Dual Site with Direct Connection

Warning:

It is critical to protect the Maestro Sites against both malicious and unintentional threats:

On each Security Appliance, each required network port must connect to Maestro Orchestrators See "Maestro Orchestrator". with a direct able (without intermediate devices).
On the same Maestro site, the internal synchronization ports on both Orchestrators must connect to each other with a direct cable or must connect to an isolated dedicated network.
On the different Maestro sites, the external synchronization ports on the corresponding Orchestrators must connect to each other with a direct cable or must connect to an isolated dedicated network.

Diagram

This example is for MHO-140.

Description

On each site, two Quantum Maestro Orchestrators A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO. are connected for redundancy:
- On each site, Port 48 on Quantum Maestro Orchestrators is for the internal synchronization.
- On each site, Port 47 on Quantum Maestro Orchestrators is for the external synchronization between sites.
  
  (Starting in R81.10, Port 56 is the external synchronization port.)
- On each site, each Security Appliance has an Expansion Line Card.
  
  Downlink ports Interfaces on the Quantum Maestro Orchestrator used to connect to Check Point Security Appliances. You use DAC cables, Fiber cables (with transceivers), or Breakout cables to connect between the Downlink ports and Security Appliances. The Check Point Management traffic (policy, logs, synchronization, and so on) co-exists with the data (user) traffic on the Downlink ports. Bandwidth is guaranteed for the Check Point Management traffic (portion of the downlink bandwidth). These ports form the system backplane (management, data plane, synchronization). on different Quantum Maestro Orchestrators connect to odd and to even ports on the Expansion Line Card.
The first Orchestrator on the first site (Orchestrator ID 1_1) connects directly to the first Orchestrator on the second site (Orchestrator ID 2_1).
The second Orchestrator on the first site (Orchestrator ID 1_2) connects directly to the second Orchestrator on the second site (Orchestrator ID 2_2).

Diagram for MHO-140 with R80.20SP

Explanations

Table: Explanations

Item

Description

DAC cables Direct Attach Copper cable. A form of the high-speed shielded twinax copper cable with pluggable transceivers on both ends. Used to connect to network devices (switches, routers, or servers)., Fiber cables (with transceivers), or Breakout cables An optical fiber cable that contains several jacketed simplex optical fibers that are packaged together inside an outer jacket. Synonyms: Fanout cable, Fan-Out cable, Splitter cable. that connect Downlink ports on the first Quantum Maestro Orchestrator (3) on the first site to the Security Appliance (17, 19 and 22) on the first site.

These cables connect to the odd port of an Expansion Line Card on Security Appliances.

The dedicated external synchronization port (Port 47) on the first Quantum Maestro Orchestrator (3) on the first site.

This port connects with a DAC cable or Fiber cable (with transceivers) to the dedicated external synchronization port (5) on the first Quantum Maestro Orchestrator (6) on the second site.

The first Quantum Maestro Orchestrator on the first site.

DAC cables, Fiber cables (with transceivers), or Breakout cables that connect Downlink ports on the first Quantum Maestro Orchestrator (6) on the second site to the Security Appliance (18, 21 and 23) on the second site.

These cables connect to the odd port of an Expansion Line Card on Security Appliances.

The dedicated external synchronization port (Port 47) on the first Quantum Maestro Orchestrator (6) on the second site.

This port connects with a DAC cable or Fiber cable (with transceivers) to the dedicated external synchronization port (2) on the first Quantum Maestro Orchestrator (3) on the first site.

The first Quantum Maestro Orchestrator on the second site.

The dedicated internal synchronization port (Port 48) on the first Quantum Maestro Orchestrator (3) on the first site.

This port connects with a DAC cable to the dedicated internal synchronization port (15) on the second Quantum Maestro Orchestrator (11) on the first site.

Important:

This connection is only used to synchronize the configuration of Security Groups A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. between the Quantum Maestro Orchestrators.
MHO-175 and MHO-170 require a 100 GbE DAC or 40 GbE DAC cable.
MHO-140 requires a 10 GbE DAC cable.

The dedicated internal synchronization port (Port 48) on the first Quantum Maestro Orchestrator (6) on the second site.

