Connecting Cables to MHO-170

Notes:

The different diagrams below show connections to different ports on the Quantum Maestro Orchestrators A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO..
It is possible to connect to the Quantum Maestro Orchestrator See "Maestro Orchestrator". ports with a DAC cable Direct Attach Copper cable. A form of the high-speed shielded twinax copper cable with pluggable transceivers on both ends. Used to connect to network devices (switches, routers, or servers)., Fiber cable (with transceivers), or Breakout cable An optical fiber cable that contains several jacketed simplex optical fibers that are packaged together inside an outer jacket. Synonyms: Fanout cable, Fan-Out cable, Splitter cable..
The sections below provide a high-level description.

Warning - It is critical to protect the Maestro Sites against both malicious and unintentional threats:

On each Security Appliance, each required network port must connect to Orchestrators with a direct able (without intermediate devices).
On the same Maestro site, the internal synchronization ports on both Orchestrators must connect to each other with a direct cable or must connect to an isolated dedicated network.

Connecting to the Management Ports with DAC or Fiber Cables

Important - When you connect two Quantum Maestro Orchestrators for redundancy, the Check Point Management Server connects only to one of the Quantum Maestro Orchestrators.

Example:

Note - The default Management ports are Port 1 and Port 2. This diagram shows the connection to the Management port 1. The same applies to the Management port 2.

Explanations

Item

Description

SmartConsole Client for the Check Point Management Server (2).

Check Point Management Server.

Layer 2 switch.

A DAC cable or Fiber cable (with transceivers) connected to the Management port 1.

Note - You assign this Management port to the applicable Security Groups A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.. Shared Management Feature that allows to assign the same Management Port (interface ethX-MgmtY) on a Quantum Maestro Orchestrator to different Security Groups. The assigned Management Port has a different IP address and a different MAC address in each Security Group, to which this port is assigned. feature allows to assign the same Management port (interface ethX-MgmtY) on a Quantum Maestro Orchestrator to different Security Groups. The assigned Management port has a different IP address and a different MAC address in each Security Group, to which this port is assigned.

Client you can use to configure the Gaia Operating System on the Security Appliances in Security Groups, which you manage through Port 1 with the Management Server (2).

You connect:

Over SSH to the command line (Gaia Clish) of a Security Group.
With a web browser to the Gaia Portal of a Security Group.

The first Quantum Maestro Orchestrator.

Connecting to the Management Ports with Breakout Cables

Important:

When you connect two Quantum Maestro Orchestrators for redundancy, the Check Point Management Server connects only to one of the Quantum Maestro Orchestrators.
It is possible to connect breakout cables only to the top odd ports 1 to 29. When the top ports are in a split mode, the bottom even ports 2 to 30 are disabled. The default Management ports are Port 1 and Port 2. When you connect a breakout cable, the Management port 2 is disabled. See MHO-170 Splitting Options.

Example:

Explanations

Item

Description

Layer 2 switch.

To this switch you connect the Check Point Management Server(s).

A Breakout cable connected to the Management port 1. See Breakout Cables.

Notes:

This cable splits the Management port 1 into four interfaces.
This connection disables the bottom Management port 2.
You assign these split Management interfaces to the applicable Security Groups.

Shared Management feature allows to assign the same Management port (interface ethX-MgmtY) on a Quantum Maestro Orchestrator to different Security Groups.

The assigned Management port has a different IP address and a different MAC address in each Security Group, to which this port is assigned.

The first Quantum Maestro Orchestrator.

Connecting to the Uplink Ports with DAC or Fiber Cables

Example of a connection to default Uplink ports 3 to 16:

Explanations

Item

Description

Network 1 connected to ports on the Networking Device (3).

Network 2 connected to ports on the Networking Device (3).

Networking Device (router or switch) that connects your Network 1 and Network 2 to the Quantum Maestro Orchestrators (10 and 12) with Bond interfaces (Link Aggregation).

Bond interface that connects Network 1 to the Quantum Maestro Orchestrators (10 and 12).

This Bond interface provides a redundant Uplink connection for the traffic inspected by the Security Appliances in the applicable Security Group (31).

Bond interface that connects Network 2 to the Quantum Maestro Orchestrators (10 and 12).

This Bond interface provides a redundant Uplink connection for the traffic inspected by the Security Appliances in the applicable Security Group (30).

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a first slave of the first Bond (4) on the Networking Device (3) to an Uplink port (in our example, Port 5) on the first Quantum Maestro Orchestrator (10).

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a second slave of the first Bond (4) on the Networking Device (3) to an Uplink port (in our example, Port 5) on the second Quantum Maestro Orchestrator (12).

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a first slave of the second Bond (5) on the Networking Device (3) to an Uplink port (in our example, Port 9) on the first Quantum Maestro Orchestrator (10).

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a second slave of the second Bond (5) on the Networking Device (3) to an Uplink port (in our example, Port 9) on the second Quantum Maestro Orchestrator (12).

First Quantum Maestro Orchestrator.

A 100 GbE or 40 GbE DAC cable connected to the dedicated Synchronization ports 32 on the Quantum Maestro Orchestrators.

Important - This connection is only used to synchronize the configuration of Security Groups between the Quantum Maestro Orchestrators.

Second Quantum Maestro Orchestrator.

