Connecting Cables to MHO-140

Notes:

The different diagrams below show connections to different ports on the Quantum Maestro Orchestrators A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO..
It is possible to connect to the Quantum Maestro Orchestrator See "Maestro Orchestrator". ports with a DAC cable Direct Attach Copper cable. A form of the high-speed shielded twinax copper cable with pluggable transceivers on both ends. Used to connect to network devices (switches, routers, or servers)., Fiber cable (with transceivers), or Breakout cable An optical fiber cable that contains several jacketed simplex optical fibers that are packaged together inside an outer jacket. Synonyms: Fanout cable, Fan-Out cable, Splitter cable..
The sections below provide a high-level description.
The external synchronization port:
- Port 56 - in R81.10 and higher
- Port 47 - in R80.20SP

Warning - It is critical to protect the Maestro Sites against both malicious and unintentional threats:

On each Security Appliance, each required network port must connect to Orchestrators with a direct able (without intermediate devices).
On the same Maestro site, the internal synchronization ports on both Orchestrators must connect to each other with a direct cable or must connect to an isolated dedicated network.

Connecting to the Management Ports with DAC or Fiber Cables

Important - When you connect two Quantum Maestro Orchestrators for redundancy, the Check Point Management Server connects only to one of the Quantum Maestro Orchestrators.

Example:

Note - The default Management ports are Ports 1-4. This diagram shows the connection to the Management port 1. The same applies to the Management ports 2, 3 and 4.

Explanations

Item

Description

SmartConsole Client for the Check PointManagement Server (2).

Check Point Management Server.

Layer 2 switch.

A DAC cable or Fiber cable (with transceivers) connected to the Management port 1.

Note - You assign this Management port to the applicable Security Groups A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.. Shared Management Feature that allows to assign the same Management Port (interface ethX-MgmtY) on a Quantum Maestro Orchestrator to different Security Groups. The assigned Management Port has a different IP address and a different MAC address in each Security Group, to which this port is assigned. feature allows to assign the same Management port (interface ethX-MgmtY) on a Quantum Maestro Orchestrator to different Security Groups. The assigned Management port has a different IP address and a different MAC address in each Security Group, to which this port is assigned.

Client you can use to configure the Gaia Operating System on the Security Appliances in Security Groups, which you manage through Port 1 with the Management Server (2).

You connect:

Over SSH to the command line (Gaia Clish) of a Security Group.
With a web browser to the Gaia Portal of a Security Group.

The first Quantum Maestro Orchestrator.

Connecting to the Uplink Ports with DAC or Fiber Cables

Example of a connection to default Uplink ports 5 to 26:

Example of a connection to default Uplink ports 49 to 56:

Explanations

Item	Description
1	Production network 1 that communicates with production network 2 (5) through a Security Group configured on the Quantum Maestro Orchestrator.
2	Layer 2 switch.
3	A DAC or Fiber cable (with transceivers) connected to an Uplink port (in our example, Ports 7 and 49).
4	One of Quantum Maestro Orchestrators.
5	Production network 2 that communicates with production network 1 (1) through a Security Group configured on the Quantum Maestro Orchestrator.
6	A DAC or Fiber cable (with transceivers) connected to an Uplink port (in our example, Ports 16 and 56).
7	Layer 2 switch.

Notes:

You assign the Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. to the applicable Security Group.
It is possible to configure some of the Downlink ports Interfaces on the Quantum Maestro Orchestrator used to connect to Check Point Security Appliances. You use DAC cables, Fiber cables (with transceivers), or Breakout cables to connect between the Downlink ports and Security Appliances. The Check Point Management traffic (policy, logs, synchronization, and so on) co-exists with the data (user) traffic on the Downlink ports. Bandwidth is guaranteed for the Check Point Management traffic (portion of the downlink bandwidth). These ports form the system backplane (management, data plane, synchronization). as additional Uplink ports.

See the Maestro Administration Guide for your version > Chapter Configuring Security Groups > Section Configuration Procedure > Section Configuring Security Groups in Gaia Clish > Section Configuring the Port Settings.

Connecting to the Uplink Ports with Breakout Cables

Important - It is possible to connect breakout cables only to the top ports 49, 51, 53, and 55. When the specific top ports are in a split mode, the corresponding bottom ports are disabled.

Example:

Explanations

Item

Description

Network 1 connected to ports on the Networking Device (3).

Network 2 connected to ports on the Networking Device (3).

