Quick Start with MHO-140 - Single Site with Two Orchestrators

Part 1 - Installing the Hardware and Connecting Cables

  1. Mount the two Quantum Maestro OrchestratorsClosed A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO. MHO-140 in the racks on the site.

    See Mounting the Quantum Maestro Orchestrator MHO-140 and MHO-170 in a Rack.

  2. Install the Security Appliances for your Security GroupsClosed A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected..

    1. Install the applicable Expansion Line Cards (if required) in the appliances.

      See Installing and Removing Line Cards.

      Notes:

      • Maestro configuration supports only ports 10 Gbps or faster.

      • Maestro does not support Downlink connections from a 10 Gbps Expansion Line Card and a 25 / 40 / 100 Gbps Expansion Line Card at the same time on the same Security Appliance.

      Warning - You must remove all unused Expansion Line Cards (not including 1Gbps) from Security Appliances.

    2. Mount appliances in their racks.

      See the Getting Started Guide for your appliances in sk96246.

    3. Power on the Security Appliances.

  3. Connect a DAC cableClosed Direct Attach Copper cable. A form of the high-speed shielded twinax copper cable with pluggable transceivers on both ends. Used to connect to network devices (switches, routers, or servers). between the dedicated Synchronization ports 48 on the two OrchestratorsClosed See "Maestro Orchestrator"..

    For more information, see Port Mapping for the Quantum Maestro Orchestrator MHO-140.

  4. Connect the required cables between the Security Appliances and the applicable 10 Gbps Downlink portsClosed Interfaces on the Quantum Maestro Orchestrator used to connect to Check Point Security Appliances. You use DAC cables, Fiber cables (with transceivers), or Breakout cables to connect between the Downlink ports and Security Appliances. The Check Point Management traffic (policy, logs, synchronization, and so on) co-exists with the data (user) traffic on the Downlink ports. Bandwidth is guaranteed for the Check Point Management traffic (portion of the downlink bandwidth). These ports form the system backplane (management, data plane, synchronization). 27 - 47 on each Orchestrator.

    Important:

    • Maestro configuration supports only ports 10 Gbps or faster on Security Appliances.

    • To connect Security Appliances to these 10 Gbps Downlink ports, use a Fiber cable or a DAC cable.

      You can connect Fiber cables and DAC cables to the same Security Appliance.

    • To connect Fiber cables, you must use only the supported transceivers.

      See sk92755 - Compatibility of transceivers for Check Point appliances.

    See:

    Diagrams:

    Illustration

    Instructions

    On each Security Appliance (C) in the Security Group:

    1. Connect a cable from Port 1 on the Dual Port Card to a Downlink port on the first Orchestrator (A).

    2. Connect a cable from Port 2 on the Dual Port Card to a Downlink port on the second Orchestrator (B).

    Illustration

    Instructions

    On each Security Appliance (C) in the Security Group:

    1. Connect a cable from Port 1 on the Quad Port Card to a Downlink port on the first Orchestrator (A).

    2. Connect a cable from Port 2 on the Quad Port Card to a Downlink port on the second Orchestrator (B).

    Illustration

    Instructions

    Important - In R80.20SP, this connection method is supported only with the R80.20SP Jumbo Hotfix Accumulator (Take 105 and above) installed on Orchestrators and Security Groups.

    On each Security Appliance (C) in the Security Group:

    1. Connect a cable from Port 1 on the Quad Port Card to a Downlink port on the first Orchestrator (A).

    2. Connect a cable from Port 3 on the Quad Port Card to a Downlink port on the first Orchestrator (A).

    3. Connect a cable from Port 2 on the Quad Port Card to a Downlink port on the second Orchestrator (B).

    4. Connect a cable from Port 4 on the Quad Port Card to a Downlink port on the second Orchestrator (B).

    Item

    Description

    A

    First Orchestrator.

    B

    Second Orchestrator.

    C

    Security Appliances in Security Groups.

    A DAC cable connected to the dedicated Synchronization ports on the Orchestrators.

    Cables that connect odd ports on the Quad Port Card to the first Orchestrator.

    Cables that connect even ports on the Quad Port Card to the second Orchestrator.

  5. Connect the required cables between the applicable Uplink portsClosed Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. 5 - 26, 49 - 55 on each Orchestrator and your switches.

    Important - To connect Fiber cables, you must use only the supported transceivers.

    See sk92755 - Compatibility of transceivers for Check Point appliances.

    Best Practice - In a Dual Site environment, configure the Uplink ports in the same way on each Orchestrator.

