Hello,
I'm starting to build a dual-site, dual-MHO infrastructure and I need some tips.
I want to configure a cross-site SG, but I don't understand how to configure the management port for it.
In a single-site, dual-MHO setup, the documentation (Maestro basic setup) explains how to create an active/standby bond using port 1 of both MHOs. In this scenario, I have redundancy to access the SMO.
But how do I set it up in a cross-site SG? Do I need to use port 1 of both MHOs of the second site too? So I have 4 ports in this bond?
Regards
M
Hello,
Setup is the same. On the second site you need to attach the corresponding mgmt ports (the same as in site 1). Physical connections should be mirrored between sites.
So the configuration prompt uses two interfaces in the magg (from a site perspective), but in reality it consists of 4 ports (one Mgmt per MHO).
BR
Daniel.
Hi Daniel,
If I understand correctly, the magg0 configuration (made with eth1-Mgmt1 and eth2-Mgmt1) is for the Security Gateway, so I don't need to do anything on the MHOs (both sites).
When does the magg0 of site2 start to work? In which case?
One more thing: if I install VSX on this SG and, with VSLS, balance some VSs on site1 and some other VSs on site2, when I access the IP assigned to the SG, which magg0 do I use? Site1 or Site2?
And if I want to create a second SG on site1 only, with another IP, may I create another magg (like magg1) or can I use the same one?
How do I see this from the SG perspective?
Regards
Yes, magg0 as the management bond is relevant for the Security Group. As a particular SecGrp exists on both sites and port connections are the same on both sites, you are adding / using the same interfaces for both sites.
Mgmt IP is used by SMO Master SGM on active site. You can think about two cases:
- regular Security Group - SMO Master (lowest SGM ID in active site) from active site is using magg0 IP for communication
- VSX Security Group - then it represents magg0 IP for VS0 on active site. No matter if you are using VSX HA or VSLS, there is one site, where SMO Master SGM is active for VS0.
When you create another Security Group, you can create another magg (new interfaces) or share the same magg (create a magg with the Mgmt interfaces used by the first SecGrp) with a different IP address.
BR
Daniel.
Very helpful Daniel,
How do I find on which site VSX VS0 is active in the case of a cross-site SG?
And for other SGs, if I create a new magg, do I have to name it magg0, magg1, magg2 and so on?
M
It should be enough to use this cmd from SecGrp bash: asg stat vs all
No, each SecGrp is isolated from each other so on each you can configure magg0.
BR
Daniel
Many thanks for your support Daniel
Regards
M
No problem and Good luck with implementation!
BR
Daniel.