Connecting Two Quantum Maestro Orchestrators for Redundancy

This section describes the connection of two Quantum Maestro OrchestratorsClosed A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO. for Redundancy on the same site.

Best Practice - For redundancy, install and connect two Quantum Maestro OrchestratorsClosed See "Maestro Orchestrator". on the same site.

Warning - It is critical to protect the Maestro Sites against both malicious and unintentional threats:

  • On each Security Appliance, each required network port must connect to Orchestrators with a direct able (without intermediate devices).

  • On the same Maestro site, the internal synchronization ports on both Orchestrators must connect to each other with a direct cable or must connect to an isolated dedicated network.

Diagram

Important - It is possible to connect only two Quantum Maestro Orchestrators of the same model (see MBS-5038).

Best Practice - Connect cables to the same Uplink and Downlink portsClosed Interfaces on the Quantum Maestro Orchestrator used to connect to Check Point Security Appliances. You use DAC cables, Fiber cables (with transceivers), or Breakout cables to connect between the Downlink ports and Security Appliances. The Check Point Management traffic (policy, logs, synchronization, and so on) co-exists with the data (user) traffic on the Downlink ports. Bandwidth is guaranteed for the Check Point Management traffic (portion of the downlink bandwidth). These ports form the system backplane (management, data plane, synchronization). on the two Quantum Maestro Orchestrators (for example, if you connected to an Uplink port 4 on one Quantum Maestro Orchestrator, then you must connect to an Uplink port 4 on the other Quantum Maestro Orchestrator).

Notes:

Example for MHO-170:

Table: Explanations

Item

Description

1

Network 1 connected to ports on the Networking Device (3).

2

Network 2 connected to ports on the Networking Device (3).

3

Networking Device (router or switch) that connects your Network 1 and Network 2 to the Quantum Maestro Orchestrators (15 and 16) with Bond interfaces (Link Aggregation).

4

Bond interface that connects Network 1 to the Quantum Maestro Orchestrators (15 and 16).

This Bond interface provides a redundant Uplink connection for the traffic inspected by the Security Appliances (29 and 30) in the applicable Security Group (31).

5

Bond interface that connects Network 2 to the Quantum Maestro Orchestrators (15 and 16).

This Bond interface provides a redundant Uplink connection for the traffic inspected by the Security Appliances (26 and 27) in the applicable Security Group (28).

6

SmartConsole Client that connects to the Management Server (7).

7

Management Server that manages Security Groups configured on the Quantum Maestro Orchestrators (15 and 16).

8

Layer 2 switch.

9

A Breakout cableClosed An optical fiber cable that contains several jacketed simplex optical fibers that are packaged together inside an outer jacket. Synonyms: Fanout cable, Fan-Out cable, Splitter cable. connected to the Management port 1. See Splitting the Ports with Breakout Cables.

Note - You assign this Management port (or these split interfaces) to the applicable Security Groups. Shared ManagementClosed Feature that allows to assign the same Management Port (interface ethX-MgmtY) on a Quantum Maestro Orchestrator to different Security Groups. The assigned Management Port has a different IP address and a different MAC address in each Security Group, to which this port is assigned. feature allows to assign the same Management port (interface ethX-MgmtY) on a Quantum Maestro Orchestrator to different Security Groups. The assigned Management port has a different IP address and a different MAC address in each Security Group, to which this port is assigned.

10

A DAC cableClosed Direct Attach Copper cable. A form of the high-speed shielded twinax copper cable with pluggable transceivers on both ends. Used to connect to network devices (switches, routers, or servers)., Fiber cable (with transceivers), or Breakout cable that connects a first slave of the first Bond (4) on the Networking Device (3) to the first Quantum Maestro Orchestrator (15).

11

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a second slave of the first Bond (4) on the Networking Device (3) to the second Quantum Maestro Orchestrator (16).

12

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a first slave of the second Bond (5) on the Networking Device (3) to the first Quantum Maestro Orchestrator (15).

13

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a second slave of the second Bond (5) on the Networking Device (3) to the second Quantum Maestro Orchestrator (16).

14

Client you can use to configure the Gaia Operating System on the Security Appliances in Security Groups.

You connect:

  • Over SSH to the command line (Gaia Clish) of Security Groups.

  • With a web browser to the Gaia Portal of Security Groups.

15

First Quantum Maestro Orchestrator:

  • Connects Network 1 and Network 2 to the Security Appliances (26, 27, 29, and 30).

  • Distributes the traffic between the Security Appliances in the Security Groups.

16

Second Quantum Maestro Orchestrator:

  • Connects Network 1 and Network 2 to the Security Appliances (26, 27, 29, and 30).

  • Distributes the traffic between the Security Appliances in the Security Groups.

17

A DAC that connects the dedicated Synchronization ports on the Quantum Maestro Orchestrators (15 and 16).

Important:

  • This connection is only used to synchronize the configuration of Security Groups between the Quantum Maestro Orchestrators.

  • MHO-175 and MHO-170 require a 100 GbE DAC or 40 GbE DAC cable.

  • MHO-140 requires a 10 GbE DAC cable.

