Danny (Champion)

Check Point Maestro - FAQ


Author: Danny Jung

Q: What's the official product site?
A: Check Point Quantum Maestro | Orchestrator Datasheet | Support Center

Q: What's the recommended version for Security Groups?
A: Check Point R81 for Scalable Platforms | Release Notes | Known Limitations | Comparison to R81 and other versions

Q: What's the recommended version for Orchestrators?
A: Check Point R81.10 for Scalable Platforms | Release Notes | Known Limitations

Q: Where are the Getting Started Guides?
A: Quantum Maestro - Getting Started Guide (PDF) | MHO Quick Start Guide

Q: Where's the Admin Guide?
A: Quantum Maestro - Admin Guide R81 (PDF)
A: Quantum Scalable Chassis - Admin Guide R81 (PDF)

Q: Where can I get a Maestro Demo?
A: Right here.

Q: What are the Maestro HyperScale Orchestrators (MHO) based on?
A: MHO-140 Appliance: Nvidia Mellanox SN2410 Ethernet Switch
A: MHO-175 Appliance: Nvidia Mellanox SN3700C Ethernet Switch

Also see Check Point's Declaration of Conformity.
Info: The MHO-170 Appliance is discontinued.

Q: Which transceivers are compatible / supported?
A:
Compatibility of transceivers for Check Point appliances

Q: What's the port mapping?
A:
Port mapping for MHO-140 Appliance

Q: How does the m / member command work?
A:
It's just an SSH wrapper that aims to make it easier to SSH-connect to members of security groups, i.e. Check Point Security Gateways (SGMs). You can also directly use ssh if you know the IP addresses, or simply look them up via: lldpneighbors

Q: What's the CIN network?
A:
The Sync & Chassis Internal Network (CIN) got its name from Check Point chassis-based 41000 / 61000 appliances. In Maestro it's used for connectivity between the orchestrators and the security gateway modules, where they are connected via DAC cables.

Q: How can I check the status of the connected ports on the MHO?
A:
Simply use this tool from our toolbox or run the command: sx_api_ports_dump.py

Q: Where can I find training for Maestro?
A:
As a Check Point partner, ask your local Check Point SE for the Maestro Partner Training KIT (PTK) and training dates.
A: Check Point also offers a free Maestro Jumpstart Training (part 2) and this community hosted a Maestro TechTalk.
A: Check Point Education & Certification offers a paid Maestro training & certification.
A: Check Point Partners can view recorded Maestro sessions within the Partner Onboarding Academy.
A: Check Point Maestro Webinars can be found on Eventbrite and BrightTalk.
A: Check Point Professional Services started a documentary on HyperScale solutions: Part 1, Part 2.
A: More training resources can be found here.

Q: How can I verify transceivers in an Orchestrator (MHO) appliance or SGM?
A:
Simply use this tool from our toolbox.

Q: How do I license my Maestro systems?
A:
MHOs don't require a license.
A: SGMs require a local license. Generate it for the 192.0.*.* IP of your SGM. Verify it via cphaprob stat. Your SGM will try to download the license and contract from Check Point's UserCenter. If that doesn't work automatically (verify via g_all cplic print -x), use the g_cplic command to import the license and contract files manually into your SGM.

Verify that the license info in these files is correct:

  • $CPDIR/conf/cp.license
  • $CPDIR/conf/cp.license.smo

Q: How do I identify which SGM is SMO?
A:
Command: asg_blade_config get_smo_ip
A: Command: asg stat -i tasks

Q: How do I identify which SGMs within a SG are active?
A:
Command: gexec -t
A: Command: g_all
A: Command: asg monitor

Q: How many snapshots fit on my Orchestrator?
A:
Disk space is limited on Orchestrators. Mostly just two or three snapshots will fit on the disk.
Best Practice: Create snapshots before downloading new packages. Verify your snapshots within WebUI > Snapshot Management after package installation.

**WORK IN PROGRESS**

7 Replies
Lari_Luoma (Ambassador)

It's time to update this FAQ...

Here are a few 2024 updates:

Q: What is the Recommended Version for Security Groups and Orchestrators?
A: R81.20

Q: How can I check the status of connected ports in MHO?
A: orch_stat -p  (shows the ports)
A: orch_stat -L (shows the LLDP neighbors)

Q: How do you identify which SGMs within an SG are active?
A: asg monitor

Q: Is 25G supported?
A: Yes, in R81.20
A: Splitters will be supported soon

Q: Is dual-site active-active available?
A: Not yet, but it will be. Stay tuned.

Q: What are some best practice performance optimizations in Maestro?
A: If you have hide NAT, use the default auto-topology distribution mode with L4 disabled.
A: If you don't have hide NAT, use general distribution mode with L4 disabled.
A: If you have Internet and east-west traffic in the same SG, or the number of source or destination IP addresses is low, and you have performance issues, contact Check Point Support to find the best settings.

Q: Where can I find more Maestro FAQs?
A: sk147853

Timothy_Hall (Legend)

Any chance that L4 distribution might be disabled by default going forward for new Maestro installations in later releases?  It doesn't seem to me that L4 distribution is desirable in most scenarios.  Obviously for upgrades the state of L4 should be left alone.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Lari_Luoma (Ambassador)

Hi Tim!
This is a good question and in my opinion it would make sense to have it disabled by default. I don't know a specific version or a Jumbo where that would happen, but maybe @Anatoly can advise?

Timothy_Hall (Legend)

Agreed @ILARIA & @Anatoly, having L4 distribution off by default would save a lot of TAC calls in my opinion.

As I'm looking over the updates for Maestro R81.20, I have a few more questions if you don't mind.  I've been asked to provide updates for the Maestro Expert training course and the answers to these would be very helpful:

1) For GNAT, with auto-topology all SG members potentially have access to all source ports for a particular Hide NAT address. 

a) How is allocation for the available 50,000 source ports for a Hide NAT address coordinated among the SG members?  By the SMO Master or do the individual SGs figure it out themselves with a hash function or something, or do they need to wait for an assignment from the SMO Master? 

b) Are they only allocated one Hide NAT source port at a time or could they request more than one at a time?

c) Is there any way to see that most utilized Hide NAT pools for the entire security group, similar to the cpview screen Advanced...NAT showing the top 2 utilized High Port NAT pools on non-Maestro gateways?


2) Normally with Dynamic Balancing/Split enabled all members of a standard non-Maestro ClusterXL cluster must have the same split at all times due to state sync. 

a) I assume this is not the case for Maestro HyperSync and different SG members can be running with a different split based on their own individual load? 

b) How does HyperSync handle this exactly? 

c) Also, how is the new R81.20 support for MVC impacted by this?


3) For accelerated policy installs, I assume the SMO Master just receives the Access Control policy deltas/changes from the SMS as expected. 

a) When the policy is then propagated to the individual SG members from the SMO Master, is that also accelerated or does the SMO Master just send the full Access Control policy to the other SG members?  

b) Does forcing a full policy installation by r-clicking the gateway on the Install Policy screen of the SmartConsole and setting that hidden option apply to only the policy installation to the SMO Master, or does it apply to the other SG members as well when they receive the policy from the SMO?


4) In previous presentations it was stated that a correction of rate of up to 100% was not a concern.  However in the latest tips it was stated that the correction rate should be no more than 10%. 

a) Is this a hard and fast rule or more of a guideline? Can you please elaborate?

b) Can it be assumed that if the correction rate is very high the distribution settings should be verified as appropriate for the traffic mix, usually in coordination with TAC?  Also we should check for excessive Management to Data plane traffic as a possible cause?  (sk179005)

c) How does one compute the correction percentage from the output of g_all cphaprob corr?  Or would the Corrected line of g_fwaccel stats -s be more appropriate to do this?


5) Are there any special considerations for using AutoScale in combination with Hyperflow, mainly:

a) If AutoScale is set to trigger at 50% and Hyperflow kicks off and drives the overall CPU average to 55%, I assume another member will be added to the SG as expected?  I'm aware that if by default the overall CPU utilization of a gateway exceeds 60% Hyperflow will not activate.

b) Any best practices for what AutoScale thresholds should be used taking into consideration Hyperflow?

Anatoly (Employee)

Hi,

We're gathering answers, so we will provide them as they are received:

1) For GNAT, with auto-topology all SG members potentially have access to all source ports for a particular Hide NAT address. 

Actually GNAT avoids the division of ports between instances (not between members), hence better utilization of ports per member.

Regardless of GNAT:

  1. Auto-topology L3 ensures that ports are available on each member (see a) below as to why).
  2. Auto-topology L4 will just divide the ports per active member (each member will allocate a port according to the distribution function, making sure the s2c packet will be distributed to it, so that the connection is symmetric from a distribution aspect).

a) How is allocation for the available 50,000 source ports for a Hide NAT address coordinated among the SG members?  By the SMO Master or do the individual SGs figure it out themselves with a hash function or something, or do they need to wait for an assignment from the SMO Master?

In auto-topology L3 we ensure that each destination arrives at a single SGM. Due to that, we know for certain that each SGM can use all ports for hide and not collide with other SGMs (as a potential collision can happen if different members allocate from the same pool <source_port, hide_ip, dest_ip, dport, ip_p>).

b) Are they only allocated one Hide NAT source port at a time or could they request more than one at a time?

Members can allocate a source port for the same hide IP (and NAT pool: hide_ip, dest_ip, dport, ip_p) at the same time.

However, in auto-topology L3 there won't be allocation for the same pool on different members.

c) Is there any way to see the most utilized Hide NAT pools for the entire security group, similar to the cpview screen Advanced...NAT showing the top 2 utilized High Port NAT pools on non-Maestro gateways?

cpview allows monitoring of pool utilization.

In auto-topology L3 the pool is unique per member, so the stat of a single pool on one of the GWs is actually the global stat.

For other distributions you need to aggregate the cpview stats from all members.
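The two allocation rules described in this reply (auto-topology L3: every destination lands on one SGM, so each member can use the whole hide port range without colliding; L4: the range is effectively divided, because a member may only pick ports whose s2c reply the distribution function sends back to it) can be checked with a toy model. The following is an added example, not Check Point's distribution code or anything from the thread: the hash function, the member count, the hide IP, the port range and the sample flows are all constructed assumptions. It answers Tim's question 1a/1c in mechanical form: how many ports a member may use per pool, and which members share a pool, under each mode.

```python
"""Toy model of Hide NAT source-port allocation under L3 vs L4 distribution.
Constructed illustration; not Check Point's distribution function."""
import hashlib
from collections import defaultdict

N_MEMBERS = 4                      # assumption: four SGMs in the security group
HIDE_IP = "203.0.113.1"            # assumption: one hide NAT address
PORT_RANGE = range(10000, 60000)   # ~50,000 hide ports, as mentioned in the thread


def _h(*fields):
    """Stand-in for the orchestrator's distribution hash (assumption)."""
    return int(hashlib.sha256("|".join(map(str, fields)).encode()).hexdigest(), 16)


def sgm_for(pkt, mode):
    """Return the SGM index a packet is distributed to.

    The external side is hashed in both directions: the destination of a
    client-to-server (c2s) packet and the source of the server-to-client (s2c)
    reply. L3 hashes that IP only. L4 also mixes in the ports and the other
    endpoint, which on the reply is the hide IP plus the allocated port."""
    if pkt["dir"] == "c2s":
        ext, ext_port, inn, inn_port = pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]
    else:
        ext, ext_port, inn, inn_port = pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]
    if mode == "L3":
        return _h(ext) % N_MEMBERS
    return _h(ext, ext_port, inn, inn_port, pkt["proto"]) % N_MEMBERS


def reply_for(pool, port):
    """The s2c packet a hide-NATed connection in pool (dst, dport, proto) produces."""
    dst, dport, proto = pool
    return {"dir": "s2c", "src": dst, "sport": dport, "dst": HIDE_IP,
            "dport": port, "proto": proto}


def usable_ports(member, mode, pool):
    """Number of ports `member` may allocate from a pool.

    In L3 the reply hashes on the server IP alone, so every port keeps the
    connection symmetric. In L4 only ports whose reply hashes back to `member`
    do, so the range is divided among the members."""
    if mode == "L3":
        return len(PORT_RANGE)
    return sum(1 for p in PORT_RANGE if sgm_for(reply_for(pool, p), mode) == member)


def allocate_port(member, mode, pool, used):
    """Allocate the lowest free port on `member` that keeps `pool` symmetric."""
    for p in PORT_RANGE:
        if p in used[pool]:
            continue
        if mode == "L4" and sgm_for(reply_for(pool, p), mode) != member:
            continue
        used[pool].add(p)
        return p
    raise RuntimeError("pool exhausted")


def simulate(mode, flows):
    """Distribute c2s flows, allocate hide ports, and report which members
    touched which pool and whether every reply returns to its allocator."""
    used = defaultdict(set)
    members_per_pool = defaultdict(set)
    symmetric = True
    for f in flows:
        member = sgm_for(dict(f, dir="c2s"), mode)
        pool = (f["dst"], f["dport"], f["proto"])
        port = allocate_port(member, mode, pool, used)
        members_per_pool[pool].add(member)
        symmetric = symmetric and sgm_for(reply_for(pool, port), mode) == member
    return {"members_per_pool": dict(members_per_pool), "symmetric": symmetric}


# Constructed sample: 64 internal clients talking to two servers on port 443.
FLOWS = [{"src": f"10.0.0.{i}", "sport": 40000 + i,
          "dst": "198.51.100.10" if i % 2 else "198.51.100.20",
          "dport": 443, "proto": "tcp"} for i in range(1, 65)]

if __name__ == "__main__":
    pool = ("198.51.100.10", 443, "tcp")
    for mode in ("L3", "L4"):
        r = simulate(mode, FLOWS)
        print(mode, "members per pool:",
              {p: sorted(m) for p, m in r["members_per_pool"].items()},
              "symmetric:", r["symmetric"])
        print(mode, "ports per member for", pool,
              [usable_ports(m, mode, pool) for m in range(N_MEMBERS)])
```

Under L3 each pool shows exactly one member and every member reports the full 50,000 ports; under L4 the same pool is shared by several members and the per-member counts add up to the range. Aggregating cpview pool statistics across members, as the reply says, is only necessary in the second case.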

Anatoly (Employee)

3) For accelerated policy installs, I assume the SMO Master just receives the Access Control policy deltas/changes from the SMS as expected. 

a) When the policy is then propagated to the individual SG members from the SMO Master, is that also accelerated or does the SMO Master just send the full Access Control policy to the other SG members?

Accelerated on all members.

b) Does forcing a full policy installation by r-clicking the gateway on the Install Policy screen of the SmartConsole and setting that hidden option apply to only the policy installation to the SMO Master, or does it apply to the other SG members as well when they receive the policy from the SMO?

Applies to all.

Anatoly (Employee)

Normally with Dynamic Balancing/Split enabled all members of a standard non-Maestro ClusterXL cluster must have the same split at all times due to state sync.

a) I assume this is not the case for Maestro HyperSync and different SG members can be running with a different split based on their own individual load?

"different SG members can be running with a different split based on their own individual load" - correct.

The split is only synced to the backup site, so once a site failover happens we will have a better split as the initial point to start with than the default.

b) How does HyperSync handle this exactly?

The number of fw instances is the same on all members (default CoreXL), and DS can only "stop" fw instances in order to free the CPU for SND, or "start" stopped fw instances (once an fw instance is stopped it will continue handling old connections but won't get new ones). This is how it works on cluster and SP without breaking the sync.

c) Also, how is the new R81.20 support for MVC impacted by this?

Works the same way.