PhoneBoy
Admin

Maestro Masters Round Table June 2022: Video, Slides, and Q&A

Q&A and slides are below.



sk138672 says that MDPS is already supported. Is it already supported, or will it be supported only from R81.20?

It is not included in R81 and R81.10. We will add it to R81.20. The best place to check for Maestro feature parity with the main train is sk173183.

Is there/will there be documentation on the "sp_upgrade" command/script mentioned in the admin guides?

It's already there for R81.10 as part of the admin guide and we will include the specific steps for MVC upgrade.

How about the limitation with Identity Awareness (externally running PDP needed, sk175587)? Will this be solved in future releases?

This is on the road map for the future, not sure on the exact release but it is planned.

For the upgrade with MVC with Maestro, based on testing, will there be a connectivity drop, for example 1-2 ping drops?

It will operate similarly to regular ClusterXL and will depend on traffic load. That means there can be a drop of connections that weren't synced (due to a short connection, for example) or of protocols that do not survive fail-overs. Ping loss should be very low to none (usually none; it depends on the ping rate, of course).

When will full VPN Link Selection be supported?

Since R81 JHF 34, and in R81.10 GA, you have these extra features as described in sk174228.

Any development going on to reduce the impact of the NAT required for the correction layer?

Support for GNAT will be added in R81.20, which will improve things substantially.

Any improvements to throughput with Maestro?

Maestro Fastforward (available in R81.20) will significantly improve throughput and latency for trusted connections:

  • Fastforward will offload Accept/Drop rules to the Maestro Orchestrator for hardware acceleration
  • Sub-second latency
  • Port line-rate throughput for a single connection

Is there any roadmap for Dynamic Split/Dynamic Balancing of cores in Maestro?

R81.20 will include this support.

Will this Fastforward still log traffic in the Log server?

Yes, it will be a firewall-only log. The first packet of a connection will be passed to the gateway for logging purposes.

If Fastforward is not possible, then will Hyperflow be supported with Maestro in the future?

Hyperflow is a different feature geared toward handling Elephant Flows. It will be integrated with Maestro when it is ready. Fastforward is not focused on Deep Packet Inspection and is intended for trusted connections. Both features will co-exist.

Does Fastforward support Layer 2?

Not currently, but it is on the roadmap.

Are these fast-accelerated rules stateful or stateless?

In general, stateless. The only exception is the initial SYN packet being passed through to the gateway.

Will it be possible to use the REST API manually to set up a similar ACL rule on the orchestrator?

You can use REST APIs with the management server and create rules/install policy.

Would this Fastforward matching traffic show up if one were running a tcpdump on the Security Gateway?

The only packet you would see on the Security Gateway would be the initial SYN packet. The correct place to monitor these connections would be on the MHO, and we are currently evaluating what tools will be available for monitoring there.

How does it handle the return traffic for the same TCP connection? Does it require a bi-directional fast-accel rule in the policy if it is stateless?

No need, the gateway will take care of this.

The current process to upgrade a security group from R80.30 SP to R81.10 is complex and needs multiple manual steps. Is there any roadmap to improve the upgrade process via MHO or SmartConsole?

Once on R81.10, the upgrade process is smoother, and with R81.20 it will be much better with MVC upgrade. Upgrades from SmartConsole are on the roadmap to align with main train.

Is Skyline compatibility on this roadmap or on the Skyline roadmap?

Skyline support is coming shortly.

Do we still need to use QinQ VLAN for dual site Maestro configurations?

QinQ is not required as of R81.10.

When will Maestro be supported by Smart-1 Cloud?

Expected as part of R81.30.

At the moment, Maestro supports two-site installations. Is the ability to manage more than two sites (three, for example) on the roadmap?

It's on the roadmap, yes.

Any enhancements for monitoring traffic connections among the members, for example from SmartConsole?

We have better (per appliance) SNMP monitoring coming, which is currently available in a private fix for R81.10 T45. There are also enhancements for R81.20 and later planned (around SNMP), as well as enhancements for monitoring through the Skyline project.

Can we use automation tools like Ansible to configure security groups, etc.?

Check Point Professional Services can assist with this task.

When will the route engine be distributed so we don't lose the routes during a failover event?

The graceful-restart feature is an industry standard and Maestro supports it for both OSPF and BGP. That way you don't lose routes. Graceful-restart must be supported by the peer and timers need to be in sync. The routes will stay while peering is built up after failover.

Would Fastforward provide a benefit on top of MLS (Lightspeed) devices? Would they co-exist?

They can coexist. Fastforward provides ultra-low latency for trusted connections and UDP packets. LightSpeed (MLS) is there to provide low latency and high throughput with stateful inspection.

What about elephant flows in VPN?

We are working to address it with Lightspeed technology, which will also be supported with Maestro.

What is the best route to get Maestro certified?

Get CCSA and CCSE first, then certify for CCME.

When will the Maestro Lightspeed MLS200, etc. be available?

Currently planned for Q3 2022.

Do you plan better traffic troubleshooting for Maestro?

For troubleshooting traffic we support tcpdump, fw monitor and cppcap. You can also use asg search to find out the blade the traffic is hitting and run your monitoring there. The same debugs are supported in Maestro as in other appliances.

Will the 64K systems be further developed or should only Maestro be used?

The 44000 and 64000 chassis went End of Sale in January 2022 per the Support Life Cycle Policy. Maestro is recommended for new deployments where Scalable Platform chassis were used previously.

When will Active/Active Maestro be supported between two different datacenters?

R81.30 is the expected release that will support this.

Are there any plans to make a Maestro stack compatible with CDT?

Yes, this is planned for R81.30.

Edge-case question: If resources are dynamically assigned from one group (A) to another (B) where they are needed, and traffic on the original group (A) spikes, are they reassigned back, leading to connections being dropped on the second resource (B)?

Already assigned resources won't be taken away. Free resources (scale-up nodes) can be used.

Are you guys planning to release any virtual version for MHO?

No, but there is a planned solution for Scalable Platform without MHO for lower scale deployments.

Is there any documentation available to instruct how to mitigate excessive correction traffic (traffic that is re-routed from one SGM to another)?

If you have lots of corrections, you likely have problems with your distribution. You "correct" because the traffic is being sent to the "wrong" (different) devices, for example in either direction. So it's probably worth looking into that area: find out your heaviest flows, then use tools like "dxl calc" to confirm whether you are handling traffic on different units (and therefore whether a change to the distribution (mode, or the setting for the interface) is needed).

When will traffic forwarding from the oob/mgmt interface be possible back and forth?

R81.20 should provide this ability. R81.10 can also be an option (not by default); if needed, support can be approached.

What is the plan for mix and match? Will more models be supported?

Mix and match is supported with appliance models with similar specs. Not every appliance combination is supported. If you have a specific need, please approach your local Check Point office.

Chris_DeBaggis
Employee

Thank you for posting this. Does the Fastforward feature get configured in the CLI or in SmartConsole? I did see they said it was configured in the access policy, but it would be great to tag access rules in SmartConsole.
