Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
dj0Nz
Advisor
Jump to solution

Maestro Sync Question

Hi Mates,

received two Maestro Sync questions I'm unsure with (maybe silly questions):

  1. In Dual room setup, if Sync goes down, only first MHO is processing traffic right?
  2. Is it possible to configure Sync redundancy (second link or bonding) in Dual Room single site with two MHO-175 (R81.10)?

Thank you very much!

Bye

Michael

0 Kudos
2 Solutions

Accepted Solutions
Timothy_Hall
Legend Legend
Legend

The Sync interface between Dual MHO's is used for configuration sync operations only, so that if a configuration change is made on one of them it will also be made on the other.  That is it, there is no state table sync or anything else going on that will immediately impact the operation of the MHOs if the Sync interface goes down.  So if the Sync interface goes down both MHO's will continue to pass traffic normally, although if a config change is made on one MHO and not propagated to the other in this state it could definitely cause traffic handling issues.

Yes you can have redundant Sync interfaces, you'd just need to change the type of the second port from whatever it is to type "Sync".  Depending on the Orchestrator model there may be restrictions about what physical ports can be reassigned to be for Sync.  There’s no need to manually create a Bond interface as it will be created automatically by the Orchestrator when the second Sync interface is defined. The bond link aggregation will operate in XOR mode.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

emmap
Employee
Employee

Yes you can also have two site_sync interfaces per MHO.

View solution in original post

0 Kudos
(1)
6 Replies
Timothy_Hall
Legend Legend
Legend

The Sync interface between Dual MHO's is used for configuration sync operations only, so that if a configuration change is made on one of them it will also be made on the other.  That is it, there is no state table sync or anything else going on that will immediately impact the operation of the MHOs if the Sync interface goes down.  So if the Sync interface goes down both MHO's will continue to pass traffic normally, although if a config change is made on one MHO and not propagated to the other in this state it could definitely cause traffic handling issues.

Yes you can have redundant Sync interfaces, you'd just need to change the type of the second port from whatever it is to type "Sync".  Depending on the Orchestrator model there may be restrictions about what physical ports can be reassigned to be for Sync.  There’s no need to manually create a Bond interface as it will be created automatically by the Orchestrator when the second Sync interface is defined. The bond link aggregation will operate in XOR mode.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
dj0Nz
Advisor

Ah yes, now that you mention it, indeed that was a topic in one of the workshops but I wasn't sure any more. Thank your very much for explaining!

Bye
Michael

0 Kudos
Michal_Gans
Contributor
Contributor

Because we would like to use this at one installation, I would like to ask if this solution is approved by Check Point? I was not able to verify that by any Check Point official documentation and don't want to end with unsupported configuration.

Thanks

0 Kudos
emmap
Employee
Employee

Dual 'ssm_sync' interfaces are 100% supported. 

0 Kudos
Arnost_Odvalil
Explorer
Explorer

Hi, does that mean that dual sync interfaces are supported even for external sync in dual site deployment?

Thanks

0 Kudos
emmap
Employee
Employee

Yes you can also have two site_sync interfaces per MHO.

0 Kudos
(1)