Collaborator

Typical Check Point Maestro Project

Hi. Just decided to share our typical Maestro project. Here you can see the topology. I hope it will help someone to create their own project or just for better understanding how Maestro works.

 

L1 scheme:

L1.png

L2 scheme:

L2.png

L3 scheme:

L3.png

If you have any question feel free to ask.

6 Replies
Advisor

Hi Evgeniy, thank you for this valuable information.

Do you know how the topology would look with two sites and a single MHO in each? And is a deployment with 3 MHOs supported (2 in one site and just 1 in the other site)?
0 Kudos
Reply
Collaborator

Hi! Thanks for the feedback!
Unfortunately, I don't have the dual site topology. But I know for sure that it should be symmetrical (1 and 1 or 2 and 2).
Champion

Dual site with 3 MHOs is not supported at all. The dual site situation is set up with either 1 MHO on each site or 2 on each site. For the dual site to work you need to duplicate the drawing and make sure all VLANs are stretched over to the other location. On top of that you need to create port channels/bonding groups for all ports used in the dual MHO setups, single site-dual MHO or dual site-dual MHO.
Regards, Maarten
Explorer

Hi Evgeniy,

thank you for sharing your topology design and the outstanding diagrams!

In this topology, is the Maestro being used to inspect east-west traffic (between local VLANs) in addition to north-south traffic (to/from the internet)? Or is it used only for north-south traffic inspection?

If the Maestro is used to inspect east-west traffic, are the local VLAN gateways on the core switch, or are they (moved) onto the Maestro (security appliances)?

Cheers,

Sherif

0 Kudos
Reply

I must have missed this when it was originally posted. Very interesting!

Is the sync between the Maestro boxes directly connected? I know with firewalls this is a very bad idea. Firewall sync should go through a switch to avoid problems when rebooting one of the members (when they're directly connected and you reboot member A, member B sees its interface go down, and has to go into contention to see if its peer failed or it failed; a failure in contention can cause B to refuse to take over). How do the Maestro boxes handle that?

0 Kudos
Reply
Explorer

Hi Evgeniy,

 

Nice diagram. It is relatively easy to understand and interpret. Could you please share what tools you are using to draw this network diagram?

 

Regards,

Darren

0 Kudos
Reply