This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
kamilazat
Advisor
Friday
Jump to solution

Mixing not supported appliance combinations on different security groups or sites

Hi all,

sk162373 lists the 'certified' supported combinations of gateway in a security group. So does this mean that I can, for example, put 16600s on site 1, and 6700s on site 2 in a dual site setting? What about security groups on a dual room setup (active-active)?

 

Cheers! 

0 Kudos
1 Solution

Accepted Solutions
emmap
Employee
Employee
Sunday
Jump to solution

If you have a dual-site security group, the mix and match limitations apply to the whole security group. A dual room setup is just a normal single site security group with longer downlink cables, so same same. 

Mix and match only applies per security group. So your SG1 can have different appliances than SG2, no restrictions there.

View solution in original post

4 Replies
emmap
Employee
Employee
Sunday
Jump to solution

If you have a dual-site security group, the mix and match limitations apply to the whole security group. A dual room setup is just a normal single site security group with longer downlink cables, so same same. 

Mix and match only applies per security group. So your SG1 can have different appliances than SG2, no restrictions there.

Wolfgang
Authority
Authority
Sunday
Jump to solution

Don't forget the following for migration scenario only...........

"Quantum Maestro supports all other combinations for migration purposes. For example, suppose you would like to replace a 6500 Security Appliance model with a 16200 Security Appliance model: In this scenario, you can include the two Security Appliance models in the same Security Group, allow it to clone the configuration to the 16200 Security Appliance model, remove the 6500 Security Appliance model, and continue to work with the 16200 Security Appliance model only. This migration procedure should include CXL / SND cores configuration and adjustment on new Security Appliances models, which requires downtime because of the reboot. As a result, you must do the migration during a maintenance window."

0 Kudos
Martijn
Advisor
Advisor
yesterday
In response to Wolfgang
Jump to solution

Wolfgang,

The article mentions a migration procedure that needs to be followed including CXL/SND configuration. Where can I find such a procedure?

Have to replace 6800 appliances in a Maestro set with 9700 appliances. Only supported for migration, but what is the best approach?

Regards,
Martijn

0 Kudos
Wolfgang
Authority
Authority
yesterday
In response to Martijn
Jump to solution

@Martijn if you are happy with the settings on your 6800 use the same on your new appliances. With R81.20 you should enable dynamic balancing (default configuration => enabled), but "PRHF-37532" a known bug we felt in as a result of the specific network traffic of thei Maestro environment.

"Each time the core split is modified by the dynamic split, it invokes mq_mng -o to update a temporary file. A bug in this process can result in potential high CPU usage on the SGM, leading to traffic interruptions."

A private hotfix is available to solve this problem. We moved from 16600 appliances to 9700 and set 4 cores as SNDs and we are not using dynamic_balancing. We did not used the private hotfix because we don't like private hotfixes in Maestro environments (to much problems with updates).

We have other environments with dynamic_balancing enabling which are working fine, but they have to handle different network traffic.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events