This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Rabin
Contributor
‎2024-08-29 10:37 AM
Jump to solution

Different Management server in maestro environment

Hi Everyone,

I just want to know is it possible to use different checkpoint management server for managing the SMO of different security Group created in same Maestro Orchestrator and what challenges or issue it might occur in production environment ??

Thank You.

 

 

0 Kudos
1 Solution

Accepted Solutions
AkosBakos
MVP Silver
MVP Silver
‎2024-08-30 12:56 AM
In response to Rabin
Jump to solution

Hi @Rabin 

That was not clear for me, that you have two managements. In this case I understand you. As you mentioned, one Management would be enough is a far future, and budget-proof. 🙂

I would addressed two questions here:

Cluster and Active Active setup:

Az I think you are in the plannig phase. Please read the limitations here.

Two Managament into one:

From what you have written, this tool would be useful for you. This helps you in the hardest part -> migrating the policy. 

https://support.checkpoint.com/results/sk/sk180923

About the Smart-1 600S and the VM license

Hard to compare the physical appliance with the VM, because both have advantages and disadvantages too.
 
The largest difference is for me:
 
The Smart-1 has a hard limit in performace, and yo can't extend it. Datasheet here
 
The VM does not have such kind of limit, because the resources of the host are always extendable. An another feature of the VM, is the snapshot. By upgrades it is a huge feature, and extend the safety.
 
These are my opinions, from the small amount of information that I have. 
I hope this helps you to find the right way.
I have installation with Smart-1 and VM too. Somewhere was requirement that, the Management must be a physical appliance in HA... 
 
Akos

 

 

----------------
\m/_(>_<)_\m/

View solution in original post

(1)
4 Replies
AkosBakos
MVP Silver
MVP Silver
‎2024-08-29 11:04 AM
Jump to solution

Hi @Rabin 

Let me clarify this a litle bit with my words:

Every Security Group has one SMO which one is dedicated SGM among the SGM-s. This is the "boss". 

One Security Group -> one SMO -> and the simple SGMs

Segmentation:

I prefer to create a new LAN for the MAESTRO management, to mix it with other traffic (other cluster management stc.) This was a prerequisite earlier.

To create a new Management server:

I don't think so. Why should I build a new SMS (think about the license cost only) for managing the Security Groups? Not necessary. I have implementations where 10+ cluster and MAESTRO are handled by one SmartCenter.

Except:

  • the hardware is not able to handle the inceased log quantity (high lograte)
    • to small Smart-1 hardware
  • security concerns
  • HA is not implemented, and necessary

If only the LOGrate is the issue consider to buy a logserver software license only and install it on a VM. In this case the resources almost endless. 🙂

It is only the surface, to make a decision about the architecture, more info needed.

If you have any question just drop an update on this, then we can go into details.

Akos

 

----------------
\m/_(>_<)_\m/
0 Kudos
Rabin
Contributor
‎2024-08-29 06:44 PM
In response to AkosBakos
Jump to solution

Hi Akos,

Thank You for your insight, we have two management server(Smart -1 600S in core and one in VM for perimeter for maestro) and licenses. The perimeter environment is of maestro  orchestrator with SMO,SGM's and SMS whereas in core we have CP-Cluster in Active standby deployment, now we are planning to migrate this in perimeter to achieve active-active load balancing by segregating the traffic using different security group or lets say different SMO.

To achieve this we were planning to use management server of core to manage new SMO integrated in maestro orchestrator.

As you suggested using same management server for deployment, in long run it would be easy to handle and minimize the cost as well. To achieve this either we need to manually create database or as far as i know migrating database would be easy but it might have issue in production environment considering all the configuration will be replicated.

So what would you suggest in this scenario, also if you know how to migrate policy and objects only without using migrate database tool, please let me know. Also kindly suggest which approach would be better in this situation.

Again, thank you for your response.

Rabin

 

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2024-08-30 12:56 AM
In response to Rabin
Jump to solution

Hi @Rabin 

That was not clear for me, that you have two managements. In this case I understand you. As you mentioned, one Management would be enough is a far future, and budget-proof. 🙂

I would addressed two questions here:

Cluster and Active Active setup:

Az I think you are in the plannig phase. Please read the limitations here.

Two Managament into one:

From what you have written, this tool would be useful for you. This helps you in the hardest part -> migrating the policy. 

https://support.checkpoint.com/results/sk/sk180923

About the Smart-1 600S and the VM license

Hard to compare the physical appliance with the VM, because both have advantages and disadvantages too.
 
The largest difference is for me:
 
The Smart-1 has a hard limit in performace, and yo can't extend it. Datasheet here
 
The VM does not have such kind of limit, because the resources of the host are always extendable. An another feature of the VM, is the snapshot. By upgrades it is a huge feature, and extend the safety.
 
These are my opinions, from the small amount of information that I have. 
I hope this helps you to find the right way.
I have installation with Smart-1 and VM too. Somewhere was requirement that, the Management must be a physical appliance in HA... 
 
Akos

 

 

----------------
\m/_(>_<)_\m/
(1)
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-08-29 06:59 PM
Jump to solution

Yes, each security group is a separate entity with separate SIC and hence security groups sharing MHOs can be managed by different management servers. There's no additional challenges or issues expected in this scenario, it's fully supported, it's the same as having two different gateway clusters on two different management servers. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events