Dual Site with two Switches

Warning - When you connect the external synchronization ports of Orchestrators See "Maestro Orchestrator". on different Maestro Sites through switches (and not directly to each other), make sure your Layer 2 network between Orchestrators is secured.

Diagram

This example is for MHO-140.

Description

On each site, two Quantum Maestro Orchestrators A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO. are connected for redundancy:
- On each site, Port 48 on Quantum Maestro Orchestrators is for the internal synchronization.
- On each site, Port 47 on Quantum Maestro Orchestrators is for the external synchronization between sites.
  
  This Port 47 on Quantum Maestro Orchestrators connects to the Layer 2 Switch on the site.
  
  (Starting in R81.10, Port 56 is the external synchronization port.)
- On each site, each Security Appliance has an Expansion Line Card.
  
  Downlink ports Interfaces on the Quantum Maestro Orchestrator used to connect to Check Point Security Appliances. You use DAC cables, Fiber cables (with transceivers), or Breakout cables to connect between the Downlink ports and Security Appliances. The Check Point Management traffic (policy, logs, synchronization, and so on) co-exists with the data (user) traffic on the Downlink ports. Bandwidth is guaranteed for the Check Point Management traffic (portion of the downlink bandwidth). These ports form the system backplane (management, data plane, synchronization). on different Quantum Maestro Orchestrators connect to odd and to even ports on the Expansion Line Card.
Port 47 on the first Orchestrator on the first site (Orchestrator ID 1_1) connects to the Layer 2 Switch (to Port 1) on the first site.
Port 47 on the second Orchestrator on the first site (Orchestrator ID 1_2) connects to the same Layer 2 Switch (to Port 2) on the first site.
Port 47 on the first Orchestrator on the second site (Orchestrator ID 2_1) connects to the Layer 2 Switch (to Port 1) on the second site.
Port 47 on the second Orchestrator on the second site (Orchestrator ID 2_2) connects to the same Layer 2 Switch (to Port 2) on the second site.
The Layer 2 Switch (Port 32) on the first site connects directly to the Layer 2 Switch (to Port 32) on the second site.

Diagram for MHO-140 with R80.20SP

Explanations

Table: Explanations

Item

Description

A port on the Layer 2 switch on the first site (3) that connects to a corresponding port (2) on the Layer 2 switch on the second site (5).

A port on the Layer 2 switch on the second site (5) that connects to a corresponding port (1) on the Layer 2 switch on the first site (3).

The Layer 2 switch on the first site.

Port on the Layer 2 switch on the first site that connects to the dedicated external synchronization port (10) on the first Quantum Maestro Orchestrator (11) on the first site.

The Layer 2 switch on the second site.

Port on the Layer 2 switch on the second site that connects to the dedicated external synchronization port (13) on the first Quantum Maestro Orchestrator (14) on the second site.

Port on the Layer 2 switch on the first site that connects to the dedicated external synchronization port (18) on the second Quantum Maestro Orchestrator (19) on the first site.

Port on the Layer 2 switch on the second site that connects to the dedicated external synchronization port (21) on the second Quantum Maestro Orchestrator (22) on the second site.

DAC cables Direct Attach Copper cable. A form of the high-speed shielded twinax copper cable with pluggable transceivers on both ends. Used to connect to network devices (switches, routers, or servers)., Fiber cables (with transceivers), or Breakout cables An optical fiber cable that contains several jacketed simplex optical fibers that are packaged together inside an outer jacket. Synonyms: Fanout cable, Fan-Out cable, Splitter cable. that connect Downlink ports on the first Quantum Maestro Orchestrator (11) on the first site to the Security Appliance (25, 27 and 30) on the first site.

These cables connect to the odd port of an Expansion Line Card on Security Appliances.

The dedicated external synchronization port (Port 47) on the first Quantum Maestro Orchestrator (11) on the first site.

This port connects with a DAC cable or Fiber cable (with transceivers) to the Layer 2 switch (3 to port 4) on the first site.

The first Quantum Maestro Orchestrator on the first site.

DAC cables, Fiber cables (with transceivers), or Breakout cables that connect Downlink ports on the first Quantum Maestro Orchestrator (14) on the second site to the Security Appliance (26, 29 and 31) on the second site.

These cables connect to the odd port of an Expansion Line Card on Security Appliances.

The dedicated external synchronization port (Port 47) on the first Quantum Maestro Orchestrator (14) on the second site.

This port connects with a DAC cable or Fiber cable (with transceivers) to the Layer 2 switch (5 to port 6) on the first site.

The first Quantum Maestro Orchestrator on the second site.

The dedicated internal synchronization port (Port 48) on the first Quantum Maestro Orchestrator (11) on the first site.

This port connects with a DAC cable to the dedicated internal synchronization port (23) on the second Quantum Maestro Orchestrator (19) on the first site.

