I know that one of the SGMs gets the SMO role. I remember this is related to the port number used for downlinks. I searched through the knowledgebase and community but I'm not able to find such information.
Can anyone give me a hint to the documentation on how the process works that decides which SGM gets the SMO role?
First SGM gets SMO master role, communicates with Management and shares the security policy and all configuration to the other active SGMs via CCP.
# asg_blade_config get_smo_ip
# grep '192.0.2.1 ' /etc/hosts
# echo $CPHA_SMO
# asg stat -i tasks
From Check Point AI Copilot:
In Check Point Maestro, the Single Management Object (SMO) is a technology that manages the Security Group as one large Security Gateway with one management IP address. The Active Security Group Member with the lowest ID number is automatically assigned to be the SMO.
To verify which Security Group Member is elected as the SMO, you can use the following command:
asg stat -i tasks
This command will display the distribution of tasks among the Security Group Members, including the SMO task.
[Expert@HostName-ch0x-0x:0]# asg stat -i tasks
--------------------------------------------------------------------------------
| Task (Task ID) | Chassis 1 |
--------------------------------------------------------------------------------
| SMO (0) | 1(local) |
| General (1) | 1(local) |
| LACP (2) | 1(local) |
| CH Monitor (3) | 1(local) |
| DR Manager (4) | 1(local) |
| UIPC (5) | 1(local) |
| Alert (6) | 1(local) |
--------------------------------------------------------------------------------
[Expert@HostName-ch0x-0x:0]#
In this example, the SMO task runs on Security Group Member #1, as indicated by the string "(local)".
[Expert@HostName-ch0x-0x:0]# asg stat -i tasks
--------------------------------------------------------------------------------
| Task (Task ID) | Chassis 2 |
--------------------------------------------------------------------------------
| SMO (0) | 3(local) |
| General (1) | 3(local) |
| LACP (2) | 3(local) |
| CH Monitor (3) | 3(local) |
| DR Manager (4) | 3(local) |
| UIPC (5) | 3(local) |
| Alert (6) | 3(local) |
--------------------------------------------------------------------------------
[Expert@HostName-ch0x-0x:0]#
In this example, the SMO task runs on Security Group Member #3, as indicated by the string "(local)".
Thanks @Danny for the detailed explanations. We want to add a new SGM to an existing SG. But we have to use a downlink port with a lower port number than the one already used. I think the SMO role should stay on the same SGM, but we want to be sure.
I remember someone posted here that the SMO role building process has something to do with the port numbers, that's why I'm a little bit confused.
It has nothing to do with port numbers, it's purely based on SGM IDs, which are simply allocated in order of SGMs being added to the group. So adding a new appliance won't change which one the SMO is, unless you don't already have an SGM 1_1.
And even if that were the case, the new one wouldn't assume SMO role until after it has synchronised everything and become active, so there's still no impact to it.
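To confirm this on a live Security Group, the SMO holder can be read from `asg stat -i tasks` captures taken before and after the new SGM is added. The script below is an added example, not part of the thread and not Check Point code. It assumes the single-column table layout shown above, and the function names and capture files are hypothetical.

```bash
#!/bin/bash
# Added example (not Check Point code). Parses `asg stat -i tasks` output in
# the single-column layout shown in this thread.

# Print "<chassis> <member>" for the SMO (0) row read from stdin, e.g. "1 1".
# Exit status 1 if the table has no SMO row.
smo_holder() {
    awk -F'|' '
        $2 ~ /Task \(Task ID\)/ {        # header: | Task (Task ID) | Chassis 1 |
            chassis = $3
            gsub(/[^0-9]/, "", chassis)
        }
        $2 ~ /^[ \t]*SMO \(0\)/ {        # row:    | SMO (0) | 1(local) |
            member = $3
            sub(/\(.*/, "", member)      # drop the "(local)" marker
            gsub(/[ \t]/, "", member)
            found = 1
        }
        END {
            if (!found || member == "") exit 1
            print chassis, member
        }'
}

# smo_unchanged BEFORE AFTER: compare two saved captures (hypothetical file
# names chosen by the operator). 0 = same holder, 1 = changed, 2 = parse error.
smo_unchanged() {
    local before after
    before=$(smo_holder < "$1") || return 2
    after=$(smo_holder < "$2") || return 2
    [ "$before" = "$after" ]
}

# Sample input: first lines of the first table posted in this thread.
sample_table() {
    cat <<'EOF'
[Expert@HostName-ch0x-0x:0]# asg stat -i tasks
| Task (Task ID) | Chassis 1 |
| SMO (0) | 1(local) |
| General (1) | 1(local) |
EOF
}

sample_table | smo_holder    # prints: 1 1
```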