This port connects with a DAC cable to the dedicated internal synchronization port (16) on the second Quantum Maestro Orchestrator (14) on the second site.

Important:

This connection is only used to synchronize the configuration of Security Groups between the Quantum Maestro Orchestrators.
MHO-175 and MHO-170 require a 100 GbE DAC or 40 GbE DAC cable.
MHO-140 requires a 10 GbE DAC cable.

DAC cables, Fiber cables (with transceivers), or Breakout cables that connect Downlink ports on the second Quantum Maestro Orchestrator (11) on the first site to the Security Appliance (17, 19 and 22) on the first site.

These cables connect to the even port of an Expansion Line Card on Security Appliances.

The dedicated external synchronization port (Port 47) on the second Quantum Maestro Orchestrator (3) on the first site.

This port connects with a DAC cable or Fiber cable (with transceivers) to the dedicated external synchronization port (13) on the second Quantum Maestro Orchestrator (14) on the second site.

The second Quantum Maestro Orchestrator on the first site.

DAC cables, Fiber cables (with transceivers), or Breakout cables that connect Downlink ports on the second Quantum Maestro Orchestrator (14) on the second site to the Security Appliance (18, 21 and 24).

These cables connect to the even port of an Expansion Line Card on Security Appliances.

The dedicated external synchronization port (Port 47) on the second Quantum Maestro Orchestrator (14) on the second site.

This port connects with a DAC cable or Fiber cable (with transceivers) to the dedicated external synchronization port (10) on the second Quantum Maestro Orchestrator (11) on the first site.

The second Quantum Maestro Orchestrator on the second site.

The dedicated internal synchronization port (Port 48) on the second Quantum Maestro Orchestrator (3) on the first site.

This port connects with a DAC cable to the dedicated internal synchronization port (7) on the first Quantum Maestro Orchestrator (3) on the first site.

Important:

This connection is only used to synchronize the configuration of Security Groups between the Quantum Maestro Orchestrators.
MHO-175 and MHO-170 require a 100 GbE DAC or 40 GbE DAC cable.
MHO-140 requires a 10 GbE DAC cable.

The dedicated internal synchronization port (Port 48) on the second Quantum Maestro Orchestrator (14) on the second site.

This port connects with a DAC cable to the dedicated internal synchronization port (7) on the first Quantum Maestro Orchestrator (6) on the first site.

Important:

This connection is only used to synchronize the configuration of Security Groups between the Quantum Maestro Orchestrators.
MHO-175 and MHO-170 require a 100 GbE DAC or 40 GbE DAC cable.
MHO-140 requires a 10 GbE DAC cable.

Security Appliance 1 on the first site - member of the Security Group (20).

Security Appliance 1 on the second site - member of the Security Group (20).

Security Appliance 2 on the first site - member of the Security Group (20).

Security Group that contains Security Appliances from both sites (17, 18, 19, 21, 22 and 23).

Security Appliance 2 on the second site - member of the Security Group (20).

Security Appliance 3 on the first site - member of the Security Group (20).

Security Appliance 3 on the second site - member of the Security Group (20).

Configuration of the synchronization ports:

Site	Orchestrator	Internal Sync Port	External Sync Port
1	Orchestrator ID 1_1 (denoted as MHO 1_1)	Port 48 IP 192.0.2.1	Port 47 IP 203.0.113.1
1	Orchestrator ID 1_2 (denoted as MHO 1_2)	Port 48 IP 192.0.2.2	Port 47 IP 203.0.113.2
2	Orchestrator ID 2_1 (denoted as MHO 2_1)	Port 48 IP 192.0.2.15	Port 47 IP 203.0.113.15
2	Orchestrator ID 2_2 (denoted as MHO 2_2)	Port 48 IP 192.0.2.16	Port 47 IP 203.0.113.16

Site

Orchestrator

Internal Sync Port

External Sync Port

Orchestrator ID 1_1

(denoted as MHO 1_1)

Port 48

IP 192.0.2.1

Port 47

IP 203.0.113.1

Orchestrator ID 1_2

(denoted as MHO 1_2)

Port 48

IP 192.0.2.2

Port 47

IP 203.0.113.2

Orchestrator ID 2_1

(denoted as MHO 2_1)

Port 48

IP 192.0.2.15

Port 47

IP 203.0.113.15

Orchestrator ID 2_2

(denoted as MHO 2_2)

Port 48

IP 192.0.2.16

Port 47

IP 203.0.113.16

Configuring Dual Site with Direct Connection

This procedure explains how to configure a new Security Group that contains Security Appliances from two sites in a new Dual Site configuration.