Important:

This connection is only used to synchronize the configuration of Security Groups A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. between the Quantum Maestro Orchestrators.
MHO-175 and MHO-170 require a 100 GbE DAC or 40 GbE DAC cable.
MHO-140 requires a 10 GbE DAC cable.

The dedicated internal synchronization port (Port 48) on the first Quantum Maestro Orchestrator (14) on the second site.

This port connects with a DAC cable to the dedicated internal synchronization port (24) on the second Quantum Maestro Orchestrator (22) on the second site.

Important:

This connection is only used to synchronize the configuration of Security Groups between the Quantum Maestro Orchestrators.
MHO-175 and MHO-170 require a 100 GbE DAC or 40 GbE DAC cable.
MHO-140 requires a 10 GbE DAC cable.

DAC cables, Fiber cables (with transceivers), or Breakout cables that connect Downlink ports on the second Quantum Maestro Orchestrator (19) on the first site to the Security Appliance (25, 27 and 30) on the first site.

These cables connect to the even port of an Expansion Line Card on Security Appliances.

The dedicated external synchronization port (Port 47) on the second Quantum Maestro Orchestrator (19) on the first site.

This port connects with a DAC cable or Fiber cable (with transceivers) to the Layer 2 switch (3 to port 7) on the first site.

The second Quantum Maestro Orchestrator on the first site.

DAC cables, Fiber cables (with transceivers), or Breakout cables that connect Downlink ports on the second Quantum Maestro Orchestrator (22) on the second site to the Security Appliance (26, 29 and 31) on the second site.

These cables connect to the even port of an Expansion Line Card on Security Appliances.

The dedicated external synchronization port (Port 47) on the second Quantum Maestro Orchestrator (14) on the second site.

This port connects with a DAC cable or Fiber cable (with transceivers) to the Layer 2 switch (5 to port 8) on the second site.

The second Quantum Maestro Orchestrator on the second site.

The dedicated internal synchronization port (Port 48) on the second Quantum Maestro Orchestrator (19) on the first site.

This port connects with a DAC cable to the dedicated internal synchronization port (15) on the first Quantum Maestro Orchestrator (11) on the first site.

Important:

This connection is only used to synchronize the configuration of Security Groups between the Quantum Maestro Orchestrators.
MHO-175 and MHO-170 require a 100 GbE DAC or 40 GbE DAC cable.
MHO-140 requires a 10 GbE DAC cable.

The dedicated internal synchronization port (Port 48) on the second Quantum Maestro Orchestrator (22) on the second site.

This port connects with a DAC cable to the dedicated internal synchronization port (16) on the first Quantum Maestro Orchestrator (14) on the first site.

Important:

This connection is only used to synchronize the configuration of Security Groups between the Quantum Maestro Orchestrators.
MHO-175 and MHO-170 require a 100 GbE DAC or 40 GbE DAC cable.
MHO-140 requires a 10 GbE DAC cable.

Security Appliance 1 on the first site - member of the Security Group (28).

Security Appliance 1 on the second site - member of the Security Group (28).

Security Appliance 2 on the first site - member of the Security Group (28).

Security Group that contains Security Appliances from both sites (25, 26, 27, 29, 30 and 31).

Security Appliance 2 on the second site - member of the Security Group (28).

Security Appliance 3 on the first site - member of the Security Group (28).

Security Appliance 3 on the second site - member of the Security Group (28).

Configuration of the synchronization ports:

Site	Orchestrator	Internal Sync Port	External Sync Port
1	Orchestrator ID 1_1 (denoted as MHO 1_1)	Port 48 IP 192.0.2.1	Port 47 IP 203.0.113.1
1	Orchestrator ID 1_2 (denoted as MHO 1_2)	Port 48 IP 192.0.2.2	Port 47 IP 203.0.113.2
2	Orchestrator ID 2_1 (denoted as MHO 2_1)	Port 48 IP 192.0.2.15	Port 47 IP 203.0.113.15
2	Orchestrator ID 2_2 (denoted as MHO 2_2)	Port 48 IP 192.0.2.16	Port 47 IP 203.0.113.16

Site

Orchestrator

Internal Sync Port

External Sync Port

Orchestrator ID 1_1

(denoted as MHO 1_1)

Port 48

IP 192.0.2.1

Port 47

IP 203.0.113.1

Orchestrator ID 1_2

(denoted as MHO 1_2)

Port 48

IP 192.0.2.2

Port 47

IP 203.0.113.2

Orchestrator ID 2_1

(denoted as MHO 2_1)

Port 48

IP 192.0.2.15

Port 47

IP 203.0.113.15

Orchestrator ID 2_2

(denoted as MHO 2_2)

Port 48

IP 192.0.2.16

Port 47

IP 203.0.113.16

Requirements

Layer 2 switches must support VLAN Q-in-Q Tunneling (encapsulation of 802.1Q VLAN inside 802.1Q VLAN).