18

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a Downlink port on the first Quantum Maestro Orchestrator (15) to the Security Appliance (30).

19

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a Downlink port on the second Quantum Maestro Orchestrator (16) to the Security Appliance (30).

20

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a Downlink port on the first Quantum Maestro Orchestrator (15) to the Security Appliance (29).

21

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a Downlink port on the second Quantum Maestro Orchestrator (16) to the Security Appliance (29).

22

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a Downlink port on the first Quantum Maestro Orchestrator (15) to the Security Appliance (27).

23

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a Downlink port on the second Quantum Maestro Orchestrator (16) to the Security Appliance (27).

24

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a Downlink port on the first Quantum Maestro Orchestrator (15) to the Security Appliance (26).

25

A DAC cable, Fiber cable (with transceivers), or Breakout cable that connects a Downlink port on the second Quantum Maestro Orchestrator (16) to the Security Appliance (26).

26

Security Appliance 2 in the Security Group 2 (28).

27

Security Appliance 1 in the Security Group 2 (28).

28

All Security Appliances assigned to the Security Group 2.

29

Security Appliance 2 in the Security Group 1 (31).

30

Security Appliance 1 in the Security Group 1 (31).

31

All Security Appliances assigned to the Security Group 1.

Notes:

  • Both Quantum Maestro Orchestrators work together (Active / Active).

  • Cables colored red show management traffic flow.

  • Cables colored green (solid lines) show connections to the first Quantum Maestro Orchestrator (15).

  • Cables colored blue (dash lines) show connections to the second Quantum Maestro Orchestrator (16).

  • When you assign a Security Appliance to a Security Group, the Quantum Maestro Orchestrators determine the applicable Downlink ports automatically.

  • The Quantum Maestro Orchestrators create Link Aggregation for the applicable Downlink ports automatically.

  • Security Group 1 contains:

    • Applicable Uplink ports, to which the cables 10 and 11 are connected.

    • Security Appliances 30 and 29.

    • Applicable management port (or split interface), to which the Management Server 7 is connected.

  • Security Group 2 contains:

    • Applicable Uplink ports, to which the cables 12 and 13 are connected.

    • Security Appliances 27 and 26.

    • Applicable management port (or split interface), to which the Management Server 7 is connected.

Important:

  • See the Release Notes for your version for the list of the required Check Point cards on the Security Appliances.

  • You must connect the same number of cables from each Quantum Maestro Orchestrator to all Security Appliances in the same Security Group.

    Otherwise, the Quantum Maestro Orchestrators are not able to distribute the traffic equally between the Security Appliances in the same Security Group.

  • It is possible to connect a maximum of two Downlink ports from each Quantum Maestro Orchestrator to each Security Appliance.

Connecting cables between Downlink ports on each Quantum Maestro Orchestrator and 2 ports on the Dual Port Card on each Security Appliance

Illustration

Instructions

On each Security Appliance (C) in the Security Group:

  1. Connect a cable from Port 1 on the Dual Port Card to a Downlink port on the first Orchestrator (A).

  2. Connect a cable from Port 2 on the Dual Port Card to a Downlink port on the second Orchestrator (B).

Connecting cables between Downlink ports on each Quantum Maestro Orchestrator and 1 out of 4 ports on the Quad Port Card on each Security Appliance

Illustration

Instructions

On each Security Appliance (C) in the Security Group:

  1. Connect a cable from Port 1 on the Quad Port Card to a Downlink port on the first Orchestrator (A).

  2. Connect a cable from Port 2 on the Quad Port Card to a Downlink port on the second Orchestrator (B).

Connecting cables between Downlink ports on each Quantum Maestro Orchestrator and 2 out of 4 ports on the Quad Port Card on each Security Appliance

Illustration

Instructions

Important - In R80.20SP, this connection method is supported only with the R80.20SP Jumbo Hotfix Accumulator (Take 105 and above) installed on Orchestrators and Security Groups.

On each Security Appliance (C) in the Security Group:

  1. Connect a cable from Port 1 on the Quad Port Card to a Downlink port on the first Orchestrator (A).

  2. Connect a cable from Port 3 on the Quad Port Card to a Downlink port on the first Orchestrator (A).

  3. Connect a cable from Port 2 on the Quad Port Card to a Downlink port on the second Orchestrator (B).

  4. Connect a cable from Port 4 on the Quad Port Card to a Downlink port on the second Orchestrator (B).

Legend

Item

Description

A

First Orchestrator.

B

Second Orchestrator.

C

Security Appliances in Security Groups.

A DAC cable connected to the dedicated Synchronization ports on the Orchestrators.

Cables that connect odd ports on the Quad Port Card to the first Orchestrator.

Cables that connect even ports on the Quad Port Card to the second Orchestrator.

Best Practice for Security Appliances 23000 series:

Install the expansion cards in this order:

  1. Expansion Slot 3
  2. Expansion Slot 4
  3. Expansion Slot 5
  4. Expansion Slot 1
  5. Expansion Slot 2

Use Slots 1 and 2 only after all other slots are populated.

