Hello everyone!
Our customer has encountered an issue when adding security gateways of a different model than those already deployed—in this case, adding 9200 appliances instead of 6600s. The intended end configuration is 6600x2 and 9200x2 on each site in a dual-site setting. We attempted to add them with the image auto-clone feature enabled.
When adding new SGM 9200 units to the site, we observed unusual behavior. The devices transitioned through the following statuses:
Joining (remaining in this state for up to 10 minutes) → Not Communicating (approximately 5–10 minutes) → Booting (at which point the appliance SGM started appearing as a 6600 on the MHO). While in the Booting state, the device underwent multiple reboots (lasting up to 30 minutes), after which it entered the DOWN state, while the Security Group (SG) continued to display the status as Detached. After the process stalled at this stage, we tried removing the newly added devices from the SG and re-adding them. Following multiple reboots, the node eventually transitioned to the "UNASSIGNED" status.
I suspect the issue stems from the mix and match situation combined with image auto-cloning being enabled. I have prepared the following procedure for correctly adding these gateways:
---
Phase 1: Preparation and Disabling Image Cloning
1. Create system backups:
Take Gaia snapshots of all Orchestrators and all existing Security Group members before making any configuration changes.
2. Disable SMO Image Cloning:
(Known limitation: PMTR-71298)
- Connect to the Security Group (SMO — Single Management Object) command line.
- Enter Gaia gClish.
- Check the current status of the SMO Image Cloning feature:
show smo image auto-clone state
- If the feature is enabled, disable automatic image cloning:
set smo image auto-clone state off
---
Phase 2: Physical Installation and Orchestrator Configuration
1. Install and connect 9200 gateways:
- Install the new 9200 appliances in the racks.
- Verify that the required Line Cards are installed in the new 9200 SGMs (Maestro supports only 10 Gbps ports and higher).
- Connect downlink cables from the new 9200 units to the Downlink ports on both Maestro Orchestrators at the target site (Site 1 or Site 2).
- Important: The number of cables connected to each Orchestrator must be identical across all gateways within the same Security Group (the new 9200s must be connected in the same manner as the existing 6600s).
- Power on the new 9200 gateways.
Here we have some confusion. The customer wants to use 10G cables for the 6600s and 25G cables for the 9200s. We failed to find clear information about the implications of this combination.
2. Configure Orchestrator ports (if necessary):
- If breakout cables or non-standard port speeds are used, connect to Gaia Clish on the Maestro Orchestrator (MHO).
- Configure the correct QSFP mode for the Downlink ports connected to the 9200s:
set maestro port <Port ID> qsfp-mode {10G | 25G | 40G | 100G}
3. Add 9200 gateways to the Security Group:
- Open the Gaia Portal of one of the Orchestrators in a web browser.
- Log in and navigate to the Security Groups page.
- In the Unassigned Gateways panel, locate the new 9200 gateways.
- Drag and drop them into the Gateways section of the existing Security Group.
- Click Apply to commit the changes.
---
Phase 3: Verification and Policy Installation
1. Monitor the configuration cloning process:
- The Maestro Orchestrator will automatically begin provisioning the new SGMs. After addition, the system synchronizes configuration, policies, and software version to align with the current deployment—this process takes approximately 6 minutes.
- Connect via SSH to the Security Group (SMO) command line.
- Enter Expert mode and run:
asg monitor
- Wait until the new 9200 SGMs complete booting and transition to the ACTIVE state.
2. Install policies:
- Connect to the Security Management Server (SMS) via SmartConsole.
- Install the Access Control Policy and, if needed, the Threat Prevention Policy on the Security Group object.
Hi, could you please review this post? Am I understanding everything correctly?
We know that 6600 and 9200 appliances are compatible as per sk162373. But we're not sure whether we should install a specific JHF package on the new gateways before adding them to the SG and whether the cable speed combinations are acceptable.
I would love to receive feedback and appreciate any further recommendations and points to be careful about.
@emmap I know that you're very knowledgeable in this topic, so I wanted to specifically tag you.
Hi,
What version are you running? Which hotfix level?
I did the same a couple of weeks ago (replacing 6800 appliances with 9700 appliances) and had an issue with the cluster state.
The 6800s were on R81.20 Take 98 and the 9700s were on R81.20 with no hotfix.
When adding the 9700 to the Security Group they became active due to the lower version and the 6800 went down, causing an outage.
I could restore quickly by putting the 9700 in a down state (clusterXL_admin down).
After installing Take 98 on the 9700 appliances, all the appliances remained active and I could remove the 6800 from the Security Group.
I did not use the auto-clone feature.
So make sure the new hardware is on the same level as the old one.
Regards,
Martijn
So, do I need to install the same hotfix as the other group members before adding them? Version R81.20.
We're not replacing existing gateways—we're adding new 9200 gateways to the group, which already contains 6600 gateways.
Hi,
Yes, when adding the 9200 appliances to the Security Group without a hotfix, they have a 'lower' version than the 6600 appliances.
This means the 9200 will become Active and the 6600 will go Down. Because the 9200 is still joining the Security Group and is pulling the config from the 6600, it is not capable of handling traffic yet. This will cause an outage.
At least, this was my experience when adding 9700 appliances to a 6800 Security Group.
I advise you to have the LOM interface connected and configured so you always have control of the appliance.
Good luck.
Martijn
Ok, so yes, your first statement is correct: you can't use auto-clone here.
Your new procedure is mostly correct. In step 1 of Phase 3, the software version/patching will not align. You will have to manually install the correct JHF onto the new 9200s once they have joined the security group. You can't patch SGMs before they're in a group so you'll have to do it after.
For the downlink speeds, we recommend that all downlinks are the same speed when mixing appliances in a security group. I don't know that it's actually super critical, but you may run into support issues if you mix them up as it's not technically supported.