Maestro Masters
Round Table session with Maestro experts
On 17th July 2019, we did a TechTalk with @Anatoly, @Maor_Elharar, and Matan Tenenboim on Maestro, doing a deep dive on the technology and answering many of your burning questions.
Materials below are available to CheckMates members who are signed in.
Q&A answered during the session will be posted as comments shortly.
Here are the questions asked during the Q&A:
Not currently compatible with ACI, but it is in the plans.
Once you set up a VLAN on the Orchestrator, only that specific VLAN will be used. Trunk interfaces that allow more than a single VLAN will be supported in the future.
Currently:
We plan to support other gateways in the future. Please contact your local office if such support is required.
No, you can share a management interface between security groups.
It's a Check Point algorithm based on L3/L4 information.
DAC cables are recommended.
R80.20 and above for management. The gateways will run R80.20SP. R80.30SP is planned, as is integration into maintrain.
Not currently, but it is planned.
No, but latency should be kept below 100ms and have no more than 5% packet loss over a Layer 2 link between the sites. This is similar to ClusterXL.
Configuration synchronization will not be possible except via manual means.
Expected end of July for Security gateway. For VSX, expected end of August.
Yes, but we definitely recommend running two orchestrators at each site for redundancy.
3 meters currently. We plan to support longer cables and fiber in the future.
Yes, but VSLS is currently not supported. We plan to support it when dual-site support is released.
The affected security group only.
Each component in the system (like interface or appliance) is assigned a weight. If the remote site total weight is higher, a site failover is performed. You can change the default weight of the components to suit your requirements.
Any Check Point transceivers should work. Check Point currently does not offer 25G transceivers, but Maestro is ready to support them.
The Orchestrator distributes the traffic. Each appliance only sees the traffic that is relevant to it.
No, the Orchestrator only forwards and balances traffic to the appliances in the security group. It is not involved in Layer 3 routing decisions.
We plan to support it in the future, but plans have not been finalized. If you have this requirement, please contact your local Check Point office.
We have global versions of various troubleshooting commands that gather the relevant data from the relevant appliance.
No traffic will be passed. This is why we recommend running with a second Orchestrator for redundancy.
Yes, we support LACP on two Orchestrators. The Orchestrator is not aware of the bond, however.
You still need to back up the SMO. We do plan to offload deployment/maintenance tasks to the Orchestrator in the future.
Maestro uses standard Check Point interfaces. Each appliance requires a 10G/40G expansion card.
Only one IP is required per security group, regardless of the number of appliances.
Virtual switches are not supported currently with Maestro, but it is in the plans.
ethX
What about the 6900?
Not (yet) on sk162373
Hi,
Why am I getting the message "You do not have permission to view this asset." when I try to watch the Maestro TechTalk video?
Regards.
Marcos Reis
Hi,
I want to ask:
How can I verify sync between Maestro1 and Maestro2? For this example I set the sync cable on port 32.
What can I do as a next step if I get the message that the Orchestrator ID is missing? I read in the SK.. that it said to check the cable connection from the gateway appliance to Maestro, and let's say the connection is good, with no problem with the cable connection.
Hi Maarten,
Thanks for the reference.
The top of the discussion said:
Gateway 23800 (requires R80.20SP JHF1)
What does R80.20SP JHF1 mean? And what happens if the gateways are not on R80.20SP: can they connect to Maestro (e.g. MHO170) if, for example, the gateway has R80.20?
Or can I change the Gaia OS on the 23800 gateway from R80.20 to R80.20SP JHF1?
Hi Maarten,
Thanks for the solution.
I installed R80.20SP on the 23800.
But if there is just a single site, is it necessary to install the hotfix?
The plan is to create one SG from all those gateways, create a VSX gateway, and create 4 virtual systems. What is the right step for the VSX gateway? When I create the VSX gateway, after clicking the Finish button the process always ends with an error saying timeout.
Can I create a bonded management interface in the SG?
Hi Maarten_Sjouw,
I currently don't have the JHF installed; is it good to install JHF 279 from SK155832?
And I want to make sure, from the JHF table:
Product Orchestrator is used for the MHO (MHO170)
Product Maestro gateway is used for the gateway appliance (23800)
Hello @PhoneBoy . Any ideas if/when Maestro will be added to DemoPoint for tinkering and/or demo?
thanks for all you do. -GA
@Shay_Levin is a little closer to that action than I am 🙂
In general, I'm not sure how feasible it is to put Maestro in DemoPoint.
hello @Shay_Levin and @PhoneBoy --
After dialog with the local CP team and review of these materials, I understand some of the information from the tech talk is "old" and/or "dated".
The information, video, and PPTX originally posted in this Maestro thread is fantastic.
How can it be updated to reflect all new features, etc?
Maybe this doesn't require a tech talk #2 but rather a re-release of new video and PPTX materials? Alternatively, maybe a post of PPTX material that is the equivalent of an "addendum" to review everything new and changed since the original post.
Just a thought.
thanks in adv. -GA
The video was, itself, the TechTalk.
We do revisit topics from time to time in TechTalks, so it's not out of the question.
Hi Phoneboy,
Is mixing appliance models within a security group available yet? Thanks
Planned for R81.10