This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
dj0Nz
Advisor
‎2023-02-16 04:01 AM
Jump to solution

Maestro Sync Question

Hi Mates,

received two Maestro Sync questions I'm unsure with (maybe silly questions):

  1. In Dual room setup, if Sync goes down, only first MHO is processing traffic right?
  2. Is it possible to configure Sync redundancy (second link or bonding) in Dual Room single site with two MHO-175 (R81.10)?

Thank you very much!

Bye

Michael

0 Kudos
2 Solutions

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2023-02-16 08:22 AM
Jump to solution

The Sync interface between Dual MHO's is used for configuration sync operations only, so that if a configuration change is made on one of them it will also be made on the other.  That is it, there is no state table sync or anything else going on that will immediately impact the operation of the MHOs if the Sync interface goes down.  So if the Sync interface goes down both MHO's will continue to pass traffic normally, although if a config change is made on one MHO and not propagated to the other in this state it could definitely cause traffic handling issues.

Yes you can have redundant Sync interfaces, you'd just need to change the type of the second port from whatever it is to type "Sync".  Depending on the Orchestrator model there may be restrictions about what physical ports can be reassigned to be for Sync.  There’s no need to manually create a Bond interface as it will be created automatically by the Orchestrator when the second Sync interface is defined. The bond link aggregation will operate in XOR mode.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

View solution in original post

emmap
Employee
Employee
‎2024-12-06 01:27 AM
In response to Arnost_Odvalil
Jump to solution

Yes you can also have two site_sync interfaces per MHO.

View solution in original post

0 Kudos
6 Replies
Timothy_Hall
Legend Legend
Legend
‎2023-02-16 08:22 AM
Jump to solution

The Sync interface between Dual MHO's is used for configuration sync operations only, so that if a configuration change is made on one of them it will also be made on the other.  That is it, there is no state table sync or anything else going on that will immediately impact the operation of the MHOs if the Sync interface goes down.  So if the Sync interface goes down both MHO's will continue to pass traffic normally, although if a config change is made on one MHO and not propagated to the other in this state it could definitely cause traffic handling issues.

Yes you can have redundant Sync interfaces, you'd just need to change the type of the second port from whatever it is to type "Sync".  Depending on the Orchestrator model there may be restrictions about what physical ports can be reassigned to be for Sync.  There’s no need to manually create a Bond interface as it will be created automatically by the Orchestrator when the second Sync interface is defined. The bond link aggregation will operate in XOR mode.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
dj0Nz
Advisor
‎2023-02-16 08:56 AM
In response to Timothy_Hall
Jump to solution

Ah yes, now that you mention it, indeed that was a topic in one of the workshops but I wasn't sure any more. Thank your very much for explaining!

Bye
Michael

0 Kudos
Michal_Gans
Contributor
Contributor
‎2024-12-05 07:15 AM
In response to Timothy_Hall
Jump to solution

Because we would like to use this at one installation, I would like to ask if this solution is approved by Check Point? I was not able to verify that by any Check Point official documentation and don't want to end with unsupported configuration.

Thanks

0 Kudos
emmap
Employee
Employee
‎2024-12-05 10:21 PM
In response to Michal_Gans
Jump to solution

Dual 'ssm_sync' interfaces are 100% supported. 

0 Kudos
Arnost_Odvalil
Explorer
Explorer
‎2024-12-05 10:42 PM
In response to emmap
Jump to solution

Hi, does that mean that dual sync interfaces are supported even for external sync in dual site deployment?

Thanks

0 Kudos
emmap
Employee
Employee
‎2024-12-06 01:27 AM
In response to Arnost_Odvalil
Jump to solution

Yes you can also have two site_sync interfaces per MHO.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events
    li.common.scroll-to.top