- Products
- Learn
- Local User Groups
- Partners
- More
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
- Products
- Learn
- Local User Groups
- Upcoming Events
- Americas
- EMEA
- Czech Republic and Slovakia
- Denmark
- Netherlands
- Germany
- Sweden
- United Kingdom and Ireland
- France
- Spain
- Norway
- Ukraine
- Baltics and Finland
- Greece
- Portugal
- Austria
- Kazakhstan and CIS
- Switzerland
- Romania
- Turkey
- Belarus
- Belgium & Luxembourg
- Russia
- Poland
- Georgia
- DACH - Germany, Austria and Switzerland
- Iberia
- Africa
- Adriatics Region
- Eastern Africa
- Israel
- Nordics
- Middle East and Africa
- Balkans
- Italy
- APAC
- Partners
- More
- ABOUT CHECKMATES & FAQ
- Sign In
- Leaderboard
- Events
Maestro Masters
Round Table session with Maestro experts
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- CheckMates
- :
- Products
- :
- Quantum
- :
- Maestro Masters
- :
- Maestro Masters Round Table - Selected Questions, ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
_Val_
Admin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2022-06-22
05:56 AM
Maestro Masters Round Table - Selected Questions, Part 1
Before our Maestro Masters Round Table event, we have asked you to send us some questions in advance.
We will gradually post those questions and answers to them in this space. Here is the first batch.
Q: What would be the best way to size the Maestro environment?
A: It depends on metrics. Regarding Throughput and connection rate - the penalty is 1% of the total per each additional SGM in the security group. That means, if one SGM is 100%, 2x SGMs would be 200% -2%(200%)=196%
Q: How do I use tcpdump if traffic is being distributed between gateways?
A: In Maestro, we created global commands, such as g_tcpdump and g_fw commands. Using global commands, you can get a result from all SGMs simultaneously.
Q: Do you recommend taking Gaia snapshots of security groups as a best practice?
A: Definitely yes, and there is an option to run a snapshot command. You can also elect to take just a snapshot of a single appliance or to take snapshots of all members of the Security Group. You can use a snapshot from a single appliance of one to restore others.
Q: Is dynamic scaling supported? If not, when will it be?
A: Auto-scaling will be supported for the next version, which is R81.20.
Stay tuned for more!
12 Replies
d1d7baba-eaca-4
Participant
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2022-07-12
12:14 PM
Hi - From another Maestro Tech Talk, I think, I thought the penalty was 10% per interface that was devoted to MHO information shared with the SGMs. Am I off on this thought?
_Val_
Admin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2022-07-12
11:44 PM
@d1d7baba-eaca-4 Penalty on what?
d1d7baba-eaca-4
Participant
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2022-07-14
06:39 AM
Penalty - Bandwidth use for actual traffic - 90%, if 10% is set aside for MHO to SGM traffic.
_Val_
Admin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2022-07-14
07:05 AM
@Lari_Luoma, @Anatoly can you advise?
Sidney_Ross
Employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2022-07-14
10:23 AM
@d1d7baba-eaca-4 I think you mean the 10% bandwidth reservation on the downlinks for the MHO - SGM communication. But the penalty Val mentions in the Q&A is the 1% degradation per appliance when adding an appliance(s) to a Security Group. Basically those are two different things: One is a reservation on a downlink and the other is a cumulative penalty on a Security Group's overall performance.
However, as far as I know we don't do the 10% reservation anymore.
d1d7baba-eaca-4
Participant
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2022-07-14
10:49 AM
Sidney - Thanks for the clarification. With respect to 'bandwidth reservation on the downlinks for the MHO - SGM communication', if there is no 10% reservation, do you happen to know what it is, or what has taken it's place?
Lari_Luoma
Employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2022-07-12
10:26 PM
About the snapshots... Snapshot is a disk image, which means that it is always local to an SGM. They should be taken in CLISH instead of gclish as usually you don't want to take a snapshot simultaneously of all SGMs. While you do can take a snapshot of each SGM it's usually not necessary. SGMs are clones of each other and as long as you can restore one, the others will clone configuration and binaries including JHF from it. My recommendation typically is to take a snapshot of the SMO and save it on external location. If you want to take snapshots of all your SGMs, that's also fine, but takes a lot of disk space and most of the time is not necessary.
MtxMan
Contributor
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2022-07-18
02:52 AM
Hi @_Val_
honestly im new on Maestro and i got question from my existing customer :
- if they have 2x5200 and wanna implement maestro, is it still possible? because i check on some literature, minimum of fw to implemented hyperscale is 3 fw. so need i buy MHO-140 + one more 5200?
If you have a link basic concept or free training for Maestro, please share with me. Thanks!
_Val_
Admin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2022-07-18
03:10 AM
Hi @MtxMan, unfortunately, 5200 are not supported with Maestro. You need at least 5600. Please refer to sk162373 for the list of all supported appliances and their combinations.
That said, you can start with MHO and just two GW appliances, and then add them as needed, you do not have to have three of those from the start.
MtxMan
Contributor
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2022-07-18
06:14 AM
Hi @_Val_
Thankyou so much!
so if customer only have 2 GW, the behaviour just like clusterxl active-active?
_Val_
Admin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2022-07-18
07:22 AM
@MtxMan Not "just like", much better than physical active-active clustering, thanks for MHO balancing and hypersync.
_Val_
Admin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2022-07-18
03:16 AM
Also, @MtxMan
For the courses, we have Maestro Jump Start courses, available with multiple learning platforms free of charge.
Look here to choose your options: https://community.checkpoint.com/t5/Check-Point-for-Beginners-2-0/Free-Online-Training-Choose-Your-O...
Maestro Masters Round Table - Selected Questions, Part 1
Before our Maestro Masters Round Table event, we have asked you to send us some questions in advance.
We will gradually post those questions and answers to them in this space. Here is the first batch.
Q: What would be the best way to size the Maestro environment?
A: It depends on metrics. Regarding Throughput and connection rate - the penalty is 1% of the total per each additional SGM in the security group. That means, if one SGM is 100%, 2x SGMs would be 200% -2%(200%)=196%
Q: How do I use tcpdump if traffic is being distributed between gateways?
A: In Maestro, we created global commands, such as g_tcpdump and g_fw commands. Using global commands, you can get a result from all SGMs simultaneously.
Q: Do you recommend taking Gaia snapshots of security groups as a best practice?
A: Definitely yes, and there is an option to run a snapshot command. You can also elect to take just a snapshot of a single appliance or to take snapshots of all members of the Security Group. You can use a snapshot from a single appliance of one to restore others.
Q: Is dynamic scaling supported? If not, when will it be?
A: Auto-scaling will be supported for the next version,
...About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY
©1994-2022 Check Point Software Technologies Ltd. All rights reserved.
Copyright
Privacy Policy
Facts at a Glance
User Center