Evgeniy_Olkov
Collaborator

Typical Check Point Maestro Project

Hi. I just decided to share our typical Maestro project. Here you can see the topology. I hope it will help someone to create their own project or just give a better understanding of how Maestro works.

L1 scheme:

L1.png

L2 scheme:

L2.png

L3 scheme:

L3.png

If you have any questions, feel free to ask.

8 Replies
MikeB
Advisor

Hi Evgeniy, thank you for this valuable information.

Do you know how a topology with two sites and a single MHO in each would look? And is a deployment with 3 MHOs supported (2 in one site and just 1 in the other site)?
0 Kudos
Evgeniy_Olkov
Collaborator

Hi! Thanks for the feedback!
Unfortunately, I don't have the dual-site topology. But I know for sure that it should be symmetrical (1 and 1, or 2 and 2).
Maarten_Sjouw
Champion

Dual site with 3 MHOs is not supported at all. The dual-site situation is set up with either 1 MHO on each site or 2 on each site. For dual site to work you need to duplicate the drawing and make sure all VLANs are stretched over to the other location. On top of that you need to create port channels/bonding groups for all ports used in the dual-MHO setups, whether single-site dual-MHO or dual-site dual-MHO.
Regards, Maarten
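The constraints Maarten lists in his reply (a dual site must be 1+1 or 2+2 MHOs, never 3; every VLAN must be present at both sites; any dual-MHO layout must have all used ports in a bond/port channel) are the kind of thing worth checking against a design document before ordering hardware. The script below is an added example, not code from the original post or from Check Point: the `Site` data model, the `check_topology` rules and the sample layouts are assumptions made for illustration and simply encode what the reply states.

```python
"""Pre-deployment sanity check for a Maestro MHO/site layout.

Encodes the constraints stated in the thread: a dual-site deployment needs
the same number of MHOs on each site (1+1 or 2+2, never 3 in total), every
VLAN used by the security groups must be stretched to both sites, and any
dual-MHO layout (single-site or dual-site) must put every used port into a
bond/port channel. The data model (sites, MHO counts, VLAN sets, port->bond
map) is an assumption made for this example, not a Check Point format.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    mho_count: int
    vlans: set[int]                                # VLAN IDs present at this site
    ports: dict[str, str | None] = field(default_factory=dict)
    # port name -> bond/port-channel name, or None when the port is not bonded


def check_topology(sites: list[Site], required_vlans: set[int]) -> list[str]:
    """Return human-readable violations; an empty list means the layout passes."""
    problems: list[str] = []
    if not 1 <= len(sites) <= 2:
        problems.append(f"expected 1 or 2 sites, got {len(sites)}")
        return problems

    # Each site carries either one or two MHOs.
    for s in sites:
        if s.mho_count not in (1, 2):
            problems.append(f"site {s.name}: {s.mho_count} MHOs; each site needs 1 or 2")

    if len(sites) == 2:
        a, b = sites
        # Dual site must be symmetrical: 1+1 or 2+2 (so 3 in total is impossible).
        if a.mho_count != b.mho_count:
            problems.append(
                f"dual site must be symmetrical (1+1 or 2+2), got "
                f"{a.name}={a.mho_count}, {b.name}={b.mho_count}"
            )
        # Every VLAN has to be stretched to the other location.
        for s in sites:
            missing = sorted(required_vlans - s.vlans)
            if missing:
                problems.append(f"site {s.name}: VLANs not stretched: {missing}")

    # Any layout with a dual-MHO site (single- or dual-site) needs every used
    # port in a bond/port channel.
    if any(s.mho_count == 2 for s in sites):
        for s in sites:
            unbonded = sorted(p for p, bond in s.ports.items() if bond is None)
            if unbonded:
                problems.append(f"site {s.name}: ports not in a bond: {unbonded}")
    return problems


REQUIRED_VLANS = {10, 20, 30}   # constructed: VLANs the security groups use


def build_examples() -> dict[str, list[Site]]:
    """Constructed sample layouts (not taken from the original post)."""
    bonded = {"eth1-01": "bond1", "eth1-02": "bond1",
              "eth1-03": "bond2", "eth1-04": "bond2"}
    return {
        "dual_site_2+2": [
            Site("DC-A", 2, {10, 20, 30}, dict(bonded)),
            Site("DC-B", 2, {10, 20, 30}, dict(bonded)),
        ],
        "dual_site_2+1": [                       # the unsupported 3-MHO case
            Site("DC-A", 2, {10, 20, 30}, dict(bonded)),
            Site("DC-B", 1, {10, 20, 30}, {"eth1-01": None}),
        ],
        "vlan_not_stretched": [
            Site("DC-A", 1, {10, 20, 30}, {"eth1-01": None}),
            Site("DC-B", 1, {10, 20}, {"eth1-01": None}),
        ],
        "single_site_dual_mho_unbonded": [
            Site("DC-A", 2, {10, 20, 30}, {"eth1-01": "bond1", "eth1-02": None}),
        ],
    }


if __name__ == "__main__":
    for name, layout in build_examples().items():
        print(f"{name}: {check_topology(layout, REQUIRED_VLANS) or 'OK'}")
```

Only the 2+2 layout passes; the 2+1 layout is rejected both for asymmetry and for the unbonded port on the single-MHO site, which mirrors the two separate requirements in the reply.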
Sherif
Explorer

Hi Evgeniy,

thank you for sharing your topology design and the outstanding diagrams!

In this topology, is the Maestro being used to inspect east-west traffic (between local VLANs) in addition to north-south traffic (to/from the internet), or is it used only for north-south traffic inspection?

If the Maestro is used to inspect east-west traffic, are the local VLAN gateways on the core switch, or are they (moved) onto the Maestro (security appliances)?

Cheers,

Sherif

0 Kudos
Bob_Zimmerman
Authority

I must have missed this when it was originally posted. Very interesting!

Is the sync between the Maestro boxes directly connected? I know with firewalls this is a very bad idea. Firewall sync should go through a switch to avoid problems when rebooting one of the members (when they're directly connected and you reboot member A, member B sees its interface go down, and has to go into contention to see if its peer failed or it failed; a failure in contention can cause B to refuse to take over). How do the Maestro boxes handle that?

0 Kudos
Darren_Phang
Participant

Hi Evgeniy,

Nice diagram. It is relatively easy to understand and interpret. Could you please share what tools you are using to draw this network diagram?

Regards,

Darren

0 Kudos
Outis
Explorer

Hi Evgeniy, 

I have used this topology with VSX, and I have issues with the connection between the security group (SG) and VSX. I have configured one VSX for the management zone (including SG management and other management devices), and all devices have the IP of the VSX as their default gateway. All devices in the management zone can ping and connect, but only the IP of the SG can't ping or connect to the IP of the VSX. I have run show arp on the SG and see the MAC address of the VSX, but I don't see the MAC address of the SG on the VSX.

0 Kudos
_Val_
Admin

@Outis, this is a very old post. I suggest you open a new discussion and ask the community for help.

0 Kudos