You must configure VLAN Trunks and Q-in-Q exactly as described below:

Site	Switch	Port	Port Configuration
1 and 2	SW 1 and SW 2	1	VLAN Trunk that accepts these VLAN IDs: 3600^* (used for a site internal synchronization) 3951 (used for external synchronization)
1 and 2	SW 1 and SW 2	2	VLAN Trunk that accepts these VLAN IDs: 3601^* (used for a site internal synchronization) 3952 (used for external synchronization)
1 and 2	SW 1 and SW 2	32	VLAN Trunk that accepts these VLAN IDs: 3600^* (used for a site internal synchronization) 3601^* (used for a site internal synchronization) 3951 (used for external synchronization) 3952 (used for external synchronization)

Site

Switch

Port

Port Configuration

and

SW 1

and

SW 2

VLAN Trunk that accepts these VLAN IDs:

3600^* (used for a site internal synchronization)
3951 (used for external synchronization)

and

SW 1

and

SW 2

VLAN Trunk that accepts these VLAN IDs:

3601^* (used for a site internal synchronization)
3952 (used for external synchronization)

and

SW 1

and

SW 2

VLAN Trunk that accepts these VLAN IDs:

3600^* (used for a site internal synchronization)
3601^* (used for a site internal synchronization)
3951 (used for external synchronization)
3952 (used for external synchronization)

Important:

VLAN ID 3951 and VLAN ID 3952:

Starting from the version R81.10, it is possible to change the default VLAN IDs with this command:

set maestro configuration orchestrators base-vlan <VLAN ID 1> <VLAN ID 2> ... <VLAN ID N>

In the version R80.20SP, it is not possible to change these VLAN IDs.

^*The default Site Sync VLAN IDs are:
- 3600 on Orchestrator ID 1_1 and Orchestrator ID 2_1
- 3601 on Orchestrator ID 1_2 and Orchestrator ID 2_2
If these default Site Sync VLAN IDs conflict with the existing VLAN IDs in your environment, then it is possible to change the Base Site Sync VLAN IDs on Quantum Maestro Orchestrators.

Latency between the Layer 2 switches on different sites must be lower than 100ms.
Packet lost between the Layer 2 switches on different sites must be lower than 5%.

Configuring Dual Site with two Switches

This procedure explains how to configure a new Security Group that contains Security Appliances from two sites in a new Dual Site configuration.

Important - Make sure to read the existing Known Limitations for Dual Site in sk148074.

Warning - This procedure interrupts the traffic. Schedule a maintenance window.

Step Instructions

On each site, install the Quantum Maestro Orchestrators in their racks.

Follow the applicable instructions:

On each site, connect the cables between:

The dedicated internal synchronization ports on the Quantum Maestro Orchestrators.
The Security Appliances and the Downlink ports on the Quantum Maestro Orchestrators.
The production traffic networks and the Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. on the Quantum Maestro Orchestrators.

Follow:

On each site, connect fiber cables (with transceivers) or DAC cables between the dedicated external synchronization ports on the Quantum Maestro Orchestrator and the ports on the Layer 2 switch.

Best Practice:

On MHO-175 and MHO-170, use Ports 31 on the Quantum Maestro Orchestrators on each site.
On MHO-140, use Ports 47 on the Quantum Maestro Orchestrators on each site.
Do not use ports with the configured type "management".
On the Layer 2 switches on different sites, connect Quantum Maestro Orchestrators to ports with the same numbers:
- Connect Orchestrator ID 1_1 and Orchestrator ID 2_1 to port X on the switches
- Connect Orchestrator ID 1_2 and Orchestrator ID 2_2 to port Y on the switches

It is possible to use any port for external synchronization, except these ports:

The ports already used for the internal synchronization.
The disabled ports, if you used breakout cables. See Splitting the Ports with Breakout Cables.

Use an SSH Client or a Serial Console to connect to the command line on each Quantum Maestro Orchestrator on each site.

On each site, configure the dedicated ports for the external synchronization on the Quantum Maestro Orchestrators.

Configure the dedicated port

You must connect and configure ports with the same numbers on the Quantum Maestro Orchestrators on each site.

Run this command in Gaia Clish:

set maestro port <Quantum Maestro Orchestrator ID>/<Port Label>/<Port Split ID> type site_sync

Example for MHO-140:

Orch_1_1> set maestro port 1/47/1 type site_sync

Orch_2_1> set maestro port 1/47/1 type site_sync

Orch_1_2> set maestro port 2/47/1 type site_sync

Orch_2_2> set maestro port 2/47/1 type site_sync

For information about this Gaia Clish command, see the Maestro Administration Guide for your version > Chapter Configuring Security Groups > Section Configuration Procedure > Section Configuring Security Groups in Gaia Clish > Section Configuring the Port Settings.

