This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
_Val_
Admin
Admin
‎2022-06-22 05:56 AM

Maestro Masters Round Table - Selected Questions, Part 1

Before our Maestro Masters Round Table event, we have asked you to send us some questions in advance.

We will gradually post those questions and answers to them in this space. Here is the first batch.

Q: What would be the best way to size the Maestro environment?

A: It depends on metrics. Regarding Throughput and connection rate - the penalty is 1% of the total per each additional SGM in the security group. That means, if one SGM is 100%, 2x SGMs would be 200% -2%(200%)=196%

Q: How do I use tcpdump if traffic is being distributed between gateways?

A: In Maestro, we created global commands, such as g_tcpdump and g_fw commands. Using global commands, you can get a result from all SGMs simultaneously.

Q: Do you recommend taking Gaia snapshots of security groups as a best practice?

A: Definitely yes, and there is an option to run a snapshot command. You can also elect to take just a snapshot of a single appliance or to take snapshots of all members of the Security Group. You can use a snapshot from a single appliance of one to restore others.

Q: Is dynamic scaling supported?  If not, when will it be?

A: Auto-scaling will be supported for the next version, which is R81.20.

 

Stay tuned for more!

12 Replies
d1d7baba-eaca-4
Participant
‎2022-07-12 12:14 PM

Hi - From another Maestro Tech Talk, I think, I thought the penalty was 10% per interface that was devoted to MHO information shared with the SGMs.  Am I off on this thought?

 

0 Kudos
_Val_
Admin
Admin
‎2022-07-12 11:44 PM
In response to d1d7baba-eaca-4

@d1d7baba-eaca-4 Penalty on what?

0 Kudos
d1d7baba-eaca-4
Participant
‎2022-07-14 06:39 AM
In response to _Val_

Penalty - Bandwidth use for actual traffic - 90%, if 10% is set aside for MHO to SGM traffic.

0 Kudos
_Val_
Admin
Admin
‎2022-07-14 07:05 AM
In response to d1d7baba-eaca-4

@Lari_Luoma@Anatoly can you advise?

 

0 Kudos
Sidney_Ross
Employee Alumnus
Employee Alumnus
‎2022-07-14 10:23 AM
In response to d1d7baba-eaca-4

@d1d7baba-eaca-4 I think you mean the 10% bandwidth reservation on the downlinks for the MHO - SGM communication. But the penalty Val mentions in the Q&A is the 1% degradation per appliance when adding an appliance(s) to a Security Group. Basically those are two different things: One is a reservation on a downlink and the other is a cumulative penalty on a Security Group's overall performance.

However, as far as I know we don't do the 10% reservation anymore.

0 Kudos
d1d7baba-eaca-4
Participant
‎2022-07-14 10:49 AM
In response to Sidney_Ross

Sidney - Thanks for the clarification.  With respect to 'bandwidth reservation on the downlinks for the MHO - SGM communication', if there is no 10% reservation, do you happen to know what it is, or what has taken it's place?

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2022-07-12 10:26 PM

About the snapshots...  Snapshot is a disk image, which means that it is always local to an SGM. They should  be taken in CLISH instead of gclish as usually you don't want to take a snapshot simultaneously of all SGMs. While you do can take a snapshot of each SGM it's usually not necessary. SGMs are clones of each other and as long as you can restore one, the others will clone configuration and binaries including JHF from it. My recommendation typically is to take a snapshot of the SMO and save it on external location. If you want to take snapshots of all your SGMs, that's also fine, but takes a lot of disk space and most of the time is not necessary.

0 Kudos
MtxMan
Contributor
‎2022-07-18 02:52 AM

Hi @_Val_ 

honestly im new on Maestro and i got question from my existing customer :

  1. if they have 2x5200 and wanna implement maestro, is it still possible? because i check on some literature, minimum of fw to implemented hyperscale is 3 fw. so need i buy MHO-140 + one more 5200?

If you have a link basic concept or free training for Maestro, please share with me. Thanks!

0 Kudos
_Val_
Admin
Admin
‎2022-07-18 03:10 AM
In response to MtxMan

Hi @MtxMan, unfortunately, 5200 are not supported with Maestro. You need at least 5600. Please refer to sk162373 for the list of all supported appliances and their combinations.

That said, you can start with MHO and just two GW appliances, and then add them as needed, you do not have to have three of those from the start. 

0 Kudos
MtxMan
Contributor
‎2022-07-18 06:14 AM
In response to _Val_

Hi @_Val_ 

Thankyou so much!

so if customer only have 2 GW, the behaviour just like clusterxl active-active? 

0 Kudos
_Val_
Admin
Admin
‎2022-07-18 07:22 AM
In response to MtxMan

@MtxMan Not "just like", much better than physical active-active clustering, thanks for MHO balancing and hypersync.

0 Kudos
_Val_
Admin
Admin
‎2022-07-18 03:16 AM
In response to MtxMan

Also, @MtxMan 

For the courses, we have Maestro Jump Start courses, available with multiple learning platforms free of charge.

Look here to choose your options: https://community.checkpoint.com/t5/Check-Point-for-Beginners-2-0/Free-Online-Training-Choose-Your-O...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events