Typical Check Point Maestro Project

Evgeniy_Olkov · ‎2020-03-23

Hi. Just decided to share our typical Maestro project. Here you can see the topology. I hope it will help someone to create their own project or just for better understanding how Maestro works.

L1 scheme:

L2 shceme:

L3 scheme:

If you have any question feel free to ask.

MikeB · ‎2020-04-30

Hi Evgeniy, thank you for this valuable information.

You know how it would be a topology with two sites and a single MHO in each? and if the deployment with 3 MHO is supported? (2 in one site and just 1 in the other site)

Evgeniy_Olkov · ‎2020-05-01

Hi! Thanks for the feedback!
Unfortunately, I don't have the dual site topology. But I know for sure, that it should be symmetrical (1 and 1 or 2 and 2).

Maarten_Sjouw · ‎2020-05-02

Dual site with 3 MHO's is not supported at all. The dual site situation is setup with either 1 MHO on each site or 2 on each site. For the Dual site to work you need to duplicate the drawing and make sure all VLAN's are stretched over to the other location. On top of that you need to create portchannels/bonding groups for all ports used in the dual MHO setups, single site-dual MHO or dual site-dual MHO.

Regards, Maarten

Sherif · ‎2020-11-28

Hi Evgeniy,

thank you for sharing your topology design and the outstanding diagrams!

In this topology is the Maestro being used to inspect east-west traffic (between local vlans) in addition to north-south traffic (to/from internet)? - or is it used only for north-south traffic inspection ?

If the Maestro is used to inspect east-west traffic, are the local vlans gateways on the core-switch or are they (moved) onto the Maestro (security appliances) ?

Cheers,

Sherif

Bob_Zimmerman · ‎2020-11-29

I must have missed this when it was originally posted. Very interesting!

Is the sync between the Maestro boxes directly connected? I know with firewalls this is a very bad idea. Firewall sync should go through a switch to avoid problems when rebooting one of the members (when they're directly connected and you reboot member A, member B sees its interface go down, and has to go into contention to see if its peer failed or it failed; a failure in contention can cause B to refuse to take over). How do the Maestro boxes handle that?

Darren_Phang · ‎2020-11-29

Hi Evgeniy,

Nice diagram. Relatively easy to understand and interpret your diagram. Could you please share what tools you are using to draw this network diagram?

Regards,

Darren

Outis · ‎2023-06-08

Hi Evgeniy,

I have used this topology with VSX, and I have issues with connection between security group (SG) with VSX. I have config one VSX for management zone (include SG management and others management devices), and all devices have default gateway is IP of VSX. All devices on management zone could ping and connect but only IP of SG couldn't ping or connect to IP of VSX. I have show arp on SG and see mac address of VSX but on I don't see mac address of SG on VSX.

_Val_ · ‎2023-06-09

@Outis, this is a very old post. I suggest you to open a new discussion and ask community for help