Maestro Masters
Round Table session with Maestro experts
Hi Everyone,
I just want to know: is it possible to use different Check Point management servers for managing the SMOs of different Security Groups created in the same Maestro Orchestrator, and what challenges or issues might occur in a production environment?
Thank You.
Hi @Rabin
Let me clarify this a little bit in my words:
Every Security Group has one SMO, which is a dedicated SGM among the SGMs. This is the "boss".
One Security Group -> one SMO -> and the simple SGMs
Segmentation:
I prefer to create a new LAN for the MAESTRO management, to mix it with other traffic (other cluster management etc.). This was a prerequisite earlier.
To create a new Management server:
I don't think so. Why should I build a new SMS (think about the license cost only) for managing the Security Groups? Not necessary. I have implementations where 10+ clusters and MAESTRO are handled by one SmartCenter.
Except:
If only the log rate is the issue, consider buying a log server software license only and installing it on a VM. In this case the resources are almost endless. 🙂
This is only the surface; to make a decision about the architecture, more info is needed.
If you have any questions, just drop an update on this, then we can go into details.
Akos
Hi Akos,
Thank you for your insight. We have two management servers (a Smart-1 600S in core and one in a VM for perimeter for Maestro) and licenses. The perimeter environment is a Maestro Orchestrator with SMO, SGMs and SMS, whereas in core we have a CP cluster in an active-standby deployment. Now we are planning to migrate this into the perimeter to achieve active-active load balancing by segregating the traffic using different Security Groups or, let's say, different SMOs.
To achieve this we were planning to use the management server of core to manage the new SMO integrated in the Maestro Orchestrator.
As you suggested, using the same management server for the deployment would, in the long run, be easy to handle and minimize the cost as well. To achieve this, either we need to manually create the database or, as far as I know, migrating the database would be easy, but it might cause issues in the production environment considering all the configuration will be replicated.
So what would you suggest in this scenario? Also, if you know how to migrate policy and objects only, without using the migrate database tool, please let me know. Also, kindly suggest which approach would be better in this situation.
Again, thank you for your response.
Rabin
Hi @Rabin
It was not clear to me that you have two managements. In this case I understand you. As you mentioned, one Management would be enough in the far future, and budget-proof. 🙂
I would address two questions here:
Cluster and Active Active setup:
As I think you are in the planning phase, please read the limitations here.
Two Managements into one:
From what you have written, this tool would be useful for you. This helps you in the hardest part -> migrating the policy.
https://support.checkpoint.com/results/sk/sk180923
About the Smart-1 600S and the VM license
Yes, each security group is a separate entity with separate SIC, and hence security groups sharing MHOs can be managed by different management servers. There are no additional challenges or issues expected in this scenario. It's fully supported; it's the same as having two different gateway clusters on two different management servers.