Agreed @ILARIA & @Anatoly, having L4 distribution off by default would save a lot of TAC calls in my opinion.
As I'm looking over the updates for Maestro R81.20, I have a few more questions if you don't mind. I've been asked to provide updates for the Maestro Expert training course and the answers to these would be very helpful:
1) For GNAT, with auto-topology all SG members potentially have access to all source ports for a particular Hide NAT address.
a) How is allocation for the available 50,000 source ports for a Hide NAT address coordinated among the SG members? By the SMO Master or do the individual SGs figure it out themselves with a hash function or something, or do they need to wait for an assignment from the SMO Master?
b) Are they only allocated one Hide NAT source port at a time or could they request more than one at a time?
c) Is there any way to see the most utilized Hide NAT pools for the entire security group, similar to the cpview screen Advanced...NAT showing the top 2 utilized High Port NAT pools on non-Maestro gateways?
2) Normally with Dynamic Balancing/Split enabled all members of a standard non-Maestro ClusterXL cluster must have the same split at all times due to state sync.
a) I assume this is not the case for Maestro HyperSync and different SG members can be running with a different split based on their own individual load?
b) How does HyperSync handle this exactly?
c) Also, how is the new R81.20 support for MVC impacted by this?
3) For accelerated policy installs, I assume the SMO Master just receives the Access Control policy deltas/changes from the SMS as expected.
a) When the policy is then propagated to the individual SG members from the SMO Master, is that also accelerated or does the SMO Master just send the full Access Control policy to the other SG members?
b) Does forcing a full policy installation by right-clicking the gateway on the Install Policy screen of the SmartConsole and setting that hidden option apply only to the policy installation to the SMO Master, or does it apply to the other SG members as well when they receive the policy from the SMO?
4) In previous presentations it was stated that a correction rate of up to 100% was not a concern. However, in the latest tips it was stated that the correction rate should be no more than 10%.
a) Is this a hard and fast rule or more of a guideline? Can you please elaborate?
b) Can it be assumed that if the correction rate is very high the distribution settings should be verified as appropriate for the traffic mix, usually in coordination with TAC? Also we should check for excessive Management to Data plane traffic as a possible cause? (sk179005)
c) How does one compute the correction percentage from the output of g_all cphaprob corr? Or would the Corrected line of g_fwaccel stats -s be more appropriate to do this?
5) Are there any special considerations for using AutoScale in combination with Hyperflow, mainly:
a) If AutoScale is set to trigger at 50% and Hyperflow kicks off and drives the overall CPU average to 55%, I assume another member will be added to the SG as expected? I'm aware that if by default the overall CPU utilization of a gateway exceeds 60% Hyperflow will not activate.
b) Any best practices for what AutoScale thresholds should be used taking into consideration Hyperflow?
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com