This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Uwe_Herkt
Participant
Participant
‎2024-07-25 02:28 AM

How do I extend Maestro single site vsx env. to a dual site, without or minimal downtime?

I am currently planning to expand our Maestro environment:
currently: 2*MHO175 + 3*9700 appliances, single site, one security group, VSX with 4 virtual systems, R81.20

this is to be extended to a second data center, the necessary hardware, i.e. another 2*MHO175 + 3* 9700 appliances is available.

How do I expand Maestro single site to dual site without or with minimal downtime? Unfortunately, I have not found any suitable instructions.

What happens to the existing security group and traffic flow if I run the standard setup for dual site like this:

on each MHO
Orch_1_1> set maestro configuration orchestrator-site-amount 2
Orch_1_2> set maestro configuration orchestrator-site-amount 2
Orch_2_1> set maestro configuration orchestrator-site-amount 2
Orch_2_1> set maestro configuration orchestrator-site-amount 2

on site 1 (currently productive)
Orch_1_1>set maestro configuration orchestrator-site-id 1
Orch_1_1#orchd restart
Orch_1_2>set maestro configuration orchestrator-site-id 1
Orch_1_2#orchd restart

on site 2
Orch_2_1>set maestro configuration orchestrator-site-id 2
Orch_2_1#orchd restart
Orch_2_2>set maestro configuration orchestrator-site-id 2
Orch_2_2#orchd restart

on side 1 - Back up the /etc/maestro
Orch_1_1#cp -v /etc/maestro.json ~/maestro.json_BKP
Orch_1_1#cp -v /etc/maestro_full.json ~/maestro_full.json_BKP
Orch_1_2#cp -v /etc/maestro.json ~/maestro.json_BKP
Orch_1_2#cp -v /etc/maestro_full.json ~/maestro_full.json_BKP

on site 2
Orch_2_1> set maestro port 1/31/1 type site_sync
Orch_2_1#orchd restart
Orch_2_2> set maestro port 2/31/1 type site_sync
Orch_2_2#orchd restart

on site 1
Orch_1_1> set maestro port 1/31/1 type site_sync
Orch_1_1#orchd restart
Orch_1_2> set maestro port 2/31/1 type site_sync
Orch_1_2#orchd restart

on site 2
Orch_2_1#orchd restart
Orch_2_2#orchd restart

on site 1
Orch_1_1>set maestro security-group apply-new-config

In which steps does the traffic flow interrupt?
Has anyone already performed a similar task?

 

Thanks for help

Uwe

0 Kudos
1 Reply
Nir_Shamir
Employee Employee
Employee
‎2024-07-25 02:44 AM

1) prepare site 2 ORCHs in advance with all the relevant configuration (site id, amount of site etc.).

2) make all the physical connectivity between MHO's between the sites. this means stretching VLANS. check this SK:

https://support.checkpoint.com/results/sk/sk168092

also , depending on the architecture, check also this SK:

https://support.checkpoint.com/results/sk/sk181385

3) configure production MHO's for amount of site 2 and restart orchd gradually (per MHO in Production).

to avoid sync between them it's recommended to shutdown local sync port between them.

4) Test connectivity between MHO's between sites:

MHO1-1 to MHO 2-1 - ping 203.0.113.15

MHO2-1 to MHO2-2 - ping 203.0.113.16

5) restart orchd on both site 2 MHO's in order to sync with Site MHO's and get all the SG configuration.

verify under /etc/sgdb.json.

6) activate auto-clone in SG and add SGM's.

when SGM's are added make sure you have connectivity between Site1 SGMs and site2 SGMs by pinging from SGMs to 192.0.2.15, 16 etc. (at least have ARP).

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events