    See:

    Port Speed

    on a Switch

    Port Type on the

    Orchestrator

    Cable to Use

    10 Gbps

    SFP+ / SFP28

    Ports 5 - 26

    Fiber or DAC

    25 Gbps

    QSFP / QSFP28

    Ports 49 - 55

    Fiber, DAC, or Breakout

    40 Gbps

    QSFP / QSFP28

    Ports 49 - 55

    Fiber, DAC, or Breakout

    100 Gbps

    QSFP / QSFP28

    Ports 49 - 55

    Fiber, DAC, or Breakout

    Note - The 25 Gbps speed is available in:

  6. Power on each Orchestrator.

    See Step 7: Initial Power On.

Part 2 - Initial Configuration on each Orchestrator

Notes:

  • You do not need to install a license on Quantum Maestro Orchestrators.

  • It is important in which order you configure the Orchestrators.

    The first Orchestrator you configure becomes the "first" Orchestrator on this Site.

    It synchronizes the configuration to the "second" Orchestrator on this Site.

  1. Connect with a web browser to Gaia Portal on the "first" Orchestrator.

    https://<IPv4 Address you configured on the Orchestrator MGMT port>

    Example:

    https://192.168.10.22

  2. Log in with these default credentials:

    • Username - admin

    • Password - admin

    The Gaia First Time Configuration Wizard opens.

  3. In the Deployment Options window:

    1. In the section Setup, select Continue with <Version> configuration.

      Click Next.

    2. In the section Environment, select the applicable option:

      • Create a new Maestro environment

        Select this option if this is a new Maestro environment without Security Groups.

      • Join an existing Maestro environment

        Select this option if you need to add this Maestro Orchestrator to an existing Maestro environment with configured Security Groups.

      Click Next.

  4. In the Authentication Details window:

    1. Enter the desired administrator password for the Expert mode.

    2. Enter the desired administrator password for the Maintenance mode.

    Click Next.

  5. In the Management Connection window:

    If needed, configure the IP settings for the Orchestrator Management Port.

    Click Next.

  6. In the Device Information window:

    Configure the required settings:

    • Hostname

    • Domain Name

    • DNS Servers

    • Proxy Server

    Click Next.

  7. In the Date and Time Settings window:

    Configure the required settings.

    Click Next.

  8. In the Orchestrator Configuration window:

    1. In the Number of Sites field, select the applicable value.

    2. In the Number of Orchestrators on each Site field, select the applicable value.

    3. In the Site ID field, select the applicable value.

    4. In the Orchestrator ID on Site field, select the applicable value.

    5. Click Next.

    6. Optional: In the Internal Sync field, select the applicable interface other than the default.

    7. Optional: In the External Sync field, select the applicable interface other than the default.

    8. Optional: Select Change VLAN configuration, if it is necessary to change the default VLAN IDs used for Orchestrator synchronization. Configure the required VLAN IDs. See sk168092.

    9. Click Next.

  9. In the First Time Configuration Wizard Summary window:

    1. Read the information on this page.

    2. Click Finish.

  10. Connect the MGMT port of the Orchestrator #1 to your network.

  11. Make sure the connection from a computer on your network to Orchestrator #1 works.

    With a web browser, connect to this URL:

    https://<IPv4 Address you configured on the MGMT port>

    Example:

    https://192.168.10.22

  12. Repeat Steps 1 - 11 for the Orchestrator #2.

    You must configure a different IPv4 address than that of the Orchestrator #1.

Notes:

  • You do not need to install a license on Quantum Maestro Orchestrators.

  • It is important in which order you configure the Orchestrators.

    The first Orchestrator you configure becomes the "first" Orchestrator on this Site.

    It synchronizes the configuration to the "second" Orchestrator on this Site.

  • It is possible to configure each Quantum Maestro Orchestrator through the Console port. See Console Port.

  1. Connect the included Ethernet cable from your computer to the MGMT port labeled 0 on the rear panel of the Orchestrator #1.

    See MHO-140 Rear Panel.

    You use this MGMT port only to manage the Orchestrator.

  2. On your computer, configure a static IP address (see the documentation for your operating system):

    1. IP address - between 192.168.1.2 and 192.168.1.254

    2. Subnet mask - 255.255.255.0

    3. Default Gateway - empty

    4. DNS Servers - empty

  3. Open an SSH client and connect to this IP address - 192.168.1.1

  4. Log in to Gaia Clish on the Orchestrator #1 with these default credentials:

    • Username - admin

    • Password - admin

    Best Practice - Change the default password.

    If the SSH connection is interrupted after the password change, log in again with the new password.

