Anthony_Kahwati
Collaborator

Maestro - Well received?

Hi Checkmates

We've recently been introduced to Maestro and on the face of it, it looks like the way forward for quite a few reasons.

Mainly, the scalability.

What are the thoughts in the real world about this product? Has it been well received?

Thanks

14 Replies
Vincent_Bacher
Advisor

Depends on the use case, I assume.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Anthony_Kahwati
Collaborator

We don't have an overly large environment but can see a potential need for a dedicated hardware firewall in the future. The kit we bought had its EOL announced 6 months after we bought it, so a refresh would be made easier (it's not yet racked, so we could install Maestro and attach the gateways to it as it is compatible); patching into the rest of the network is no longer based on a factor of the number of gateway devices you have; you could potentially borrow resources from another security cluster short term if needed, etc. I see a lot of benefits, just wondered if anyone has deployed it and feels it delivers.

I'm guessing it does to be honest as it's been around for over a year.... 

Vincent_Bacher
Advisor

As vinceneil already mentioned, Maestro is getting better, and in R81.10 it's planned to allow different hardware types in the same SG, so you could use almost any gateways you already have.
Maestro has similar pros and cons to the scalable platforms, I think, and the possibility to just borrow another device and extend the SG is what Check Point is advertising and what could meet your needs.
We have just a testing environment based on Maestro, but someday we'll have Maestro in the field as well, I think.

Anthony_Kahwati
Collaborator

Thanks... the ability to mix hardware is a massive selling point when we go through obsolescence cycles. Obviously the MHOs themselves will have EOL dates as well, so if they can just allow the MHOs to build clusters of greater than 2 and mix hardware it will be a perfect solution for hardware refreshes.

vinceneil666
Advisor

I have implemented 3 different Maestro solutions for customers. We have been swamped in bugs and fixes - a bit of a nightmare, to be honest.

The latest jumbos on R80.20SP (the 309) have improved and fixed quite a lot - and we have high hopes for R81 (have not tested that on Maestro yet).

Last year I would have told you to just run as fast as you could. But there has been great improvements for sure. 

Anthony_Kahwati
Collaborator

Thanks for your account of things... this is what our rep told us as well, that it had some teething problems but the latest releases, R80.40 particularly, resolved a lot and that also in R81 it is in an even better state.

Ruan_Kotze
Advisor

This echoes our experience as well.  It's a fantastic concept and I really love the architecture.  We've unfortunately been bitten hard by vpnd bugs, and the other big one is memory leaks - we've been working with TAC for about 3 months now on that and it seems they have identified the root cause and are working on a fix.  On the upside, we now know which memory stacks to monitor so we can reboot preemptively before there is an outage :-)
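
The "monitor and reboot before the outage" approach above can be automated. The following is an added example, not code from the thread or from Check Point: it fits a linear trend to periodic /proc/meminfo snapshots and projects when the box would run out of memory, so a maintenance reboot can be scheduled ahead of that point. It assumes you already collect the snapshots at a fixed interval from the Gaia gateway (Gaia is Linux-based, so /proc/meminfo is available); the samples below are constructed, not real data, and the thresholds are illustrative. It works on system-wide memory rather than the specific stacks TAC identifies for a given leak; adapt the parsed fields once you know which counters matter in your case.

```python
"""Project memory exhaustion from periodic /proc/meminfo samples.

Added example (not from the thread). Assumes snapshots of /proc/meminfo are
collected at a fixed interval; "used" is approximated as
MemTotal - MemFree - Buffers - Cached, which exists on every Linux kernel.
"""
import re

_FIELD = re.compile(r"^(\w+):\s+(\d+)\s*kB", re.M)

# Constructed sample: 6 snapshots, one per hour, MemFree dropping ~100 MB/h.
# Not real gateway data.
_BASE_TS = 1_700_000_000
LEAKING_SAMPLES = [
    (_BASE_TS + i * 3600,
     f"MemTotal: 8388608 kB\nMemFree: {3000000 - i * 102400} kB\n"
     f"Buffers: 200000 kB\nCached: 994304 kB\n")
    for i in range(6)
]
# Constructed sample: MemFree oscillating by 10 MB with no trend.
STABLE_SAMPLES = [
    (_BASE_TS + i * 3600,
     f"MemTotal: 8388608 kB\nMemFree: {3000000 + (i % 2) * 10240} kB\n"
     f"Buffers: 200000 kB\nCached: 994304 kB\n")
    for i in range(6)
]


def parse_meminfo(text):
    """Return used/total kB from one /proc/meminfo snapshot."""
    f = {m.group(1): int(m.group(2)) for m in _FIELD.finditer(text)}
    used = f["MemTotal"] - f["MemFree"] - f["Buffers"] - f["Cached"]
    return {"total_kb": f["MemTotal"], "used_kb": used}


def slope_kb_per_s(points):
    """Least-squares slope of (timestamp, used_kb) points."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    if sxx == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in points) / sxx


def assess(samples, min_growth_kb_per_h=10240, horizon_s=7 * 24 * 3600):
    """Flag a growth trend and project time-to-exhaustion.

    Returns growth in kB/h, seconds until used == total (None if no growth
    above the noise threshold), and whether a reboot should be scheduled
    within the given horizon (default 7 days, an illustrative value).
    """
    pts = [(ts, parse_meminfo(t)["used_kb"]) for ts, t in samples]
    total = parse_meminfo(samples[-1][1])["total_kb"]
    growth_h = slope_kb_per_s(pts) * 3600
    if growth_h < min_growth_kb_per_h:
        return {"growth_kb_per_h": growth_h, "eta_s": None, "schedule_reboot": False}
    headroom = total - pts[-1][1]
    eta = headroom / (growth_h / 3600)
    return {"growth_kb_per_h": growth_h, "eta_s": eta, "schedule_reboot": eta < horizon_s}


if __name__ == "__main__":
    for name, s in (("leaking", LEAKING_SAMPLES), ("stable", STABLE_SAMPLES)):
        r = assess(s)
        print(name, f"growth={r['growth_kb_per_h']:.0f} kB/h",
              "eta=%s" % (f"{r['eta_s'] / 3600:.1f} h" if r["eta_s"] else "n/a"),
              "reboot" if r["schedule_reboot"] else "ok")
```

In practice feed it the last day or two of snapshots rather than six points, and raise the noise threshold to whatever normal churn (connection-table growth, cache warm-up) looks like on your security group, otherwise a busy hour will look like a leak.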

vinceneil666
Advisor

I did some months on memory leaks too - got this resolved by a private fix in the end. Of course, when applying private fixes to the Maestro, the upgrade process when moving to new jumbos and versions does get a bit tedious and time consuming.  I think that for a lot of my customers an upgrade to, say, R81 will be a hard sell, since we have spent so much time on debug and troubleshooting.

For the implementation of the solution there has been some great improvement. Starting out with R80.20SP there was a limitation on max VLANs per bond, and also a lot of manual work when creating 50-60 interfaces, as it could not be scripted. As of now, with the 307 or 309 (I can't remember), we are at least able to just create the interfaces on the security group itself, and then this gets auto-populated to the orchestrators. That was a nice fix/feature.

Placing the Maestro solution into a legacy / old network, where you have 10-15-20 years of history with fixes and patches, special NAT, and maybe a bit messy network design, is a hard task. We got into major issues with the use of the MAGG interface and the rules/design concerning this, just as an example. Check Point does want the MAGG interface to pretty much be directly attached to at least the SMS, but it does not support routing/NAT, so if you have anything else there (let's say a RADIUS server or a VMware box) this stuff will get issues with its production traffic.

Just to say that I think planning/design is a big part of a Maestro solution. I see too many customers just thinking to do a copy/paste of the old setup, and this will bring them into issues for sure. Migrating from an old Check Point setup to Maestro should probably trigger at least a network design review, and in many cases a redesign.

Putting up the Maestro as a new solution in parallel to the "old", and then moving stuff over in batches, seems to be the best. But this is time consuming and also has a high cost, since you need to have two systems running and operated at the same time.

Alex_Shpilman
Collaborator

Hi @vinceneil666 ,

Can you please elaborate on the issues you have experienced? I am starting a project which involves a replacement of 30+ open servers with MHO-140 + 6600's, there are number of VPNs and NAT...

Thanks.

PhoneBoy
Admin

Remember that Maestro is merely an extension of the chassis, which has been around for several years already.
It certainly is more scalable than an Active/Active cluster.
You also get the benefit of simpler cabling and less “gateway objects” to manage (one per security group versus one per physical appliance).

PhoneBoy
Admin

It's also worth highlighting a couple of public reference customers on Maestro:

Anthony_Kahwati
Collaborator

Ah... I saw both of these videos when looking into this... definitely encouraging. I'm trying to convince the right people that it's worth the spend ("we have no budget for it"), especially as our new kit has already gone EOS and is in its EOL stage! I feel that it's difficult to justify not buying it, personally 🙂

Lari_Luoma
Ambassador

Maestro is Check Point's next generation clustering technology and in my opinion combines the best features of a regular cluster and the chassis. I have been working with the chassis since it came out almost 10 years ago and with Maestro for the last couple of years, and have been impressed by Maestro's capabilities. It's much easier to install and handle than the chassis and also has a bunch of new features coming in R81.10 and beyond, like mix-and-match appliances and dynamic scalability. Maestro can run up to eight security groups in security gateway or VSX mode and is definitely worth considering when you are refreshing or consolidating your security devices next time.

Check Point Professional Services has been involved in most Maestro projects since day one. If you need any more info, drop me a mail.

Kim_Moberg
Advisor

I am running Maestro based on a single site with two MHOs.

Most of my issues were due to misunderstanding and misconfiguration.
E.g. our ISP uses BGP and places two separate routers, and they end with a normal copper cable.

How do you get this to work when you have two Orchestrators that need to have uplink and failover features?
We had to build an MLAG, because the Orchestrators only use the sync for synchronizing the configuration and do not work as a cluster with VIP addresses.

So now this part is working and I have redundancy on both the Orchestrator and internet out.

My best recommendation, if you are considering implementing and deploying the Maestro Hyperscale Cluster:
Coordinate with your local Check Point team to order 1-2 days of Professional Services and let them configure the setup.
I know this goes against a real technician's heart of understanding and configuring and getting your hands dirty, but it was worth all the money.
Secondly, team up with your network team and make sure everyone understands how the orchestrators and the Maestro setup work - load sharing etc.
Third, sign up for the Maestro Expert course and watch the jumpstart videos from Check Point.

I believe this is the way to go and you will succeed.

We are running R81 and from a new installation it seems quite stable.

Best Regards
Kim