Important - Make sure to read the existing Known Limitations for Dual Site in sk148074.

Warning - This procedure interrupts the traffic. Schedule a maintenance window.

Step Instructions

On each site, install the Quantum Maestro Orchestrators in their racks.

Follow the applicable instructions:

On each site, connect the cables between:

The dedicated internal synchronization ports on the Quantum Maestro Orchestrators.
The Security Appliances and the Downlink ports on the Quantum Maestro Orchestrators.
The production traffic networks and the Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. on the Quantum Maestro Orchestrators.

Follow:

On each site, connect fiber cables (with transceivers) or DAC cables between the dedicated external synchronization ports on the Quantum Maestro Orchestrator.

Procedure

You must connect fiber cables between ports with the same numbers on the Quantum Maestro Orchestrators on each site.

Connect fiber cables between these pairs of Quantum Maestro Orchestrators:

The first Orchestrator on the first site (Orchestrator ID 1_1).

The first Orchestrator on the second site (Orchestrator ID 2_1).

Connect ports with the same numbers.
The second Orchestrator on the first site (Orchestrator ID 1_2).

The second Orchestrator on the second site (Orchestrator ID 2_2).

Connect ports with the same numbers.

Best Practice:

On MHO-175 and MHO-170, use Ports 31 on the Quantum Maestro Orchestrators on each site.
On MHO-140, use Ports 47 on the Quantum Maestro Orchestrators on each site.
Do not use ports with the configured type "management".

It is possible to use any port for external synchronization, except these ports:
- The ports already used for the internal synchronization.
- The disabled ports, if you used breakout cables. See Splitting the Ports with Breakout Cables.

Use an SSH Client or a Serial Console to connect to the command line on each Quantum Maestro Orchestrator on each site.

On each site, configure the dedicated ports for the external synchronization on the Quantum Maestro Orchestrators.

Configure the dedicated port

You must connect to and configure ports with the same numbers on the Quantum Maestro Orchestrators on each site.

Run this command in Gaia Clish:

set maestro port <Quantum Maestro Orchestrator ID>/<Port Label>/<Port Split ID> type site_sync

Example for MHO-140:

Orch_1_1> set maestro port 1/47/1 type site_sync

Orch_2_1> set maestro port 1/47/1 type site_sync

Orch_1_2> set maestro port 2/47/1 type site_sync

Orch_2_2> set maestro port 2/47/1 type site_sync

For information about this Gaia Clish command, see the Maestro Administration Guide for your version > Chapter Configuring Security Groups > Section Configuration Procedure > Section Configuring Security Groups in Gaia Clish > Section Configuring the Port Settings.

Restart the orchd daemon

orchd restart

Warning - No traffic flows through the Quantum Maestro Orchestrator until this daemon restarts.

On each site, configure the total number of Sites on each Quantum Maestro Orchestrator.

Configure the Site ID on each Quantum Maestro Orchestrator.

Configuring the Site ID on the first site

Configure the same Site ID 1 on each Orchestrator.

Run this command in Gaia Clish:

set maestro configuration orchestrator-site-id 1

Restart the orchd daemon on each Orchestrator.

orchd restart

Warning - No traffic flows through the Quantum Maestro Orchestrator until this daemon restarts.

Configuring the Site ID on the second site

Configure the same Site ID 2 on each Orchestrator.

Run this command in Gaia Clish:

set maestro configuration orchestrator-site-id 2

Restart the orchd daemon on each Orchestrator.

orchd restart

Warning - No traffic flows through the Quantum Maestro Orchestrator until this daemon restarts.

Follow these configuration steps:

Configure the applicable Security Groups on the Quantum Maestro Orchestrators.
Configure the Gaia Operating System settings in the new Security Group.
Configure the settings in SmartConsole.