    See the Gaia Administration Guide for your Orchestrator version:

  5. Activate the Orchestrator #1 - enter "y" when it asks you.

    This Orchestrator activation enables the Downlink ports and the Uplink ports.

    For more information, see sk171784 - Activation of a Quantum Maestro Orchestrator.

  6. Configure the IPv4 settings on the MGMT port on the Orchestrator #1 as required in your network.

    Example for MHO-140:

    1. Configure the required IPv4 address and Mask Length:

      set interface Mgmt1 ipv4-address <IPv4 Address> mask-length <Length>

      Example:

      set interface Mgmt1 ipv4-address 192.168.10.22 mask-length 24

    2. Change the state of the MGMT port to "on":

      set interface Mgmt1 state on

    3. Configure the required Default Gateway:

      set static-route default nexthop gateway address <IPv4 Address> on

      Example:

      set static-route default nexthop gateway address 192.168.10.1 on

    4. Save the configuration:

      save config

  7. Connect the MGMT port of the Orchestrator #1 to your network.

  8. Make sure the connection from a computer on your network to Orchestrator #1 works.

    With a web browser, connect to this URL:

    https://<IPv4 Address you configured on the MGMT port>

    Example:

    https://192.168.10.22

    Notes:

    • On Orchestrators R80.20SP - R81.20, there is no Gaia First Time Configuration Wizard.

    • You do not need to install a license on Orchestrators.

  9. Repeat Steps 1 - 8 for the Orchestrator #2.

    You must configure a different IPv4 address than that of the Orchestrator #1.

Part 3 - Creating a New Security Group

  1. Connect with a web browser to Gaia Portal on the "first" Orchestrator.

    https://<IPv4 Address you configured on the Orchestrator MGMT port>

    Example:

    https://192.168.10.22

  2. Log in.

  3. From the left navigation panel:

    • In the Orchestrator versions R82 and higher:

      In the Orchestrator Management section, click the Security Groups page.

    • In the Orchestrator versions R80.20SP - R81.20:

      Click the Orchestrator page.

    The Topology section contains the table that shows these sections (from left to right):

    Pane

    Description

    Unassigned Gateways

    All detected Security Appliances that are not part of configured Security Groups.

    Topology

    Configured Security Groups with their assigned Security Appliances and ports.

    Unassigned Interfaces

    All interfaces on Orchestrators that are not part of configured Security Groups.

  4. In the middle pane Topology, at the top, right-click Security Groups and click New Security Group.

  5. In the Security Group <X> configuration window, enter the required information, including the First Time Wizard, and click OK.

  6. From the left pane Unassigned Gateways, drag and drop at least one Security Appliance to the Security Group’s Gateways section.

  7. From the right pane Unassigned Interfaces, drag and drop at least one Management port (eth<X>-Mgmt<Y>) to the Security Group’s Interfaces section.

    See:

  8. From the right pane Unassigned Interfaces, drag and drop the required Uplink ports to the Security Group’s Interfaces section.

  9. At the bottom of this page, click Apply.

  10. Wait for the Orchestrator to create the new Security Group.

    Important - This takes approximately 10 minutes, and it automatically reboots the assigned Security Appliances.

  11. Connect a cable between the assigned Management port (eth<X>-Mgmt<Y>) on the Orchestrator front panel and your switch.

    See:

For more information, see the Maestro Administration Guide for your version:

Part 4 - Configuring Gaia Settings on the New Security Group

  1. Connect with a web browser to Gaia Portal on the Security Group (through the assigned Management port eth<X>-Mgmt<Y>).

    https://<IPv4 Address of Security Group>

    Example:

    https://192.168.10.66

  2. Log in.

  3. Configure the applicable interfaces and other settings.

    See the Gaia Administration Guide for your version:

Part 5 - Configuring a Security Gateway Object in SmartConsole

  1. Connect with SmartConsole to the applicable Security Management Server / Domain Management Server that must manage this Security Group.

    See the Quantum Security Management Administration Guide for your version.

  2. Create a new Security Gateway and configure the required settings.

  3. Configure the applicable rules in the Access Control Policy.

  4. Configure the applicable rules in the Threat Prevention Policy.

    See the Threat Prevention Administration Guide for your version.

  5. Install the Access Control Policy on this Security Gateway object.

  6. Install the Threat Prevention Policy on this Security Gateway object.

Part 6 - Monitoring the Security Group Members

  1. Connect to the command line on the Security Group with an SSH client to:

    <IPv4 Address of Security Group>

  2. Run this command:

  3. Wait for each Security Group Members to show its state as "ACTIVE".

    Important - This can take 6-7 minutes.