SriniKrish
Collaborator

Maestro queries

Hi Guys,

I have a few queries on Maestro, more from a knowledge and exam perspective.  I have sat for the CP official course for Maestro and also have done a deployment with VSX. But in the exam I came across content that wasn't covered in the Maestro lab nor in the courseware. I also checked the admin guide and our forum but not many indicators.

Could you please address the below?

1. Do we have any documentation on Layer 4 distribution, what factors affect it, and when it should be turned on/off?  For example, do NAT or OSPF have any effect on it?

2. On the correction layer for asymmetric routes, where is the owner information stored? Is it only in the owner SGM's connection table, or is there a reference on every other SGM in the SG? The documentation states the correction layer will forward to the right SGM, but there is no mention of where it's stored.

3. Can you share some commands on the correction layer to see its utilization, and is there a concern at any utilization level? I did run asg_blade_stat corr but it shows only packet count info.

Appreciate any insights or documentation on the same, as I couldn't find any in the lab, courseware or admin guides.

Thank you!

regards

Srini


4 Replies
Timothy_Hall
Legend

You probably took the R80.20SP version of the Maestro course which was quite outdated and lacking in detail.  The R81.10 version of the Check Point Certified Maestro Expert course answers all your questions. I cannot post excerpts from the course material as I do not own the rights to do so.  But to answer your specific queries in a general fashion:

1) In most cases Layer 4 distribution should be turned off in Maestro even though it is on by default.  Layer 4 distribution will interfere with UserChecks and the Identity Awareness Captive Portal.  There are some situations described in the courseware that will cause a dramatic imbalance between SGMs of the same Security Group if L4 distribution is disabled, and only in those cases should Layer 4 distribution be enabled.

2)  IP routing has nothing to do with Maestro distribution.  Maestro uses prediction to ensure that the information about connections is only sync'ed to the members that need it via a process called Hypersync; this avoids the 5 cluster member limit for the original ClusterXL Load Sharing.  Basically in Maestro the original connection owner SGM determines where the forward path (c2s) for the connection would go as determined by the Maestro Hyperscale Orchestrator (MHO) if that SGM were to fail, and only syncs the connection to that one backup member.  The connection owner also determines where the return path of traffic (s2c) will go as determined by the MHO, and syncs only that member with that connection.  That subsequent member then determines which SGM would receive the s2c flow if it were to then fail, and only syncs that member.

3) cphaprob corr will show you correction statistics.  The correction process is quite efficient, and even a correction rate of up to 100% is not necessarily cause for concern, as the correction rate is heavily influenced by the presence of NAT and VPNs.

The R81.10 version of the CCME exam has been updated to sync with the new courseware; it is possible you took the R81.10 version of the exam after attending the R80.20SP version of the course, which would be a problem as the R81.10 version of CCME was heavily revamped.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
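The prediction-based sync in point 2 is easier to see as a small model. The block below is an added illustration, not Check Point code: the real MHO distribution function is not published on this page, so the SHA-256 hash over the flow tuple is an assumed stand-in, and the member names and flows are constructed. It walks the four steps from the reply (owner, c2s backup, s2c member, s2c backup) and shows that a connection is held by at most four SGMs no matter how large the Security Group is, which is the point about escaping the old five-member limit. It also models the Layer 4 distribution switch from point 1: with ports excluded from the hash, every connection between one host pair lands on a single SGM.

```python
"""Model of the Hypersync prediction steps described in the reply above.

Added illustration only: this is not Check Point code, and the real MHO
distribution function is not published here. The hashing below is an
ASSUMPTION standing in for the orchestrator's decision.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int

    def reverse(self) -> "Flow":
        """Server-to-client (s2c) direction of the same connection."""
        return Flow(self.dst, self.src, self.dport, self.sport, self.proto)


def distribute(flow: Flow, members: List[str],
               excluded: FrozenSet[str] = frozenset(),
               layer4: bool = False) -> str:
    """Assumed stand-in for the MHO: hash a flow onto one SGM.

    layer4=False hashes addresses and protocol only; layer4=True also
    hashes the ports (the page's Layer 4 distribution). `excluded`
    models SGMs that have failed, so the result is the failover target.
    """
    alive = [m for m in members if m not in excluded]
    if not alive:
        raise RuntimeError("no SGM available")
    key = f"{flow.src}|{flow.dst}|{flow.proto}"
    if layer4:
        key += f"|{flow.sport}|{flow.dport}"
    digest = int(hashlib.sha256(key.encode()).hexdigest(), 16)
    return alive[digest % len(alive)]


def sync_targets(flow: Flow, members: List[str],
                 layer4: bool = False) -> Dict[str, str]:
    """SGMs holding a copy of the connection, following the reply's steps:

    1. owner:      SGM the c2s packet is distributed to.
    2. c2s_backup: where c2s would go if the owner failed; owner syncs only there.
    3. s2c_member: where the return path is distributed; owner syncs only there.
    4. s2c_backup: where s2c would go if s2c_member failed; it syncs only there.
    """
    owner = distribute(flow, members, layer4=layer4)
    c2s_backup = distribute(flow, members, frozenset({owner}), layer4)
    s2c_member = distribute(flow.reverse(), members, layer4=layer4)
    s2c_backup = distribute(flow.reverse(), members, frozenset({s2c_member}), layer4)
    return {"owner": owner, "c2s_backup": c2s_backup,
            "s2c_member": s2c_member, "s2c_backup": s2c_backup}


def max_copies(flows: Iterable[Flow], members: List[str],
               layer4: bool = False) -> int:
    """Largest number of distinct SGMs holding any one connection."""
    return max(len(set(sync_targets(f, members, layer4).values())) for f in flows)


def l4_spread(src: str, dst: str, members: List[str],
              nports: int, layer4: bool) -> int:
    """How many SGMs own connections between one host pair when only the
    source port varies (the imbalance case Layer 4 distribution changes)."""
    owners = {distribute(Flow(src, dst, 1024 + p, 443, 6), members, layer4=layer4)
              for p in range(nports)}
    return len(owners)


# Constructed sample: a 16-member Security Group and a handful of flows.
MEMBERS = [f"SGM{i}" for i in range(1, 17)]
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 40000 + i, 443, 6) for i in range(50)
] + [Flow("10.0.1.7", "198.51.100.3", 53000, 53, 17)]

if __name__ == "__main__":
    print("copies per connection (16 SGMs):", max_copies(SAMPLE_FLOWS, MEMBERS))
    print("L4 off, owners for one host pair:", l4_spread("10.0.0.5", "192.0.2.10", MEMBERS, 1000, False))
    print("L4 on,  owners for one host pair:", l4_spread("10.0.0.5", "192.0.2.10", MEMBERS, 1000, True))
```

Run it directly to see that the number of copies stays at four or fewer with sixteen members, whereas a full-mesh sync would need sixteen, and that one chatty host pair pins to a single SGM with Layer 4 distribution off. The model says nothing about which hash the MHO actually uses; it only reproduces the sync fan-out structure the reply describes.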
SriniKrish
Collaborator

Hi Tim,

Thank you so much for your response and much appreciated.

Yes, I went through R80.20, and no wonder the contents were completely off in the exam.

That being said, I still expect the content around the topic to be available in the Admin Guide for R81.10. If anyone wants to do CCSE, and they have hands-on experience and access to the Admin Guide, they could cover everything, but that doesn't seem to be the case with Maestro without the courseware.

Also, in spite of having deployment experience, the course content was way off. Anyway, I'd appreciate any documents from a knowledge perspective. I have access to a Maestro environment in prod, and if I have documentation I don't mind putting in the hours.

cheers

Srini

Timothy_Hall
Legend

There is plenty of content available for Maestro, namely:

SKs (270)
CheckMates threads (300)
Maestro slide decks (15)
All official documentation - 1000 pages
- Maestro Admin Guide R81.10
- Maestro Getting Started
- Old Maestro R80.20SP Courseware and Labs 3.0

All of this content was brought together by a single expert for the CCME R81.10 class which also includes some original content not available elsewhere.  If you can't attend the updated CCME R81.10 class (which also had its labs revamped to maximize student participation with limited hardware) I'd strongly suggest acquiring the CCME R81.10 courseware, part number is CPTS-DOC-CCME-R81.1-EKIT.  Cost is $400 USD.

SriniKrish
Collaborator

Thanks for the update.

I did go through the R81.10 admin guide and I don't see any reference to the correction table and its dependencies, apart from how it solves asymmetric routing when NAT is in play, which is covered in R80.20 as well.

Unlike CCSE, which is an established course with content readily available, there is less dependency on the courseware. In fact, I've done CCSE from R71 till the current version with no need to refer to the courseware. But Maestro being niche, I expected the documentation to reflect most of the content. Anyway, I will contact my local CP reps to see if there are any CP partner discounts or access to the content. I have access to the environment, so hands-on is not a challenge.

Thank you!

Regards

Srini