Notes:

Cables colored green (solid lines) show connections to the first Quantum Maestro Orchestrator (10).
Cables colored blue (dash lines) show connections to the second Quantum Maestro Orchestrator (12).
You assign the Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. to the applicable Security Groups.
It is possible to configure some of the Downlink ports Interfaces on the Quantum Maestro Orchestrator used to connect to Check Point Security Appliances. You use DAC cables, Fiber cables (with transceivers), or Breakout cables to connect between the Downlink ports and Security Appliances. The Check Point Management traffic (policy, logs, synchronization, and so on) co-exists with the data (user) traffic on the Downlink ports. Bandwidth is guaranteed for the Check Point Management traffic (portion of the downlink bandwidth). These ports form the system backplane (management, data plane, synchronization). as additional Uplink ports.

See the Maestro Administration Guide for your version > Chapter Configuring Security Groups > Section Configuration Procedure > Section Configuring Security Groups in Gaia Clish > Section Configuring the Port Settings.

Connecting to the Uplink Ports with Breakout Cables

Important - It is possible to connect breakout cables only to the top ports. When the specific top ports are in a split mode, the corresponding bottom ports are disabled.

Example:

Explanations

Item

Description

Network 1 connected to ports on the Networking Device (3).

Network 2 connected to ports on the Networking Device (3).

Networking Device (router or switch) that connects your Network 1 and Network 2 to the Quantum Maestro Orchestrators (6 and 8) with Bond interfaces (Link Aggregation).

Bond interface that connects Network 1 to the Quantum Maestro Orchestrators (8 and 10).

This Bond interface provides a redundant Uplink connection for the traffic inspected by the Security Appliances in the applicable Security Group (31).

Bond interface that connects Network 2 to the Quantum Maestro Orchestrators (8 and 10).

This Bond interface provides a redundant Uplink connection for the traffic inspected by the Security Appliances in the applicable Security Group (30).

A Breakout cable connected to an Uplink port (in our example, Port 5) on the first Quantum Maestro Orchestrator (8).

See Breakout Cables.

Notes:

This cable splits the Uplink port into four interfaces.

You assign the new interfaces to the applicable Security Groups.
This connection disables the bottom Uplink port (in our example, Port 6).

A Breakout cable connected to an Uplink port (in our example, Port 13) on the second Quantum Maestro Orchestrator (10).

See Breakout Cables.

Notes:

This cable splits the Uplink port into four interfaces.

You assign the new interfaces to the applicable Security Groups.
This connection disables the bottom Uplink port (in our example, Port 14).

First Quantum Maestro Orchestrator.

A 100 GbE DAC cable connected to the dedicated Synchronization ports 32 on the Quantum Maestro Orchestrators.

Important - This connection is only used to synchronize the configuration of Security Groups between the Quantum Maestro Orchestrators.

Second Quantum Maestro Orchestrator.

Notes:

Cables colored green (solid lines) show connections to the first Quantum Maestro Orchestrator (10).
Cables colored blue (dash lines) show connections to the second Quantum Maestro Orchestrator (12).
You assign the Uplink interfaces to the applicable Security Groups.
It is possible to configure some of the Downlink ports as additional Uplink ports.

See the Maestro Administration Guide for your version > Chapter Configuring Security Groups > Section Configuration Procedure > Section Configuring Security Groups in Gaia Clish > Section Configuring the Port Settings.

Connecting to the Downlink Ports with DAC or Fiber Cables

Example of a connection to default Downlink ports 17 to 30:

Explanations

Table: Explanations

Item

Description

The first Quantum Maestro Orchestrator.

The second Quantum Maestro Orchestrator.

A 100 GbE DAC cable connected to the dedicated Synchronization ports on the Quantum Maestro Orchestrators.

Important - This connection is only used to synchronize the configuration of Security Groups between the Quantum Maestro Orchestrators.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 20) on the first Quantum Maestro Orchestrator (1) and to the applicable port on the Expansion Line Card on the Security Appliance 16.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 20) on the second Quantum Maestro Orchestrator (2) and to the applicable port on the Expansion Line Card on the Security Appliance 16.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 22) on the first Quantum Maestro Orchestrator (1) and to the applicable port on the Expansion Line Card on the Security Appliance 15.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 22) on the second Quantum Maestro Orchestrator (2) and to the applicable port on the Expansion Line Card on the Security Appliance 15.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 24) on the first Quantum Maestro Orchestrator (1) and to the applicable port on the Expansion Line Card on the Security Appliance 13.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 24) on the second Quantum Maestro Orchestrator (2) and to the applicable port on the Expansion Line Card on the Security Appliance 13.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 26) on the first Quantum Maestro Orchestrator (1) and to the applicable port on the Expansion Line Card on the Security Appliance 12.

A DAC cable or Fiber cable (with transceivers) connected to a Downlink port (in our example, Port 26) on the second Quantum Maestro Orchestrator (2) and to the applicable port on the Expansion Line Card on the Security Appliance 12.

A Security Appliance that is assigned to the Security Group 2 (14).

All Security Appliances assigned to the Security Group 2.

A Security Appliance that is assigned to the Security Group 1 (17).

All Security Appliances assigned to the Security Group 1.

Notes:

Port 32 (colored purple) is the dedicated synchronization port to connect two MHO-170 for redundancy on the same site.
It is possible to configure some of the Uplink ports as additional Downlink ports.

See the Maestro Administration Guide for your version > Chapter Configuring Security Groups > Section Configuration Procedure > Section Configuring Security Groups in Gaia Clish > Section Configuring the Port Settings.
The Quantum Maestro Orchestrators create Link Aggregation for the applicable Downlink ports automatically.
See these sections:
- Connecting cables between Downlink ports on each Quantum Maestro Orchestrator and 2 ports on the Dual Port Card on each Security Appliance
- Connecting cables between Downlink ports on each Quantum Maestro Orchestrator and 1 out of 4 ports on the Quad Port Card on each Security Appliance