See the Maestro Administration Guide for your version > Chapter Configuring Security Groups.

Important Notes for configuring the applicable Security Groups:

Perform the configuration of Security Groups only on one Quantum Maestro Orchestrator.

The Quantum Maestro Orchestrators synchronize the configuration automatically on each site and between the sites.

To create a new Security Group when the SMO Image Cloning is enabled, follow the procedure below.

Best Practice - Enable the SMO Image Cloning. Security Group Members use this feature to download automatically all Hotfixes installed on the SMO. See the Gaia Administration Guide for your version > Chapter Maintenance > Section Snapshot Management > Section SMO Image Cloning.

Procedure

Create a new Security Group that contains interfaces and Security Appliances only from Site 1.

Connect to the command line of the Security Group over SSH at <IP Address of Security Group>.

When you log in, the Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group. opens by default.

Important - This connection goes through the Quantum Maestro Orchestrator's management interface you assigned to this Security Group.

Configure the total number of Sites:

set smo security-group site-amount 2

Add to this Security Group the Security Appliances from Site 2.

The Security Appliances on Site 2 automatically clone the software and the configuration from the SMO Security Appliance on Site 1.

To create a new Security Group when the SMO Image Cloning is disabled, follow the procedure below.

Procedure

Create a new Security Group that contains interfaces and Security Appliances only from Site 1.

Connect to the command line of the Security Group over SSH at <IP Address of Security Group>.

When you log in, the Gaia gClish opens by default.

Important - This connection goes through the Quantum Maestro Orchestrator's management interface you assigned to this Security Group.

Configure the total number of Sites:

set smo security-group site-amount 2

Add to this Security Group the Security Appliances from Site 2.

Migrating from Single Site to Dual Site

This procedure explains to change the configuration of an existing Security Group to contain Security Appliances from two sites.

Important - Make sure to read the existing Known Limitations for Dual Site in sk148074.

Warning - This procedure interrupts the traffic. Schedule a maintenance window.

Step Instructions

On the new site, install the Quantum Maestro Orchestrators in their racks.

Follow the applicable instructions:

On the new site, connect the cables between:

The dedicated internal synchronization ports on the Quantum Maestro Orchestrators.
The Security Appliances and the Downlink ports on the Quantum Maestro Orchestrators.
The production traffic networks and the Uplink ports on the Quantum Maestro Orchestrators.

Follow:

On each site, connect fiber cables (with transceivers) or DAC cables between the dedicated external synchronization ports on the Quantum Maestro Orchestrator.

Procedure

You must connect fiber cables between ports with the same numbers on the Quantum Maestro Orchestrators on each site.

Connect fiber cables between these pairs of Quantum Maestro Orchestrators:

The first Orchestrator on the first site (Orchestrator ID 1_1).

The first Orchestrator on the second site (Orchestrator ID 2_1).

Connect ports with the same numbers.
The second Orchestrator on the first site (Orchestrator ID 1_2).

The second Orchestrator on the second site (Orchestrator ID 2_2).

Connect ports with the same numbers.

Best Practice:

On MHO-175 and MHO-170, use Ports 31 on the Quantum Maestro Orchestrators on each site.
On MHO-140, use Ports 47 on the Quantum Maestro Orchestrators on each site.
Do not use ports with the configured type "management".

It is possible to use any port for external synchronization, except these ports:
- The ports already used for the internal synchronization.
- The disabled ports, if you used breakout cables. See Splitting the Ports with Breakout Cables.

Use an SSH Client or a Serial Console to connect to the command line on each Quantum Maestro Orchestrator on each site.

On each site, configure the total number of Sites on each Quantum Maestro Orchestrator.

Run this command in Gaia Clish:

set maestro configuration orchestrator-site-amount 2

Configure the Site ID on each Quantum Maestro Orchestrator.

Configuring the Site ID on the first site

Configure the same Site ID 1 on each Orchestrator:

Run this command in Gaia Clish:

set maestro configuration orchestrator-site-id 1

Restart the orchd daemon on each Orchestrator.

orchd restart

Warning - No traffic flows through the Quantum Maestro Orchestrator until this daemon restarts.

