Maestro Masters
Round Table session with Maestro experts
Before our Maestro Masters Round Table event, we have asked you to send us some questions in advance.
We will gradually post those questions and answers to them in this space. Here is the first batch.
Q: What would be the best way to size the Maestro environment?
A: It depends on metrics. Regarding throughput and connection rate, the penalty is 1% of the total per each additional SGM in the security group. That means, if one SGM is 100%, 2x SGMs would be 200% - 2%(200%) = 196%.
Q: How do I use tcpdump if traffic is being distributed between gateways?
A: In Maestro, we created global commands, such as g_tcpdump and g_fw commands. Using global commands, you can get a result from all SGMs simultaneously.
Q: Do you recommend taking Gaia snapshots of security groups as a best practice?
A: Definitely yes, and there is an option to run a snapshot command. You can also elect to take just a snapshot of a single appliance or to take snapshots of all members of the Security Group. You can use a snapshot from a single appliance to restore others.
Q: Is dynamic scaling supported? If not, when will it be?
A: Auto-scaling will be supported for the next version, which is R81.20.
Stay tuned for more!
Hi - From another Maestro Tech Talk, I think, I thought the penalty was 10% per interface that was devoted to MHO information shared with the SGMs. Am I off on this thought?
@d1d7baba-eaca-4 Penalty on what?
Penalty - Bandwidth use for actual traffic - 90%, if 10% is set aside for MHO to SGM traffic.
@Lari_Luoma, @Anatoly can you advise?
@d1d7baba-eaca-4 I think you mean the 10% bandwidth reservation on the downlinks for the MHO - SGM communication. But the penalty Val mentions in the Q&A is the 1% degradation per appliance when adding an appliance(s) to a Security Group. Basically those are two different things: One is a reservation on a downlink and the other is a cumulative penalty on a Security Group's overall performance.
However, as far as I know we don't do the 10% reservation anymore.
Sidney - Thanks for the clarification. With respect to 'bandwidth reservation on the downlinks for the MHO - SGM communication', if there is no 10% reservation, do you happen to know what it is, or what has taken its place?
About the snapshots... A snapshot is a disk image, which means that it is always local to an SGM. They should be taken in CLISH instead of gclish, as usually you don't want to take a snapshot of all SGMs simultaneously. While you can take a snapshot of each SGM, it's usually not necessary. SGMs are clones of each other, and as long as you can restore one, the others will clone configuration and binaries, including JHF, from it. My recommendation typically is to take a snapshot of the SMO and save it to an external location. If you want to take snapshots of all your SGMs, that's also fine, but it takes a lot of disk space and most of the time is not necessary.
Hi @_Val_
Honestly, I'm new to Maestro and I got a question from my existing customer:
If you have a link basic concept or free training for Maestro, please share with me. Thanks!
Hi @MtxMan, unfortunately, 5200 are not supported with Maestro. You need at least 5600. Please refer to sk162373 for the list of all supported appliances and their combinations.
That said, you can start with MHO and just two GW appliances, and then add them as needed, you do not have to have three of those from the start.
Hi @_Val_
Thank you so much!
So if the customer only has 2 GWs, is the behaviour just like ClusterXL active-active?
@MtxMan Not "just like", much better than physical active-active clustering, thanks to MHO balancing and HyperSync.
Also, @MtxMan
For the courses, we have Maestro Jump Start courses, available with multiple learning platforms free of charge.
Look here to choose your options: https://community.checkpoint.com/t5/Check-Point-for-Beginners-2-0/Free-Online-Training-Choose-Your-O...