This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
kamilazat
Advisor
‎2025-02-07 05:19 AM
Jump to solution

Mixing not supported appliance combinations on different security groups or sites

Hi all,

sk162373 lists the 'certified' supported combinations of gateway in a security group. So does this mean that I can, for example, put 16600s on site 1, and 6700s on site 2 in a dual site setting? What about security groups on a dual room setup (active-active)?

 

Cheers! 

0 Kudos
1 Solution

Accepted Solutions
emmap
Employee
Employee
‎2025-02-09 09:13 PM
Jump to solution

If you have a dual-site security group, the mix and match limitations apply to the whole security group. A dual room setup is just a normal single site security group with longer downlink cables, so same same. 

Mix and match only applies per security group. So your SG1 can have different appliances than SG2, no restrictions there.

View solution in original post

8 Replies
emmap
Employee
Employee
‎2025-02-09 09:13 PM
Jump to solution

If you have a dual-site security group, the mix and match limitations apply to the whole security group. A dual room setup is just a normal single site security group with longer downlink cables, so same same. 

Mix and match only applies per security group. So your SG1 can have different appliances than SG2, no restrictions there.

Wolfgang
Authority
Authority
‎2025-02-09 09:47 PM
Jump to solution

Don't forget the following for migration scenario only...........

"Quantum Maestro supports all other combinations for migration purposes. For example, suppose you would like to replace a 6500 Security Appliance model with a 16200 Security Appliance model: In this scenario, you can include the two Security Appliance models in the same Security Group, allow it to clone the configuration to the 16200 Security Appliance model, remove the 6500 Security Appliance model, and continue to work with the 16200 Security Appliance model only. This migration procedure should include CXL / SND cores configuration and adjustment on new Security Appliances models, which requires downtime because of the reboot. As a result, you must do the migration during a maintenance window."

0 Kudos
Martijn
Advisor
Advisor
‎2025-02-11 05:28 AM
In response to Wolfgang
Jump to solution

Wolfgang,

The article mentions a migration procedure that needs to be followed including CXL/SND configuration. Where can I find such a procedure?

Have to replace 6800 appliances in a Maestro set with 9700 appliances. Only supported for migration, but what is the best approach?

Regards,
Martijn

0 Kudos
Wolfgang
Authority
Authority
‎2025-02-11 07:12 AM
In response to Martijn
Jump to solution

@Martijn if you are happy with the settings on your 6800 use the same on your new appliances. With R81.20 you should enable dynamic balancing (default configuration => enabled), but "PRHF-37532" a known bug we felt in as a result of the specific network traffic of thei Maestro environment.

"Each time the core split is modified by the dynamic split, it invokes mq_mng -o to update a temporary file. A bug in this process can result in potential high CPU usage on the SGM, leading to traffic interruptions."

A private hotfix is available to solve this problem. We moved from 16600 appliances to 9700 and set 4 cores as SNDs and we are not using dynamic_balancing. We did not used the private hotfix because we don't like private hotfixes in Maestro environments (to much problems with updates).

We have other environments with dynamic_balancing enabling which are working fine, but they have to handle different network traffic.

0 Kudos
Martijn
Advisor
Advisor
a week ago
In response to Wolfgang
Jump to solution

Hi Wolfgang,

Do you know if Dynamic Balancing is enabled when upgrading to R81.20? My lab setup (6500) was upgraded from R81.10 to R81.20 and I see Dynamic Balancing is on. Did not enable it myself.

If Dynamic Balancing is enabled on the customers 6800 after upgrading to R81.20, can I add the 9700 appliances without major issues, or is downtime expected.

Martijn

0 Kudos
Wolfgang
Authority
Authority
a week ago
In response to Martijn
Jump to solution

@Martijn dynamic_balancing is on by default with R81.20. I believe you can add the new appliances without any issue to the SG with the 6800s. That's a really great benefit of MAESTRO, adding new hardware without any disruption. Add the appliance to the SG, wait some time.... voila everything is fine and you got more power for the SG.

0 Kudos
Martijn
Advisor
Advisor
a week ago
In response to Wolfgang
Jump to solution

@Wolfgang What's your advice on removing the old hardware. Right away (loosing the roll-back option) or keep them running for some hours/days?

I know the combination is only supported for migrations, but having a roll-back scenario would be nice.

0 Kudos
Wolfgang
Authority
Authority
Monday
In response to Martijn
Jump to solution

@Martijn we did a clusterXL_admin down for the older appliances 2 hours right  after adding all new appliances and no errors seen. After a week without any problems we removed the old appliances from the SG.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events