Maestro basic setup documentation

Maarten_Sjouw · ‎2019-12-10

Hey guys,

I've been playing around with some Maestro units and a number of gateways. I have been running into a number of problems that caused me to document all the actions that I needed to do for a specific type of installation, the document is about 3 different scenario's:

Single site dual Maestro
Dual site single Maestro
Dual Site dual Maestro

Please check out the document and let me know what you think about it, also if you see things that you don't understand or know that should be different, please let me know.

Updated the document to v1.0, 16 dec 2019.

Updated the document to v1.2, 26 Feb. 2020. Added bonding.

Updated the document to v1.3, 03 Mar. 2020. updated some parts and added commands.

Updated the document to v1.5, 17 Mar. 2020. updated some parts and added commands after training.

Updated the document to v1.6, 25 May 2020. Update regarding HA licenses

Regards, Maarten

FedericoMeiners · ‎2019-12-10

Maarten,
Thank you so much for the document, so far there's a lack of documentation regarding Maestro. This will sure come handy in my upcoming deployments 🙂

____________
https://www.linkedin.com/in/federicomeiners/

Anatoly · ‎2019-12-10

Hi,

I have a few comments and corrections here:

1. Console connection are needed to ALL devices - nice to have, but not must. You can "jump" in between devices using CIN network 198.51.0.0 (or using m command)

2. You also need a 10Gb switch for connecting all Mgmt ports - I guess here we're talking about MHO-140. MHO-140 supports 1Gbps transceivers as well (copper and fiber), so it's not necessary to use 10Gbps switch. With MHO-170 you can use 40Gbps, 100Gbps or 4x10Gbps as well

3. I would not say that the best practice is to use single orchestrator, and then to join second one (actually to move to dual orchestrator environment). If you need dual orchestrator - do it from the beginning, including proper cabling

4. I would not mention take number of JHF. Today it is 178, tomorrow it will be something else. You can mention just GA version of JHF

5. Upgrade to JHF on MHO from WebUI would be much more easier. Not clear why should we do it from command line. However, JHF installation on Security Group is not supported via WebUI, hence we have to do it via gclish

6. Dual site - I'm not sure, the best practice is to glue two separate single-site setups. If you have security groups on both sites before you connect them, one of them will be overwritten.

Please feel free to contact me offline at anatoly@checkpoint.com and I will be happy help you with finalizing this documentation.

Maarten_Sjouw · ‎2019-12-10

Anatoli, thanks for the comments, let me give you my remarks on some of them.
1. I have found serial/USB console during the setups I was working on, to be really invaluable, on top of that the documentation was written from our perspective and staging setup. When you have a non MHO gateway you will need to run the installation from USB anyway, hence a need for console.
2 If you want to connect any test equipment on any network it is just easier if you can connect to a 10GB equiped switch, so it is easier when you have one available.
3 I have been running clean setup at least 10 times now trying different methods and found this to be the easiest for troubleshooting issues.
4 Agree
5 This is true when you staging network is able to directly connect to the internet, next to that it sometimes can take a lot of time before CPUSE has loaded the available packages list.
6 The starting point is all clean machines, so no security groups, but on the first one.

PS in the multisite situation, when you want to jump to another member there is no possibility to jump to a gateway in another site, you can only address the Sec Grp and member.

Regards, Maarten

Anatoly · ‎2019-12-10

Hi Maarten,

I understand your arguments, but this is related to specific case.

Regarding 5 - you should download a package from the internet and upload it offline using "import" in web ui. it takes a seconds.

Regarding "PS in the multisite situation, when you want to jump to another member there is no possibility to jump to a gateway in another site, you can only address the Sec Grp and member." - not true.

You can do "m 1_2" - member 2 on 1st site or "m 2_5" - member 5 on 2nd site, for example

Thank you,

Anatoly

Maarten_Sjouw · ‎2019-12-10

Anatoli,
Regarding 5 its a matter of preference.'
On the other matter, from the MHO:
m 2_2
Move to member
Usage:
member <security_group_id> <member_id>
As I just added the site 2 gateways to the group I need to wait untill they are ready, but now I get this message:
IP address for member 2_2 is unavailable

Is there a way to show the configuration from the command line without cycling through all the different show commands separately?
Something like show configuration maestro?

Regards, Maarten

Anatoly · ‎2019-12-10

In order to use m 2_2 Security group must be dual-sited with JHF installed on it.

Can you see both sites using asg monitor?

Regarding show configuration - you can use "show maestro security-group" command

Anatoly · ‎2019-12-10

... and one more comment: in order to move in between sites, you have to do m 2_2 from the gclish of security group, not from the clish of the orchestrator

Maarten_Sjouw · ‎2019-12-10

Ok the m 2_2 works from members to other members, not from the MHO itself.
Other issue I ran into is the following, I found the Jumbo is not yet installed on the other sites' members and when I try to do that from the first member on site 1:
installer install 1 member_ids 2_1
Querying cluster members...
can't read "down_member_id": no such variable while executing
"writeLog $ping(LOG_ERROR) "[fn]" "The action cannot be performed on the following members due to unexpected state: $down_member_id.\n""
(procedure "verify_and_fix_member_ids_str" line 46)
invoked from within
"verify_and_fix_member_ids_str $ping(gclish_cmd) members_str"
(procedure "main" line 59)
invoked from within
"main $argv"
invoked from within
"if { [info exists argv0] && [info script] eq $argv0 } {
# Call function according to CLI args and Exit
return [main $argv]
}"
(file "/usr/lib/cli/tcl/cli_dawrapper.tcl" line 4438)

Regards, Maarten

Anatoly · ‎2019-12-10

I agree, it looks ugly. However, I suggest to do things in following order:

1. Install JHF on all orchestrators

2. Create security group with GWs from 1st site only

3. Install JHF on GWs from 1st site only

4. Enable dual-site on security group "set smo configuration site-amount 2"

5. Enable image-cloning "set smo image auto-clone state on"

6. Reboot all GWs on the first site

7, Via MHO add GWs from the 2nd site to this security group.

