Getting Started

Important - This section describes a general workflow. For the specific workflow, see: Quick Start with MHO-140 - Single Site with Two Orchestrators (more procedures will be added in the future)

Workflow:

1. Mount Quantum Maestro Orchestrators A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO. in their racks.

   See:

   • Mounting the Quantum Maestro Orchestrator MHO-175 in a Rack

   • Mounting the Quantum Maestro Orchestrator MHO-140 and MHO-170 in a Rack

2. Install the Security Appliances for your Security Groups A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.:

   1. Install the applicable Expansion Line Cards (if required) in the appliances.

      See the Installing and Removing Line Cards.

      Notes: Maestro configuration supports only ports 10 Gbps or faster. Maestro does not support Downlink connections from a 10 Gbps Expansion Line Card and a 25 / 40 / 100 Gbps Expansion Line Card at the same time on the same Security Appliance.

      Warning - You must remove all unused Expansion Line Cards (not including 1Gbps) from Security Appliances.

   2. Mount appliances in their racks.

      See the Getting Started Guide for your appliances in sk96246.

   3. Power on the appliances.

3. Connect the required network cables to Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. on the Quantum Maestro Orchestrators See "Maestro Orchestrator".:

   See Connecting Cables to Quantum Maestro Orchestrators.

4. Connect the required network cables from the Downlink ports Interfaces on the Quantum Maestro Orchestrator used to connect to Check Point Security Appliances. You use DAC cables, Fiber cables (with transceivers), or Breakout cables to connect between the Downlink ports and Security Appliances. The Check Point Management traffic (policy, logs, synchronization, and so on) co-exists with the data (user) traffic on the Downlink ports. Bandwidth is guaranteed for the Check Point Management traffic (portion of the downlink bandwidth). These ports form the system backplane (management, data plane, synchronization). on the Quantum Maestro Orchestrators to Security Appliances:

   See Connecting Cables to Quantum Maestro Orchestrators.

5. Connect to each Quantum Maestro Orchestrator.

   Note - It is important in which order you configure the Orchestrators in a Dual Site environment. The first Orchestrator you configure becomes the "first" Orchestrator on this Site. It synchronizes the configuration to the "second" Orchestrator on this Site.

   Connecting over SSH

   1. Connect the included Ethernet cable from your computer to the MGMT port on the Orchestrator.

      See MGMT Ports.

      You use this MGMT port only to manage the Orchestrator.

   2. On your computer, configure a static IP address (see the documentation for your operating system):

      1. IP address - between 192.168.1.2 and 192.168.1.254

      2. Subnet mask - 255.255.255.0

      3. Default Gateway - empty

      4. DNS Servers - empty

   3. Open an SSH client and connect to this IP address - 192.168.1.1

   4. Log in to Gaia Clish on the Orchestrator with these default credentials:

      • Username - admin

      • Password - admin

      Best Practice - Change the default password. If the SSH connection is interrupted after the password change, log in again with the new password. See the Gaia Administration Guide for your version.

   5. Activate the Orchestrator - enter "y" when it asks you.

      This Orchestrator activation enables the Downlink ports and the Uplink ports.

      For more information, see sk171784 - Activation of a Quantum Maestro Orchestrator.

   6. Connect the MGMT port of the Orchestrator to your network.

   Connecting through the Console port

   1. Connect to the Console port. See Console Port.

   2. Power on the Orchestrator.

   3. In your Terminal application, log in to Gaia Clish with these default credentials:

      • Username - admin

      • Password - admin

      Best Practice - Change the default password. See the Gaia Administration Guide for your version.

   4. Activate the Orchestrator - enter "y" when it asks you.

      This Orchestrator activation enables the Downlink ports and the Uplink ports.

      For more information, see sk171784 - Activation of a Quantum Maestro Orchestrator.

   

   Example for MHO-140:

6. Configure the required IPv4 settings on the MGMT port:

   

   Example for MHO-140:

   1. Configure the required IPv4 address and Mask Length:

      set interface Mgmt1 ipv4-address <IPv4 Address> mask-length <Length>

      Example:

      set interface Mgmt1 ipv4-address 192.168.10.22 mask-length 24

   2. Change the state of the MGMT port to "on":

      set interface Mgmt1 state on

   3. Configure the required Default Gateway:

      set static-route default nexthop gateway address <IPv4 Address> on

      Example:

      set static-route default nexthop gateway address 192.168.10.1 on

   4. Save the configuration:

      save config

7. Connect the MGMT port of each Quantum Maestro Orchestrator to your network.

8. Connect to each Quantum Maestro Orchestrator through the MGMT port in one of these ways:

   • With a web browser to Gaia Portal on the Orchestrator:

     See the Quantum Maestro Quick Start Guide in the shipping carton.

     https://<IPv4 Address you configured on the MGMT port>

     Example:

     https://192.168.10.22

     

   • With an SSH client to Gaia Clish on the Orchestrator:

     <IPv4 Address you configured on the MGMT port>

     Example:

     192.168.10.22

   Use these credentials:

   • Username - admin

   • Password - the password you configured (the default password is admin)

   Notes: On Quantum Maestro Orchestrators R80.20SP - R81.20, there is no Gaia First Time Configuration Wizard. You do not need to install a license on Quantum Maestro Orchestrators.

9. In Quantum Maestro Orchestrators R82 and higher, run the Gaia First Time Configuration Wizard.

   Procedure

   1. In the Deployment Options window:

      1. In the section Setup, select Continue with <Version> configuration.

         Click Next.

      2. In the section Environment, select the applicable option:

         • Create a new Maestro environment

           Select this option if this is a new Maestro environment without Security Groups.

         • Join an existing Maestro environment

           Select this option if you need to add this Maestro Orchestrator to an existing Maestro environment with configured Security Groups.

         Click Next.

   2. In the Authentication Details window:

      1. Enter the desired administrator password for the Expert mode.

      2. Enter the desired administrator password for the Maintenance mode.

      Click Next.

   3. In the Management Connection window:

      If needed, configure the IP settings for the Orchestrator Management Port.

      Click Next.

   4. In the Device Information window:

      Configure the required settings:

      • Hostname

      • Domain Name

      • DNS Servers

      • Proxy Server

      Click Next.

   5. In the Date and Time Settings window:

      Configure the required settings.

      Click Next.

   6. In the Orchestrator Configuration window:

      1. In the Number of Sites field, select the applicable value.

      2. In the Number of Orchestrators on each Site field, select the applicable value.

      3. In the Site ID field, select the applicable value.

      4. In the Orchestrator ID on Site field, select the applicable value.

      5. Click Next.

      6. Optional: In the Internal Sync field, select the applicable interface other than the default.

      7. Optional: In the External Sync field, select the applicable interface other than the default.

      8. Optional: Select Change VLAN configuration, if it is necessary to change the default VLAN IDs used for Orchestrator synchronization. Configure the required VLAN IDs. See sk168092.

      9. Click Next.

   7. In the First Time Configuration Wizard Summary window:

      1. Read the information on this page.

      2. Click Finish.

10. On the Orchestrator (in Gaia Portal or Gaia Clish), configure the required Security Groups and configuring their Gaia settings.

    Follow the Maestro Administration Guide for your version > Chapter Configuring Security Groups.