This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
FenZ45
Participant
‎2023-09-13 01:04 PM
Jump to solution

Maestro Dual Site - different SGM per site

Hello.

We have the following scenario for a maestro deployment.

One single site with two mho-140 and two 28600HS appliances, working as vsx gateway.

Another single site with two mho-140 and two 16600HS appliances, working as vsx gateway.

It's posible to configure a dual site (only one security group) with this mix of applainces?

SITE 1:

two 28600HS appliances

SITE 2

two 16600HS appliances

 

If it's posible, how does the diference in capacity affects the traffic, vsx, and distribution? 

Could be posible that if we buy another 16600HS for the site 2, this one can work with 3 appliances?

 

Regards!

0 Kudos
1 Solution

Accepted Solutions
emmap
Employee
Employee
‎2023-09-14 06:04 PM
Jump to solution

Hi

There's a long answer to this question that is best discussed with your local CP office Maestro expert, but the short version is:

Dual site security groups should mirror each other in terms of hardware, as this ensures proper HA as both sites have the same capability. If you do want to mix different hardware in a security group we can do that, but there are limits as to what's supported. Details are in this SK. Even if you mix models, the two sites should mirror each other in terms of SGM makeup. Details on how mix and match work are in the admin guides.

In short, it's not supported to do a dual-site security group with 28600HSs on one side and 16600HSs on the other side, even if you add more smaller appliances. More small appliances do not scale the same as fewer large appliances, especially when it comes to VSX due to the nature of the scaling - all VSs are active across all SGMs, and will share the same CoreXL per VS config. Hence, if you have a VS with 4CXLs configured, they will have 4CXLs per SGM - so if one site has 2 SGMs and the other 3, the VS will have more instances running on the site with more (smaller in this example) appliances. 

View solution in original post

3 Replies
emmap
Employee
Employee
‎2023-09-14 06:04 PM
Jump to solution

Hi

There's a long answer to this question that is best discussed with your local CP office Maestro expert, but the short version is:

Dual site security groups should mirror each other in terms of hardware, as this ensures proper HA as both sites have the same capability. If you do want to mix different hardware in a security group we can do that, but there are limits as to what's supported. Details are in this SK. Even if you mix models, the two sites should mirror each other in terms of SGM makeup. Details on how mix and match work are in the admin guides.

In short, it's not supported to do a dual-site security group with 28600HSs on one side and 16600HSs on the other side, even if you add more smaller appliances. More small appliances do not scale the same as fewer large appliances, especially when it comes to VSX due to the nature of the scaling - all VSs are active across all SGMs, and will share the same CoreXL per VS config. Hence, if you have a VS with 4CXLs configured, they will have 4CXLs per SGM - so if one site has 2 SGMs and the other 3, the VS will have more instances running on the site with more (smaller in this example) appliances. 

FenZ45
Participant
‎2023-09-17 09:53 AM
In response to emmap
Jump to solution

Hi @emmap .

Thanks for your answer. This is just an intellectual curiosity for a maestro deployment.

My plan is not to install something like this, i just wanted to know if it's posible or not. Also, my local checkpoint representatives have told to me that this is not recommended.

Regards.

0 Kudos
Sven_Glock
Advisor
‎2023-09-19 05:00 AM
Jump to solution

Hi,

as described from @emmap it is not supported to run sites with different sgm hardware like described above.

I tried it for a specific szenario where it worked for me flawless.
In my szenario I wanted to migrate a security group from 7000 appliances to 16200 appliances.
I removed all 7000er appliances from backup chassis, added 16200 appliances to security group and installed everything manually without imagecloning. The failover to to backup chassis was possible without any impact even under load.
After failover I exchanged 7000 appliances from second chassis with 16200 and installed them with image cloning.

Of course - the hardware difference between sites was only a short period of time. 
For a longer time period I would always choose to have the same haredware.

Regards
Sven




0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events