Then you don't need to install JHF on the 2nd site's GWs, because it will clone it automatically

Maarten_Sjouw · ‎2019-12-10

Sorry, I also though it would work this way but it did not, it did not copy the Jumbo along.

Regards, Maarten

Anatoly · ‎2019-12-10

Try this, it works, trust me 😉

Maarten_Sjouw · ‎2019-12-10

Trust me it did not, there is no other way than doing it this way, as you need the setting of multi site before you can add the second sites'members. And to be able to set that setting you need the JHF installed.

Regards, Maarten

Anatoly · ‎2019-12-10

Maarten,

You set dual site ONLY when members of site one are in the security group, after you install JHF on it.

You cannot add members from the second site to the security group before you enable dual-site on it.

That is what I'm actually saying.

After you enable dual-site on the security group that include only members from the first site and reboot them, you will be able to add members from the second site and install JHF on it (using auto-clone or manually).

If you still encounter any issue with this procedure, please open support ticket and we will be happy to do it with you.

Thanks

Anatoly

Maarten_Sjouw · ‎2019-12-10

Anatoly,
I have installed the JHF manually after the gateways were added, all I was asking more or less was how to install a jumbo on members of another site from gclish, did I use the right command or not?
The auto-clone just did not do the job.

Regards, Maarten

Anatoly · ‎2019-12-10

It's strange that auto-clone did not work. But yes, it looks like you used a right command.

In any case, please open support ticket on it and we will investigate it deeper.

Thank you,

Anatoly

Maarten_Sjouw · ‎2019-12-10

one last question, which IP to use for gateway licensing?
192.0.2.x or 198.51.101.x ?

Regards, Maarten

Anatoly · ‎2019-12-11

Please use 192.0.2.0

Ricki_S · ‎2019-12-13

Hi,

How can I create the bonding interface management security group, i create 1 SG.

When i want to create vsx gateway from 1 SG, is needed install jumbo hotfix? M170-2380.R80.20SP

Maarten_Sjouw · ‎2019-12-13

Ricki,
A bonding interface can be created once you create your security group, first of all make sure to install the lates GA Jumbo, them log in to the security group and create the bonding interface.
Just do not understand what you mean by the management in regards to the bonding?

Regards, Maarten

Anatoly · ‎2019-12-13

I can guess, Ricki meant MAGG bond. So, in order to create MAGG bond, you have to use dummy IP and then to change to real one. This procedure is described in documentation. Please beware, MAGG does not support LACP mode.

Anatoly

Ricki_S · ‎2019-12-13

Hi Anatoly,

I have try to this magg,

But not solved stack in gclish command, cannot use gclish command in gateway appliance.

Error is : you can't start interactive session from another interactive session

Anatoly · ‎2019-12-13

Looks like you entered to expert mode from gclish and trying to run gclish again from expert. If this is a case, please use exit instead in order to get back to gclish. Another option - just open another ssh session

Ricki_S · ‎2019-12-13

Hi maarten,

In the doc started guide said when connected 2 maestro sync is only needed one interface (port1 mgmt connect to management server) on maestro1. So I want to make two interface for connected to management server.

Anatoly · ‎2019-12-14

Dear Ricki and All,

In order to avoid any confusions, we strongly suggest to read and use official documentation.

The official documentation is published here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Any feedback on official documentation is welcome!

Anatoly

Maarten_Sjouw · ‎2019-12-14

Anatoly,
I'm really sorry but the problem with the official documentation is that it is to complicated.
Even the quick reference guide does not tel you in simple steps what you need to do.

As said before in this post, I have created this basic setup manual for our own use, but then I just wanted to share it.
It is a Work In progress document. So it will be updated.
Also Laslo told me why the cloning did not work, by default it is not turned on....

Regards, Maarten

shay_solomon · ‎2019-12-14

Hi,

With respect to Maestro doc complexity, I will appreciate if you can email me few points for which you believe we can simplify the doc.
shay_sol@checkpoint.com

10x

Shay

Shay Solomon | Director, Education Services & Gamification

+972-52-3769206 (IL)

+415-2513078 (US)

Tel Aviv, Israel | Irving, TX

Maarten_Sjouw · ‎2019-12-14

Shay,
I will do my best monday to get you some of my idea's, I currently have no easy way to put them next to each other and get my points across.

Regards, Maarten

shay_solomon · ‎2019-12-14

Thanks

Norbert_Bohusch · ‎2020-01-31

@cloning: And it is good that it is not turned on by default. It should only turned on during the setup and for adding new gateways later on. At any other time it should be off.
Because if you install a JHF on site2 and reboot and site2 comes back, than the gateways of site2 see the image off site1 as different and clone it back to old JHF state 😉