collaborator

I have two orchestrators, and 4 appliances.
Currently my orchestrator-amount is set to 2 (the default).
Maarten_Sjouw
Champion

Both are turned on with a DAC between ports 48 (140) or ports 32 (170)? Are you able to connect to both devices with the WebUI?
Regards, Maarten
vinceneil666
Collaborator

I have an MHO140, and yes. Both are connected on port 48 - but not with a DAC.. SFP and regular fiber connection (not going through switches).
vinceneil666
Collaborator

2 orchestrators, 4 appliances (140 and 6500s)

Only 1 of the appliances is turned on.

I have this set up as a single site, but the solution is installed in two different rooms. So I have a mix of fiber and DACs - all cabling should be ok... But I am unsure now..

Running lldpctl on both orchestrators:

orch1: showing a 6500 appliance - nothing else.

orch2: shows nothing


So, I assume this is an issue related to the sync cable between the orchestrators.

Norbert_Bohusch
Advisor

How is the cabling? On the 140 it should be:
naming-sample: orch<site>-<id>

orch1-1 port 48 to orch1-2 port 48
orch2-1 port 48 to orch2-2 port 48
orch1-1 port 47 to orch2-1 port 47 (has to be configured for site_sync after JHF>= 163)
orch1-2 port 47 to orch2-2 port 47 (has to be configured for site_sync after JHF>= 163)
6500 appliance eth1-01 to orch1-1
6500 appliance eth1-02 to orch1-2
vinceneil666
Collaborator

I am not using port 47 for anything - I have only connected port 48
Maarten_Sjouw
Champion

So you are looking at dual site single MHO, which means you have 1 orchestrator, not 2 (per site). When you power up only 1 MHO (the number of 6500s is not relevant here) and it is NOT connected to the other MHO on port 48, it is a single MHO setup. Issue this command and you will see it will start to work:
set maestro configuration orchestrator-amount 1
Regards, Maarten
Norbert_Bohusch
Advisor

Please post the output of # lldpctl of both orchestrators on the primary site.

vinceneil666
Collaborator

[Attachment: layout.JPG]

Norbert_Bohusch
Advisor

Is this your topology? Then it looks like a (stretched) single site, which I don't know is officially supported.

In any case, can you describe which cable from which appliance is connected to which port?
So is Appliance-1 in room A connected to the same orchestrator port in both rooms, and are only eth1-01 and eth1-02 used for this?
vinceneil666
Collaborator

One of the orchestrators shows no output at all.
The other one just shows one appliance.
Maarten_Sjouw
Champion

When you are doing Dual Site DO NOT use port 48 for sync!!
Only use port 47 and follow the setup guide.
Regards, Maarten
vinceneil666
Collaborator

I would consider this a single site setup - but as a stretched one. The hardware is just a few meters apart, so the only real difference as far as I can see is that I do not use DAC all the way.

Talking to Check Point when ordering SFPs and DACs, they said this setup should be fine.

I am a bit unsure about port 48 vs. port 47. As of now I am using port 48.


For the cabling of the appliances, I have made sure the same ports are used for all appliances and all the cross connects. So all use the same ports on both orchs.

Maarten_Sjouw
Champion

Ok, to simplify things, make sure only 1 MHO is turned on and the 6500 is connected and turned on. Set the orchestrator number to 1 and disconnect port 48.
Now in expert type: orchd restart
When finished open the WebUI.
Regards, Maarten
vinceneil666
Collaborator

I had the guys do a triple check of the cabling, and now it looks better.

Using lldpctl I get neighbors from both appliances and the Maestro.

The two Maestros are connected on p48, and that port is in sync state. But I still don't get any interfaces or anything else in Gaia. But I have requested a reboot - let's see 🙂

Update: yeah, now all is good! 🙂 Thanks for the help guys!!

Lari_Luoma
Employee

Guys,

Regarding the ports 47 and 48: port 48 is the default sync port between the orchestrators on the same site. 47 is the recommended site-sync port between the sites. However, you have to define port 47 as the site-sync port in the orchestrator with the command:

set maestro port 1/47/1 type site_sync

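As an added example (not Check Point's tooling and not part of Maarten's document), the following script is an offline sanity check for a Maestro cabling plan that encodes the rules given in this thread: orchestrator-amount must match the number of MHOs per site (the default of 2 with a lone MHO is what produces "Failed to get remote Orchestrator interfaces"), port 48 is local sync, port 47 is site sync and has to be declared with `set maestro port 1/47/1 type site_sync`, and every appliance uses the same MHO port on each orchestrator of its site. Orchestrator names follow Norbert's orch<site>-<id> naming sample; the appliance names and uplink port numbers are constructed.

```python
LOCAL_SYNC, SITE_SYNC = 48, 47  # MHO-140 port numbers quoted in the thread

def site_of(orch):
    """'orch2-1' -> 2: the site number from the orch<site>-<id> naming sample."""
    return int(orch[len("orch"):].split("-")[0])

def check_plan(orchestrators, links, orchestrator_amount=2, site_sync_defined=False):
    """links are (device_a, port_a, device_b, port_b); a device is either one of
    `orchestrators` or an appliance (SGM). Returns a list of findings; an empty
    list means the plan is consistent with the advice in the thread."""
    findings, per_site, uplinks = [], {}, {}
    for o in orchestrators:
        per_site.setdefault(site_of(o), []).append(o)
    # 'set maestro configuration orchestrator-amount N' must equal the MHOs per
    # site: the default of 2 with a lone MHO is what produces "Failed to get
    # remote Orchestrator interfaces" in the WebUI.
    for site, members in sorted(per_site.items()):
        if len(members) != orchestrator_amount:
            findings.append(f"site {site}: {len(members)} MHO(s) cabled but "
                            f"orchestrator-amount is {orchestrator_amount}")
    for a, pa, b, pb in links:
        if a in orchestrators and b in orchestrators:  # MHO-to-MHO sync cable
            if site_of(a) == site_of(b):
                if (pa, pb) != (LOCAL_SYNC, LOCAL_SYNC):
                    findings.append(f"{a}-{b}: local sync must be port {LOCAL_SYNC} on both ends")
            elif (pa, pb) != (SITE_SYNC, SITE_SYNC):
                findings.append(f"{a}-{b}: site sync must use port {SITE_SYNC}, never {LOCAL_SYNC}")
            elif not site_sync_defined:
                findings.append(f"{a}-{b}: run 'set maestro port 1/{SITE_SYNC}/1 "
                                "type site_sync' on both MHOs")
        elif a in orchestrators or b in orchestrators:  # appliance uplink
            app, orch, mho_port = (b, a, pa) if a in orchestrators else (a, b, pb)
            uplinks.setdefault(app, {})[orch] = mho_port
        else:
            findings.append(f"{a}-{b}: appliances must cable to an MHO, not to each other")
    # Every appliance needs one cable to each MHO of its site, on the same MHO port.
    for app, ports in sorted(uplinks.items()):
        if len({site_of(o) for o in ports}) != 1 or len(ports) != orchestrator_amount:
            findings.append(f"{app}: cabled to {sorted(ports)}, expected "
                            f"{orchestrator_amount} MHO(s) of one site")
        if len(set(ports.values())) != 1:
            findings.append(f"{app}: MHO ports differ {sorted(ports.values())}; "
                            "use the same port on every MHO")
    return findings

if __name__ == "__main__":  # Norbert's dual-site, dual-MHO plan (constructed ports)
    plan = [("orch1-1", 48, "orch1-2", 48), ("orch2-1", 48, "orch2-2", 48),
            ("orch1-1", 47, "orch2-1", 47), ("orch1-2", 47, "orch2-2", 47),
            ("sgm-6500-1", "eth1-01", "orch1-1", 1), ("sgm-6500-1", "eth1-02", "orch1-2", 1)]
    print(check_plan(["orch1-1", "orch1-2", "orch2-1", "orch2-2"], plan, 2, True) or "plan OK")
```

Feed it the plan from your own rack before power-on; a dual-site plan that still links the sites on port 48, or a single-MHO site left at the default orchestrator-amount of 2, shows up as a finding instead of an empty WebUI.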