Restart the orchd daemon

orchd restart

Warning - No traffic flows through the Quantum Maestro Orchestrator until this daemon restarts.

On each site, configure the total number of Sites on each Quantum Maestro Orchestrator.

Configure the Site ID on each Quantum Maestro Orchestrator.

Configuring the Site ID on the first site

Configure the same Site ID 1 on each Orchestrator:

set maestro configuration orchestrator-site-id 1

Restart the orchd daemon on each Orchestrator.

orchd restart

Warning - No traffic flows through the Quantum Maestro Orchestrator until this daemon restarts.

Configuring the Site ID on the second site

Configure the same Site ID 2 on each Orchestrator:

set maestro configuration orchestrator-site-id 2

Restart the orchd daemon on each Orchestrator.

orchd restart

Warning - No traffic flows through the Quantum Maestro Orchestrator until this daemon restarts.

Optional: Configure a new Base Site Sync VLAN ID on each Quantum Maestro Orchestrator.

This step applies if the default Site Sync VLAN IDs 3600 and 3601 conflict with the existing VLAN IDs in your environment.

For information about the Base Site Sync VLAN ID, see the Maestro Administration Guide for your version > Chapter Configuring Security Groups > Section Configuration Procedure > Section Configuring Security Groups in Gaia Clish > Section Configuring the Base Site Sync VLAN ID in Dual Site Deployment.

Explanation

The default Site Sync VLAN IDs are:

3600 on Orchestrator ID 1_1 and Orchestrator ID 2_1
3601 on Orchestrator ID 1_2 and Orchestrator ID 2_2

If you configure a new Base Site Sync VLAN ID, then Quantum Maestro Orchestrators assign the new Site Sync VLAN IDs in this way:

Orchestrator ID 1_1 and Orchestrator ID 2_1 use the Site Sync VLAN ID based on this formula:

(Base Site Sync VLAN ID you configured) + 0
Orchestrator ID 1_2 and Orchestrator ID 2_2 use the Site Sync VLAN ID based on this formula:

(Base Site Sync VLAN ID you configured) + 1

Example:

If you configure the Base Site Sync VLAN ID 4800 on all Quantum Maestro Orchestrators, then

Orchestrator ID 1_1 and Orchestrator ID 2_1 use the Site Sync VLAN ID 4800
Orchestrator ID 1_2 and Orchestrator ID 2_2 use the Site Sync VLAN ID 4801

Procedure

Warning - This procedure interrupts the traffic. Schedule a maintenance window.

Connect to the command line on each Quantum Maestro Orchestrator.
Log in to Gaia Clish.

Configure the same Base Site Sync VLAN ID on all Quantum Maestro Orchestrators:

set maestro configuration orchestrator-site-vlan <Number>

Restart the orchd daemon on each Quantum Maestro Orchestrator.

orchd restart

Warning - No traffic flows through the Quantum Maestro Orchestrator until this daemon restarts.

Follow these configuration steps:

Configure the applicable Security Groups on the Quantum Maestro Orchestrators.
Configure the Gaia Operating System settings in the new Security Group.
Configure the settings in SmartConsole.

See the Maestro Administration Guide for your version > Chapter Configuring Security Groups.

Important Notes for configuring the applicable Security Groups:

Perform the configuration of Security Groups only on one Quantum Maestro Orchestrator.

The Quantum Maestro Orchestrators synchronize the configuration automatically on each site and between the sites.

To create a new Security Group when the SMO Image Cloning is enabled, follow the procedure below.

Best Practice - Enable the SMO Image Cloning. Security Group Members use this feature to download automatically all Hotfixes installed on the SMO. See the Gaia Administration Guide for your version > Chapter Maintenance > Section Snapshot Management > Section SMO Image Cloning.

Procedure

Create a new Security Group that contains interfaces and Security Appliances only from Site 1.

Connect to the command line of the Security Group over SSH at <IP Address of Security Group>.

When you log in, the Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group. opens by default.

Important - This connection goes through the Quantum Maestro Orchestrator's management interface you assigned to this Security Group.

Configure the total number of Sites:

set smo security-group site-amount 2

Add to this Security Group the Security Appliances from Site 2.

The Security Appliances on Site 2 automatically clone the software and the configuration from the SMO Security Appliance on Site 1.

To create a new Security Group when the SMO Image Cloning is disabled, follow the procedure below.

Procedure

Create a new Security Group that contains interfaces and Security Appliances only from Site 1.

Connect to the command line of the Security Group over SSH at <IP Address of Security Group>.

When you log in, the Gaia gClish opens by default.

Important - This connection goes through the Quantum Maestro Orchestrator's management interface you assigned to this Security Group.

Configure the total number of Sites:

set smo security-group site-amount 2

Add to this Security Group the Security Appliances from Site 2.