Networking Device (router or switch) that connects your Network 1 and Network 2 to the Quantum Maestro Orchestrators (6 and 8) with Bond interfaces (Link Aggregation).

Bond interface that connects Network 1 to the Quantum Maestro Orchestrators (8 and 10).

This Bond interface provides a redundant Uplink connection for the traffic inspected by the Security Appliances in the applicable Security Group (31).

Bond interface that connects Network 2 to the Quantum Maestro Orchestrators (8 and 10).

This Bond interface provides a redundant Uplink connection for the traffic inspected by the Security Appliances in the applicable Security Group (30).

A Breakout cable connected to an Uplink port (in our example, Port 49) on the first Quantum Maestro Orchestrator (8).

See Breakout Cables.

Notes:

This cable splits the Uplink port into four interfaces.

You assign the new interfaces to the applicable Security Groups.
This connection disables the bottom Uplink port (in our example, Port 50).

A Breakout cable connected to an Uplink port (in our example, Port 55) on the second Quantum Maestro Orchestrator (10).

See Breakout Cables.

Notes:

This cable splits the Uplink port into four interfaces.

You assign the new interfaces to the applicable Security Groups.
This connection disables the bottom Uplink port (in our example, Port 56).

First Quantum Maestro Orchestrator.

A 10 GbE DAC cable connected to the dedicated Synchronization ports 48 on the Quantum Maestro Orchestrators.

Important - This connection is only used to synchronize the configuration of Security Groups between the Quantum Maestro Orchestrators.

Second Quantum Maestro Orchestrator.

Notes:

Cables colored green (solid lines) show connections to the first Quantum Maestro Orchestrator (10).
Cables colored blue (dash lines) show connections to the second Quantum Maestro Orchestrator (12).
It is possible to configure some of the Downlink ports as additional Uplink ports.

See the Maestro Administration Guide for your version > Chapter Configuring Security Groups > Section Configuration Procedure > Section Configuring Security Groups in Gaia Clish > Section Configuring the Port Settings.

Connecting to the Downlink Ports with DAC or Fiber Cables

Example of a connection to default Downlink ports 27 to 47:

Explanations

Table: Explanations

Item

Description

The first Quantum Maestro Orchestrator.

The second Quantum Maestro Orchestrator.

A 10 GbE DAC cable connected to the dedicated Synchronization ports on the Quantum Maestro Orchestrators.

Important - This connection is only used to synchronize the configuration of Security Groups between the Quantum Maestro Orchestrators.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 30) on the first Quantum Maestro Orchestrator (1) and to the applicable port on the Expansion Line Card on the Security Appliance 16.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 30) on the second Quantum Maestro Orchestrator (2) and to the applicable port on the Expansion Line Card on the Security Appliance 16.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 34) on the first Quantum Maestro Orchestrator (1) and to the applicable port on the Expansion Line Card on the Security Appliance 15.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 34) on the second Quantum Maestro Orchestrator (2) and to the applicable port on the Expansion Line Card on the Security Appliance 15.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 38) on the first Quantum Maestro Orchestrator (1) and to the applicable port on the Expansion Line Card on the Security Appliance 13.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 38) on the second Quantum Maestro Orchestrator (2) and to the applicable port on the Expansion Line Card on the Security Appliance 13.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 42) on the first Quantum Maestro Orchestrator (1) and to the applicable port on the Expansion Line Card on the Security Appliance 12.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 42) on the second Quantum Maestro Orchestrator (2) and to the applicable port on the Expansion Line Card on the Security Appliance 12.

A Security Appliance that is assigned to the Security Group 2 (14).

All Security Appliances assigned to the Security Group 2.

A Security Appliance that is assigned to the Security Group 1 (17).

All Security Appliances assigned to the Security Group 1.

Notes:

Port 48 (colored purple) is the dedicated synchronization port to connect two MHO-140 for redundancy on the same site.
It is possible to configure some of the Uplink ports as additional Downlink ports.

See the Maestro Administration Guide for your version > Chapter Configuring Security Groups > Section Configuration Procedure > Section Configuring Security Groups in Gaia Clish > Section Configuring the Port Settings.
The Quantum Maestro Orchestrators create Link Aggregation for the applicable Downlink ports automatically.
See these sections:
- Connecting cables between Downlink ports on each Quantum Maestro Orchestrator and 2 ports on the Dual Port Card on each Security Appliance
- Connecting cables between Downlink ports on each Quantum Maestro Orchestrator and 1 out of 4 ports on the Quad Port Card on each Security Appliance