Overview of the expansion slots on the front panel:

LCD

Slot 4

Slot 5

Storage Devices

Slot 1

Slot 2

Slot 3

Appliance Ports

Workflow

Table: Workflow

Step

Device

Instructions

1

On the Networking Device (3)

Perform these steps (refer to the device vendor documentation):

  1. Configure a first Bond interface (4) on two slave ports.

    This Bond interface connects Network 1 to the Quantum Maestro Orchestrators.

    Configure the applicable settings, so that the traffic from and to Network 1 passes only on this Bond interface.

  2. Configure a second Bond interface (5) on two slave ports.

    This Bond interface connects Network 2 to the Quantum Maestro Orchestrators.

    Configure the applicable settings, so that the traffic from and to Network 2 passes only on this Bond interface.

  3. With a cable (10), connect the first slave interface of the first Bond (4) interface to an Uplink port (in our example, Port 3) on the first Quantum Maestro Orchestrator (15).

  4. With a cable (11), connect the second slave interface of the first Bond (4) interface to an Uplink port (in our example, Port 3) on the second Quantum Maestro Orchestrator (16).

  5. With cable (12), connect the first slave interface of the second Bond interface (5) to an Uplink port (in our example, Port 9) on the first Quantum Maestro Orchestrator (15).

  6. With cable (13), connect the second slave interface of the second Bond interface (5) to an Uplink port (in our example, Port 9) on the second Quantum Maestro Orchestrator (16).

2

On the first Quantum Maestro Orchestrator (15)

Perform these steps:

  1. With cable (18), connect a Downlink port (in our example, Port 18) to the applicable port on the first Security Appliance (30) in the Security Group 1 (31).

  2. With cable (20), connect a Downlink port (in our example, Port 22) to the applicable port on the second Security Appliance (29) in the Security Group 1 (31).

  3. With cable (22), connect a Downlink port (in our example, Port 26) to the applicable port on the first Security Appliance (27) in the Security Group 2 (28).

  4. With cable (24), connect a Downlink port (in our example, Port 30) to the applicable port on the second Security Appliance (26) in the Security Group 2 (28).

See these sections:

3

On the second Quantum Maestro Orchestrator (16)

Perform these steps:

  1. With cable (19), connect a Downlink port (in our example, Port 18) to the applicable port on the first Security Appliance (30) in the Security Group 1 (31).

  2. With cable (21), connect a Downlink port (in our example, Port 22) to the applicable port on the second Security Appliance (29) in the Security Group 1 (31).

  3. With cable (23), connect a Downlink port (in our example, Port 26) to the applicable port on the first Security Appliance (27) in the Security Group 2 (28).

  4. With cable (25), connect a Downlink port (in our example, Port 30) to the applicable port on the second Security Appliance (26) in the Security Group 2 (28).

See these sections:

4

On both Quantum Maestro Orchestrators (15 and 16)

Connect a DAC cable (17) between the dedicated synchronization port (in our example, Port 32) on the first Quantum Maestro Orchestrator (15) and the dedicated synchronization port (in our example, Port 32) on the second Quantum Maestro Orchestrator (16).

5

On the first Quantum Maestro Orchestrator (15)

With cable (9), connect the Management Server to the Management port (in our example, Port 1).

In our example, we used a Breakout cable because we have two Security Groups.

For more information that applies to MHO-175, see:

For more information that applies to MHO-170, see:

For more information that applies to MHO-140, see:

6

One of the two Quantum Maestro Orchestrators (15 or 16)

Perform these steps:

  1. Connect to the Gaia Operating System on the Quantum Maestro Orchestrator.

    You connect through a dedicated port:

    • In MHO-175 and MHO-170 - the MGMT port on the front panel (top right corner).

    • In MHO-140 - one of the ports on the rear panel.

  2. Create the Security Group 1.

    Assign these:

    • The two Security Appliances 30 and 29

    • The two applicable Uplink ports (in our example, Port 1/3/1 and Port 2/3/1)

    • The applicable management port (or split interface) on the Quantum Maestro Orchestrator (in our example, the split Port 1/1/1)

    See the Maestro Administration Guide for your version > Chapter Configuring Security Groups.

  3. Configure the Bond interfaces in the Security Group 1:

    1. Connect to the Gaia Operating System on the Security Group 1.

    2. Configure a Bond interface on the applicable two slave Uplink ports (in our example, Port 1/3/1 and Port 2/3/1).

      This Bond interface provides a redundant Uplink connection for the traffic inspected by the Security Appliances (30 and 29).

    See the Maestro Administration Guide for your version > Chapter Configuring Security Groups > Chapter Configuring Security Groups > Section Configuring Gaia Settings of a Security Group.

    For information about the configuration of Bond interfaces, see the Gaia Administration Guide for your version.

  4. Repeat Steps 2 and 3 to create and configure the Security Group 2:

    Assign these:

    • The two Security Appliances 27 and 26

    • The two applicable Uplink ports (in our example, Port 1/9/1 and Port 2/9/1)

    • The applicable management port (or split interface) on the Quantum Maestro Orchestrator (in our example, the split Port 1/1/2)