Configuring the Site ID on the second site

Configure the same Site ID 2 on each Orchestrator:

Run this command in Gaia Clish:

set maestro configuration orchestrator-site-id 2

Restart the orchd daemon on each Orchestrator.

orchd restart

Warning - No traffic flows through the Quantum Maestro Orchestrator until this daemon restarts.

Make sure the date and time are the same on all Quantum Maestro Orchestrators on both sites.

Run these commands in Gaia Clish:

show date

show time

show timezone

show ntp active

For more information, see the Gaia Administration Guide for your version.

On the existing site (Site ID 1), back up the current configuration on each Quantum Maestro Orchestrator (Orchestrator ID 1_1 and Orchestrator ID 1_2).

Procedure

Back up the /etc/maestro.json file to some directory (for example, your home directory):

cp -v /etc/maestro.json ~/maestro.json_BKP

Back up the /etc/maestro_full.json file to some directory (for example, your home directory):

cp -v /etc/maestro_full.json ~/maestro_full.json_BKP

On the new site (Site ID 2), configure the dedicated ports for the external synchronization on the Quantum Maestro Orchestrators (Orchestrator ID 2_1 and Orchestrator ID 2_2).

Warning - You must perform this step on the Quantum Maestro Orchestrators on the new site before you perform this step on the Quantum Maestro Orchestrators on the existing site. This is to make sure the current configuration is preserved on the new site.

Procedure

Configure the dedicated port.

You must connect and configure ports with the same numbers on the Quantum Maestro Orchestrators on each site.

set maestro port <Quantum Maestro Orchestrator ID>/<Port Label>/<Port Split ID> type site_sync

Example for MHO-140:

Orch_2_1> set maestro port 2/47/1 type site_sync

Orch_2_2> set maestro port 2/47/1 type site_sync

Restart the orchd daemon.

orchd restart

Warning - No traffic flows through the Quantum Maestro Orchestrator until this daemon restarts.

On the existing site (Site ID 1), configure the dedicated ports for the external synchronization on the Quantum Maestro Orchestrators (Orchestrator ID 1_1 and Orchestrator ID 1_2).

Procedure

Configure the dedicated port.

You must connect and configure ports with the same numbers on the Quantum Maestro Orchestrators on each site.

set maestro port <Quantum Maestro Orchestrator ID>/<Port Label>/<Port Split ID> type site_sync

Example for MHO-140:

Orch_1_1> set maestro port 1/47/1 type site_sync

Orch_1_2> set maestro port 1/47/1 type site_sync

Restart the orchd daemon.

orchd restart

Warning - No traffic flows through the Quantum Maestro Orchestrator until this daemon restarts.

On the new site (Site ID 2), restart the orchd daemon on each Quantum Maestro Orchestrator (Orchestrator ID 2_1 and Orchestrator ID 2_2). This forces the new site to synchronize the applicable configuration from the existing site.

Procedure

Restart the orchd daemon

orchd restart

Warning - No traffic flows through the Quantum Maestro Orchestrator until this daemon restarts.

On the existing site (Site ID 1), apply the current configuration on the first Orchestrator (Orchestrator ID 1_1).

It is possible to apply the current configuration in one of these ways:

In Gaia Portal

For information, see the Maestro Administration Guide for your version > Chapter Configuring Security Groups > Section Configuration Procedure > Section Configuring Security Groups in Gaia Portal.

With a web browser, connect to the Gaia Portal on the Quantum Maestro Orchestrator:

https://<IP Address of Orchestrator's MGMT Port>

Log in to the Gaia Portal.
From the left navigation tree, click Orchestrator page.
In the bottom left corner, click Apply.

Optional: Enable the SMO Image Cloning.

See the Gaia Administration Guide for your version > Chapter Maintenance > Section Snapshot Management > Section SMO Image Cloning.

Best Practice - Enable the SMO Image Cloning. Security Group Members use this feature to download automatically all Hotfixes installed on the SMO.

On the existing site (Site ID 1), add Security Appliances from the new site (Site ID 2) to this Security Group.

It is possible to change the configuration in one of these ways:

In Gaia Portal
In Gaia Clish

See the Maestro Administration Guide for your version > Chapter Configuring Security Groups.